Anthropic’s AI model Mythos, released on a limited basis, is reported to be too good at finding software vulnerabilities, and interest is growing in its impact on cybersecurity.
Now that the Mozilla Foundation, which provides the open-source browser Firefox, and global security company Palo Alto Networks have shared their experiences using Mythos, concerns over AI-driven threats appear to be growing.
Some say the threat from AI models such as Mythos will not be limited to security.
Bruce Schneier, a security expert and an instructor at Harvard University’s Kennedy School, drew attention by arguing in a recent column in The Guardian that Anthropic’s Mythos release shows AI could shake not only cybersecurity but also tax rules and regulatory systems.
He begins by being somewhat critical of Anthropic’s moves related to Mythos. Anthropic said it could not release the model because it was too dangerous, but he says the context around Anthropic needs a closer look. In his view, Anthropic may have withheld it because it is too dangerous, but it may also be because the company needs it for itself. Mythos has very high operating costs, he says, and Anthropic does not appear to have the capacity to release it to the public right now.
Even so, Schneier does not deny the threat itself that Mythos could bring. He said, "Not only Anthropic, but OpenAI and the latest generative AI, including open-source models, are getting better and better at finding and exploiting software vulnerabilities. Attackers will use this capability to break into critical systems around the world, plant ransomware, steal data, or take over systems. The world could become far more dangerous and unstable."
Defenders can, of course, also boost their capabilities with AI. Mozilla found and fixed 271 vulnerabilities in Firefox with Mythos. Schneier said, "In the future, AI automatically finding and fixing vulnerabilities will become a standard in the development process."
Schneier believes AI models like Mythos could threaten existing systems in broader areas beyond security.
He thinks the strong search, pattern recognition and reasoning capabilities used to analyse software can be applied to other systems with similar structures. To illustrate, he cited tax code systems as an example.
According to him, a tax code is not computer code, but it is a series of algorithms with inputs and outputs. Tax codes have vulnerabilities, called tax loopholes. There are also ways to exploit them, called lease strategies, and methods called tax avoidance strategies. In software, there are black hat hackers who maliciously find and exploit system vulnerabilities. In tax matters, lawyers and accountants play that role.
Schneier said, "Major investment banks will likely already be secretly working to exploit vulnerabilities using AI," and "They are feeding tax codes for all industrialised countries such as the United States and Britain into AI and telling it to find tax-saving strategies. No one knows yet whether the loopholes AI finds will be 10, 100 or 1,000. No one knows yet whether AI will be able to find more sophisticated ways to reduce taxes by cleverly linking tax laws across multiple countries."
He added, "If AI pours out countless tax-saving ideas, lawyers and accountants can pick those that can actually be used, legally justify them, and sell them to wealthy clients," and "As with tax codes, the same thing could happen in any complex regulatory system, such as environmental regulation or food safety regulation."
He also warned that the damage could be greater than AI finding software vulnerabilities.
He said, "Tax loopholes reduce government tax revenue, and regulatory loopholes allow the powerful to escape the rules. Software companies put out patches within days, but revising tax codes takes years. The process is political, and lobbyists block patches."
He added, "Just as the Industrial Revolution replaced human physical labour with machines, the AI revolution replaces human brain activity with machines. The tax systems, regulatory frameworks and security systems we have now are designed for human speed. They were not built to handle AI speed. Adapting to this is difficult, but there is no choice other than to do so."