As concerns grow that Anthropic's new AI model, Claude Mythos, could be exploited for cyberattacks, the Japanese government is moving to utilize AI for security checks on information systems in both the private and public sectors.
Mythos is a high-performance AI that surpasses previous models in identifying software vulnerabilities. While it can be beneficial for security assessments, if it falls into the hands of hackers, it could be used to discover unknown security flaws known as "zero-day" vulnerabilities. In tests conducted by the UK's Artificial Intelligence Security Institute (AISI), the model successfully extracted desired information approximately 70% of the time. Anthropic names its AI models after literary terms, with Mythos meaning "myth" in ancient Greek.
On May 18, the Nihon Keizai Shimbun (Nikkei) reported that the Japanese government would discuss measures related to Claude Mythos at an inter-agency meeting. The plan includes requiring information system providers to conduct vulnerability assessments using AI, establishing cybersecurity guidelines for businesses, and creating a framework for information sharing between the government and local authorities. The meeting is chaired by Digital Minister Naoki Matsumoto and includes participation from the Ministry of Economy, Trade and Industry, the Financial Services Agency, the Ministry of Health, Labour and Welfare, and the Ministry of Land, Infrastructure, Transport and Tourism.
Due to concerns about misuse, Anthropic has limited access to Mythos to around 50 companies and institutions primarily based in the United States. This group reportedly includes major tech firms like Google, Apple, and NVIDIA, as well as cybersecurity company CrowdStrike. The AI Safety Institute in Japan has also sought access to Mythos but had not secured it as of early this month.
Conversely, organizations already using Mythos have reported significant results. The Mozilla Foundation, which supports the Firefox browser, announced that Mythos identified 271 vulnerabilities in the latest version of the browser. Given that Firefox typically reports 10 to 20 vulnerabilities per month, this represents a substantial increase in productivity. While Anthropic plans to expand its offerings beyond the U.S., the American government opposes widening access for security reasons, leaving Japan's ability to secure access uncertain.
The Japanese government has been considering broadening the scope of its preparations related to Mythos from the financial sector to encompass all critical social infrastructure. Japan's three largest banks have already secured access to Mythos for system safety checks, and the government intends to expand the assessment to 15 critical infrastructure sectors, including finance, information and communications, power, water, gas, airports, railways, healthcare, and administrative services.
The guidelines are expected to include procedures for identifying and addressing system vulnerabilities using high-performance AI, as well as operational methods for cybersecurity frameworks. Companies unable to use Mythos will be instructed to utilize other AI tools for vulnerability assessments, and products with identified vulnerabilities will need to be patched and reissued.
The scope of these assessments will not be limited to private enterprises. Information systems of central and local governments will also be included in vulnerability checks. The government plans to gather information related to AI-based cybersecurity defenses at the National Cybersecurity Headquarters and will explore how to utilize AI when handling highly confidential information. A system for public-private information sharing will be established in collaboration with AISI, and cooperation with AISI institutions in major countries like the U.S. and the U.K. will be pursued.
Service providers responsible for essential societal functions, such as power companies, telecommunications firms, railway and airport operators, hospitals, and financial institutions, will also be subject to these checks. The Japanese government will request that these providers' management teams ensure security system assessments and secure necessary budgets and personnel, urging them to prepare for potential disruptions to product or service supply due to cyberattacks.
The controversy surrounding Mythos highlights both the risk of AI being used as a tool for cyberattacks and the reality that defending against such attacks without AI is increasingly challenging. The Japanese government's requirement for system providers and critical infrastructure operators to conduct AI-based assessments reflects a shift in cybersecurity focus from human checks to continuous AI monitoring.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.
