U.S. Cyber Defense Agency Deploys Anthropic AI to Scan Government Software

0
3

Key Takeaways

  • The Cybersecurity and Infrastructure Security Agency (CISA) is employing Anthropic’s AI model Mythos to scan government code repositories for security flaws that could be exploited by foreign spies or cybercriminals.
  • This initiative highlights growing U.S. government interest in leveraging advanced AI for defensive cybersecurity, even as Anthropic faces a strained relationship with the White House.
  • Anthropic’s Mythos (and its public variant Fable) has demonstrated strong capabilities in identifying and exploiting vulnerabilities, prompting use by other agencies such as the National Security Agency (NSA).
  • A February dispute over Anthropic’s refusal to remove safeguards against autonomous weapons and domestic surveillance led to a Pentagon supply‑chain risk designation, which was later blocked by a court.
  • Subsequent releases of Mythos with added cybersecurity safeguards triggered a White House demand to block foreign users, causing a temporary global shutdown of the model that was lifted last week.
  • Despite the ongoing tension, CISA’s Attack Surface Evaluation team has already uncovered a large number of vulnerabilities through the Mythos‑based audits, though exact scope and severity remain undisclosed.
  • Neither Anthropic nor CISA have publicly detailed the initiative, and the NSA and White House have not responded to requests for comment on their use of the model.
  • The episode underscores the broader challenge of balancing AI innovation, national security interests, and ethical safeguards in government procurement and deployment of cutting‑edge technologies.

CISA’s Adoption of Anthropic’s Mythos for Government Software Audits
The Cybersecurity and Infrastructure Security Agency (CISA) has begun using Anthropic’s AI model Mythos to examine government code repositories for bugs that could be leveraged by foreign adversaries or cybercriminals. According to three sources familiar with the effort, the scanning is conducted by CISA’s Attack Surface Evaluation team, a unit tasked with performing digital security assessments and controlled hacking exercises across federal systems. The goal is to proactively identify weaknesses before they can be exploited, thereby strengthening the nation’s cyber defenses.

How Mythos Is Being Deployed Within CISA
Mythos functions as an automated code‑analysis tool that can rapidly sift through large volumes of software, flagging potential vulnerabilities such as buffer overflows, injection flaws, or insecure configurations. CISA’s Attack Surface Evaluation team runs the model against internal repositories, supplementing traditional manual reviews and static analysis tools. Two sources indicated that the audits have already uncovered “a large number of vulnerabilities,” although they did not specify the exact count, the nature of the flaws, or their severity levels. Reuters was unable to determine the total amount of code reviewed or the depth of the analysis performed.

Background on Anthropic’s Relationship with the U.S. Government
Anthropic, the San Francisco‑based AI startup behind Mythos, has experienced a turbulent interaction with federal agencies. In February, the company refused to remove certain safety safeguards that prevented its models from being used for autonomous weapons or domestic surveillance. In response, the Pentagon placed Anthropic on a formal supply‑chain risk designation—a label traditionally reserved for foreign firms suspected of facilitating espionage. The move was extraordinary because it targeted a domestic AI firm, reflecting heightened concerns about the dual‑use potential of advanced AI systems.

Legal Pushback and the Easing of Tensions
The Pentagon’s blacklist was challenged in court and blocked by a judge in March, which alleviated immediate restrictions on Anthropic’s ability to work with defense‑related entities. Following that ruling, the friction between the company and the government began to ease. Anthropic subsequently released a private version of Mythos that emphasized its strength in cybersecurity vulnerability detection and exploitation, a capability that attracted interest from other intelligence and defense components.

NSA’s Early Adoption of Mythos
Despite the earlier supply‑chain controversy, the National Security Agency (NSA) had reportedly been experimenting with Mythos as far back as April. Axios revealed that NSA analysts were testing the model in classified environments and were impressed by its proficiency in uncovering exploitable bugs. The New York Times later corroborated that NSA personnel had been using Mythos in secure settings, noting its effectiveness as a force multiplier for the agency’s cyber‑defense and offensive cyber operations.

The Release of Fable and the White House’s Foreign‑User Restriction
When Anthropic rolled out a public iteration of Mythos dubbed Fable, which included what the company described as cybersecurity safeguards, the White House suddenly demanded that the model prohibit foreign nationals from running it. This directive triggered a worldwide shutdown of Fable’s availability, disrupting users across academia, industry, and allied governments. The restriction was lifted only last week after negotiations and technical adjustments, though the episode underscored the sensitivity surrounding AI model distribution and national security considerations.

Statements from the Involved Parties
Anthropic did not respond to Reuters’ requests for comment on the CISA initiative. A CISA spokesperson said last month that they would look into whether any information could be shared about the Mythos‑based audits but did not reply to follow‑up emails. Neither the NSA nor the White House has publicly addressed questions regarding their use of Mythos or the ensuing restrictions, leaving many details of the arrangements opaque.

Implications for Government AI Procurement and Cybersecurity Strategy
CISA’s use of Mythos signals a broader shift toward integrating sophisticated AI tools into core cybersecurity functions. By automating vulnerability discovery, agencies hope to close the gap between the rapid pace of software development and the slower, manual processes traditionally used for security testing. However, the episode also highlights the challenges that arise when cutting‑edge AI capabilities intersect with policy concerns about misuse, export controls, and the protection of sensitive government data. The tension between fostering innovation and ensuring responsible deployment will likely shape future procurement decisions, oversight mechanisms, and the development of AI‑specific security standards across federal agencies.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here