Pressure on organizations to de-risk is NCSC’s Joseph Stephens’ ‘biggest concern’.
The European Commission and several EU member states, including Ireland, are in talks with Anthropic, about Mythos, as states around the world seek to protect their vulnerable infrastructure from cyber threats.
“We’ve been in direct contact with them,” National Cyber Security Center’s (NCSC) director Joseph Stephens told SiliconRepublic.com, referring to Anthropic, whose European headquarters are based in Ireland.
“But we are working with the European system because there is more power in having a systematic approach,” he added.
Mythos sent shockwaves through the industry following its limited launch to select large businesses last month. Anthropic’s initiative received high praise from experts, including Stephens, who called on other providers of frontier AI models to do the same.
Is control out of bounds?
The development of the Mythos, Anthropic claims, was not intentional, but simply the result of “the side effects of the general development of code, thought and autonomy”.
And arguably, states don’t have much power when it comes to controlling technological development or controlling how it’s distributed – at least initially.
The growing concern about cybersecurity risks posed by AI is not limited to Mythos. Combined, these factors create a difficult environment for policymakers as they try to innovate in this space that is rising faster than ever.
“We have to see what Ireland can and can’t do,” Stephens said. “We cannot stop a company like US-based Anthropic from releasing or not releasing a model.”
The launch of the Mythos caused such a stir that the NCSC – for the first time – issued a statement on the release of a specific product.
Meanwhile countries around the world, including the US, UK, Canada and Japan, are quick to invite Anthropic to discussions that could use this model to strengthen the security of their critical infrastructure.
However, governments and large businesses aside, start-ups and SMEs with limited resources to strengthen their cyber security are particularly vulnerable.
“The biggest concern here right now is pressure [Mythos] they can put organizations now having to outsource all of their digital products and services,” said Stephens.
But ironically, AI helps in situations like this.
Will the EU AI Law help?
Stephens called for a joint effort between states to come up with a common regulatory approach to such models.
“The AI Act allows us to ensure that products entering our markets are made in a safe and secure manner,” he said. “Europe has really moved forward with the AI Act…[but] we cannot control our way out of it.”
The line between regulation and stifling innovation is one the EU is no doubt still seeking.
It attempts to remedy some of these over-regulations in the form of simplified and consolidated regulations. Earlier this month, the bloc adopted new interim rules on the AI Act.
The AI Act applies to businesses selling in the EU, or if the AI output is used in the EU. The landmark legislation tries to balance managing the risks of this technology while allowing the EU to benefit from its strengths.
According to legal expert Dr TJ McIntyre, it is possible to control models like Mythos with external effect, but only if they are sold in the EU or if their products are sold in the region.
McIntyre is an associate professor at the Sutherland School of Law at University College Dublin.
“It is unclear whether the AI law will apply if Mythos is banned from use outside the EU,” he explained.
However, the Act is “designed to address ‘offensive cyber capabilities, such as methods of vulnerability detection, exploitation, or unauthorized use’ as a form of systemic risk,” he said. Therefore, “In theory”, the EU could take action under the AI Act.
Don’t miss out on the information you need to succeed. Sign up for Daily BriefSilicon Republic’s digest of must-know sci-tech news.
