
Mythos and the last days of Nobody But Us

A shift in the balance of cyber-power is underway, and Anthropic's launch of Mythos - along with its public dispute with the US government - sits right at the centre of it. The implications for how nation states hoard and wield software vulnerabilities are significant, and will change cyberwarfare forever. No one seems to be talking about this, so in this piece I have attempted to explain what I think is really going on.

A doctrine that has guided American cyber-statecraft for more than a decade is quietly breaking. The Anthropic-Trump spat of the past two months, usually described as a fight about autonomous weapons, is one of its earliest visible consequences.

The doctrine is known as NOBUS ("Nobody But Us"). It says that when the National Security Agency (NSA) discovers a previously unknown flaw in widely used software (a "zero-day vulnerability"), it should assess how hard it would be for anyone else to find and exploit the same flaw.

If that bar is high enough (because exploiting it requires, say, enormous compute, specialised mathematical insight, or access to foreign networks that only the NSA has) the agency can, and often does, keep the flaw to itself and use it to break into the computers of people it wants to watch.

Flaws that fail that test, because others could plausibly find them too, are meant to be disclosed to the software vendor for patching. As former NSA director Michael Hayden put it: "if there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think NOBUS". Disclosure is probably what most people assume always happens, and it is generally what does happen when independent security researchers or companies find vulnerabilities in well-known software; that practice is known as "responsible disclosure" (or, in more recent usage, "coordinated vulnerability disclosure").

NOBUS has always had critics. Academic studies have suggested that independent researchers rediscover a meaningful fraction of stockpiled bugs within a year or two, at which point the asset becomes a liability. The NSA has also had its arsenal stolen on at least one spectacular occasion. Beginning in 2016 a group calling itself the Shadow Brokers dumped caches of stolen NSA exploits onto the internet. One of them, EternalBlue, exploited a previously unknown flaw in the SMBv1 file-sharing protocol of Microsoft Windows that the agency had been sitting on for years; it went on to power the WannaCry and NotPetya attacks of 2017, which together caused something like $14 billion of damage worldwide. Microsoft had patched the flaw (MS17-010) a month before the exploit was leaked, which did nothing for the many organisations that had not yet applied the update.

Still, the doctrine has survived, largely because its premise held. Finding a serious zero-day in significant software has always required rare expertise, patience and luck. America had more of all three than anyone else, so retention usually paid.

The levelling

On the 7th of April, Anthropic released a preview of a model called Claude Mythos. It is a general-purpose large language model of the sort that underpins the chatbots most of us now use for holiday planning and customer-service complaints. It is also, by some distance, the best automated bug-hunter ever built. In testing, Mythos identified thousands of previously unknown vulnerabilities across every major operating system and web browser. Among them was a 27-year-old flaw in OpenBSD (a secure operating system used on servers and in network appliances) and a 17-year-old remote-code-execution bug in FreeBSD's network file system that it not only found but exploited end-to-end, with no human involvement after the initial prompt. The whole run cost less than $20,000.

Anthropic chose not to release Mythos publicly. Instead it formed Project Glasswing, a consortium of twelve launch partners that reads like a list of the internet's giants: Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself. Around 40 other organisations that maintain critical infrastructure have been brought in alongside them. The terms are straightforward: use Mythos to find bugs in your own code and in the open-source software you depend on; patch them; Anthropic discloses publicly within 90 days.

Notice who is not on the list: the United States government. Until very recently it was not a partner at all. The Cybersecurity and Infrastructure Security Agency (CISA), the domestic cyber-defence agency most obviously suited to using such a tool, still does not have access. The NSA, according to Axios reporting, now does.

The iceberg

This is where things get interesting, and where a certain amount of informed speculation becomes unavoidable. Don your tinfoil hats.

The public account of the Anthropic-Trump fight runs as follows: the Pentagon wanted unfettered use of Anthropic's models. Anthropic refused, citing red lines around autonomous lethal weapons and domestic mass surveillance. The Pentagon retaliated by labelling the company a "supply-chain risk", a designation normally reserved for Chinese telecoms firms. The president ordered federal agencies to stop using the technology. Anthropic sued, and won a preliminary injunction, with Judge Rita Lin describing the supply-chain-risk designation as "classic First Amendment retaliation". Relations are now thawing, helped along, the story goes, by the Mythos release itself.

That is almost certainly part of what happened. But the Snowden disclosures of 2013 are a useful reminder of how much of the real substance of these disputes takes place well below the waterline. Before Snowden, ordinary citizens, technology executives and most members of Congress had little idea that the NSA had tapped undersea cables, compelled American firms to hand over bulk user data, and weakened cryptographic standards from the inside. The public surface of the intelligence relationship bore only a passing resemblance to what lay underneath.

The same scepticism is worth applying here. Anthropic has confirmed that it briefed senior American officials on Mythos's capabilities (both offensive and defensive) well before the public release. The major American software firms have, for more than two decades, given the NSA formal access to their closed-source code in at least some cases. Microsoft's Government Security Program, launched in 2003, grants federal agencies read-only access to the source of Windows, Office, Exchange and SQL Server through a secure web portal. Where formal arrangements have not been available - most notably with Apple - Snowden-era reporting from over a decade ago described a sustained, multi-year agency effort to break into iOS by other means. A model capable of finding critical zero-days in open-source code becomes substantially more potent once paired with either form of access. It seems obvious to me that the intelligence community will have seen the Mythos capability, and wanted it on NOBUS terms, with the usual restrictions on disclosure.

For the NSA, the prospect of massively expanding its zero-day stockpile would be almost impossible to resist. The flip side is just as sharp: once adversaries have Mythos-equivalents of their own, a significant portion of the existing stockpile is liable to be neutered by vendor patching as the same bugs get independently rediscovered. That represents tens or hundreds of millions of dollars of research quietly going up in smoke.

It would only be human nature for the NSA to double down on a decades-old doctrine, rather than immediately accept that times may have changed.

It seems just as unlikely that Anthropic would agree to those terms. Glasswing is, in effect, an industrial-scale responsible-disclosure regime that bypasses the government entirely, routing findings to vendors who must patch them inside three months. The publicly stated dispute about autonomous weapons and surveillance is easily digested by the public and mainstream media, but to my eye it does not relate closely enough to the actual capabilities of Mythos, or to the current state of the art of these tools.

The doctrine breaks

Whether or not that specific argument was ever had in a Washington conference room, the doctrinal implications are already clear. NOBUS relies on maintaining a lead. A tool that finds a 27-year-old OpenBSD flaw in a weekend offers a levelling. Chinese, Russian and Iranian intelligence services will have equivalents soon (if not already) and they will not be handing their findings to the Linux Foundation and others. The stockpiling bet only pays out if adversaries independently fail to discover the same bugs, and Mythos demonstrates that they will not.
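To make the "stockpiling bet" concrete, here is a toy model of the retention decision, added for this piece rather than taken from the article, from the rediscovery studies it mentions, or from any published NSA or Anthropic methodology. It treats rediscovery of a stockpiled bug by anyone else as a Poisson process with a constant annual rate, scores a retained bug by the operational value it yields while still exclusive minus a one-off liability if someone else finds it first (the EternalBlue case), and scores disclosure as the zero baseline. Every parameter value below (rates, annual value, liability, horizon) is an illustrative assumption, not a measured figure; the model's one real lesson is that the break-even rediscovery rate does not depend on the planning horizon, so a tool that raises everyone's rediscovery rate moves every bug in the stockpile towards the "disclose" side at once.

```python
"""
Toy model of the NOBUS retention bet under independent rediscovery.

Assumptions (illustrative, not from the article or any study):
  * A retained zero-day earns `annual_value` per year while nobody else
    has found it, and is worth nothing once rediscovered (vendor patches).
  * Rediscovery by anyone (adversary, researcher, vendor) is a Poisson
    process with constant rate `rate_per_year`, so the time to
    rediscovery is exponentially distributed.
  * If the bug is rediscovered within the horizon the holder also pays a
    one-off `liability` (the bug used against its own side, reputational
    cost of a leak, etc.).
  * Disclosing now scores 0, so retention is worthwhile only when its
    expected net value is positive.
"""
import math
import random


def survival_fraction(rate_per_year: float, years: float) -> float:
    """P(no one else has found the bug after `years`) = exp(-rate * years)."""
    return math.exp(-rate_per_year * years)


def expected_exclusive_life(rate_per_year: float) -> float:
    """Mean number of years of exclusive use: 1 / rate."""
    return 1.0 / rate_per_year


def retention_value(rate_per_year: float, annual_value: float,
                    liability: float, horizon_years: float) -> float:
    """
    Expected net value of retaining the bug over `horizon_years`.

      gain = annual_value * integral_0^T exp(-rate t) dt
           = annual_value * (1 - exp(-rate T)) / rate
      loss = liability * P(rediscovered within T)
           = liability * (1 - exp(-rate T))
    """
    p_lost = 1.0 - survival_fraction(rate_per_year, horizon_years)
    return annual_value * p_lost / rate_per_year - liability * p_lost


def breakeven_rate(annual_value: float, liability: float) -> float:
    """
    Rediscovery rate above which retention has negative expected value.
    Both gain and loss above share the factor (1 - exp(-rate T)), so
    retention_value > 0  <=>  annual_value / rate > liability
                         <=>  rate < annual_value / liability,
    which is independent of the horizon.
    """
    return annual_value / liability


def simulate_retention_value(rate_per_year: float, annual_value: float,
                             liability: float, horizon_years: float,
                             trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: draw a rediscovery time per
    trial and score it exactly as the assumptions above describe."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        t = rng.expovariate(rate_per_year)
        if t >= horizon_years:
            total += annual_value * horizon_years     # never rediscovered
        else:
            total += annual_value * t - liability     # exclusive until t
    return total / trials


if __name__ == "__main__":
    # Illustrative assumptions: value in arbitrary units per year, one-off
    # liability of 10 units, a five-year planning horizon, and two
    # hypothetical rediscovery rates (slow human rediscovery vs. cheap
    # automated bug-hunting everyone can run).
    annual_value, liability, horizon = 2.0, 10.0, 5.0
    print(f"break-even rediscovery rate: {breakeven_rate(annual_value, liability):.2f} / year")
    for label, rate in (("human-only", 0.15), ("automated", 2.0)):
        print(f"{label:10s} rate={rate:.2f}/yr  "
              f"exclusive life={expected_exclusive_life(rate):.1f} yr  "
              f"survives 2 yr={survival_fraction(rate, 2.0):.0%}  "
              f"retention value={retention_value(rate, annual_value, liability, horizon):+.2f}")
```

The closed form says retention pays only while the rediscovery rate stays below `annual_value / liability`; with the illustrative numbers that threshold is 0.2 per year, so a bug that someone else is expected to find within about five years is already a bad bet, and anything that pushes the rate to once a year or faster turns the whole stockpile negative regardless of how long one planned to hold it.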

The sensible American response, from a purely security standpoint, is to disclose aggressively and harden the commons. That is what Glasswing does. The irritating implication, for a certain kind of intelligence official, is that a private company has taken the decision out of the government's hands.