‘The Timeline Is Not Years, It Is Months’

In a rare joint statement, the Five Eyes intelligence alliance—the United States, Australia, the United Kingdom, Canada, and New Zealand—warned on Monday that the cybersecurity threats posed by advanced AI models are approaching a critical point.

“As the leaders of the Five Eyes cyber security agencies, we are united in our call to action: the evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead,” the alliance said in a joint statement signed by the intelligence chiefs of all five countries, including the United States’ David Imbordino, who leads the National Security Agency’s cybersecurity directorate, and Nick Andersen, who is the acting director of the Cybersecurity and Infrastructure Security Agency (CISA). “The timeline is not years, it is months.”

In the letter, the leaders say that developments in AI have been accelerating the “speed, scale, and sophistication of cyber threats” by lowering barriers for bad actors and shrinking the window between the discovery of a software vulnerability and its exploitation.

“Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility,” the letter reads. “Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.”

To help address the risks, the Five Eyes are urging leaders to limit unnecessary system access and external connectivity, avoid delays in patching vulnerabilities by prioritizing security updates, test response plans for potential breaches, strengthen identity authentication, and limit user access to critical systems. The group also urged organization leaders to integrate AI into their security operations.

“Organisations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents – reducing both the cost and impact of incidents,” the group wrote.

The statement comes at a tense time for cybersecurity. Earlier this year, Anthropic announced a new AI model called Mythos, which it said was so scary good at cracking software vulnerabilities that access could only be granted to select organizations and governments. Promptly after Anthropic’s limited deployment of its spooky new, allegedly privacy-shattering model, OpenAI came forward with a model of its own with similar premises.

According to reports from the few organizations that have gained access, the Mythos model is able to bypass Apple’s notoriously tough-to-crack operating system and completely take over a corporate system in six out of 10 attempts.

After announcing it had begun its long-awaited IPO process, Anthropic first expanded access to the Mythos model before releasing an allegedly safer defanged version to the public called Claude Fable 5. That model was not up for too long before the Trump administration intervened and forced Anthropic to suspend foreign nationals’ access to both Fable 5 and Mythos, citing national security concerns. The ban included all foreign nationals living in or outside of the United States, including the company’s own employees. To ensure compliance, Anthropic disabled access to both models for all users.

The anticipated impact of these next-generation AI models is quickly becoming a major topic of discussion in global politics. Last week, AI company chiefs like Anthropic’s Dario Amodei, OpenAI’s Sam Altman, and Google DeepMind’s Demis Hassabis were in attendance at the annual G7 Summit, taking seats at the same table as leaders of some of the most powerful governments in the world to discuss, among other things, the cyber risks of their models.

While new AI models continue to put pressure on cybersecurity agencies around the world, the United States is facing another crisis of its own. Shortly after President Trump took office in January 2025, the nation’s top cybersecurity agency, CISA, lost a third of its workforce to layoffs initiated by the administration.

Even though Trump was semi-responsible for the agency’s creation back in 2018 during his first term, he has since turned against it after officials refused to back his voter fraud claims in the 2020 presidential election that he lost to former President Joe Biden. In his second term, Trump has proposed more than $250 million in budget cuts to the organization.

Last month, the agency was also involved in a rather embarrassing cybersecurity incident in which investigative journalist Brian Krebs found that CISA had left information like plaintext usernames and passwords for internal systems on GitHub, possibly for about six months.

With AI models advancing rapidly and governments themselves admitting that they are proving to be a cybersecurity liability, it will be interesting to see how CISA, crippled under the Trump administration’s attacks, will respond to these threats. So far, things are not looking particularly great, especially if you consider a recent report that the agency just gained full access to the model only two weeks ago.