No, Mythos is not the end of computer security: it is its evolution in AI sauce

When Mythos, Anthropic's new cybersecurity model, was unveiled last month, panic ensued, and evidently the dust has not yet settled if Frank Elderson, ECB board member vice-chairman of the Banking Supervisory Board, told the Financial Times that he will hear from European banks on Tuesday to find out what their thoughts are on the subject of security in times of AI. The fear is that these tools will 'breach' the protection standards currently in use, but things are different. Mythos is just one of the AI systems under development. OpenAI and Microsoft announced Daybreak and Mdash a few days ago, several Chinese security companies have followed suit, and many others will follow, radically changing the scenario of how computer security will be done. The speed at which attacks will develop will overwhelm the ability of humans to respond, but at the moment, as Sandra Joyce, VP of Google Threat Intelligence, also confirmed during an interview, AI attacks are few, predictable and hardly dangerous. The problem shifts to the future, when criminals will be able to orchestrate and automate entire attack campaigns with AI, but it will take time, and if the defence is structured properly, a massacre is not expected. Already today, there are principles of defence that can protect companies from AI attacks, because AI attacks will be fast, numerous, but not magical. The concept of Zero Trust coupled with Advanced Threat Control (ATC), as Bitdefender researcher Martin Zugec points out, already identifies everything an attack can do, and in a blopost he says that just as Zero Trust is a security principle widely applied to networks, applying it to processes on computers is enough to have a very powerful weapon: if a process starts making unexpected network connections, accessing files it has no reason to touch, or executing code from memory without a corresponding file on disk, it deserves to be closely examined, regardless of its origin.

Of course, to this must be added that the security infrastructure of companies must also have a solid foundation. One of the issues Frank Elderson is concerned about and wants to talk to banks about is that with the new AI systems, criminals can analyse security patches that fix vulnerabilities and create a way to exploit them in a matter of hours instead of weeks. But this is a false problem: already with the current tools available to everyone, a patch can be analysed within minutes. Banks and companies must already be able to install fixes within a few hours (preferably less than one) of their release if they do not want to risk compromise. And without using special AI models. We need to be prepared, we need specialised AI models for computer security to be made available to European companies, but the apocalypse today is not called Mythos.