British businesses are being urged to take immediate action in response to a new generation of experimental frontier artificial intelligence models that are rapidly developing the ability to discover and exploit software vulnerabilities. The warning comes from the UK government, which is signaling a fundamental shift in the cybersecurity landscape.
In an open letter addressed to Britain's business leaders on April 15, technology secretary Liz Kendall outlined the changing nature of cyber threats. She stated that the most serious cyber attacks have historically relied on a small number of highly skilled criminals, but that dynamic is shifting. Kendall emphasised that AI models are now becoming capable of performing tasks that previously required rare expertise, such as finding weaknesses in software, writing code to exploit them, and doing so at a speed and scale that would have been unimaginable even a year ago.
This stark assessment follows the recent debut of Anthropic's frontier model, Mythos, and its accompanying Project Glasswing. The project is designed to give some of the world's largest technology companies a head start in addressing vulnerabilities that the model can supposedly uncover. Kendall revealed that the UK's AI Security Institute (AISI), operated by the Department for Science, Innovation and Technology (DSIT), has been rigorously testing the capabilities of Mythos.
The AISI found that Mythos is substantially more capable at cyber offence than any model previously assessed. According to the institute, frontier model capabilities are now doubling every four months, a sharp acceleration from the eight-month doubling time observed in the recent past. This acceleration is seen as a critical factor in the evolving threat landscape.
Kendall noted that this finding is significant not only for what it means today but also because it highlights the speed at which AI capabilities are increasing and the threats they potentially pose. She pointed to OpenAI's announcement of scaling up their Trusted Access for Cyber programme, indicating that AI's accelerating impact on cybersecurity is not isolated to a single company, and that more are expected to follow. The trajectory is clear, and Kendall stressed the necessity for preparedness as frontier AI model capabilities are expected to increase rapidly over the next year.
The UK government is not standing still in response to this threat. Kendall highlighted the opening of the AISI two and a half years ago, which she described as now possessing the most advanced capabilities anywhere in the world for understanding frontier AI models. More broadly, the National Cyber Security Centre (NCSC) continues to develop practical guidance for user organisations. The upcoming Cyber Security and Resilience Bill and the National Cyber Action Plan, soon to be published, are also expected to move things in the right direction.
However, Kendall emphasised that government action alone is insufficient. Every business in the UK has a part to play, she said. Criminals will not only target government systems and critical infrastructure; they will target ordinary companies of every size in every sector, as attackers go where defences are weakest. She urged business leaders and board members to ensure they are regularly discussing cyber risks and not delegating such matters solely to IT teams. She encouraged signing up to the Cyber Governance Code of Practice for those who have not already done so, while smaller businesses can take advantage of the NCSC's Cyber Action Toolkit. All businesses should also be planning and rehearsing incident response practices and considering taking out cyber insurance.
Kendall pointed businesses towards the Cyber Essentials certification scheme to help them establish basic security policies and procedures. She additionally highlighted resources provided by the NCSC, notably its Early Warning service, and by regulators for regulated sectors. We are entering a period in which the pace of technological change may test every institution in the country, she stated. The businesses that act now, that treat cybersecurity as an essential part of running a modern company rather than an optional extra, will be the ones best placed to thrive through it and seize its advantages.
The warning comes against a backdrop of increasing investment in AI research and development by both state and non-state actors. The UK's AISI has been at the forefront of evaluating these models, and its findings underscore the dual-use nature of such technology. While AI can be a powerful tool for defense, its offensive capabilities are advancing at a pace that challenges traditional cybersecurity frameworks. The AISI's testing of Mythos reportedly included simulating real-world attack scenarios, where the model demonstrated an ability to autonomously identify zero-day vulnerabilities and craft exploit code, a task that previously required extensive manual effort by skilled penetration testers. This development is particularly concerning for small and medium-sized enterprises (SMEs), which often lack the resources to deploy sophisticated cybersecurity measures. The government's call to action aims to level the playing field by encouraging widespread adoption of baseline security practices.
Historically, cybersecurity has been a reactive field, with organisations patching vulnerabilities after they have been discovered. The advent of AI-powered offensive capabilities demands a proactive approach. The UK government's strategy includes not only guidance but also legislative measures, such as the Cyber Security and Resilience Bill, which is expected to impose stricter requirements on critical infrastructure operators. The National Cyber Action Plan will outline further steps to bolster the nation's cyber defenses, including investment in AI-driven defensive tools and workforce development. These measures are part of a broader effort to ensure that the UK remains resilient in the face of rapidly evolving threats.
The impact of this shift is already being felt across sectors. Financial services, healthcare, and energy are particularly vulnerable, as they rely heavily on digital infrastructure and handle sensitive data. The NCSC has reported an increase in AI-related cyber incidents, including automated phishing campaigns and complex ransomware attacks. The government's emphasis on board-level engagement reflects an understanding that cybersecurity is no longer merely a technical issue but a business-critical risk that requires strategic oversight. By urging business leaders to treat cybersecurity as an essential component of running a modern company, Kendall is signalling a cultural shift in how organisations should perceive and respond to these threats.
In addition to the immediate guidance, the government is investing in long-term resilience measures. This includes funding for AI research initiatives that focus on defence mechanisms, as well as collaboration with international partners to establish norms and standards for AI in cyberspace. The development of the AISI itself is a testament to the UK's commitment to staying ahead of the curve. As AI capabilities continue to accelerate, the need for continuous monitoring and adaptation becomes ever more critical. Businesses that fail to act now risk being left vulnerable to attacks that could have been mitigated with basic precautions. The government's warning is clear: the time for complacency is over, and proactive cybersecurity is essential for survival in the digital age.
Kendall's letter also referenced the global nature of the threat, noting that similar capabilities are being developed by actors around the world. The UK is not alone in grappling with these challenges, but its proactive stance in testing and regulating frontier models positions it as a leader in the field. The upcoming Cyber Security and Resilience Bill is expected to set a precedent for other nations to follow, potentially driving a global standard for AI safety. In the meantime, individual businesses must take responsibility for their own security posture, leveraging the tools and guidance provided by the NCSC and other bodies. The path forward requires a collective effort, with government, industry, and academia working together to address the challenges posed by AI-powered cyber threats.
Source: ComputerWeekly.com News