The Real Seismic Shock in Cyberspace

Anthropic’s claim last week that its Mythos tool can find security flaws in almost any software sent shock waves through the wood-paneled sanctums of the financial system and the less well-appointed suites of some senior government officials. Treasury Secretary Scott Bessent called in CEOs, telling them that if bad-guy hackers got their hands on Mythos before corporations fixed their software, there would be chaos. Any hacker could break into any network.

Well, yes, but while Mythos is no doubt an advance on existing code scanners, it is an evolutionary change, not a revolutionary one. Its rollout was also a masterpiece of public relations by Anthropic.

However, there really was a huge seismic shock to cyberspace recently, one that presages potential disasters, and it did not come from Anthropic. It came from Google. Its announcement was not accompanied by publicity; it was intentionally low key, almost hidden, at government request. Why am I less concerned about Mythos and more worried about what Google admitted?

Anthropic’s Mythos is likely the apotheosis of code scanners that hunt for security vulnerabilities, but automated software “vul scans” have been around for over a decade, and for much of that time they have used machine learning, an earlier and narrower form of artificial intelligence. One of the reasons Mythos has found vulnerabilities in commonly used software is that the creators of such software have not been systematically using the best of the newer capabilities to critique their old work. Most important code written recently was scanned for vulnerabilities as it was being written.

The scare that Anthropic created was twofold: 1) corporations would be at risk of being hacked if they did not take software security seriously, and 2) highly valued cyber security companies would all be made worthless because Mythos would replace them. Not so fast.

First, hackers have already been using AI to discover software security flaws in order to hack into networks. Mythos does it better, but that only underlines the existing need to improve software security in government and corporations. Thank you, Secretary Bessent, for telling the CEOs what they should already have been doing. Maybe now they will pay attention, and maybe you could also tell your fellow Cabinet members to fix their notoriously porous networks. (Also, maybe you should ask Anthropic whether we should all be concerned that Mythos apparently has a mind of its own and broke out of the isolation area in which it was developed?)

Second, only a small portion of cyber attacks use vulnerabilities in code to get into an enterprise’s network. Most attacks take advantage of misconfigured systems, stolen or impersonated identities, social engineering and other vectors. If we fixed all of the code vulnerabilities and kept fixing them with Mythos, cyber attacks would probably drop by less than twenty percent. Part of the reason for that estimate is that artificial intelligence is also already making those other attack techniques more powerful and successful, and Mythos does nothing to stop them. Thus, cyber security applications will still be necessary even after Mythos has given a corporation a clean bill of code.

While many cyber security professionals were not really quaking in their boots over Mythos putting them out of work, they were frightened by what Google quietly revealed: a quantum computer able to break the public-key encryption that almost everything on the Internet relies on is going to arrive much faster than we had all planned. While many people may think encryption is something Signal fanatics, intelligence agencies and armed forces use, actually we all use it. Digital certificates are embedded in most of the components of the Internet, and without them the networks would not work. Digital certificates rely on public-key cryptography, as do browsers, e-mail, remote sensors and many databases, all without the user noticing. Without reliable encryption the Internet breaks, because almost any network could be compromised.

We have known for decades that once a large enough quantum computer works reliably, it would quickly do decryption work that no classical computer, supercomputers included, could finish in any practical amount of time. What Google just told the world was that a much smaller quantum computer, one that at the current rate of progress could be built in the next two or three years, could do that decryption. It will take most corporations and governments longer than that to find and replace all of the encryption that they and their vendors use. The result is likely to be a field day for hackers, with cyberspace becoming a truly risky and hostile environment for any transaction.

Replace is the key word. There are already encryption algorithms that are, in theory, resistant to a quantum computer that does not yet exist; NIST published the first standards for them in 2024. (Note that we call them quantum resistant, not quantum proof, like bullet resistant rather than bullet proof. Big difference.) Such post-quantum encryption just has to be installed, everywhere. But “just” installing it will be a Herculean task at least as great as the Y2K software replacement effort, which, if you were not involved in it, let me assure you was an expensive and massive international campaign over several years.
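The “find and replace” job starts with an inventory: which public-key algorithms are actually in use across an organization’s certificates and keys. The Python below is an added example for this page, not code from the article, from Anthropic or from Google. It reads the algorithm identifier out of a DER-encoded SubjectPublicKeyInfo, the structure every X.509 certificate and most key files carry, using a minimal ASN.1 walker rather than a crypto library, and labels each key replace, keep or review. The OID table, the verdicts, the asset names and the zero-filled sample keys are assumptions constructed for the illustration.

```python
"""Quantum-risk triage of public keys read from DER SubjectPublicKeyInfo.
Added example for this page (not the article's code); OIDs, verdicts and
the sample inventory are assumptions constructed for illustration."""

# Algorithm OIDs (RFC 3279, RFC 8410, NIST FIPS 203/204 arc); assumed values.
OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"
OID_P256 = "1.2.840.10045.3.1.7"
OID_ED25519 = "1.3.101.112"
OID_ML_KEM_768 = "2.16.840.1.101.3.4.4.2"
OID_ML_DSA_65 = "2.16.840.1.101.3.4.3.18"
# Shor's algorithm breaks factoring and discrete logs, so RSA and every
# elliptic-curve scheme get "replace"; lattice schemes are quantum resistant.
QUANTUM_VULNERABLE = {OID_RSA: "RSA", OID_EC: "EC", OID_ED25519: "Ed25519"}
QUANTUM_RESISTANT = {OID_ML_KEM_768: "ML-KEM-768", OID_ML_DSA_65: "ML-DSA-65"}
NULL_PARAMS = b"\x05\x00"  # DER NULL: RSA's AlgorithmIdentifier parameters

def encode_length(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80|N, then N bytes)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def decode_length(data: bytes, pos: int):
    """Return (length, offset of the first content byte)."""
    if data[pos] < 0x80:
        return data[pos], pos + 1
    n = data[pos] & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # first two arcs share a byte
        chunk = [sid & 0x7F]  # base-128 groups, high bit set on all but the last
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06]) + encode_length(len(body)) + bytes(body)

def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(x) for x in head + subids[1:])

def der_tlv(data: bytes, pos: int = 0):
    """Return (tag, content octets, position just after this TLV)."""
    length, start = decode_length(data, pos + 1)
    return data[pos], data[start:start + length], start + length

def build_spki(alg_oid: str, params: bytes, key: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    alg_body = encode_oid(alg_oid) + params
    alg_id = bytes([0x30]) + encode_length(len(alg_body)) + alg_body
    bits = b"\x00" + key  # leading octet = number of unused bits (0)
    body = alg_id + bytes([0x03]) + encode_length(len(bits)) + bits
    return bytes([0x30]) + encode_length(len(body)) + body

def classify_spki(der: bytes) -> dict:
    """Pull the algorithm OID (and EC curve) out of an SPKI and give a verdict."""
    tag, spki, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, pos = der_tlv(spki)       # AlgorithmIdentifier
    _, key_bits, _ = der_tlv(spki, pos)  # subjectPublicKey BIT STRING
    _, oid_body, apos = der_tlv(alg_id)
    oid, curve = decode_oid(oid_body), None
    if apos < len(alg_id):               # optional parameters are present
        ptag, pbody, _ = der_tlv(alg_id, apos)
        if ptag == 0x06:                 # EC keys name their curve here
            curve = decode_oid(pbody)
    if oid in QUANTUM_VULNERABLE:
        name, verdict = QUANTUM_VULNERABLE[oid], "replace"
    elif oid in QUANTUM_RESISTANT:
        name, verdict = QUANTUM_RESISTANT[oid], "keep"
    else:
        name, verdict = oid, "review"    # unknown algorithm: a human must look
    return {"algorithm": name, "oid": oid, "curve": curve,
            "key_octets": len(key_bits) - 1, "verdict": verdict}

def audit(inventory: dict) -> dict:
    """Classify every SPKI in an inventory keyed by asset name."""
    return {asset: classify_spki(der) for asset, der in inventory.items()}

# Constructed sample inventory; key bytes are zero placeholders of realistic
# length, not real keys. The ML-KEM entry exercises long-form DER lengths.
SAMPLE_INVENTORY = {
    "web-tls-rsa": build_spki(OID_RSA, NULL_PARAMS, bytes(270)),
    "api-ecdsa-p256": build_spki(OID_EC, encode_oid(OID_P256), b"\x04" + bytes(64)),
    "ssh-ed25519": build_spki(OID_ED25519, b"", bytes(32)),
    "vpn-ml-kem-768": build_spki(OID_ML_KEM_768, b"", bytes(1184)),
}
```

On real material, `classify_spki` takes the base64-decoded body of a `-----BEGIN PUBLIC KEY-----` block, which is exactly this SPKI structure. A “replace” verdict matters differently by use: a key that protects confidentiality (key exchange, encryption) is exposed to record-now-decrypt-later today, while a signature-only key becomes forgeable only once the machine exists, so the confidentiality keys go first in the migration plan.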

If there is good news in all of this, it is that some government agencies and large financial institutions have already begun that replacement process. Most government agencies and corporations have not only not begun, they have not scoped the project, planned for it or budgeted for the requirement. For some of them, it may already be too late: encrypted traffic can be recorded today and decrypted once the machine exists, so any data that must stay secret for longer than the migration will take is already exposed. They should have started last year. As one former senior NSA officer familiar with these recent developments told me, “it would be appropriate right now for them to be frantic.”

Maybe Anthropic can ask Mythos how to solve this problem too. We will be waiting, but meanwhile we need to get ready for Y2Q, that day coming at us fast when many widely used encryption algorithms become breakable, making cryptocurrency worthless and, more importantly, putting most of our real economy at risk of fraud, theft, manipulation and destruction. Maybe Secretary Bessent would like to call the CEOs back in?

Richard Clarke served for thirty years in national security roles in the US government, including ten years in the White House under three presidents. He is the CEO of Good Harbor Security Risk Management. (richardaclarke.net)
