- UK cybersecurity watchdog warns of patch wave.
- Strain likely on ‘critical’ projects little-funded by users.
- Anthropic’s pronouncements over Mythos the likely instigator.
The UK’s National Cyber Security Centre (NCSC) has warned of a ‘ patch wave’ that’s likely to hit developers as large language models are put into use finding bugs and issues that could potentially affect software in common use.
The Centre has said that organisations should identify and patch any internet-facing attack surfaces, and “work inwards” to cloud instances and on-premise assets, hot-patching where possible, letting automated updates happen, or when neither is viable, at least reassess their processes so they can support “frequent and scaled-updating.” Companies should have a general ‘update by default’ policy, the Centre advised.
At least in partial response, the UK’s biggest employer, the National Health Service, is reported to have instructed developers to set GitHub repos to private to mitigate against code scanning by malicious bug-hunters using AI, despite the constant ingestion by large language models of public code, such as that published by the NHS, over the last four years.
Speaking to The Register , the NHSX’s previous head of open technology, Terence Eden, said, “Closing now doesn’t meaningfully protect you.”
The announcement by Anthropic of its Mythos model has led many to believe that the company’s latest LLM-based cybersecurity platform has bug-finding superpowers. Mythos is currently enshrouded behind Project Glasswing, meaning it’s only available to only a few large technology organisations. Anthropic has not released figures detailing the numbers of false positives Mythos raises, and its System Card ‘s [PDF] seven-page cybersecurity section (of 244 pages total) also lists no CVEs, severity ratings, nor disclosure timelines.
Large language models have been used by cybersecurity teams to assess software for potential security issues for several years; the improvements to harnesses around agentic workloads mean that models such as Mythos are able to develop working code that could be used to exploit issues. It may be this extra automated step that will allow less-abled attackers to deploy exploits in the wild.
The investment that Anthropic has announced to help bolster cybersecurity comprises largely of credits that teams searching for flaws can use on models Anthropic hosts. If small open-source projects are hit by the NCSC’s ‘patch wave’, it’s feared that many elements of software making up critical infrastructure will not be patched or corrected in a timely manner. There have been several high-profile reports of core software projects being inundated with specious bug reports and pull requests emanating from LLM scans of project source code, so the prospects for cybersecurity don’t look good.
The main effect of any ‘patch wave’ will be to highlight the extent to which every organisation has built critical infrastructure on the basis of software that’s often written and published in the open by volunteers or barely-paid developers. When there is a swathe of bugs filed against those projects, there is a high level expectation amongst software users for remediation, but an inverse, low level of acknowledgement of the same software’s importance the rest of the time, most notably manifest in the dire finances of most vital projects.
It’s worth noting that Anthropic has a history of making speculative public pronouncement bordering on hyperbole surrounding all its endeavours – although it’s not unique in that regard. That doesn’t mean it’s safe to disregard the impact of the step-wise improvement in LLM harnesses that has led to systems like Mythos. Organisations do need to react quickly to what may be a larger-than-previously number of exposed security flaws. But the sense of urgency seems to stem from one company with a particular financial agenda, and that agenda has nothing to do with supporting those who will end up bearing the cost of patching vulnerabilities (or the cost of sifting through a wave of potential vulnerability warnings to find the genuine issues).
The UK NCSC’s announcement has little to offer cybersecurity teams than boilerplate advice. The detail and complexity of the modern software stack’s dependencies mean a clearer lead needs to be provided, one that takes into account the reality of how organisations build with, and come to depend on, software. It’s not helpful to respond with hyperbolic phrases like ‘patch wave’ to the latest big reveal by Anthropic, a company with a track record of egregious claims.
Better would be to lead by giving examples and a workable framework by which software creators could be recompensed as acknowledgement of the importance of their roles.
(Image source: “Romania; the boy who cried wolf” by Kashklick is licensed under CC BY-NC 2.0 .)
Want to experience the full spectrum of enterprise technology innovation? Join TechEx in Amsterdam, California, and London. Covering AI, Big Data, Cyber Security, IoT, Digital Transformation, Intelligent Automation, Edge Computing, and Data Centres, TechEx brings together global leaders to share real-world use cases and in-depth insights. Click here for more information.
TechHQ is powered by TechForge Media . Explore other upcoming enterprise technology events and webinars here .
