'Mythos-Induced Security Shock'... "Defending Against AI Attacks Requires AI"

원본보기 아이콘

"Anthropic's latest artificial intelligence (AI) model, 'Mythos,' has made a dramatic leap in reasoning capabilities compared to previous models. It utilizes every method available to autonomously formulate and validate hypotheses, much like a human. Mythos has surpassed existing security patterns, making it impossible for humans to respond to its attacks-only AI can respond," said Professor Choi Byungho of the Human-Inspired AI Institute at Korea University.

With Anthropic and OpenAI launching new projects to leverage the latest AI models in cybersecurity, the industry has been struck by a wave of AI-driven security shocks and is scrambling to formulate countermeasures. The Ministry of Science and ICT has urgently convened chief information security officers (CISOs) from major companies to review and strengthen AI cyber defense readiness.

According to the information and communications industry on April 16, a roundtable led by the Ministry of Science and ICT was held the previous afternoon, attended by CISOs from 40 major companies to assess current issues and discuss response strategies. Previously, Anthropic activated 'Project Glasswing,' a cyber security initiative providing its latest AI model, Mythos, to a select group of U.S. partners such as Google, Apple, Microsoft (MS), Amazon, and Nvidia. Mythos has demonstrated the ability to autonomously detect vulnerabilities-including operating system (OS) bugs undiscovered for 27 years-and to conduct sophisticated attacks, raising concerns about its potential misuse for hacking.

Choi Woo-hyuk, policy chief of Information Security Network Policy at the Ministry of Science and ICT, stated, "While Anthropic's latest AI model, Mythos, could become a corporate security defense tool, there is also concern that it could be used as a weapon for attacks. Therefore, we must further advance security at both the public and private sector levels." He added, "Although some believe Mythos's capabilities may be somewhat overestimated, we will take a balanced view, examine the matter thoroughly, and work to develop countermeasures."

Since April 14, the Ministry of Science and ICT has held emergency meetings with the three major telecom companies-SK Telecom, KT, and LG Uplus-as well as major platform companies such as Naver and Kakao, and the information security industry. On the previous day, it also held a series of roundtables with leading domestic information security firms. A ministry official explained, "As advanced AI models like Mythos continue to emerge, concerns have been raised that they could fundamentally change the cybersecurity paradigm. While U.S. companies are participating in Anthropic's Project Glasswing and no domestic firm is involved yet, we are reviewing the current situation to ensure that our security capabilities are sufficiently advanced to respond."

During the meeting, industry participants stressed the need for concrete verification of Mythos's performance and suggested that Korea should launch its own security projects similar to Project Glasswing. A CISO from the telecom sector who attended the meeting said, "Mythos's performance has not yet been officially released, and related reports are scheduled for July, so the private sector may face limitations in accessing information. It is necessary for the government to collect information at the national level and share it with the industry."

The industry is preparing for the potential spread of AI-driven attacks by reviewing proactive threat intelligence systems and upgrading security frameworks to adapt to evolving attack methods. Park Taehwan, Head of the Cyber Security Center at AhnLab, said, "Next-generation AI models can automate the entire process from vulnerability detection to attack scenario generation. Especially when the discovery of unknown vulnerabilities (zero-day) is combined with the creation of attack code, both the speed and scale of attacks could increase simultaneously." He emphasized, "To counter AI threats, it is essential to conduct proactive assessments of the corporate IT environment, focusing on areas where vulnerabilities are likely to accumulate, such as legacy systems, outdated software, and old open-source components."

Experts agree that both the public and private sectors must heighten their security vigilance and continuously monitor and update response systems in accordance with the security guidelines and recommendations provided by related agencies, such as the Korea Internet & Security Agency (KISA).

Kim Myungju, Professor of Information Security at Seoul Women's University, commented, "Mythos can generate code exploiting vulnerabilities it finds without human intervention and execute it autonomously, representing a significant security threat to businesses. Since the AI can learn from the knowledge of hundreds of hackers and launch attacks in a short time, it can uncover vulnerabilities even in areas previously considered safe." Professor Kim added, "The government should strengthen software vulnerability assessments and respond accordingly, actively communicate with and inform the industry in the event of AI hacking attacks, and also enhance tests for potential 'dual use' misuse of AI."

Yeom Heungnyul, Professor of Information Security at Soonchunhyang University, stated, "A governance system must be established and implemented at the national level. The government should objectively assess the true nature and capabilities of Mythos, and the industry should upgrade or adjust its countermeasures according to the model's capabilities."

Professor Choi Byungho of the Human-Inspired AI Institute at Korea University added, "It is necessary to establish comprehensive AI-based governance, from national security to social infrastructure and corporate security. Governance that defends against AI attacks with AI must be built rapidly, enabling AI to analyze attack signals and respond instantly, rather than relying on humans."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.