US Cyber Agency Leverages Anthropic’s Mythos for Government Code Audits

0
4

Key Takeaways

  • The Cybersecurity and Infrastructure Security Agency (CISA) is employing Anthropic’s AI model Mythos to scan U.S. government code repositories for security flaws that could be exploited by foreign adversaries or cybercriminals.
  • The audits, conducted by CISA’s Attack Surface Evaluation team, have already revealed a substantial number of vulnerabilities, though the exact scope and severity remain undisclosed.
  • Anthropic, which has confidentially filed for a U.S. initial public offering, has experienced a strained relationship with the U.S. government, including a Pentagon supply‑chain risk designation after refusing to remove safeguards against autonomous weapons and domestic surveillance uses.
  • Despite the blacklist, the National Security Agency (NSA) has been using Mythos since April, reporting strong performance in classified testing environments.
  • The release of a public version of the model, dubbed Fable, triggered a White House demand to block foreign users, leading to a temporary global shutdown that was lifted last week.
  • The episode highlights growing governmental interest in powerful AI tools for cybersecurity, balanced by ongoing concerns over misuse, supply‑chain risks, and the need for clear policy frameworks governing AI deployment in national‑security contexts.

Introduction
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has turned to Anthropic’s artificial‑intelligence model Mythos to automate the auditing of government software. According to three sources familiar with the initiative, CISA is using Mythos to scan vast repositories of federal code for bugs that could be leveraged by foreign spies or cybercriminals. This move underscores a broader trend of federal agencies embracing advanced AI capabilities to bolster defensive cyber operations, even as the startup behind the model navigates a politically charged relationship with Washington.

Details of the Scanning Effort
The audits are being carried out by CISA’s Attack Surface Evaluation team, a specialized unit tasked with conducting digital security assessments and penetration‑testing exercises across government networks. One of the sources indicated that the team feeds Mythos with access to government code bases, allowing the model to autonomously identify potential weaknesses such as buffer overflows, injection flaws, or insecure configuration settings. The initiative represents a shift from manual code reviews to AI‑driven, continuous monitoring, aiming to increase both the speed and thoroughness of vulnerability detection.

Findings from the Audits
Two of the sources reported that the Mythos‑based scans have already uncovered “a large number of vulnerabilities,” although they declined to provide specifics regarding the type, quantity, or severity of the flaws discovered. Reuters was unable to determine precisely how much government code has been processed or whether any of the identified bugs have been patched. Nonetheless, the admission that significant issues have surfaced validates the utility of the AI model as a force multiplier for CISA’s limited human analyst resources.

Anthropic’s Corporate Background
Anthropic, the San Francisco‑based AI research firm behind Mythos, has confidentially filed for a U.S. initial public offering, signaling its intent to tap public markets while continuing to develop cutting‑edge language models. The company rose to prominence with its focus on AI safety and alignment, advocating for models that refuse to facilitate harmful applications such as autonomous weapons or mass surveillance. This principled stance has, however, placed it at odds with certain elements of the U.S. defense and intelligence communities.

Government Tensions and the Pentagon Blacklist
Relations between Anthropic and the U.S. government soured in February after the company refused to lift safeguards that prevented its AI from being employed for autonomous weapons or domestic surveillance. In response, the Pentagon issued a formal supply‑chain risk designation—a label traditionally reserved for foreign firms suspected of enabling espionage—to Anthropic. The designation threatened to restrict the company’s ability to do business with federal agencies. A federal judge blocked the blacklisting in March, easing the immediate strain but leaving the underlying policy disagreement unresolved.

NSA Adoption Amidst the Controversy
Despite the Pentagon’s risk label, the National Security Agency (NSA) has reportedly been using Mythos since April. According to earlier reporting by Axios and later corroborated by the New York Times, NSA analysts have tested the model in classified settings and praised its effectiveness at identifying and exploiting cybersecurity vulnerabilities. The NSA’s willingness to deploy Mythos suggests that, at least within certain intelligence components, the perceived operational benefits outweigh the formal supply‑chain concerns raised elsewhere in the government.

Release of Fable and the White House Intervention
In an attempt to broaden Mythos’s utility while addressing safety worries, Anthropic released a public version of the model called Fable, which it marketed as incorporating cybersecurity safeguards. The White House reacted swiftly, demanding that Anthropic prohibit foreigners from accessing Fable. This directive triggered a global shutdown of the model, preventing both domestic and international users from running the software. The restriction was lifted only last week after negotiations and technical adjustments addressed the administration’s concerns, highlighting the fragile balance between innovation, security, and geopolitical sensitivities.

Current Status and Ongoing Dialogue
As of early July, Mythos (and its public counterpart Fable) are again accessible to users worldwide, though the episode has left a lingering atmosphere of caution among government officials. Neither the NSA nor the White House has provided further comment on the matter, and Anthropic has not responded to Reuters’ inquiries about the CISA initiative. The episode underscores the ongoing negotiation between AI developers seeking to deploy powerful tools and policymakers tasked with mitigating risks associated with dual‑use technologies.

Implications for Government AI Adoption
CISA’s experiment with Mythos illustrates a growing appetite within federal cybersecurity units for AI‑driven code analysis, promising faster detection of flaws that could otherwise remain hidden for months or years. However, the controversy surrounding Anthropic’s model also serves as a cautionary tale: agencies must weigh the advantages of cutting‑edge AI against potential misuse, supply‑chain vulnerabilities, and the necessity of clear governance structures. The episode may prompt the development of more precise guidelines governing AI acquisition, usage rights, and oversight—particularly for models that possess offensive cyber capabilities.

Outlook
Looking forward, the intersection of AI and national‑defense cybersecurity is likely to deepen. Agencies such as CISA and the NSA will continue to evaluate models like Mythos for tasks ranging from vulnerability scanning to threat hunting, while policymakers refine frameworks that address both innovation and security. The outcome of this particular episode—where a temporary ban was lifted after diplomatic and technical engagement—may serve as a template for how future disagreements are resolved: through dialogue, transparent risk assessments, and adaptive policies that allow the government to harness AI’s strengths without compromising its strategic interests.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here