Why in the News?
The Government has formed a panel under the SBI Chairman to assess risks emanating from the AI platform Mythos.
What is Mythos
- Mythos (officially Claude Mythos) is a generative artificial intelligence (Gen AI) model developed by Anthropic.
- It possesses advanced capabilities to:
  - Autonomously scan large codebases for exploitable weaknesses.
  - Chain multiple low-severity vulnerabilities into high-impact attack paths.
  - Develop exploits faster than organisations can patch them.
- It is designed primarily for defensive cybersecurity tasks and identification of "zero-day" vulnerabilities (previously unknown software flaws).
- During its preview, Mythos uncovered "thousands" of major vulnerabilities across every major operating system and web browser.
- Due to its advanced capabilities and potential risks, its access is currently limited to roughly 40 organisations globally under Project Glasswing, including Amazon, Google, and Nvidia, as well as major US banks.
- China has also developed its own version of Mythos, called Qihoo 360.
What makes Mythos more dangerous than previous AI models?
- Advanced "Agentic" Behavior and Attack Chaining: It can independently detect and exploit unknown vulnerabilities (zero-days), combining multiple flaws to bypass security and gain high-level access across major operating systems and web browsers.
- Lowering the Barrier to Cybercrime: The model allows non-experts, or individuals with no formal security training, to successfully execute sophisticated cyberattacks.
- Overloading Cyber Defenders: It can find thousands of vulnerabilities within hours, overloading defenders as traditional patching systems may not fix weaknesses quickly enough.
- Critical infrastructure risk: Banking, power, and telecom systems are particularly exposed when attackers can generate tailored exploits.
- Severe Threats to the Global Financial System: The banking sector is highly vulnerable due to interconnected networks and legacy IT systems, where an AI-driven cyberattack could rapidly spread across domestic and global institutions.
  - E.g., NPCI's UPI processes billions of transactions, and any breach could paralyse digital payments.
- Systemic and Geopolitical Instability: Models like Mythos turn AI cyber risks into real threats, raising concerns over digital infrastructure, economic stability and weak global coordination on AI safety standards.
Government's Response to Mythos threat
- IT Ministry set up the AI Governance and Economic Group, an inter-ministerial body, as the apex mechanism for coordinating AI policy and governance framework.
- India is in active talks with the US administration and Anthropic to secure access to Mythos under Project Glasswing, as no Indian firm is currently among the ~40 organisations in the programme.
- Banks to report suspicious incidents to CERT-In immediately.
Way Forward
- Indigenisation of critical software systems: It offers sovereign control over systems and the pacing of their updates, which can be aligned with India's threat landscape.
- AI vs. AI Defence Architecture: Deploy AI-driven detection and response systems to counter AI-enabled attacks at machine speed.
- India must invest in domestic AI security research to build independent capacity for evaluating frontier models.
- Legacy System Modernisation: Accelerate core banking system upgrades, reducing dependence on vulnerable legacy platforms.
- International Cooperation: Strengthen bilateral and multilateral cybersecurity treaties and information-sharing mechanisms with the US, EU, and like-minded nations under frameworks such as the Quad Cyber Working Group.
- Public-private coordination: Coordination between MeitY, CERT-In, NPCI, and telecom operators should be institutionalised.