The world's most powerful cyberweapon is here. His name is Claude

You no longer need 100 North Korean hackers to take down the internet. AI can do the job. As usual, Norway is asleep at the wheel.

Anders Eidesvik · 6 min read

This article was first published in Altinget. Read more from Altinget here.

For those of us inside the AI bubble there has only been one topic of conversation this past month, and it is Anthropic's latest AI model Claude Mythos.

Claude Mythos is the most powerful AI model ever created. So powerful, in fact, that Anthropic chose not to make it available to the public. Instead, only a handful of select companies, along with US government agencies, have access to the model.

The reason Anthropic is holding Claude Mythos back, according to the company itself, is that the model is too dangerous to let loose in the wild. Claude Mythos has superhuman hacking abilities that can be used to attack just about any digital infrastructure.

This is not an AI company crying wolf to drum up hype for its own product. The UK's state AI institute (AISI) independently confirmed that the model cracked attack scenarios no model had managed before. Actors and companies that have been given access to the model — including Microsoft, Amazon and a handful of cybersecurity firms — also confirm that Claude Mythos has found vulnerabilities in their systems.

You may have noticed an unusual number of security updates for the apps you use this past month. That is because of Claude Mythos. The Firefox browser typically detects and patches around 20 security holes per month. Last month the number was 423. The same trend holds for many other companies.

Attack is the best attack

A major problem in IT security is the imbalance between offense and defense. It is far easier to attack a system than to defend it. As an attacker you can try 1,000 different attacks and miss with 999 of them. You only have to land once and you can do enormous damage.

A defender, by contrast, has to block every single attack. This imbalance is the reason we periodically see hacking attacks that cripple fairly important infrastructure, as happened with the student platform Canvas just a couple of weeks ago.

Until now, only humans have been involved in this war over digital security. Criminal hacking groups or state actors like Russia and North Korea field dedicated hackers who attack equally dedicated defenders inside the world's IT departments.

AI shifts the balance of power. Hackers can now spin up thousands of AI models that work in tandem to probe weaknesses in computer systems. This multiplies the hacking capacity of existing actors, and — perhaps even scarier — opens the door for entirely new actors to enter the fray with a bare minimum of expertise. We could end up in a world absurd enough that the Taliban hacks Sparebanken Vest.

Claude Mythos is also capable of discovering zero-day vulnerabilities. These are weaknesses or security holes that no one knows exist until someone exploits them. It is nearly impossible to defend against threats you don't know about. It is a bit like trying to defend your house without knowing there is a secret hatch in the wall that neither you, the architect, nor the builders were aware of.

What happens if the internet collapses overnight?

Imagine what would happen if all of Norway lost power overnight. Chaos would set in immediately. People would freeze in their homes, darkness would fall over the streets, and we would struggle to deliver critical public services.

The internet has become as critical as electricity. Our entire society is built on digital systems working as they should, all the time. If models as powerful as Claude Mythos become widely available, our digital infrastructure could buckle. We are not prepared for a world in which that is possible.

Let me be perfectly clear: I do not think Claude Mythos itself will cause this. Not yet. But Claude Mythos shows us just how formidable AI models can become at hacking. Maybe it works itself out, and each new model improves defensive capabilities more than hackers can exploit them.

But perhaps a day will come when a model is so strong that it amounts to a blitzkrieg attack that takes down the entire internet. And if China is the one to build the model, you can bet they won't be handing it to Western firms first.

Great-power games

A small consolation with Claude Mythos is that it has forced the US government to wake up and take regulation seriously. Until now, the Trump administration's stance and strategy on AI has been to push ahead with as little regulation as possible and let the AI companies run free.

Every attempt to put regulation in place has been brushed aside, and the administration went to war with Anthropic when the company chose to stand up to the Pentagon, which wanted free rein for Claude.

But not even Trump can ignore national security. The Pentagon understands the threat Claude Mythos represents. Unfortunately, that does not mean we will end up with good or sensible regulation. On AI too, the president has been incoherent and erratic.

Norway is asleep at the wheel, again

So how is the discussion going in Norway? Well, as usual, non-existent. With the honourable exception of Aftenposten, none of the country's biggest newspapers have written anything at all about Claude Mythos. This despite the fact that AI-driven hacking is likely to become the biggest threat to digital infrastructure going forward.

A bigger question is how we are going to secure our digital sovereignty going forward. Claude Mythos clearly demonstrates that anyone who does not build advanced AI models themselves ends up at the mercy of the great powers. If the US and American companies do not give us access to these models so we can patch our own systems, every new model risks catching us completely off guard.

It is similar to the issue with American weapons systems, where Europe is now discovering just how vulnerable we have become. Michael Riegler and Inga Strümke — the latter of whom I have a number of disagreements with — write very well about this dependence in the op-ed "No one is going to solve the problem of AI vulnerability for us".

This is not a tolerable situation. It is time for us to wake up in Norway and take AI seriously. A good first step would be to follow the UK and set up a Norwegian AI safety institute. The UK's AISI is the only European body that has been given access to Claude Mythos. Norway should be in that room too.
