Urgent Anthropic security meeting

On Tuesday, April 7, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell called top Wall Street bank chiefs to Washington for an urgent discussion about cyber risks tied to Anthropic’s newest model, according to people cited by Reuters and CBS News. The point was not a bad earnings quarter or a bank failure; it was a software model. (reuters.com) (cbsnews.com) The model is Anthropic’s Claude Mythos Preview, announced on April 7 with a restricted rollout instead of a public launch. Anthropic said it held the model back because it can find more serious software flaws and can help turn known bugs into working exploits. (anthropic.com 1) (anthropic.com 2) A software vulnerability is a hidden crack in code, like a door in a bank vault that looks locked but never fully latches. A zero-day vulnerability is the worst version of that problem, because the defender does not know the crack exists yet and has had zero days to patch it. (cisa.gov) (googleprojectzero.blogspot.com) Banks care because they run on old and new code at the same time: payment rails, trading systems, cloud software, mobile apps, and mountains of open-source components. One fast system that can scan for weak points across all of that changes the speed of the game for both defenders and attackers. (fsb.org) (nist.gov) Anthropic says Mythos Preview found “more, higher-severity bugs” than earlier tools and that more than 99% of the vulnerabilities it found were still unpatched when it wrote its technical note. That is why the company limited access instead of putting the model on a normal public application programming interface. (anthropic.com 1) (anthropic.com 2) Anthropic paired the launch with Project Glasswing, a defense program that gives early access to selected security teams, critical infrastructure operators, and more than 40 organizations that build important software. The company said it is committing up to $100 million in usage credits and $4 million in donations to open-source security groups. (anthropic.com 1) (anthropic.com 2) That helps explain why regulators treated this as a system problem instead of a vendor problem. Reuters reported that the meeting was about Anthropic’s model, but the concern at Treasury and the Federal Reserve was the broader risk from “similar models” that could automate cyberattacks against financial firms. (reuters.com) (finance.yahoo.com) This is also not the first official move around the model. CNBC reported that Anthropic had already been in conversations with the Cybersecurity and Infrastructure Security Agency and the Center for AI Standards and Innovation before the public announcement. (cnbc.com) (anthropic.com) The banking meeting spread beyond the United States within days. Bloomberg reported that the Bank of Canada and major Canadian banks held their own discussion on April 10 about the same Anthropic-related cyber risk after the U.S. meeting earlier that week. (bloomberg.com) (reuters.com) The unusual part is not just that officials worried about artificial intelligence in general. It is that the Treasury secretary and the Federal Reserve chair reportedly pulled in bank chiefs over one named model, days after that model’s release, because the fear was that machine-speed bug hunting could outrun bank patching and incident response. (reuters.com) (anthropic.com) If that becomes normal, bank regulation changes shape. Supervisors would no longer be looking only at whether a bank bought the right security software; they would also be looking at whether the whole financial system can keep up when frontier models can map digital weak spots faster than human teams can close them. (fsb.org) (nist.gov)