
Cybersecurity agencies of Australia, Canada, New Zealand, the United Kingdom and the United States issued a call to action on Monday for cyber defenders. The message was clear: artificial intelligence (AI) is a powerful weapon for cyber attackers; defenders must act urgently to improve their cyber defences.
There is much hype and uncertainty surrounding AI and cybersecurity right now. This latest statement comes a little over a week after the US government caused frontier AI provider Anthropic to block access to Mythos and Fable, its most advanced AI technology, over fears they might be misused by foreign adversaries to attack US government systems.
In this torrid environment, it’s important for cyber defenders to look past the noise and prioritise what is truly important in protecting their systems.
A call to arms
The joint statement was issued by the heads of the national cybersecurity agencies of the Five Eyes. It warns that AI is dramatically shifting cyber risk and spells out how defenders must act to secure their organisations.
It notes how powerful AI is already helping adversaries carry out more sophisticated attacks more quickly.
One way this is happening is through automated vulnerability discovery and exploitation. No software is perfect. Adversaries leverage subtle design or implementation flaws in a system’s software to break into that system. They then take control of it and use it as a staging ground to launch further attacks.
This is why it’s so important for cyber defenders to keep up to date with deploying software patches. These are small modifications to system software that close off known vulnerabilities.
AI is enabling adversaries to find flaws orders of magnitude faster, as well as to work out how to exploit those flaws to carry out attacks.
For this reason, the Five Eyes statement warns that AI is dramatically shrinking the time between when a vulnerability is first discovered and when it is first exploited in an attack. Defenders can no longer afford to wait weeks before deploying software patches.
What can defenders do?
The Five Eyes report notes cyber fundamentals are crucial and encourages organisations to use AI to boost defences. But deploying AI without first investing in cybersecurity basics would be a mistake.
The cyber defenders who will be able to weather the AI storm will be those who already have mature practices. They know exactly what assets they need to protect, which systems in their organisation are exposed to attack, and what defences are in place to protect exposed systems. They also know to measure defence effectiveness and determine where defences are missing.
They also use evidence-based processes for tracking known vulnerabilities in their systems and prioritising which are most important to patch. These are backed up by reliable processes for rapidly testing and rolling out software patches, as well as for responding to cyber breaches and incidents.
When AI makes finding software vulnerabilities cheap, the next generation of software needs to be engineered to be secure by construction.
Working out the best methods to do this is what I have devoted my research career to.
Before reaching for AI, defenders should first invest in their fundamentals. Otherwise, they are effectively deploying a robot guard dog to defend an unlocked door.
The role for AI in cyber defence
This doesn’t mean AI can’t play an important role for cyber defence – just that it should augment rather than replace strong cyber fundamentals.
AI benefits attackers and defenders alike. An AI model that can help attackers find software vulnerabilities can also help defenders fix those same vulnerabilities.
AI that can automatically exploit software vulnerabilities is just as useful to defenders in helping them to confirm their software has been correctly patched. AI that can map and discover sensitive assets within a computer network is useful for both offensive and defensive purposes.
This is why it’s so important that defenders have access to AI capabilities, so they can be leveraged to harden and protect systems before that same AI is used to attack them.
Can regulation help?
Working out how to balance the competing benefits and risks of new cybersecurity technology is nothing new.
In the 1990s, society grappled with how to regulate the encryption that protects online communication from adversaries but also allows them to avoid law enforcement.
In the 2000s, the rise of cyber exploit kits allowed defenders to better test their systems but also enabled any disaffected teenager with an internet connection to become a “script kiddie” hacker, leading to arms control debates a decade later.
The 2010s gave us blockchain technologies such as Bitcoin and other cryptocurrencies, which were built on defensive cyber technologies but whose lasting legacy remains the rise of ransomware attacks and online illicit marketplaces.
The rise of AI presents a similar dilemma for regulators.
A blanket export ban on advanced AI models is likely to be counterproductive. Open-source AI models such as DeepSeek lag only months behind the most advanced models of OpenAI and Anthropic. Recent research suggests that much of that gap can be closed by pairing less powerful AI models with complementary technologies.
Defenders should therefore assume their adversaries already have access to AI on par with that used for cyber defence. Only by investing in strong foundations can they hope to escape the cat-and-mouse AI cyber arms race.