The Five Eyes, the intelligence alliance consisting of the English-speaking nations of Australia, Canada, New Zealand, the United Kingdom and the United States, have issued a rare joint statement on Monday evening on the dangers of artificial intelligence, and urged leaders to “act now.” The alliance further suggested that although AI will improve cyber defenses over time, it will also accelerate the speed, scale and sophistication of cyber threats.
“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months,” the joint statement warned.
Eyes Calls to Leaders
The Five Eyes’ joint statement urged leaders to “understand and assess” the risk that AI presents, and to be ready and accountable. It further called for a prioritization of foundational cybersecurity practices and controls, and suggested that cyber leaders be empowered with authority and resources to address the threats from AI.
Leaders should also “stay actively engaged as threats and guidance” will evolve.
The statement also suggested that success will be a result of “getting the basics right,” which will require acting quickly and integrating cybersecurity into core business practices.
“Those that do not will face growing operational and strategic disadvantage,” the group statement continued.
It was signed by heads of each nation’s cybersecurity agencies, which included David Imbordino, director of the cybersecurity directorate at the National Security Agency (NSA), and Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency (CISA).
Experts Weigh In
Several cybersecurity experts weighed in on the joint statement, addressing its key points but also what the Five Eyes may have missed in the warning.
John Strand, owner, Black Hills Information Security, who had spent 15 years in the Five Eyes intelligence community (IC), warned that AI is a bigger threat than many understand.
“I can say with confidence that we are horribly behind in understanding how quickly AI can move through the entire attack lifecycle,” Strand told ClearanceJobs in an email. “We’re still treating many of these capabilities as theoretical, while AI is already accelerating everything from reconnaissance and target discovery to exploitation and post-compromise operations. The DoD and intelligence community need to recognize that the pace of cyber operations is changing fundamentally, and many of our assumptions about warning time and attacker effort are rapidly becoming outdated.”
There is also the feeling from some in the cybersecurity community that the warning from the Five Eyes is important, but it could risk sending organizations in the wrong direction, and fail to address the key threats that AI presents.
“The instinct is to look outward at attackers using AI as a weapon. The harder conversation is looking inward at the AI infrastructure already running inside your organization and whether it was built with the governance and security controls to withstand what is coming,” explained Kristen Santora, head of customer success and partnerships at Silicon Valley-based Invi Grid.
“The timeline does not give enough runway to start thinking about AI security from scratch, and that’s the problem with traditional approaches,” Santora wrote in an email to ClearanceJobs.
Earlier this month, the United States Department of Commerce issued an export control directive that suspended all access to artificial intelligence developer Anthropic’s Fable 5 and Mythos 5 AI models by any foreign national. That included those inside or outside the United States, even those working at the company.
There has been speculation the models could be subject to a “jailbreak” that would bypass any corporate safeguards. The company responded by abruptly disabling both platforms to all customers to ensure compliance, but added that access to its other models would be unaffected. However, Santora said that may not go far enough.
“A model like Fable 5 can be jailbroken to exploit cybersecurity vulnerabilities, and when that happens, every organization that integrated it inherits the exposure,” she warned. “The Fable and Mythos situation is a signal that safeguards added after the fact are not enough. Organizations need to adopt a proactive, infrastructure-first security mindset before they integrate the next model, not after.”
AI Fear Mongering
Not every cybersecurity expert has taken the view that the sky is falling. This isn’t to say that the Five Eyes are overreacting, but the dangers of a cyberattack remain persistent, with AI simply being another threat vector.
“This is just fear-mongering around offensive AI capabilities. Right now, there is a huge and well-documented amount of offensive campaigns that are being run by APT groups and pentesters, using existing software and scripts, to ‘take down governments and businesses.’ It is also true that instead of using their standard tooling, they can use AI to accomplish the same attacks,” suggested Steven Swift, managing director at cybersecurity provider Suzu Labs.
Swift told ClearanceJobs that the threat from AI isn’t months away, and he suggested that the capabilities exist currently.
“If you provide an AI agent access to the tools, automation, and SOP that you would use for a more traditional offensive campaign, it’s relatively trivial for that agent to utilize that workflow to run the campaign,” Swift continued. “There is no unique, magic hack that AI has access to. AI agents are simply a different way of running the same kill-chain as we would have without them.”
He added that one of the reasons that most offensive campaigns find it so easy to compromise governments and businesses is because organizations have long underinvested in cybersecurity.
“The fix to this is to configure your systems to secure best practices, to patch ALL of your systems in a timely manner, and to license appropriately high-quality security tools to augment your secure configurations,” said Swift. “So on one hand, this is just more fear-mongering that AI security is scary. On the other hand, security professionals have been shouting to anyone who would listen that this has been a long-running problem. If mentioning AI security suddenly gets more buy-in, then that’s a win for finally making meaningful improvements to security posture.”
