transcript
Speaker 1:
[00:05] Last month, a group of computer researchers ran a test. They wanted to see whether artificial intelligence could hack an operating system called OpenBSD.
Speaker 2:
[00:16] So OpenBSD is an operating system, you know, like Windows or Mac OS. It's been around for a long time.
Speaker 1:
[00:24] Our colleague Bob McMillan covers cybersecurity. He says this operating system is considered very secure. It's survived decades of cyber attacks.
Speaker 2:
[00:33] It's kind of on the front of the Internet for many corporations. It's used in firewalls. So it's facing the hackers all the time. So it's a good project to look at because it's been battle tested, right? And it's had lots of time for people to look for bugs and report them and fix them and stuff like that.
Speaker 1:
[00:54] A software bug is a flaw in a computer program that causes problems or even a crash. Hackers try to find bugs because they can use them as a sort of door into an otherwise closed computer system. So in this experiment, researchers took the latest AI model from Anthropic, called Mythos, then let it loose on the software.
Speaker 2:
[01:18] They said, find us some bugs, and it found this bug. A guy named Niels Provos had written some code in 1998 and he made a mistake. Nobody noticed that mistake for over 27 years until Mythos took a shot at it.
Speaker 1:
[01:35] Wow. The bug Mythos found could have caused a serious problem, and it had sat there undetected by humans for nearly 30 years. So, what does this tell you about Mythos? Is it better at this than humans?
Speaker 2:
[01:54] I mean, you could sort of craft this narrative like, oh my gosh, they've had 27 years and no one saw it, and then AI found it. There are bugs that humans have missed that AI is able to find. I mean, that's a legit phenomenon.
Speaker 1:
[02:08] Anthropic, the company that made Mythos, said that the model was so powerful, it could, quote, reshape cybersecurity. And Mythos is just the beginning. Already, the cybersecurity world is struggling to keep up.
Speaker 2:
[02:22] AI models are getting very good at finding security vulnerabilities. The amount of bugs that are being found right now is skyrocketing, and people are freaking out because of that. Mythos has become the poster child for a phenomenon that I've been writing about for months, that people in the cybersecurity industry have been talking about for months, but with the Mythos release, it achieved critical mass.
Speaker 1:
[02:47] And what phenomenon is that?
Speaker 2:
[02:50] Well, the geeks call it the vulnerability Armageddon, but here at The Journal, we call it the bugmageddon.
Speaker 1:
[03:00] Welcome to The Journal, our show about money, business, and power. I'm Jessica Mendoza. It's Tuesday, April 21st. Coming up on the show, Bugmageddon and Cybersecurity's Race Against Time. Bob, I want you to back us up just a little bit here. What are AI models like Mythos actually doing that's different from how software bugs have been found in the past?
Speaker 2:
[03:44] So, there's like a real change going on in the way bugs are being found. In the olden days, it was kind of a very specialized knowledge. You'd have to kind of master this arcane computer science of how systems work.
Speaker 1:
[04:07] So, if a hacker wanted to find a bug that would get them into, say, the Windows operating system, they'd have to learn how Windows worked.
Speaker 2:
[04:16] Twenty-five years ago, there were a million bugs being found in the Windows operating system, and for that to happen, people had to really dig into the ins and outs of how the Internet interacted with Windows. But it required hours and hours of work for humans to achieve the level of mastery required to even be playing in the bug hunting game. AI changes all that, right? Like, AI can just look at all these bugs and kind of get to that level of mastery very quickly.
Speaker 1:
[04:50] And where AI hacking models shine most is speed. Eight years ago, the average time between a bug being found and a hacker using that bug in a cyber attack was 847 days.
Speaker 2:
[05:03] So a bug would be disclosed, two years would go by, and then it would start getting exploited on average. Now it's like within a day. It's not rocket science, but it takes time for a human to do it. You have to have a certain level of expertise. AI has absorbed all of that.
Speaker 1:
[05:23] There are some limitations with AI's abilities though. At least so far, AI doesn't really think creatively like people can.
Speaker 2:
[05:30] It's basically kind of repeating stuff that's already out there, so it's not going to be able to, as it stands now anyway, invent this whole new way of hacking systems.
Speaker 1:
[05:44] But Anthropic's Mythos is better at bug finding than any AI model that's come before it. The company announced the model earlier this month, and it said Mythos would be able to identify software vulnerabilities better than quote, all but the most skilled humans. Anthropic also said that the version it's been testing has already found thousands of vulnerabilities in every major operating system and browser.
Speaker 2:
[06:10] From the start, Anthropic was talking about it as very dangerous, you know, like we're not sure what to do with this, like who should get it?
Speaker 3:
[06:16] Anthropic has a new AI model so dangerous, they won't release it publicly.
Speaker 4:
[06:22] It could become a major hacking tool. This is a system that absolutely has slipped its bonds already, the company says, and as a result poses a threat.
Speaker 1:
[06:32] It seems like a lot of people have gotten worked up since Anthropic announced this.
Speaker 2:
[06:36] I mean, there's a lot of hype around AI right now, and when you hear about AI being too dangerous to be released, I think it's pretty natural to go, what's going on with this stuff? Is it systemic risk to our financial system? You know, is this going to open up all these back doors that hackers are going to be able to use to undermine confidence in the banking system?
Speaker 1:
[07:01] Imagine hospitals, banks and government and military websites being targeted by an AI hacker that can work faster and more aggressively than any human could. That's what Anthropic said it was trying to prevent. So to avoid the worst, Anthropic said it will only share Mythos with a limited pool of companies that make up much of the backbone of the tech world, like Amazon, Google, and NVIDIA. Anthropic says it has no immediate plans to release the program to the public.
Speaker 2:
[07:29] We only want to release it to a select group of entities. So they picked about 50 corporations and organizations and said, take a look at this, see what you can do with it.
Speaker 1:
[07:40] The idea is that access to Mythos could give those companies a head start against bugmageddon, allowing them to find the holes in their systems and patch them before hackers get their hands on Mythos.
Speaker 2:
[07:52] Hacking is very asymmetrical. If you are the hacker, you just have to find one way in to your target. You do something and it doesn't work, like no big deal, you know, you can try again. If you're a defender and you try to defend something and it doesn't work, you're hacked.
Speaker 1:
[08:09] Bob says that this approach, being cautious about who gets access to the AI model, tracks with Anthropic's narrative of being a responsible and safe AI company. But some AI experts aren't sure if Anthropic could pull off a wide release of something like Mythos right now anyway, because of data constraints.
Speaker 2:
[08:28] There is a question about whether they have enough compute to meet demand. A new model would require a lot of compute and would put some strain on something that they're already having some difficulty delivering, which is, you know, access to their services.
Speaker 1:
[08:45] However, other companies are also working on their own versions of this technology. Anthropic's primary competitors, OpenAI and Google DeepMind, have said they have similarly capable models in the works. There's no release date set for any of these models yet, but Bob says cybersecurity teams have their work cut out for them.
Speaker 2:
[09:06] Like, there's a lot of bugs out there, there's a lot of bugs in software, and right now, we're just at this point where they're all being revealed. So, these network defenders, they're all thinking about ways of being creative, about solving the problem, but they can tell the bugmageddon is coming.
Speaker 1:
[09:28] After the break, how cybersecurity experts are looking to a past panic to prepare for tomorrow.
Speaker 2:
[09:35] However you slice it, it's the Y2K problem for AI.
Speaker 1:
[09:53] In 1999, there was a big computer problem on everyone's mind, Y2K.
Speaker 5:
[09:59] Congress has set to the task of answering the question, will the Y2K computer bug bring about Armageddon?
Speaker 1:
[10:06] Well, Bob, for those of us who may not remember exactly.
Speaker 2:
[10:09] Wait, you're telling me you don't remember Y2K?
Speaker 3:
[10:12] Come on.
Speaker 1:
[10:13] That was the year I turned 12, Bob.
Speaker 2:
[10:15] Weren't you worried as a 12-year-old that the world was gonna self-destruct on New Year's Eve?
Speaker 1:
[10:20] I was just figuring out how to use an AOL account. Can you paint a picture of the Y2K bug phenomenon?
Speaker 2:
[10:29] Y2K happened after a few just amazing years of people writing software, and software taking over and doing all kinds of great things. Somebody took a look at their code and realized that when we entered the year in these programs, we should have given it more than two digits.
Speaker 1:
[10:55] Back then, programmers had given dates only two numbers for the year like 99 for 1999. But they realized that when the date rolled over into 2000, computers might read the double zero as the year 1900 instead.
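To make that concrete, here's a minimal sketch of the kind of two-digit-year logic that caused the Y2K problem. The function names are illustrative, not from any real pre-Y2K system; the point is that code which hard-codes the 1900 century misreads "00" and makes elapsed-time math go wrong at the rollover.

```python
def parse_two_digit_year(yy: int) -> int:
    """Interpret a two-digit year the way much pre-Y2K code did:
    assume the century is always 1900."""
    return 1900 + yy  # 99 -> 1999, but 0 -> 1900, not 2000


def years_elapsed(start_yy: int, end_yy: int) -> int:
    """Compute elapsed years from two-digit year fields."""
    return parse_two_digit_year(end_yy) - parse_two_digit_year(start_yy)


# Before the rollover, this works fine:
print(years_elapsed(95, 99))  # 4

# At the rollover, the math breaks:
print(years_elapsed(99, 0))   # -99, instead of the correct 1
```

Any calculation built on that date, such as interest accrued, an account's age, or an expiration check, inherits the error, which is why the fix required rewriting so much software rather than patching one spot.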
Speaker 2:
[11:12] There's a lot of software out there, financial institutions were using it, corporations were using it, and an astounding amount of code did not compute the year 2000.
Speaker 6:
[11:24] Everything from tax returns to social security could be a problem if old programming refuses to acknowledge the 21st century.
Speaker 2:
[11:34] People were worried about elevators freezing and the financial system melting down.
Speaker 7:
[11:41] Everyone here is waiting for the same thing, the stroke of midnight.
Speaker 2:
[11:46] I remember on New Year's Eve, like Y2K, I had like $5,000 cash in my pocket, just in case the ATMs didn't work for months.
Speaker 1:
[11:56] So with a clear deadline looming ahead, tech teams got to work.
Speaker 2:
[12:01] So they had to rewrite a lot of software so that it could understand the concept of 2000 and not 1900. So they worked like heck on this, and all these coders pulled like all-nighters and people working their butts off. And lo and behold, the year 2000 happened and the computers mostly ran. And so they did it.
Speaker 7:
[12:25] Emergency calls went through, the power stayed on, and we didn't go back into the dark ages.
Speaker 1:
[12:31] Thanks to all that grunt work by tech teams across the world, Y2K was famously a nothing burger once the clock struck midnight.
Speaker 2:
[12:39] In cybersecurity, we always talk about the awful things, the ransomware outbreaks and hacks and things like that. But occasionally, we do something right collectively. And Y2K was an example of when the world knew about a problem and worked really hard and averted disaster.
Speaker 1:
[13:01] Bob says the Y2K lesson is to take threats seriously as early as possible. Mythos, and the concerns about it, have helped sound the alarm about the danger that AI can pose in the wrong hands.
Speaker 2:
[13:14] I mean, the good thing about all of the attention that that release got is like boards are asking, what's the deal, right? And so they have to come up with plans. And what they're doing is they're trying to get faster at patching.
Speaker 1:
[13:31] A number of companies are rolling out initiatives to deal with it. And even the White House is spooked. The administration has announced that it's taking steps to prepare for the vulnerabilities that Mythos could bring to the surface, both in government and in the private sector. How worried should the average person be?
Speaker 2:
[13:53] If I was to give advice to somebody who's not a cybersecurity expert, I'd say, worry about your two-factor authentication. Worry about getting phished. I mean, there's a lot of fraud going on right now. This is a theoretical problem. Wait for the global worm. The other thing is, we're rolling out all kinds of AI-created software and AI systems and agentic systems and things like that, and people are going to start hacking all of that. So that actually might be a bigger worry than all these bugs in existing software that AI is finding. We're not talking about that as much as we're talking about Mythos right now.
Speaker 1:
[14:33] Bob, it sounds like this is eventually going to be an issue though. Is there going to be some kind of big global coordination to get on top of this the same way there was back when everyone was getting ready for Y2K?
Speaker 2:
[14:48] Well, I mean, that's what the Mythos announcement was, right? We're going to work with 50 companies that really are in the center of the world's infrastructure. So, I mean, yeah, that is happening right now, and there are other efforts under way. I mean, you could look at Mythos as sort of the beginning. There's like a real global effort right now to fix our software, which is actually a good thing.
Speaker 1:
[15:13] But the speed at which AI is advancing means this time, it's probably going to be less of a moment and more of a new reality.
Speaker 2:
[15:21] There is no end to it though. I mean, there's going to be like a point at which people are freaking out about it less, I think. But we just have to beat the hackers before they write the global worm that shuts everything down.
Speaker 1:
[15:38] So having said all that, Bob, where do we land on Mythos? Is it good marketing, genuine threat, fundamentally going to change cybersecurity, somewhere in between?
Speaker 2:
[15:48] I just don't think you need to credit Mythos with fundamentally changing cybersecurity. I mean, all of these LLMs and what they can do, they're all changing cybersecurity. No question about that. It's kind of interesting that people, the industry is sort of ahead of the curve on this one, right? So to me, it does feel like Y2K, one of those things where people are kind of aware of the problem ahead of time. They're thinking of sensible things to do to mitigate it. Beyond that, there may be unexpected consequences that nobody's seeing right now. That's really the thing that I would kind of worry about is like, what is the unexpected consequence of all of these systems rolling out?
Speaker 1:
[16:40] That's all for today, Tuesday, April 21st. The Journal is a co-production of Spotify and The Wall Street Journal. If you like our show, follow us on Spotify or wherever you get your podcasts. We're out every weekday afternoon. Thanks for listening. See you tomorrow.
Speaker 8:
[16:59] The Future of Everything is The Wall Street Journal's flagship live event, returning to New York City May 4th through 5th. Be there as CEOs, policymakers and innovators sit down with our journalists to answer the most pressing questions of the day. From finance, tech and economic policy to sports, streaming and style, we're bringing together today's most compelling newsmakers for two days of conversations on what's ahead. Listeners of this podcast can access exclusive discounted rates by visiting wsj.com/future. That's wsj.com/future.