After the leaked reports at the end of March, which Anthropic had developed powerful fresh model Claude, the company formally announced Mythos Preview on Tuesday, along with news that it has convened an industry consortium, known as Project Glasswing, to tackle the implications of the fresh model for cybersecurity and developing artificial intelligence capabilities more generally.
The group includes Microsoft, Apple and Google, as well as Amazon Web Services, Linux Foundation, Cisco, Nvidia, Broadcom and more than 40 other organizations in technology, cybersecurity, critical infrastructure and finance, which will have private access to the model, which is not yet widely shared. The idea is simply to give the developers of the world’s core technology platforms time to enable Mythos Preview on their own systems so they can mitigate vulnerabilities and take advantage of the exploit chains the model develops in simulated attacks. More broadly, Anthropic emphasizes that the goal of convening the effort is to launch urgent research into how industry-wide artificial intelligence capabilities are on the cusp of what the company says is the need to change current software security and digital protection practices around the world.
“The real message is that this isn’t about the model or Anthropic,” Logan Graham, leader of the borderline company’s red team, tells WIRED. “We need to prepare now for a world where these capabilities will be widely available in 6, 12, 24 months. Many things would change in terms of security. Many of the assumptions on which we have built modern security paradigms may break down.”
Models developed and trained by many companies are increasingly able to find vulnerabilities in code and propose remediation solutions or strategies to exploit the vulnerabilities. This creates a fresh generation of the classic security cat-and-mouse game, in which the tool can support defenders, but can also fuel bad actors and make it easier to carry out attacks that were once too costly or complicated to be practical.
“The announcement of Claude Mythos is an especially big leap,” Anthropic CEO Dario Amodei said Tuesday in a video launching Project Glasswing. “We didn’t specifically train him to be good in cyberspace. We trained him to be good in code, but as a side effect of being good in code, he’s also good in cyberspace.” In the video, he adds that “more powerful models will come from us and from others. That’s why we need a plan to address this.”
Anthropic’s Graham notes that in addition to detecting vulnerabilities – including creating potential attack chains and proof-of-concepts – Mythos Preview enables more advanced exploit development, penetration testing, endpoint security assessment, system misconfiguration detection, and evaluation of software binaries without access to its source code.
Graham says that by releasing Mythos Preview on a staggered basis, starting with an industry collaboration phase, Anthropic sought to leverage the principles of coordinated vulnerability disclosure, a process that gives developers time to patch a bug before it is publicly discussed.
“We saw Mythos Preview achieve things that a senior security researcher would otherwise be able to achieve,” says Graham. “So this has very big implications for how we enable such capabilities. If not done carefully, it could significantly speed up attackers’ attacks.”
Glasswing project partners, including some of Anthropic’s competitors, adopted a collaborative tone in statements issued at the launch.
“Google is pleased to bring together this cross-industry cybersecurity initiative,” Heather Adkins, Google’s vice president of security engineering, said in a statement. “We have long believed that artificial intelligence creates new challenges and opens new opportunities in cyber defense.”