Stress on organisations to patch vulnerabilities a ‘major concern’ for NCSC’s Joseph Stephens.
The European Commission and several EU member nations, including Ireland, are in talks with Anthropic, over Mythos, as states worldwide scramble to protect their vulnerable critical infrastructure from cyber risks.
“We’ve had direct contact with them,” the National Cyber Security Centre’s (NCSC) director of resilience Joseph Stephens told SiliconRepublic.com, referring to Anthropic, whose European headquarters are based in Ireland.
“But we’re working through the European system because there’s more strength in having a coordinated approach,” he added.
Mythos sent shockwaves through the industry following its limited launch to select big businesses a month ago. Anthropic’s move received much praise from experts, including from Stephens, who called on other frontier AI model providers to do the same.
Is control out of bounds?
Mythos’ development, Anthropic claims, was not intentional, but merely the result of a “downstream consequence of general improvements in code, reasoning and autonomy”.
And undoubtedly, states don’t wield much power when it comes to controlling technological advancements or managing how it is disseminated – at least initially.
The growing concern around AI-induced cybersecurity risks is by no means restricted to Mythos. Put together, these factors create a difficult environment for legislators as they attempt to catch up to new innovations in this space propping up faster than ever before.
“We have to recognise what the Irish state can and cannot do,” Stephens said. “We can’t stop a company like Anthropic based in the US from releasing or not releasing a model.”
Mythos’ launch created such a ripple that the NCSC – for the first ever time – released a statement on a specific product release.
Meanwhile nations worldwide, including the US, UK, Canada and Japan, were quick to invite Anthropic to discussions to potentially employ the model to bolster their critical infrastructure security.
However, governments and big businesses aside, start-ups and SMEs with limited resources to bolster their cybersecurity are particularly at risk.
“The major concern here right now is the stress that [Mythos] may place on organisations who are now going to have to patch all of their digital products and services,” Stephens said.
But ironic as it is, AI does come in handy for situations such as these.
Will the EU AI Act help?
Stephens called for a joint effort between states to come up with a common regulatory approach around such models.
“The AI Act allows us to ensure that products that come onto our marketplace are done in a secure and a safe way,” he said. “Europe has really pushed forward with the AI Act…[but] we can’t regulate our way out of it.”
The line between regulating and stifling innovation is one that the EU is arguably still in search for.
It is attempting to remedy some of this over-regulation by way of a simplified and consolidated set of rules. Earlier this month, the bloc adopted new provisional rules on the AI Act.
The AI Act applies to businesses that sell into the EU, or if the AI output is used in the EU. The landmark regulation attempts to balance managing the risks of this technology while letting the EU benefit from its potential.
According to law expert Dr TJ McIntyre, it is possible to regulate models such as Mythos with extraterritorial effect, but only if they are sold into the EU or if their outputs are sold into the region.
McIntyre is an associate professor in the Sutherland School of Law at University College Dublin.
“It’s not clear that the AI Act would apply if Mythos is geo-restricted for use outside the EU,” he explained.
However, the Act is “designed to address ‘offensive cyber capabilities, such as the ways in vulnerability discovery, exploitation, or operational use can be enabled’ as a type of systemic risk,” he said. So, “In theory”, the EU could take action under the AI Act.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
