CeSIA Calls for Emergency European Response Following Revelation of Claude Mythos’ Cyber Capabilities
By Arthur Grimonpont & Félix Dorn

Anthropic announced on Tuesday, April 7, the restricted launch of Claude Mythos Preview, an AI model capable of autonomously identifying thousands of vulnerabilities, including some classified as critical, across all operating systems and browsers. CeSIA welcomes the decision to keep this model from the public and urges national and European authorities to implement an emergency cyberdefense plan before such capabilities become widely accessible.
According to a detailed evaluation of the model published by Anthropic, Claude Mythos Preview identified thousands of security flaws unknown to developers within the digital infrastructure supporting power grids, hospitals, banking systems, and government administrations worldwide. Given the scale of these discoveries, Anthropic took the unprecedented step of not releasing the model to the general public. Instead, the company launched Project Glasswing, a private initiative designed to allow a dozen major American tech companies—including Apple, Google, Microsoft, and Amazon—to prioritize patching the flaws discovered in their systems. While forty additional organizations have joined the effort, no public agencies or European companies are currently included.
"Anthropic’s decision to delay the public release of its model should be welcomed. However, we must fear the upcoming publication of models with similar capabilities, which will likely occur in the coming months. Global IT systems are not ready to face the resulting tsunami of cyberattacks. We must use the remaining time to build a cyberdefense fortress equal to the threat."
— Charbel-Raphaël Ségerie, Executive Director of CeSIA.
Anthropic is not the only company developing models of this power. Its direct competitors possess—or will soon possess—systems with comparable capabilities and may choose to make them accessible, potentially nullifying Anthropic’s efforts to restrict the spread of its own model. Furthermore, different estimates suggest that open-source AI models are less than a year behind the most advanced private models. This means capabilities equivalent to Mythos could soon be accessible to everyone, including malicious actors, without any safeguards.
In the absence of common rules, competitive pressure drives each company to publish its models to avoid being left behind, a "race to deployment" whose consequences for IT security could be catastrophic.
CeSIA recommends that national and European authorities set up an urgent cyberdefense plan around three axes:
- Urgent Update of Official Cybersecurity Recommendations: Ensure strict application of these guidelines, particularly for critical infrastructure operators and their software supply chains.
- Build a Large-Scale European Vulnerability Detection Capability: Invest in sovereign vulnerability research that leverages the capabilities of the most advanced models, collaborating with leading industry firms where necessary.
- Establish a Binding Framework for Offensive AI Models: Mandatory notification, prior evaluation, and access restrictions for models with offensive capabilities must be established at European and international levels. This ensures that basic precautionary measures are no longer a competitive disadvantage but a standard.
April 14 correction: An earlier version of this release stated that Claude Mythos was able to "autonomously exploit thousands of critical flaws." This capability has not been demonstrated to date.

