Surge in Security Threats as Anthropic Unveils Next-Generation Security AI "Mythos"

Financial Authorities to Ease Network Separation Regulations for Security AI and SaaS

"Countering AI with AI" Policy... Proactive Defense System to Be Established Before Mythos Disclosure in July

[Exclusive] Financial Firms to Use Security AI on Internal Networks Amid 'Mythos Shock'

As the emergence of “Mythos,” the next-generation security AI model from U.S. artificial intelligence (AI) company Anthropic, has heightened cybersecurity concerns in the financial sector, the government is moving to dramatically ease network separation regulations by allowing financial institutions to use security-focused AI within their internal networks. This proactive response is based on the principle of “countering AI with AI,” aiming to address the threats posed by Mythos in advance. Due to the highly interconnected nature of payment, remittance, and authentication systems in financial infrastructure, there are concerns that if hackers use AI to identify and exploit vulnerabilities first, the entire financial system could be paralyzed.



According to financial authorities on May 7, the Financial Services Commission plans to announce measures within this month to allow financial companies to utilize generative AI for security purposes and security solution-type SaaS applications within their internal networks as exceptions to current network separation regulations.


A senior official from the Financial Services Commission stated, “From the perspective that AI attacks must be countered with AI, domestic financial companies need to establish AI-based defense tools,” adding, “We are reviewing various measures, including ways to allow the use of generative AI in the security sector.”


For over a decade, financial authorities have maintained strict network separation regulations—completely isolating internal computer networks from external access—to prevent hacking incidents. Recently, cloud-based office management and work support services have been permitted for use within internal networks, but external generative AI services such as ChatGPT remain prohibited. However, following the emergence of Mythos last month, concerns have quickly spread within the authorities that the existing network separation system alone is insufficient to defend against sophisticated AI-based cyberattacks.


Mythos is a high-performance security AI model that analyzes complex software (SW) structures to identify security vulnerabilities and attack paths in a short period of time. Industry experts believe that if this model is exploited to generate attack code or design penetration scenarios, the magnitude of cybersecurity threats could fundamentally change. In particular, financial systems have a structure where outdated IT systems, built over decades, are intricately interconnected with various external integration functions. There is significant fear that if AI rapidly uncovers hidden flaws that humans cannot detect and hackers exploit them, the entire financial network could be disrupted simultaneously.


The financial authorities have set July—the month when security vulnerability information discovered by Mythos is scheduled to be fully released—as the “deadline” and are rushing to develop countermeasures. The rationale is that financial companies must establish a “proactive defense system” by using security AI to preemptively identify and rapidly patch weaknesses in their internal systems.


Yeom Heungyeol, Professor of Information Security at Soonchunhyang University, said, “Mythos is a cybersecurity-specialized AI model that quickly finds vulnerabilities and generates exploit code. Operating an AI that can detect vulnerabilities within internal systems would allow organizations to patch and respond to them proactively, before an attack occurs.”


Accordingly, financial firms are expected to first adopt proven security AI and SaaS solutions immediately after the network separation regulations for AI are eased, and then gradually build systems to respond to ultra-advanced AI like Mythos in the future. For example, they could use Anthropic’s security AI model Claude Opus to address internal vulnerabilities first, and then use Mythos to further enhance their defense systems. A security expert at a major commercial bank suggested, “It is important to gradually relax regulations while managing risks through mechanisms such as the regulatory sandbox system.”


However, financial authorities are drawing a clear line against fully allowing generative AI for non-security purposes. Since the risks of personal data leaks and the external transmission of sensitive information persist, the plan is to open up AI use in the security sector first in a limited manner, and then expand the scope of AI applications in the financial sector step by step.



An official from the financial authorities said, “As designating innovative financial services requires case-by-case review, we are considering separate institutional improvements regarding the relaxation of network separation regulations for security AI,” adding, “The specific methods for easing regulations will be finalized after further discussions.”


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
