Time to Rewrite the Entire Cybersecurity Model or Face the Consequences

Anthropic’s Claude Mythos Preview is the final nail in the coffin of an already broken cybersecurity model. As if the initial announcement that it found thousands of critical zero-day vulnerabilities across every major operating system — and therefore was too dangerous to release publicly — wasn’t eye-opening enough, it has now been revealed that the model has already leaked to unauthorized users. Those of us in cybersecurity knew that, unfortunately, this was only a matter of time. And the imperative to act has never been more urgent.

We should all understand one thing: this is not an incremental change. This is the end of our cybersecurity model, and we are about to be tested in ways we have never imagined.  

Cyber math never worked

To understand how this advancement breaks everything, let’s look backwards to the world before Mythos entered our vocabulary four weeks ago. Every operating system, all software, and any network device is full of vulnerabilities and has been for decades. The first question we should be asking is “Why don’t we have more breaches?”

Everyone in cyber quotes the same line: the defender must be right 100% of the time, but the attacker needs to be right only once. Those are terrible odds for the defenders, and that has always been the “math problem” of cybersecurity. However, the thing that has kept the defenders in the game has been the finite speed of the attackers. Although the attackers have the mathematical advantage, creating and executing breaches has been human-driven at human speed. The math might be terrible, but the attackers and defenders were fighting a relatively fair fight. That ended with Mythos.

Mythos (and models to come) end the current cybersecurity model

Finding vulnerabilities and creating exploits at machine speed breaks everything. This is a completely new attack operating model, and we don’t have a machine-speed model for defense. When the attackers move at machine speed, and the defenders move at human speed, we don’t lose the game — it’s game over.  Here are three simple examples:

• ‍‍‍Patching. Patching laptops and servers often takes days, weeks, or months. Sometimes it never happens. We patch at human speed, if we’re lucky.  Even if the models that find vulnerabilities and create exploits also create patches, how do we patch everything at machine speed?
• ‍Process. Companies have extensive processes for product testing and procurement that take months just to decide what to purchase. Attackers are not going to wait months or years for companies to implement a new tool.
• ‍Supply chain. We talk about supply chains nonstop, but it’s about power, data center, and GPUs to fuel our AI dreams. What about the networking gear and firewalls that connect everything? What would happen if the entire world needed to execute the largest hardware refresh ever to close all of the holes in our infrastructure? Think in years (or decades) based on the current constraints.

The attackers in the AI age have an asymmetric advantage unlike anything we’ve planned for or seen before. A security strategy that relies on occasional patching and keeping threats outside the perimeter is a recipe for disaster, and there is extraordinarily little time to change it.

Mythos is just the first demonstration that AI can find and weaponize flaws faster than the world can patch and fix them. Mythos, and the models to come, have finally made it impossible to ignore the obvious: the broken security model most organizations rely on simply can’t keep us safe in the AI world.

Cyber has a new mission

The cybersecurity industry has spent decades promoting, selling, and optimizing prevention. Prevention works, some of the time, and will continue to do so. But if it worked all the time, breaches would never occur.

Mythos proves that no vulnerability is too old, too obscure, or too deeply buried to stay hidden forever. In a world where nothing can hide, anything and everything can be exploited — and eventually will be. Every organization must assume breach. When exploits emerge immediately after vulnerabilities are discovered, the risk to the system increases dramatically. This is where cyber finally gets a new mission: resilience.

AI accelerates what attackers can find and how quickly they can weaponize it. But it does not change the fundamental pattern of every successful attack. The attacker gets inside, moves from an initial foothold to something much more important, using our own infrastructure and networks to do so. The network that enables us to communicate and operate is the same one that allows the attacker to hide, move, and eventually compromise our crown jewels.

In the same way that Y2K created a global movement and mandate to update all systems, right now we need a “Manhattan Project” to increase cyber resilience. Network observability and segmentation will enable us to find, control, and limit the blast radius of breaches. Resilience equals survival in the AI era.

Before Mythos, we learned about new threats only after we got hit. But now we have a window into the future, and we must not squander it. We need to bring together the best minds in tech, cybersecurity, and government to come up with a plan to patch the world and build cyber resilience into everything we do.

The stability of our world as we know it depends on it, and we can’t go fast enough. We won’t stop everything, but we can survive anything if we start now.