If you believe Anthropic, a cybersecurity reckoning is coming, and its name is Mythos.
In early April, the company put out a blog post claiming an early-access version of its new model could be directed to identify and exploit vulnerabilities in every major operating system and every major web browser. Mozilla CTO Bobby Holley claimed the preview model found 271 vulnerabilities in its system, more than 10 times the number its predecessor, Opus 4.6, found.
Jon Ferguson, CIRA
AI has great potential to improve the quality of software, but in that process, it’s going to expose a lot of existing risk in the supply chain.
Anthropic’s preview program, Project Glasswing, allows big-name, US-based players like Amazon Web Services, Apple, Cisco, and Microsoft to learn from the alleged digital bloodhound, but it appears that no Canadian companies are on the list. BetaKit reached out to Anthropic for confirmation, but did not receive a response by press time.
The White House has also reportedly blocked Anthropic’s attempt to open up Glasswing to 70 more companies, citing security concerns. The perceived threat has Canadian institutions and companies battening down the hatches in preparation for a model that can see their every security flaw.
To get a better understanding of Mythos and its potential impact on Canadian cybersecurity, BetaKit spoke to Jon Ferguson, the vice-president of cyber and DNS at the Canadian Internet Registration Authority. In the following conversation, Ferguson expresses skepticism that Mythos is all it’s cracked up to be, the dangers of powerful technology being solely in the hands of big tech companies, and why this highlights the need for Canada to focus on sovereign AI.
The following interview has been edited for length and clarity.
Is the Mythos hype overblown?
There’s a little bit of dust to settle still to understand what Mythos really is.
We’re starting to see that some of Mythos is great marketing as opposed to a major technological revolution. There’s no doubt that AI, regardless of what frontier-style model you want to look at, is becoming capable, and that is very much being directed at things like vulnerability detection. AI has great potential to improve the quality of software, but in that process, it’s going to expose a lot of existing risk in the supply chain.
How prepared is Canada to deal with a model that can discover vulnerabilities at scale?
Canada tends to be a little bit later in the adoption curve; a little more risk-averse.
One of my concerns about Glasswing and these initiatives to protect critical suppliers is that, right now, it’s protecting a very select few large multinationals.
If I only allow the big guys to get access to this new tech, what happens to medium and small businesses? What happens to your hydro authority? What happens to the municipal water plant? They’re left out in the cold.
We’re really fearful that we’re stifling innovation to a point where, if you’re not running in one of these platforms, if you’re not one of the select people who get into the program, it’s going to be harder and harder.
What are the concerns here for business owners or public institutions?
If you look at the pace of high-risk vulnerabilities and how regulation is starting to form penalties for having these vulnerabilities, you’re in this really tight pinch where you’re getting hit more and more by problems, and you’re getting penalized heavier and heavier for having problems. But then, the tools that are the easiest to use to remediate that aren’t available to you.
I think that’s the risk. Are we playing defence at human speed while the offense is using machine speed? How do you keep pace?
Are we playing defence at human speed while the offense is using machine speed?
The hardware I buy today is at a massive premium because of the AI boom. If it takes longer for me to get it, by the time it lands in my data centre and in a rack, it may not be what I need to run the new model that’s coming.
There’s a real dilemma right now for organizations to figure out how to weigh into this. We don’t all have the VC funds to just throw it out there and say, ‘oh, well, I’ll go and get more.’
Are there any silver linings to stronger AI models in cybersecurity?
The quality of the reports coming from some of the AI tools means there’s less time needed to rebuild the vulnerability scenario. It’s actually getting a lot of high-quality development and QAs to spend more time fixing the issues rather than trying to replicate them.
A lot of the positive outcomes here should be that the supply chain gets more secure in time. The question is: just how egregious are some challenges that we face in the interim?
Does Canada need its own, sovereign Mythos?
I think a sovereign AI capacity, even a self-sovereign AI capacity, is something that we need to be talking about.
Sovereign AI capacity, even a self-sovereign AI capacity, is something that we need to be talking about.
It’s all part of the sovereign infrastructure discussion. There’s a lot of conversation around new data centres and new capacity, but are we considering LLMs and AI as a sovereign tech lead? There are some companies now in Toronto, Cohere is the best known, that are trying to do this from a Canadian perspective by taking models and training them more explicitly on Canadian data, on Canadian soil. But are we making those investments quickly enough?
When we have a sovereign infrastructure discussion, it always becomes, where do you start? Because this is a new and emerging area, is this not a logical place to make it sovereign out of the gate, as opposed to trying to stick the horse back in the barn after the fact?
When the general public votes with their feet and their wallets, things change. It creates an opportunity for Canadian businesses and ventures to thrive and ultimately create a tech legacy that should build the capacity of the country.
What is CIRA’s role here?
A lot of what we’re doing is in policy and advocacy. Part of the organization is looking at the regulations and laws that are coming down and providing recommendations around what to do from a privacy and security protection perspective.
This year is the first year in 10 years of us doing internet performance monitoring in Canada, where we saw the universal broadband minimums being met in Canada. If you think that we’re going to rely more and more on AI and cloud models, then we’re putting bigger and bigger stress on the internet pipes.
We talk deeply about big, extractive industries like oil and gas and lumber. But the pipes and connectivity that are required to get everybody online and connected to this wave of technology? A lot of that infrastructure is decades old. So, as a society, we have to decide if this is here to stay, and how does Canada own that connectivity?
It’s a complex thing. We are in a dual role of operating and also looking out for policy and frameworks from an international perspective. It’s a two-way street. What happens if you’re being hit by this technology and need to bring it forward, and what does it mean to make it accessible to Canadian businesses and to keep it Canadian?
Feature image courtesy CIRA. Photo by Jessica Deeks.