Cybersecurity Braces for AI ‘Bugmaggedon’

**Jessica Mendoza** (0:05)
Last month, a group of computer researchers ran a test. They wanted to try using artificial intelligence to hack an operating system called OpenBSD.

**Robert McMillan** (0:16)
So OpenBSD is an operating system, you know, like Windows or Mac OS. It's been around for a long time.

**Jessica Mendoza** (0:24)
Our colleague Bob McMillan covers cybersecurity.
He says this operating system is considered very secure. It's survived decades of cyber attacks.

**Robert McMillan** (0:33)
It's kind of on the front of the Internet for many corporations. It's used in firewalls. So it's facing the hackers all the time. So it's a good project to look at because it's been battle tested, right?
And it's had lots of time for people to look for bugs and report them and fix them and stuff like that.

**Jessica Mendoza** (0:54)
A software bug is a flaw in a computer program that causes problems or even a crash. Hackers try to find bugs because they can use them as sort of a door into an otherwise closed computer system.
So in this experiment, researchers took the latest AI model from Anthropic called Mythos, then let it loose into the software.

**Robert McMillan** (1:18)
They said, find us some bugs, and it found this bug. A guy named Niels Provos had written some code in 1998 and he made a mistake.
Nobody noticed that mistake for over 27 years until Mythos took a shot at it.

**Jessica Mendoza** (1:35)
Wow. The bug Mythos found could have caused a serious problem, and it had sat there undetected by humans for nearly 30 years.
So, what does this tell you about Mythos? Is it better at this than humans?

**Robert McMillan** (1:54)
I mean, you could sort of craft this narrative like, oh my gosh, they've had 27 years and no one saw it, and then AI found it. There are bugs that humans have missed that AI is able to find. I mean, that's a legit phenomenon.

**Jessica Mendoza** (2:08)
Anthropic, the company that made Mythos, said that the model was so powerful, it could, quote, reshape cybersecurity.
And Mythos is just the beginning. Already, the cybersecurity world is struggling to keep up.

**Robert McMillan** (2:22)
AI models are getting very good at finding security vulnerabilities. The amount of bugs that are being found right now is skyrocketing, and people are freaking out because of that.
Mythos has become the poster child for a phenomenon that I've been writing about for months, that people in the cybersecurity industry have been talking about for months, but with the Mythos release, it achieved critical mass.

**Jessica Mendoza** (2:47)
And what phenomenon is that?

**Robert McMillan** (2:50)
Well, the geeks call it the vulnerability Armageddon, but here at The Journal, we call it the bugmageddon.

**Jessica Mendoza** (3:00)
Welcome to The Journal, our show about money, business, and power. I'm Jessica Mendoza. It's Tuesday, April 21st. Coming up on the show, Bugmageddon and Cyber Security's Race Against Time.
Bob, I want you to back us up just a little bit here. What are AI models like Mythos actually doing that's different from how software bugs have been found in the past?

**Robert McMillan** (3:44)
So, there's like a real change going on in the way bugs are being found. In the olden days, it was kind of a very specialized knowledge.
You'd have to kind of master this arcane computer science of how systems work.

**Jessica Mendoza** (4:07)
So, if a hacker wanted to find a bug that would get them into, say, the Windows operating system, they'd have to learn how Windows worked.

**Robert McMillan** (4:16)
Twenty-five years ago, there were a million bugs being found in the Windows operating system, and for that to happen, people had to really dig into the ins and outs of how the Internet interacted with Windows. But it required hours and hours of work for humans to achieve the level of mastery required to even be playing in the bug hunting game.
AI changes all that, right? Like, AI can just look at all these bugs and kind of get to that level of mastery very quickly.

**Jessica Mendoza** (4:50)
And where AI hacking models shine most is speed. Eight years ago, the average time between a bug being found and a hacker using that bug in a cyber attack was 847 days.

**Robert McMillan** (5:03)
So a bug would be disclosed, two years would go by, and then it would start getting exploited on average. Now it's like within a day.
It's not rocket science, but it takes time for a human to do it. You have to have a certain level of expertise. AI has absorbed all of that.

**Jessica Mendoza** (5:23)
There are some limitations with AI's abilities though. At least so far, AI doesn't really think creatively like people can.