InvestMarketplaceEquityNews
Is Anthropic's Mythos a cybersecurity breakthrough, or just 'criti-hype'?
Market Updates

Is Anthropic's Mythos a cybersecurity breakthrough, or just 'criti-hype'?

Fierce Network17d ago

  • Anthropic claims its Mythos security software is so powerful and dangerous that it will release it to only a few select partners

  • Is Mythos as dangerous as Anthropic claims? Or maybe it's an example "criti-hype"

  • AI hype and criti-hype make it much harder to discuss real benefits and costs

Tuesday was a good day to be afraid that the world was coming to an end. President Donald Trump was threatening to rain destruction on Iran, making World War III seem likely. And Anthropic announced Mythos, security software it claimed was so powerful and dangerous that it would release the tool to only a few select partners.

I was not afraid. The world has been on the verge of World War III my whole life. And Tuesday night is trash night for us, so if the world ended then, at least I wouldn't have to take out the trash.

As for Mythos -- maybe it is as dangerous as Anthropic claims. Or maybe it's an example of what Lee Vinsel, associate professor of science, technology and society at Virginia Tech, called "criti-hype."

What is criti-hype -- and why does it matter for AI?

Credit goes to my friend Cory Doctorow for introducing me to criti-hype, a word and concept he uses often in his writing, though it's not as well-known as the word and concept he himself coined.

Criti-hype is the other side of hype. Where hype makes glorious promises for the benefits of technology, criti-hype warns the technology is an existential threat. Hype and criti-hype serve the same goal: Give the people delivering the message money, and plenty of it, to either deliver on the promise or protect you from the threat. And if a new technology is powerful enough to pose a catastrophic danger, gosh, wouldn't it be great if you licensed that technology so it was working for you?

Vinsel cites several examples of criti-hype, including this outstanding example of sober science journalism:

AI traffics in both flavors of hype. Champions claim AI will give us eternal life, cure cancer or deliver fully autonomous self-driving telco networks (granted, two of these things are more important than the third). The most extreme warnings, meanwhile, claim that AI threatens to take all our jobs or kill everyone.

AI has real benefits and costs. At Fierce Network, we've written at length about AI's vast potential for telco network automation and customer service. AI is great for BSS/OSS and other back-office work. Agentic AI is potentially revolutionary, disrupting business the way the internet and mobile did.

And AI also carries real threats -- job displacement and driving down wages. AI drives a data center boom, bringing pollution, wasted power and water, and community backlash.

Both hype and criti-hype make it much harder to discuss real benefits and costs. You can't hear yourself think over the shouting.

What Anthropic claims about Mythos and Project Glasswing

Anthropic's Project Glasswing, announced Tuesday, smells like both hype and criti-hype.

Glasswing is an initiative comprising a dozen top companies in the tech industry: Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks "in an effort to secure the world's most critical software."

Anthropic explains: "We formed Project Glasswing because of capabilities we've observed in a new frontier model trained by Anthropic that we believe could reshape cybersecurity. Claude Mythos Preview is a general-purpose, unreleased frontier model that reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities."

The company continues, "Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout -- for economies, public safety and national security -- could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes."

Anthropic extended access to "over 40 additional organizations that build or maintain critical software infrastructure so they can use the model to scan and secure both first-party and open-source systems." And the AI provider will provide up to $100 million usage credits for Mythos Preview and $4 million in direct donations to open-source security organizations.

Anthropic concludes its short announcement with a rallying cry to the world to rise to the task of "defending the world's cyber infrastructure" against threats.

Cisco picks up the torch in a blog post signed by Anthony Grieco, SVP & chief security and trust officer: "Today, I'm proud to share that Cisco is joining the world's most critical cyber defenders to confront the most consequential shift in the history of our industry." Yipes!

Fortunately, we have the good gray New York Times to provide a calm perspective. What does the Times have to say?

Wow. That's a lot. I need to lie down a minute.

Analyst pushes back on Mythos hype

Mobile analyst Richard Windsor is skeptical. "The real danger from Mythos is that it does something really stupid, such as releasing corporate secrets or posting valuable source code online, as opposed to wiping out humanity," Windsor writes.

He continues, "Anthropic is pumping the hype yet again by stating that its Mythos model is so good that it is too dangerous to make it generally available, and it is only allowing a few pre-vetted companies to have access to it.

My guess is that the reality is that Mythos is in beta and is being soft-launched to a few trusted partners so that the kinks and bugs can be worked out of it before it goes on general release."

Both OpenAI's GPT-2 in 2019 and its o1 model were considered too dangerous to release, but were released anyway, and the world did not end. Neither model "was the huge leap forward in performance towards artificial superintelligence that was cited as the reason for making them so dangerous, but this commentary did help stoke hype, speculation and probably the ability to raise money," Windsor writes.

He made a prediction: "The net result is that right before the next time Anthropic needs to raise money, Mythos will be deemed to be safe and will be made generally available to anyone who wants it."

AI is useful and transforming business and "Anthropic has an edge in being more focused on the enterprise than on the consumer," Windsor says. He adds:

"Hence, I think this commentary is just more of the usual hype and that Mythos will be released when it is market-ready, as there is no chance of it commanding a robot army to wipe out humanity. In fact, it is more likely to do something irretrievably stupid that harms its user through data loss or a hack, and it is this danger that Anthropic is working on fixing."

What telcos should do about Mythos -- now and when it's available

What should telcos do? What they've been doing all along -- or what they should have been doing -- but more so: Maintain good security practices, with greater urgency.

"Telcos should treat security with the same rigor as other critical infrastructure enterprises, such as fintech or biotech," Roy Chua, AvidThink founder and principal analyst, told Fierce. Once Mythos becomes generally available, it should be used to review all critical and sensitive software soft code, using Mythos like other AI-powered analysis tools, including static and dynamic application security testing (SAST and DAST) and advanced vulnerability scanning. Lacking direct access to Mythos, at least in the short term, telcos will need to rely on security partners.

"Telcos not yet implementing best practices -- such as SBOM [software bill of materials] management, pre-check-in vulnerability scans and SAST/DAST -- must close these gaps immediately. Rapid adoption of these practices is essential to staying secure," Chua said.

And telco operators need to prioritize modernizing legacy software stacks, improving software supply-chain visibility and integrating cyber resilience into network strategies. "Rapid advancements in AI-assisted vulnerability discovery heighten the urgency for these steps," Chua said.

Telcos' limited access to Mythos will not put them at a competitive disadvantage, Jack Gold, founder and principal analyst of J. Gold Associates, told Fierce. Telcos already have major initiatives to find vulnerabilities on their networks, and they work with major security companies. Major telco providers, such as Ericsson, Nokia, Samsung and Cisco, have their own AI initiatives in security.

Glasswing and Mythos are focused on securing cloud infrastructure, he said.

And Anthropic's claim to have discovered a 27-year-old vulnerability in OpenBSD and multiple Linux kernel flaws should not be alarming. Software has always had built-in vulnerabilities, many undiscovered or undisclosed. "It's not surprising that there are vulnerabilities in old code," Gold said. "But just because there is a vulnerability doesn't mean it's easy to exploit."

Even though telcos are critical infrastructure providers, they should not seek direct access to Mythos and Glasswing, Gold said. They should let hyperscalers and Anthropic take the lead, at least at first.

Mythos will likely reach general availability eventually. When it does, telcos should be ready to put it to work alongside existing security tools. Until then, the advice from analysts is clear: don't wait for Anthropic's AI to save you. The work of hardening telco networks against AI-assisted attacks is already overdue -- and no amount of hype changes that.

Originally published by Fierce Network

Read original source →
Anthropic