Five Eyes spooks warn AI means infosec incidents can become ‘major operational and financial crises’

The leaders of intelligence agencies from the Five Eyes nations – Australia, Canada, New Zealand, the USA and the UK – have together issued strongly worded advice calling for leaders to nail cybersecurity basics or fall victim to ruinous AI-powered attacks.

“The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years,” the advice warns, and calls for organizations to take rapid action to ensure their defenses remain potent.

“While AI will help us improve cyber defence over time, it also accelerates the speed, scale, and sophistication of cyber threats,” the advice adds. “Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months.”

After all that scary stuff, the spook bosses offer some antidote: “Cyber resilience is integral to advancing business continuity, market confidence, and long-term value.”

And how might one achieve that resilience? The Five Eyes have four suggestions:

• Understand and assess risk, readiness and accountability

• Prioritize foundational cyber security practices and controls

• Empower cyber leaders with authority and resources

• Stay actively engaged as threats and guidance evolve

“Cyber risk can no longer be treated as a purely technical issue,” the advice points out. “This is a core business risk and leadership responsibility,” because breaches are inevitable and “Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.”

The intelligence chiefs therefore want organizations to test their cyber resilience rigs.

“It is not enough to have controls,” they write. “Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence – not just improve efficiency.”

That last sentence is a rare moment of optimism in the advice and precedes a section in which the intelligence bosses observe “Organizations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents – reducing both the cost and impact of incidents.”

Readers of The Register might find this advice a little quaint given that infosec vendors have for years blathered on about the need for boards and bosses to take cyber seriously. It’s also been a couple of years since it became apparent that generative and agentic AI can fuel new and unusually potent cyber-attacks.

Interest in that idea spiked in the eleven weeks since Anthropic revealed the existence of its powerful flaw-finding Mythos model and hid it behind a regwall lest criminals use it to swiftly slice holes in important software.

The Five Eyes bosses address their advice to “leaders” – presumably bosses of substantial organizations – who may not have watched the Mythos mess unfurl while they worried about a global energy crisis kicking holes in their supply chains.

The good news is that the spy bosses don’t think leaders need to learn a lot to cope with the advent of AI, as their advice suggests five practical actions they rate as “not new,” but “now urgent to reduce not only technical risk, but also operational, financial and reputational exposure.”

For the record, those actions are:

1. Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.

2. Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritize security updates accordingly to manage risks.

3. Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.

4. Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions.

5. Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.

Take us, and this, to your leaders, dear readers. ®