Jessica Mendoza (2:47)

And what phenomenon is that?

Bob McMillan (2:50)

Well, the geeks call it the vulnerability Armageddon. But here at the Journal. We call it the Bugmageddon.

Jessica Mendoza (2:59)

Welcome to the Journal, our show about money, business and power. I'm Jessica Mendoza. It's Tuesday, April 21st. Coming up on the show, Bugmageddon and Cybersecurity Security's race against time.

SAP Advertiser (3:27)

This episode is presented by SAP. Your company's ambitions can't be held back by long implementation, surprise costs, or empty AI promises. SAP Grow AI Cloud ERP gets you live fast, keeps pricing predictable and delivers built in AI that gets results the first day, not someday. All on a single platform that's easy to manage, industry ready and designed to scale with your business. Bring it with SAP grow AI Cloud ERP for any size business. SAP.com grow K pop demon hunters, saja

McDonald's Advertiser (3:58)

Boy's Breakfast Meal and Hunt Trick's Meal have just dropped at McDonald's. They're calling this a battle for the fans. What do you say to that, Rumi? It's not a battle. So glad the Saja boys could take

Jessica Mendoza (4:08)

breakfast and give our meal the rest of the day. It is an honor to share.

McDonald's Advertiser (4:12)

No, it's our honor.

Jessica Mendoza (4:14)

It is a larger honor.

McDonald's Advertiser (4:16)

No, really, stop. You can really feel the respect in this battle. Pick a meal to pick a side

Bob McMillan (4:24)

and participate in McDonald's while supplies last.

Jessica Mendoza (4:32)

Bob, I want you to back us up just a little bit here. What are AI models like Mythos actually doing that's different from how software bugs have been found in the past?

Bob McMillan (4:44)

So there's like a real change going on in the way bugs are being found? In the olden days, it was kind of a very specialized knowledge. You'd have to kind of master this arcane computer science of how systems work.

Jessica Mendoza (5:06)

So if a hacker wanted to find a bug that would get them into, say, the Windows operating system, they'd have to learn how Windows worked.

Bob McMillan (5:15)

25 years ago, there were a million bugs being found in the Windows operating system. And for that to happen, people had to really dig into the ins and outs of how the Internet interacted with Windows. But it required hours and hours of work for humans to achieve the level of mastery required to even be playing in the bug hunting game. AI changes all that, right? Like, AI can just look at all these bugs and kind of get to that level of mastery very quickly.

Jessica Mendoza (5:49)

And where AI hacking models shine most is speed. Eight years ago, the average time between a bug being found and a hacker using that bug in a cyber attack was 847 days.

Bob McMillan (6:02)

So a bug would be disclosed, two years would go by, and then it would start getting exploited on average now it's like within a day. It's not rocket science, but it takes time for a human to do it. You have to have a certain level of expertise. AI has absorbed all of that.

Jessica Mendoza (6:22)

There are some limitations with AI's abilities, though, at least so far. AI doesn't really think creatively like people can.

Bob McMillan (6:30)

It's basically kind of repeating stuff that's already out there. So it's not going to be able to, as it stands now anyway, invent this whole new way of hacking systems.

Jessica Mendoza (6:43)

But Anthropic's Mythos is better at bug finding than any AI model that's come before it. The company announced the model earlier this month, and it said Mythos would be able to identify software vulnerabilities better than, quote, all but the most skilled humans. Anthropic also said that the version it's been testing has already found thousands of vulnerabilities in every major operating system and browser.

Bob McMillan (7:09)

From the start, Anthropic was talking about it as very dangerous. You know, like, we're not sure what to do with this, like, who should get it.

McDonald's Advertiser (7:15)

Anthropic has a new AI model so

Jessica Mendoza (7:18)

dangerous they won't release it publicly.

Bob McMillan (7:21)

It could become a major hacking tool. This is a system that absolutely has

SAP Advertiser (7:25)

slipped its bonds already.

Bob McMillan (7:27)

These, the company says, and as a result, poses a threat.

Jessica Mendoza (7:31)

It seems like a lot of people have gotten worked up since Anthropic announced this.

Bob McMillan (7:35)

I mean, there's a lot of hype around AI right now. And when you hear about AI being too dangerous to be released, I think it's pretty natural to go, what's going on with this stuff? Is it systemic risk to our financial system? You know, is this going to open up all these backdoors that hackers are going to be able to use to undermine confidence in the banking system.

Jessica Mendoza (8:01)

Imagine hospitals, banks, and government and military websites being targeted by an AI hacker that can work faster and more aggressively than any human could. That's what Anthropic said it was trying to prevent. So to avoid the worst, Anthropic said it will only share Mythos with a limited pool of companies that make up much of the backbone of the tech world, like Amazon, Google, and Nvidia. Anthropic says it has no immediate plans to release the program to the public.

Bob McMillan (8:28)

We only want to release it to a select group of entities. So they picked about 50 corporations and organizations and said, take a look at this. See what you can do with it.

Jessica Mendoza (8:39)

The idea is that access to Mythos could give those companies a head start. Against Bugmageddon, allowing them to find the holes in their systems and patch them before hackers get their hands on Mythos.

Bob McMillan (8:51)

Hacking is very asymmetrical. If you are the hacker, you just have to find one way in to your target. You do something and it doesn't work. Like no big deal. You know, you can try again. If you're a defender and you try to defend something and it doesn't work, you're hacked.

Jessica Mendoza (9:08)

Bob says that this approach being cautious about who gets access to the AI model tracks with Anthropic's narrative of being a responsible and safe AI company. But some AI experts aren't sure if Anthropic could pull off a wide release of something like Mythos right now anyway, because of data constraints, there is a

Bob McMillan (9:28)

question about whether they have enough compute to meet demand. A new model would require a lot of compute and would put some strain on something that they're already having some difficulty delivering, which is, you know, access to their services.

Jessica Mendoza (9:45)

However, other companies are also working on their own versions of this technology. Anthropic's primary competitors, OpenAI and Google DeepMind, have said they have similarly capable models in the works. There's no release date set for any of these models yet, but Bob says cybersecurity teams have their work cut out for them.

Bob McMillan (10:05)

Like, there's a lot of bugs out there, there's a lot of bugs in software, and right now we're just at this point where they're all being revealed. So these network defenders, they're all thinking about ways of being creative, about softw solving the problem. But they can tell the Bugmageddon is coming

Jessica Mendoza (10:27)

after the break. How Cybersecurity experts are looking to a past panic to prepare for tomorrow.

Bob McMillan (10:35)

However you slice it, it's the Y2K problem. For AI.

Everpass Advertiser (10:46)

Business owners, game day isn't just another shift. It's your biggest opportunity. What you show on your screens decides where fans stay. Everpass brings premium live sports together in one streaming platform built for businesses so you can deliver the games your customers want without the hassle. Reliable, easy to manage and designed for your venue. Make your place the one fans choose. Visit everpass.com to learn more.

Lowe's Advertiser (11:10)

If you've got spring fever, Lowes has the cure. During Springfest, make your landscape stand out with three free bags of Miracle Gro 3 Quarter Kit Cubic Foot Garden Soil when you buy three plus get up to 40% off select major appliances to keep clothes, food and dishes fresh all season long. Our best lineup is here at Lowe's valid through 422, while supplies last selection varies by location. See lowe's.com for details. Soil offer excludes Alaska and Hawaii.

Jessica Mendoza (11:45)

In 1999, there was a big computer problem on everyone's mind. Y2K Congress has set to the task

McDonald's Advertiser (11:52)

of answering the question, will the Y2K computer bug bring about Armageddon?

Jessica Mendoza (11:58)

Well, Bob, for those of us who may not remember exactly.

Bob McMillan (12:01)

Wait, you're telling me you don't remember Y2K?

Jessica Mendoza (12:03)

Come on, that was the year I turned 12.

McDonald's Advertiser (12:06)

Bob.

Bob McMillan (12:07)

Weren't you worried as a 12 year old that the world was going to destruct on New Year's Eve?

Jessica Mendoza (12:12)

I was just figuring out how to

McDonald's Advertiser (12:13)

use an AOL account.

Jessica Mendoza (12:15)

Can you paint a picture of the Y2K bug phenomenon?

Bob McMillan (12:20)

Y2K happened when after a few, just like amazing years of people writing software and software taking over and doing all kinds of great things, somebody took a look at their code and they realized that when we enter the year on this program, we should have given it more than two digits.

Jessica Mendoza (12:47)

Back then, programmers had given dates only two numbers for the year, like 99 for 1999. But they realized that when the date rolled over into 2000, computers might read the double zero as the year 1900 instead.

Bob McMillan (13:04)

There's a lot of software out there. You know, financial institutions were using it, corporations were using it, and like an astounding amount of code did not compute. The year 2000.

McDonald's Advertiser (13:15)

Everything from tax returns to Social Security could be a problem if old programming refuses to acknowledge the 21st century.

Bob McMillan (13:25)

People were worried about elevators, you know, freezing and the financial system melting down.

McDonald's Advertiser (13:32)

Everyone here is waiting for the same thing. The stroke of midnight.

Bob McMillan (13:38)

I remember on New year's Eve, like Y2K, I had like $5,000 cash in my pocket just in case, you know, the ATMs didn't work for months.

Jessica Mendoza (13:48)

So with a clear deadline looming ahead, tech teams got to work.

Bob McMillan (13:52)

And so they had to rewrite a lot of software so that it could understand the concept of 2000 and not 1900. And so they worked like heck on this. And all these coders pulled like all nighters and people working their butts. And lo and behold, the year 2000 happened. And the computers mostly ran. And so they did it.

McDonald's Advertiser (14:17)

Emergency calls went through, the power stayed on. And we didn't go back into the dark ages.

Jessica Mendoza (14:23)

Thanks to all that grunt work by tech teams across the world. Y2K was famously a nothing burger.

Bob McMillan (14:28)

Once clock struck midnight in cybersecurity, we always talk about the awful things, you know, the ransomware outbreaks and hacks and things like that. But, like, occasionally we do something right collectively. And Y2K was an example of when the world knew about a problem and worked really hard and averted disaster.

Jessica Mendoza (14:52)

Bob says the Y2K lesson is to take threats seriously as early as possible. Mythos and the concerns about it has helped sound the alarm for the danger that AI can pose in the wrong hands.

Bob McMillan (15:05)

I mean, the good thing about all of the attention that that release got is like, boards are asking, what's the deal? Right? And so they have to come up with plans. And what they're doing is they're trying to get faster at patching.

Jessica Mendoza (15:22)

A number of companies are rolling out initiatives to deal with it, and even the White House is spooked. The administration has announced that it's taking steps to prepare for the vulnerabilities that Mythos could bring to the surface, both in government and in the private sector. How worried should the average person be?

Bob McMillan (15:44)

If I was. If I was to give advice to somebody who's not a cybersecurity expert, I'd say worry about your two factor authentication. Worry about, you know, getting phished. I mean, there's a, like, a lot of fraud going on right now. You know, this is a theoretical problem, like, you know, wait for the global worm. And the other thing is, I mean, we're rolling out all kinds of AI created software and AI systems and Agentix systems and things like that, and people are going to start hacking all of that. So, you know, that actually might be a bigger worry than all these bugs in existing software that AI is finding. And we're not talking about that as much as we're talking about Mythos right now.

Jessica Mendoza (16:25)

Bob, it sounds like this is eventually going to be an issue, though. Is there going to be some kind of, you know, big global coordination to get on top of this the same way there was back when everyone was getting ready for Y2K?

Bob McMillan (16:40)

Well, I mean, that's what the Mythos announcement was, right? Like, we're going to work with 50 companies that, like, really are in the center of the world's infrastructure. So, I mean, that, yeah, that is happening right now, and there are other efforts underway. I mean, you could look at Mythos as sort of the beginning. There's like a real global effort right now to fix our software, which is actually a good thing.

Jessica Mendoza (17:04)

But the speed at which AI is advancing means this time it's probably going to be less of a moment and more of a new reality.

Bob McMillan (17:12)

There is no end to it, though. I mean, there's going to be like a point at which people are freaking out about it less, I think. But we just have to beat the hackers before they write like the global worm that shuts everything down.

Jessica Mendoza (17:30)

So, having said all that, Bob, where do we land on Mythos? Is it good marketing, genuine threat, fundamentally going to change cybersecurity? Somewhere in between?

Bob McMillan (17:39)

I just don't think you need to credit Mythos with fundamentally changing cybersecurity. I mean, all of these LLMs and what they can do, they're all changing cybersecurity. No question about that. And it's kind of interesting that, like, people, the industry is sort of ahead of the curve on this one, right? So to me, it does feel like Y2K, one of those things where people are kind of aware of the problem ahead of time. They're thinking of sensible things to do to, To. To mitigate it. And beyond that, there may be unexpected consequences that nobody's seeing right now. That's really the thing that I, I would kind of worry about is like, what is the unexpected consequence of all of these systems rolling out?

Jessica Mendoza (18:31)

That's all for today. Tuesday, April 21st. The Journal is a co production of Spotify and the Wall Street Journal. If you like our show, follow us on Spotify or wherever you get your podcasts. We're out every weekday afternoon. Thanks for listening. See you tomorrow.

Vanta Advertiser (18:51)

Security program on spreadsheets, New regulations piling up and audit dread. It's time for Vanta. Vanta automates security and compliance, brings evidence into one place and cuts audit prep by 82%. Less manual work, clearer visibility, faster deals, zero chaos. Call it compliance or call it compliance.

Jessica Mendoza (19:12)

Get it?

Vanta Advertiser (19:13)

Join the 15,000 companies using Vanta to prove trust. Go to vanta. Com. Calm.