America's top cybersecurity agency is locked out of a powerful artificial intelligence model that can find and exploit network vulnerabilities at unprecedented speed, even as other government offices and dozens of private companies race to use it.
The Cybersecurity and Infrastructure Security Agency, which helps protect banks and power plants from cyber threats, does not have access to Anthropic's Mythos Preview model, according to two sources familiar with the situation. CISA was not included in Anthropic's restricted list of more than 40 organizations currently testing the tool.
The exclusion matters because CISA is supposed to be the federal government's frontline defense against cyberattacks. Industries it oversees are increasingly worried about AI-powered hacking campaigns, yet the agency responsible for warning them about threats cannot access the very technology that could help them understand the danger.
Anthropic withheld Mythos from public release precisely because of its power. The model can discover and weaponize security flaws faster than traditional hacking techniques allow. The company gave it only to vetted organizations committed to testing defenses, not exploiting them.
The roster of approved testers includes the National Security Agency, the Commerce Department's Center for AI Standards and Innovation, and numerous private firms. CISA is not among them. While Anthropic officials briefed CISA and Commerce on Mythos capabilities earlier this month, a briefing is not the same as hands-on access.
The timing raises questions about CISA's capacity to operate at full strength. The Trump administration has been trimming the agency's workforce and budget. CISA's acting director Nick Andersen recently told lawmakers the agency has fewer resources than needed. The administration proposed cutting as much as 707 million dollars from CISA's budget for the next fiscal year, and the agency has already shed more than a third of its staff.
National cyber director Sean Cairncross is working to negotiate broader access to Mythos for civilian agencies. The Treasury Department is also pursuing entry into the testing program. Neither CISA nor Anthropic responded to requests for comment on the current access situation.
Organizations that have gained Mythos access are using it primarily to find weaknesses in their own networks before adversaries do. That defensive posture is how the tool is supposed to work.
The broader concern is whether CISA will be able to fulfill its role as the hub for sharing threat intelligence across critical infrastructure sectors when it cannot access the latest tools shaping the AI hacking landscape.
Author James Rodriguez: "When the agency tasked with defending the nation's critical infrastructure gets left out of testing the most powerful hacking model ever created, something is clearly broken in how Washington is handling AI security."
Comments