Anthropic PBC is limiting the release of its latest artificial intelligence model to a handful of major technology firms, warning that the system may be capable of powering cyberattacks if software makers don’t have a chance to test it against their own defences first.     

Anthropic said Tuesday that it’s forming an initiative called Project Glasswing with Amazon.com Inc, Apple Inc, Microsoft Corp, Cisco Systems Inc and other organisations. The companies will get access to the new Anthropic model known as Mythos so they can test it against their own products and hunt for vulnerabilities. The idea is that the group will collectively share findings with peers. 

The AI startup meanwhile has no plans yet to release Mythos to the general public. The company said it’ll use the findings from Project Glasswing to inform what guardrails must be in place for the technology. 

The arrangement reflects growing concerns among tech firms that more sophisticated models will be misused by criminals and state-backed hackers to hunt for flaws in source code and bypass cyber defences. AI technology already is being used to help enable cyberattacks. In one case, a hacker used AI tools to facilitate a breach affecting the Mexican government.

During Anthropic’s testing, its in-house security team found that Mythos Preview was capable of identifying and then exploiting vulnerabilities "in every major operating system and every major web browser when directed by a user to do so,” according to a blog post. The exploits weren’t "run-of-the-mill” either, the team said. In one case, it wrote a web browser exploit that chained together four vulnerabilities. 

Anthropic rival OpenAI has also previously stressed the growing cyber capabilities of its models and introduced a pilot program meant to put its tools "in the hands of defenders first.”

"We think this isn’t just Anthropic problem. This is an industry-wide problem that both private corporations but also governments need to be in a position to grapple with,” said Newton Cheng, who leads the cyber effort within Anthropic’s Frontier Red Team. "What we’re trying to do with Glasswing is give defenders a head start.”

Anthropic said it has discussed Mythos’s security-related capabilities with US officials, but declined to say which agencies. Cheng pointed to the company’s existing work with the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.

Mythos is a general-purpose AI model and was not specifically developed for cybersecurity purposes, Anthropic said. Yet, Mythos has already discovered a number of security issues, Cheng said, including a 27-year-old bug used in critical internet software. The AI system also found a 16-year-old vulnerability in a line of code for popular video software that automated testing tools had scanned five million times but never detected, Anthropic said. 

Dianne Penn, head of product management for research at Anthropic, said there are protections in place to ensure that members of Project Glasswing keep a tight grip on access to the Mythos model, but declined to share more detail for security reasons. 

The existence of Mythos was first revealed thanks to a leak late last month after a draft blog post was left available in a publicly searchable data repository. – Bloomberg