Mythos and National Power
Has the A-bomb of cyber just been discovered?
Anthropic’s new model found decades-old vulnerabilities in foundational open-source code that millions of automated tests and countless human experts had missed, presaging a potentially revolutionary moment in cyber.
Ben Buchanan, former senior advisor for AI at the White House now at SAIS, and Michael Sulmeyer, former Assistant Secretary of Defense for Cyber Policy now at Georgetown, join the show to break it all down.
Full disclosure: Ben advises Anthropic.
We discuss…
How Mythos found 27-year-old bugs in code everyone thought was secure
The offense-defense balance: whether a Ukraine with Mythos and a Russia without it changes the war
Project Glasswing and Anthropic’s attempt to build a private-sector vulnerabilities equities process
Why critical infrastructure patching is about to become a nightmare
What happens when ransomware gets vibe-coded
Why bio won’t be far behind
Has the Atomic Bomb of Cybersecurity Just Been Discovered?
Jordan Schneider: So how big a deal is Claude Mythos?
Ben Buchanan: This is a big one. I’ve been thinking about cybersecurity and AI for more than a decade. I think a lot of us who were thinking about AI and cyber back then imagined that a day like this might come where you could see automated vulnerability discovery. It does feel like something that had long been imagined is actually now finally here, and it’s up to all of us to figure out what that means.
Jordan Schneider: So what can the model do?
Ben Buchanan: What this system does at its core is it takes a general-purpose capability — it is not a cyber-specific model — and applies it to the business of vulnerability discovery and exploit development. As Michael can attest very well, these are fundamental tasks in cybersecurity: finding a weakness in a piece of computer code and then figuring out how to exploit that weakness to do something as an attacker that you’re not allowed to do.
The evidence is very clear that Claude Mythos is by far the best automated system in the world ever to do this, and is better than even some of the best expert humans — or close to some of the absolute top-tier expert humans — at this task of vulnerability discovery and exploit development. The proof is in the pudding. It found vulnerabilities in code that all of our operating systems and all of our browsers are running. Those vulnerabilities in some cases had lurked there for multiple decades. In some instances, we thought that code was secure. Millions of automated tests had been run on it, and yet Mythos found ways to exploit it. There is a real raw capability here that is vital.
The question is, what’s the analogy for that? That is really an important question.
Jordan Schneider: Let’s stay on the finding of a 27-year-old bug in a piece of open-source software that the entire world uses. Michael, how wild is that?
Michael Sulmeyer: That’s pretty wild. I ended up talking to one of the original developers of some of that software. And it was just silence on the other end. Because everyone thought this was almost axiomatic in computer software development and in cybersecurity — that this piece of code was secure. Knowing that at some point this day would probably come where they’d find problems in it, but that today was going to be the day, and it would be a machine that did it.
Jordan Schneider: The point being that this type of thing — the entire world has been looking for it in this library for decades. You would think that someone would have been able to find or exploit or patch it, given this level of proliferation. This is not the sort of thing where Apple pushed a new update three months ago and we’ve got to work the kinks out.
Ben Buchanan: No, this is long-standing code, there for decades. The core credo of the open-source software movement, which I should be clear I totally support, is: with enough eyeballs, all bugs are shallow. Basically, if enough smart people are looking, they will find everything that is to be found. I think the answer for this moment is we need to have machines look too — or at least, a machine of this capability level can find things that a lot of good humans looking for a long time didn’t find.
The Nuclear Analogy
Jordan Schneider: So let’s come back to the nuclear analogy I started with. The US, of course, invented the atomic bomb and then had a good four-year run of exclusive access to this power. No one else has this model. Just for the record, where are we? Is the US government not allowed to play with this at all?
Ben Buchanan: I would ask the US government. I don’t know what the particulars are between Anthropic and the US government.
Jordan Schneider: Okay, but there’s like a six-month whatever. So TBD on that. Because my first thought was, this is almost like U-boats’ 1942-style happy times. If you’re the one person in the world who can use the offensive version of this, where on the other side you now have Project Glasswing and the whole world trying to harden their systems. Michael, how much fun would a nation-state doing offensive stuff potentially be able to have with this power and no one else having it?
Michael Sulmeyer: “Fun” is probably not the word I would use in the official setting…
Ben Buchanan: You’re out of government now, you can say what you want.
Michael Sulmeyer: That’s true. I think when you think about what is the fundamental responsibility for the kind of role you have in government, it’s to bring options to the senior-most decision makers. What something like this allows for is a new set of options — if used for offense and exploitation purposes — a new way to really scale those options for decision-makers. Whatever the expected outcome is, for better intelligence collection or other types of purposes, it really opens up the opportunity space.
What I think remains the same is that success in cyberspace generally has come down to a race — a race from when the offense or the exploiters know about a problem and how fast they can get at it, compared to how fast the defenders can identify, fix, and then disseminate the fix as broadly as possible. So part of the answer is: if you’ve got the offense, you’re the only one, and defense doesn’t know, it’s pretty open season.
Ben Buchanan: I know Michael agrees with this, but Rob Joyce, who was the head of what was then called Tailored Access Operations — the pointier part of NSA — gave this talk at USENIX in 2016, which I actually used as the basis for a paper in 2019 or 2020 when I was starting the cyber-AI project. The basis of the talk is walking through the steps of offensive cyber operations. This is the first time someone from NSA is out there saying, essentially, how NSA at a conceptual level goes about its business.
The conclusion we came to in 2019 and 2020 was that at least theoretically, at each step of that offensive operation process, AI could help. Now I think with something like Mythos, that conclusion is just far more robust. We saw the glimmers of it in 2019 and 2020, but Mythos is really doing it — not just in vulnerability discovery, though that’s a key part of it, but throughout the process. There’s something in the system card for Mythos where it carried out a simulated network exploitation that would have taken a human 10 hours. So there really is evidence now that what cyber operators call the kill chain can be transformed by AI capabilities.
Now, a separate question for Michael is, of course — will the governments be able to adapt? That’s a whole other thing. But as a technical matter, it seems to me we’ve crossed that Rubicon.
Russia, Ukraine, and the Offense-Defense Balance
Jordan Schneider: Let’s talk about the status quo ante. Russia-Ukraine is maybe the best analogy, because that’s the conflict where we’ve presumably had the most no-holds-barred cyber going on between two countries in a hot conflict. When you’re ranking the things determining battlefield progress or morale, cyber is pretty low on the list. Michael, is your sense that these two countries are equally sophisticated and the technology leads you to fight yourself to a standstill? Is a Ukraine with Mythos today performing radically differently if Russia doesn’t have it?
Michael Sulmeyer: It’s a really good hypothetical. I think it could give Ukraine the advantage. I also really like how you distinguished cyber operations from electronic warfare, which is a common conflation. You see a lot of battlefield use of EW, which has had important battlefield effects. You’ve seen much less of the cyber-attack-type work. It was the opening shot of the conflict in some sense, with the Viasat compromise, but it wasn’t really exploited and leveraged.
I’d say you’re probably still seeing a lot of cyber intrusions — I’ve been out of the business for a while — but that’s different from creating destructive or disruptive effects that would degrade and disrupt morale. We shouldn’t think that there isn’t a lot of aggressive, malicious cyber activity going on between Russia and Ukraine right now.
Ben Buchanan: It seems to me that if you had something like Claude Mythos as a state, you would probably want to use it for your intelligence operations or your pre-positioning, because you are almost by definition going to find vulnerabilities no one else knows of with this system. And you don’t want to make a lot of noise about that. You want to go in, set up a persistent, quiet presence. My view for decades has been that the advantage of cyber is not the whiz-bang sky-is-falling blackout — though you can do that sometimes — it is the slow, insidious shaping of the environment and collection of information. A capability to find vulnerabilities and exploit them autonomously would really help on that side of the ledger.
Michael Sulmeyer: Can I ask Ben a question on something he just said? You mentioned shaping, and you have a great piece from many years ago where you questioned in a lot of ways the difference between signaling and shaping. I think the answer is pretty clear on how well Mythos would help with shaping. Does it help the ability to signal through cyberspace at all, for the crowd that’s obsessed with deterrence?
Ben Buchanan: The backstory here, as Michael alluded to, is my pitch back when I was a cyber academic — even before the White House — was that cyber operations were suited to shaping: stealing a card, stacking the deck, rather than changing how the other side plays its hand. I don’t think Mythos changes that.
The broadest thing you could say about a capability like this is, in the abstract, it has some brandishing value or maybe even deterrent value because it bolsters the status of the nation that has it. But I imagine a government who truly wanted to play offense would want this kept quiet so that people don’t go looking for it. Anthropic has very clearly come out and said their goal for this technology is not to play offense — their goal is to tilt the balance of power in cyber operations to the defender. Michael mentioned Project Glasswing, where Anthropic is trying to give access to some critical software developers — Apple, Google, and the like — to make sure systems are secure before a Mythos-like capability proliferates.
The bottom line for me is this is incredibly important for understanding the landscape of modern cyber operations, but it does not fundamentally change their character, which I think is still one of shaping rather than signaling.
Project Glasswing and the Proliferation Clock
Jordan Schneider: How messy is this going to get? You brought up Project Glasswing — basically, the idea is let’s give this to the adults first and let them play with it for an undetermined amount of time. There were about 40 companies, and a pretty awkward line in the press release saying they’re open to partnering with federal, local, and state governments. TBD on that one.
At some point, the past five years of model development have shown that this is not something that only one company with a certain view about how this capability should be rolled out is going to keep under wraps. What happens when someone else who’s not only giving this to folks who want to patch up holes gets access to this technology? That could be someone training a new model, someone releasing this in the US, someone releasing this in China, or someone hacking Anthropic’s servers.
Ben Buchanan: I buy the premise here. Anthropic says it in their press release — this is going to get out there at some point because folks will catch up. Let’s not overstate that though, which is to say it appears by all accounts that Mythos had a huge compute requirement. I’m sure we’ll get to export controls at some point, Jordan, because you and I always do. This is not the kind of thing that you could just train out of the box without a lot of computing power. Things like export controls will constrain who has access to this level of capability for a while. How long? I’m not sure, honestly.
Michael Sulmeyer: I do think there’ll be a transition period. And I do think Anthropic’s model of the situation is right — that we want to, during that transition period, patch as much stuff as we can, find the vulnerabilities and patch as much as we can. The consortium, the Glasswing thing, I think is pretty interesting because you have like 12 named members and then a broader group of companies, many of which are fierce competitors, all coming together and saying this is a systemic threat and we have to get ahead of it. That’s exactly the kind of response we need in a transition period. Because to your question, Jordan, we don’t know how much time we have. It’s probably not a ton, even though I think it’s more than some people expect.
Ben Buchanan: What I also take away from it — there is a bureaucratic process which I’m sure every single listener is well aware of, Jordan. After the Snowden disclosures, there was a study and report done, and they recommended the White House create what was called a vulnerabilities equities process: what should the government do when it discovers a vulnerability in software, and how does it make the cybersecurity trade-off versus the exploitation or offense trade-off?
What you have through Glasswing is, I think, one of the first efforts by a private-sector company that has developed a capability that finds these vulnerabilities to figure out its own almost multinational vulnerability equities process. It’s a remarkable effort to manage those equities and do it in a responsible way. It’s tough in government, and I think it’s going to be real tough outside in the private sector to do it too.
Jordan Schneider: Let’s talk about that. That whole government process has had some ups and downs. And now we have the private-sector version of it, because this White House is fighting with Anthropic and maybe just didn’t quite believe that this transformative capability was right around the corner. Michael, let’s talk about the pluses and downsides of the federal government seemingly taking a backseat for now.
Michael Sulmeyer: A vulnerabilities equities process in government really works well, and I’m a big supporter of it, when there’s a commitment to action and actually fixing with urgency the problem that’s pointed out. Where it doesn’t work and where it feels disappointing is when you go through the whole effort to do the right thing, make sure you warn the company that’s got a problem, and it doesn’t feel like the urgency is there to fix it.
Jordan Schneider: Urgency on the part of the vendor?
Michael Sulmeyer: Yeah, the vendor. You’ve handed them the understanding of what they’ve got to do to fix it, but now they’ve got to go fix it, and they’ve got to do it quickly. They can’t just sit on it.
A great thing you’ve seen in Glasswing is Anthropic saying they’re going to come back in 90 days showing which vulnerabilities have been fixed. That’ll be a good test of the urgency on pickup by all the partners, and also a way to improve the process going forward.
The Patching Nightmare
Michael Sulmeyer: I do think this is an important point — historically, sometimes even once the patch was issued, people wouldn’t apply it for a long time, or the company would know the vulnerability and take its time issuing the patch. The whole process from discovery of the bug to development of the patch to deployment of the patch — that’s going to have to go so much faster in a post-Mythos era, because stuff like this will proliferate and folks will be looking for these things and maybe they can reverse-engineer patches. The IT industry and the backbone of critical infrastructure is going to have to level up in speed because of Mythos.
That probably is a harbinger of what’s going to come in AI — that where we have the things for societal resilience, we’re going to have to get more resilient faster for individual cycles because AI is going to accelerate the offensive side of the ball.
I would also note — on a good day at a software company where you’re talking about a vulnerability found in actively supported software where the developers are still employed, it’s still difficult. Now you also have to factor in the situation where you find a vulnerability in software where all the people who wrote it are gone, and the company said, “We stopped supporting this thing years ago.” Just thinking about how you’re going to manage the scale of vulnerabilities that’s going to come through here in the near term across software — whoa.
Ben Buchanan: There’s a flavor of that in critical infrastructure as well. Even if the critical infrastructure companies are still in business or the software providers are still in business — you tell me, it’s closer to your world than mine — but my understanding is that is a messy set of systems to patch. It is not meant to take critical infrastructure down every week or every two weeks to apply a software update. Sometimes the uptime is measured in months or years.
So if one of the effects of this new world is that AI systems find vulnerabilities in critical infrastructure software with a much higher cadence, that’s going to be its own complexity. And of course, the consequences of failure are pretty high there.
Michael Sulmeyer: Right now, you use Chrome, and the smart people at Chrome force Chrome to reboot to apply the patch after a certain number of days. Apple figured out that if you get people new emojis, they’ll update their iOS and get some good security vegetables with it.
Ben Buchanan: There’s a whole swath of software and associated hardware that is not subject to that kind of patch cycle. If a vulnerability is found there, it’s going to be a real problem. We thought a lot of software was secure, but then again, we thought some of the software that Mythos found vulnerabilities in was secure as well. And clearly it wasn’t.
Offense vs. Defense in the Mythos Era
Jordan Schneider: So what does Mythos tell us about the offense-versus-defense dynamic with accelerating cyber capabilities? The hope is, all right, well, maybe I don’t have to hire these software engineers back. I can just press a button.
Ben Buchanan: I think in the near term, putting Anthropic’s efforts to benefit the defensive side — if Mythos were just dropped in the world for anyone to use, a capability like this would clearly benefit the offense. And I think Michael should talk about some of the ways in which it can benefit the offense at each step of the kill chain.
Michael Sulmeyer: My hope is that we can get through some kind of transition period in which it benefits the offense, mitigate that as much as possible by differentially privileging defenders, and then we end up in a world — I don’t know how long this is going to take — where new code is secure, Mythos has found most of the vulnerabilities that are out there, and we have patched those.
The counter-argument, which is a pretty compelling one, and which is why this is a hope and not necessarily a prediction, is as Michael said, some companies don’t exist and their software is not going to get patched even if a patch was developed, just because there won’t be anyone to push it out. Critical infrastructure is harder. In the long run, it’s going to be messier, but you can tell yourself a good-news story here if society can use this technology to its fullest extent.
Michael Sulmeyer: I’m skeptical we’re going to be able to manage it, but that’s the good-news story. You can’t give up. Glasswing is the best way at scale to give defenders a fighting chance. I cannot think of a different or better way to deal with it, but that doesn’t mean there aren’t still structural issues that are going to make uptake more challenging, especially with critical infrastructure.
Ben mentioned some parts on the offense. If you think about that old Rob Joyce / Ben Buchanan framework of what the offense kill chain is — from reconnaissance to gaining initial access into a system, to persisting in that system, lateral movement to get where you want to go, and then finally generating an effect — those are the five parts of what Rob Joyce talked about and what Ben wrote about as well.
AI, even without Mythos, probably helps you along each one of those. If you wanted to say which one it helps the most and which one the least — there’s an argument that AI would help you with persisting really quite a bit in novel ways, because once you’ve broken in, you have to make sure you don’t get caught. Finding ways to blend in with what normal looks like within a system and to adapt on the fly — that’s pretty cool if you can do that, and it’s a hard thing to do remotely for humans. Probably the one that may not benefit the most — still benefit, but maybe not like persistence — might be effect. There are still ways to improve how you extract data, but you’re still extracting information. You might do it in more creative ways or extract more in a shorter amount of time, but I’m not sure that’s where you’ll see the step change on offense from AI.
Ben Buchanan: There is an interesting notion here. If you look at the most powerful cyber attacks historically — and here I’m saying attacks very deliberately as opposed to espionage — there is already, before we even get to the machine-learning era, an automated component. And it’s that automation that gives it scale.
Whoever attacked the Iranian centrifuges in Stuxnet — that clearly has an automated component that lets it spread from system to system. If you flash forward to 2017, the WannaCry attack from North Korea — not clear it was meant to be an attack, but was an attack — had automated propagation. The Russian attack NotPetya in 2017, probably still on a dollar-value basis the most damaging destructive cyber attack in history, probably more than $10 billion worth of damage, clearly very automated.
So there is an intuition we can develop in which automation in cyber operations, even before the machine-learning era, can yield the power that manual operations can’t. And there have been some near misses. One of the most overlooked cyber attacks in history was the Russian blackout in Ukraine in 2016, a case called Crash Override. The Russians, for context, had been in Ukraine in 2015 — December 2015, they caused a blackout, very manual, this beautiful symphony of all these different pieces of the operation coming in at once, but totally manual. A year later, the Russians come back, they try it again with Crash Override, but in a totally automated way. Maybe the Russians being the Russians, they screw it up — the effects were not world-changing, power’s out for an hour or something.
But one of the questions that came to my mind when I started seeing the cyber capabilities of Mythos is, how would this work in targeting critical infrastructure? Could this actually manipulate a programmable logic controller or industrial control system in a way that has a kinetic effect, in the way that the Russians tried and failed to do? The answer might be yes. Or if this one can’t, the next one can.
I do think there’s an element in which the automation of the kill chain yields more overall power for the attacker. On the flip side, though, for defense — put aside AI. There are things we’ve known for years that you could do to frustrate efforts like that. Air-gapping an OT network from an IT network, for example. That doesn’t take AI to do on defense.
Michael Sulmeyer: It doesn’t necessarily take AI to exploit it. But the fact is that kind of foundational step isn’t done nearly enough. It isn’t implemented nearly enough. I wouldn’t want to lose the point that foundational cybersecurity measures — just doing what we know works — doesn’t go away just because of Mythos. You should still, maybe all the more reason, urgently do what you know you probably should have done a while ago, because that will help you. It may not totally protect you — it was never going to totally protect you — but it will make a model’s life harder to jump an air gap at a critical infrastructure system.
I totally agree with that. Basically where we’re both landing is Mythos is a game-changer for cyber operations in that it’s going to change how sides play the game, but it’s still the same game, and the core tenets of what works in cybersecurity — I think those are going to hold for a while. One of the chief ones is the defender has this huge advantage that so few defenders actually realize and claim for themselves: they set the terrain. They get to decide where the operations are going to take place within their network in terms of protecting the boundaries and air-gapping.
I’m optimistic that Mythos can, in the right hands, aid defenders by making those networks more secure, by finding the configuration errors before the attackers do and remediating those.
I’ve seen it work really well, unfortunately, only after the organization has been had. Once you get nailed, then you find that it turns out you could just air-gap these two networks, or you could implement these kinds of changes. You could have done it before, but now you’ve got the urgency, now you’ve got the resources. Even though all the evidence in the world said that was the thing to do, you needed to be attacked first to be convinced. And I hope we can get over that hump.
A bunch of American banks — JP Morgan in 2012 got a lot of Iranian incoming, DDoS and intrusion stuff. That was one of the seminal moments for the financial sector. You talk to them five years later — how did you guys get serious about this? They recognized a very clear business case with credibility, and they felt the incoming in 2012. They were lucky that those were not extremely destructive attacks, but it was a galvanizing moment for the industry.
Michael Sulmeyer: What Anthropic would say, and certainly what I would say, is Mythos should be a galvanizing moment for every industry. A reminder that now the clock is really ticking before the offensive side of the ball levels up in cyber, and defense has to get there first.
On those Iranian DDoS attacks, what I think is also really important to note is that those institutions — whether they knew it or not at the C-suite level — at the CIO level, I think knew they could have worked with and been under Akamai’s protection to have resisted that kind of activity anyway. They just hadn’t wanted to do that. It was all totally preventable. They just, again, needed to unfortunately go through it. Not to pick on them, because it’s hard to adjust — I get it — but that just furthers the point. They know what to do. We can give Jordan his show back here.
Jordan Schneider: No, this is amazing. Thank you, guys.
Ransomware, Voidlink, and the Non-State Threat
Jordan Schneider: There were some really interesting lines in the red-team report by outside cybersecurity experts that were almost like an emotional plea, saying: we’re in for it, strap in, this is going to be really messy and really painful. Ben, you mentioned the $10 billion of damage from a Russian cyber attack that went awry. I’ve been asking ChatGPT for ransomware and cyber-extortion numbers, which seem really low — in the tens of millions or like $120 million in 2025.
Ben Buchanan: I’d have to imagine it’s more than that globally, in the aggregate.
Jordan Schneider: That seems like it’s going to change. How much more mischief can you get up to if your goal isn’t just finding schematics for fighter jets or poking around systems like China has been reported as doing over the past few years, but really just messing things up — in a “don’t care what happens” way, or in an “I want to extract enormous amounts of money from desperate organizations” way?
Ben Buchanan: There’s no doubt that a capability like this in the wrong hands would allow a lot of that. It’s hard to put a dollar figure on it, but you could probably do billions of dollars of damage if you were going no-holds-barred or if enough groups had access to it.
An interesting case — I think from maybe January or February of ‘26 — is a case called Voidlink, where it was a ransomware group and the defenders teased apart the code and realized the code itself had been all written by, I think, Claude — one of the AI systems. Rather than a bigger ransomware operation, it was just a small number of people, maybe even one person, that had essentially vibe-coded a ransomware operation and was carrying it out. Even before Mythos, this was a capability that was coming online.
In some sense, I think we, society, crossed the Rubicon with Opus 4.6 in January or February, when Anthropic found 500 high-severity vulnerabilities. They weren’t as big a deal as what Mythos found, but it wouldn’t surprise me if we look back with the benefit of hindsight and say that’s when the exponential really started to take off, and Voidlink was in the mix for that, showing how non-state actors could pick that up.
We’ve become, rightly so for a lot of reasons, very focused on China as the peer competitor. But what happens when Russia or China gets their hands on something like this? For Ukraine, sure, the Russians are going to use it to bully and harass and attack them. But more broadly, it’s a really compelling espionage tool, which means you don’t use it to screw things up and make yourself known.
However, in focusing on great-power competition, we’ve as a result put counterterrorism on a deprioritized basis. In some sense, it was the fifth priority: China, Russia, Iran, North Korea, terrorists. The goal was keep number five as number five. The challenge is that the terrorists have all the incentive in the world to screw things up and make things be very disruptive.
Jordan Schneider: And you’re rounding down — or cartels or the Houthis. It’s a pretty broad group of non-state actors. And even North Korea. This is their game, right? Just trying to make money off cyber hacks.
Ben Buchanan: Scamming, yes, for sure. Beating the sanctions. I would distinguish the scamming and financial exploitation from more destructive and disruptive things that I think terrorists and probably cartels would have more reason to do than North Korea would. They’d want to use it for their own purposes, which is more about scamming the system.
The Next Turn of the Crank
Jordan Schneider: What does the next step of the exponential look like in six or nine months?
Ben Buchanan: I have to assume — it’s almost an article of faith at this point — there are vulnerabilities out there that Mythos does not find, cannot find, and that a better system would find. I doubt we’re at the ceiling of AI cyber capabilities. We’ve saturated every benchmark. Anthropic has reported it’s very hard to measure Mythos’s capabilities because it aces every single test or close to it. But I have to assume there’s a little more headroom, maybe a lot more.
One way to think about it — this is not original to me — is that all of the vulnerabilities Mythos finds are vulnerabilities that are immediately legible to a human once explained. Some are very clever, to be sure, but there’s not a lot of doubt about them. It is sometimes the case that a human historically could find a whole new class of vulnerabilities, where it’s a weakness that shows up again and again because we didn’t recognize it was a weakness. At first it looks alien, then once it explains it, it makes a lot of sense. Maybe the next generation starts finding more of these vulnerabilities that are less intuitive to us.
Michael Sulmeyer: From a cyber and AI development standpoint, that’s absolutely right. When you step back — how do most citizens look at or relate to this technology? I think most of the citizenry looks at it and says, “Why do I keep getting these preposterous phone calls asking me for my credit card number, or some prince in Krablokistan is offering me $5,000?”
It’s very possible that at that level, they don’t perceive much of a change. Those who get their hands on Mythos and want to cause abuse may have bigger fish to fry, but the ransomware gangs and the scammers keep at it. And on defense, we don’t look at stopping the scammers that hit vulnerable populations like senior citizens. So I think there’s a big segment of the population whose life is still being severely irritated by cyber scammers one way or the other.
That’s where we get to the defensive side of the ball — where can we use Mythos to raise the bar for what it takes for an attacker or scammer or spy to achieve their objective? Frankly, I think it’s an open question. The Glasswing thing is a really noble undertaking, and I commend everyone involved, but the press release is not the point. The point is, if we sit here in six months, have they patched 10,000 or however many high-severity vulnerabilities in the collective ecosystem, and has that actually had the effect of meaningfully raising the bar for intruders? That’s a very open question. That would stave off a crisis, but may not have any real impact on senior citizens.
Ben Buchanan: If the phones aren’t secure, then it doesn’t matter.
Jordan Schneider: Speaking of senior citizens, we’ve had all these hospital ransomware things over the past few years. If NYU Langone every two weeks is getting another “pay us $500 million or we’re going to delete your entire system,” then this is a very real thing. Cyber extortion was a sexy news story and a few school systems and hospitals got screwed up, but this was not a society-shattering trend over the past 10 or 15 years — in the way that once you have this proliferated, it may end up being.
Ben, you mentioned this idea of new classes of exploits, things that aren’t legible to human beings. Is there a theoretical limit? Is it possible to be sure that code is secure? I guess the answer is no, right?
Ben Buchanan: No, the answer is actually yes. There’s a branch of computer science called formal methods, which essentially gives a mathematical guarantee, a provable guarantee that a particular piece of code is secure. Now, right now we cannot do very much with formal methods — they’re fairly limited. But I can imagine we are sitting here in five years, 10 years, who knows, maybe given AI acceleration even less time, and we’re shipping secure code because we have used formal methods and AI can help with that. That is a possible end state. That’s a very desirable end state that I would love to get to. We are nowhere near that right now, but at the mathematical limit, it leads us to formal methods.
Norms, Bio, and What Comes Next
Jordan Schneider: It’s interesting that the most dramatic AI national-security application — well, I guess targeting is kind of TBD — is cyber, which is a space where it’s kind of no-holds-barred sitting here in 2026. Whereas if it was something around bioweapons or chemical weapons, maybe because there was already a global norm that this stuff isn’t cool, there might have been a richer path to have an international dialogue on potentially not exploring this tech tree. Given that the big one is coming in cyber first with AI, what other thoughts or implications do you have?
Ben Buchanan: I think we are very fortunate that cyber is coming first. I think we should use cyber as a lesson for what is coming next at the intersection of AI and other fields. Bio will not be far behind. At some point we will have a Mythos moment for bio. I’m not smart enough as a biologist to know what that looks like, but I’m confident that is the direction of travel. Maybe the norms save us — I kind of doubt it, especially when it comes to non-state groups, but who knows.
One lesson we should take away from Mythos is not “wow, this means AI is really good at cyber” — it’s that AI is really good. This is a general-purpose system that happens to be good at cyber. If you read the Anthropic system card for Mythos, it’s also really good at bio. I imagine the next version is going to be even better. There’s been a lot of debate for the last five years about how good AI systems are going to be. Obviously folks like me have argued for a very long time that they’re going to be very good, faster than people think. I’m biased here, but this feels like a pretty big piece of evidence that should update us towards taking AI risks seriously — in cyber, yes, but also in things like bio, because those are not going to be far behind.
Michael Sulmeyer: You mentioned norms, and the cyber community had a multi-decade effort to try to figure out what kind of international normative commitments could be made among countries about peacetime behavior. That was a noble effort. But I remember some Israeli colleagues telling me at one point, 10 years ago, “You missed the boat on starting a normative effort. You want to start the effort when you have enough of an advantage that the other side doesn’t quite see it yet, so you can get everybody to commit to maybe tying half a hand behind their back because people don’t quite see it as so detrimental to their own self-interest. You start too late, everybody’s so invested in trying to use the technology to pursue their objectives — it’s hard to get those kinds of commitments.”
A question I have — and I wish Joe Nye was still here to talk to about it — is: have we already missed that moment in AI? Not saying we should or shouldn’t be spending a ton of effort on a normative regime, just that if you’re asking about norms, that would be my question. Is it already a little too late?
Jordan Schneider: The thing with chemical weapons is they didn’t win you World War I. When it’s still kind of an open question, there’s a lot more excitement and incentive to explore the possibility space.
Ben Buchanan: It’s pretty clear to me the next wave to crash in terms of big societal national-security things is going to be bio. I hope people who are skeptics of AI look at Mythos and what it does for cyber and say, this should cause me to rethink my prior views when it comes to AI and bio.
Deepfakes, Persuasion, and the Information Ops Frontier
Jordan Schneider: Michael, at the very beginning of the show you alluded to the personal phishing-type cyber stuff. The last show I did with Ben, I tried to sell him on the US-China AI companion race and the potential implications — AI-powered case officers, recruiting spies, getting people to do things. AI being able to radically improve if you have a capability and people aren’t ready for it. Mythos doesn’t necessarily give you the video call with your mother — that’s probably the true frontier. But I’m curious for your general thoughts on how AI is going to ramp up that human-relationship-establishing side of convincing a soldier not to fight in a war, or someone to give you their secrets, or a country to revolt against their leadership.
Michael Sulmeyer: It’s a great way to talk about that nexus between cyber and information operations. If cyberspace is the delivery system — the way of getting to the information operations — then what does the message say? What does the content look like for the purpose of trying to convince you to not do something, or to do something?
You didn’t need Mythos to see how much more convincing deepfakes were becoming. And there’s an international-security dimension, but there’s also a very at-home dimension. Post-government, I’ve been helping K-through-12 school districts look at the kinds of new security threats and challenges they’re facing. Deepfakes of students against other students, by students against teachers — it’s scary how this is playing out because it’s so convincing. It’s very difficult to have a technological solution, to have AI figure out if that’s an AI-generated message. And so the opportunity for known human validation and follow-up requires a level of discipline and process that I’m not sure our institutions have really developed.
Ben Buchanan: It’s deepfakes for sure in the images and audio and video, but one of the really surprising things to me about AI — and I’m sure Mythos is good at this too, and frankly the whole class of systems including Google and OpenAI — is just how convincing they can be with text alone.
This was the last academic project I did before I went to the White House. At Georgetown, we used GPT-3 — before GPT-3 was released to the public, an early version — to see if it could persuade people on two political issues. One was, should the US be more aggressive towards China? The other was, should the US withdraw from Afghanistan? This was the summer of 2020. It could measurably, in a statistically significant way, write single-shot text messages that would change people’s minds. That was 2020. If you look at what’s happened since — a Nature study, a Stanford study — it’s pretty clear AI systems have only gotten better.
The one that’s so striking to me — I’m going to butcher some of the stats, but this is pretty close — is there’s a subreddit called Change My View, where people post an opinion and it awards points (I think they call them deltas) to folks who give compelling counter-arguments. Some researchers used an AI system in 2024–2025 to post on Change My View. I think it scored in the top 1% of earning these points and changing people’s minds.
We’ve strayed a little from cyber operations as narrowly defined, but it gets to the broader point: in a renewed competitive information environment, an AI system can be useful for a wide range of aspects of national competition — cyber operations on offense, cyber operations on defense, but also the adjacent category of information operations.
Closing: Bureaucratic Uptake and the Race Ahead
Jordan Schneider: Michael, you brought up information operations, which folks will debate, but I think have been somewhere between ineffective and national embarrassment over the past few decades. Maybe we can close on bureaucratic uptake for these tools. It may be hard to hire someone who speaks Tagalog well enough to push narratives into the Philippine political system. But if all you have to do is press a button, it starts to be a lot easier to do some of this. Aside from hardening systems, is there anything different from the slate of recommendations you were pushing during the Biden administration versus what you’d want to give the US government in a post-Mythos era?
Ben Buchanan: Jordan, you know this, but near and dear to my heart is building an American lead and a democratic lead in AI. This whole conversation we’ve had — the cyber dimensions and everything else — reaffirms the importance of doing that. Obviously, that’s an export-control conversation, a domestic-investment conversation, an infrastructure-buildout conversation. One of the things we tried very hard to do in the Biden administration was to ensure democratic preeminence in AI, in part because we had high conviction that things like Mythos were coming, that this technology would be useful for national security and geopolitical competition.
Frankly, I think a lot of folks — don’t take my word for it — if you look at what Dean Ball wrote, a former Trump administration advisor, when he left the government, he commented on basically how non-AGI-pilled his colleagues were, how they don’t believe in a world of very powerful AI systems. I’m hopeful that for them and for other people, things like Mythos and the broader development of AI capabilities can be a reminder that we really want America to lead in this technology. And it would be so much worse for the world if China had this. I doubt if China had this, they’d be giving it to defenders first and making a lot of noise about the need to patch systems. They’d be doing exactly the kind of espionage we’ve been talking about.
Jordan Schneider: It’s an interesting Jensen proof point, right? He’s been talking for years about how this stuff is entirely revolutionary but has been pretty quiet about it from a national-security perspective, saying they’ll be able to get all the chips they need, it’s not going to change the world when it comes to the sharp end of what governments want to do. And here’s another proof point against that. Michael, take us out. Any closing thoughts?
Michael Sulmeyer: You have to hope that the leaders of America’s war fighters know that this is a technology they have to adopt to really make sure that our offensive cyber operators maintain and extend a competitive advantage. As Ben said, this is important to win, and this is an important tool to extend that advantage for the nation in cyberspace.
A large debate that probably has not played out enough on defense is what kind of autonomy our leaders are comfortable with for a model to run for cyber defense on sensitive military networks. It doesn’t really work to have the model merely alert a human that there might be a problem. And yet you’d be right to have some caution about just turning the keys over to the model to say, “Hey, keep us safe.”
I worry that between the CIOs and these kinds of bureaucracies, the instinct is to maintain human accountability and not disrupt the business process. But increasingly viewing it as an operational matter, as a contested domain, where you have to put more weight on autonomy to defend faster — that’s where I worry there’s a really tough conversation coming, and there’s going to be risk that has to be taken to lean on AI to keep us safe.
Jordan Schneider: That was excellent. Thank you two so much for being a part of ChinaTalk. Is this WarTalk? It’s ChinaTalk. Is this ModelTalk? I’ve got so many verticals now, it’s horrible.
Ben Buchanan: Jordan, I told Michael that your show used to be called ChinaEconTalk. And then you dropped the econ and it became ChinaTalk. And now you do so much stuff on AI and other things — you’re just going to be Talk.
Jordan Schneider: We’re just Talk Talk. We’re Talk Talk.