Claude Mythos promises to revolutionise software security, but it increases the concentration of technological, economic and strategic power in the hands of Big Tech
by Andrea Monti – Originally published in Italian on Italian Tech-La Repubblica
Project Glasswing is an initiative promoted by Anthropic to improve the security of the code used to write the programmes that, by now, make everything work. Major Big Tech companies such as Apple and Microsoft, hardware manufacturers such as Cisco, and even the Linux Foundation – the heart of free software – have so far joined Glasswing.
The reason for this widespread participation is Claude Mythos, a version of Anthropic’s model so adept at uncovering software vulnerabilities that it cannot be made publicly available to anyone because it is too dangerous.
Mythos, in fact, has been able to uncover a huge number of ‘zero-day’ vulnerabilities — unknown even to the developers — not only in software that has never exactly been a ‘milestone’ of security, but also in systems such as OpenBSD (a single bug, already fixed, although it had lain dormant for 27 years). So, Anthropic reasoned, it is better to avoid the uncontrolled circulation of information that could be exploited not only to ‘fix’ faulty software but also to commit crimes or state-sponsored attacks.
So much for the narrative fuelled by Anthropic’s marketing; from here on, a few considerations.
The giant no longer has feet of clay
The first is of an almost philosophical nature: the software industry first created the problem by putting poorly written software into circulation for decades, and now it expects to sell the “solution” to the problem it created.
To this we must add the fact that ‘vibe coding’ (i.e. ‘illiterate programming’) and automated code generation are producing a massive volume of programmes. So, whereas we used to speak of a giant with feet of clay, it is no longer just the feet of the ever-growing giant that are made of such fragile material.
If the findings announced by Anthropic are correct and the scale of the vulnerabilities is indeed so vast, it is unclear what more the European Union needs in order to establish once and for all that software is a product, and that those who develop it are civilly and criminally liable for design flaws and for choosing to market it when it has not been adequately tested.
This, however, will not happen, and thanks to the EU’s failure to act, we will continue to treat software as a poem or a song even in the face of structural collapses of critical infrastructure and platforms.
Cybersecurity becomes a monopoly
The second is of an economic nature: Mythos, says Amodei’s company, does on its own, and more quickly, what only a small number of people endowed with great intellectual capacity and technical expertise could do. If this is true, the cybersecurity services market will undergo a radical change. Mythos will become the gold standard that everyone will have to take into account in order to comply with the bureaucratic regulations on the security of infrastructure, systems and data.
This means that cybersecurity firms (not only small ones with great ‘intelligence’ but also, and above all, the larger ones, including state-owned enterprises) that do not have similar tools at their disposal, or do not use Mythos, will be unable to compete with those that are part of Glasswing. The same applies to hardware manufacturers who, for example, must certify the security of their software under the cyber resilience regulation.
Increasingly, therefore, the cybersecurity market will speak American English and less and less any of the EU languages.
Big Tech is ever more structurally and organically tied to US geopolitics
The third is of a geopolitical nature: as revealed in 2016 by the Shadow Brokers scandal, various zero-day bugs, most likely in the possession of the US National Security Agency, had been used to carry out espionage. At the time, the number of these vulnerabilities was not particularly high; nevertheless, the news of their existence raised a series of questions which, once again, went unheeded by European legislators, as opposed to their US counterparts.
Today, if Mythos were to actually work, it would grant the United States unrivalled strategic and tactical superiority over adversaries, allies and partners. This is perfectly consistent with the position taken by Anthropic on the militarisation of its models: anything goes, as long as it is not against American citizens.
Citizens without (real) protection
In practical terms, it is certainly too early to hypothesise catastrophic scenarios, but this does not mean that the prospects outlined here are unrealistic, or that structural decisions are not needed for the survival of the technological ecosystem that we have allowed to grow in such a dystopian manner.
We can certainly continue to ignore the structural vulnerabilities of the infrastructure that governs our lives—caused by the short-sightedness of legislators, the unscrupulousness of corporations and the indifference of the public—but at some point, reality will demand its due.
And there is little doubt as to who will have to pay the price.
