Five Eyes Joint Statement: AI Dramatically Shifting Cyber Risk
Cybersecurity agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States issued a joint call to action on Monday, warning that artificial intelligence (AI) is a powerful weapon for cyber attackers and urging defenders to act urgently. The statement, released by the heads of the Five Eyes intelligence alliance's national cybersecurity bodies, emphasizes that AI is enabling adversaries to carry out more sophisticated attacks at unprecedented speed.
One key concern is automated vulnerability discovery and exploitation. AI allows attackers to find software flaws orders of magnitude faster and develop exploits more quickly, dramatically shrinking the window between a vulnerability's discovery and its exploitation. The statement notes that defenders can no longer afford to wait weeks before deploying software patches.
Cyber Fundamentals Crucial Before Adopting AI
The Five Eyes report stresses that cyber fundamentals are crucial and encourages organizations to use AI to boost defenses—but only after investing in basic cybersecurity practices. "Deploying AI without first investing in cybersecurity basics would be a mistake," the report states. Defenders who will weather the AI storm are those with mature practices: they know their assets, which systems are exposed, what defenses are in place, and how to measure effectiveness. They also use evidence-based processes for tracking vulnerabilities and prioritizing patches, backed by reliable processes for rapid testing and incident response.
"When AI makes finding software vulnerabilities cheap, the next generation of software needs to be engineered to be secure by construction," said a cybersecurity researcher involved in the report. "Before reaching for AI, defenders should first invest in their fundamentals. Otherwise, they are effectively deploying a robot guard dog to defend an unlocked door."
AI's Dual Role: Attack and Defense
AI benefits both attackers and defenders. Models that help attackers find vulnerabilities can also help defenders fix them. AI that automatically exploits vulnerabilities is useful for confirming that patches are correctly applied. AI that maps sensitive assets within a network serves both offensive and defensive purposes. The report underscores the importance of defenders having access to AI capabilities to harden systems before adversaries exploit them.
The statement comes just over a week after the US government pressured frontier AI provider Anthropic to block access to its most advanced models, Mythos and Fable, over fears they could be misused by foreign adversaries to attack US government systems.
Regulatory Challenges and Historical Parallels
Balancing the benefits and risks of new cybersecurity technology is not new. In the 1990s, encryption regulation debates arose; in the 2000s, cyber exploit kits enabled both defenders and "script kiddie" hackers; and the 2010s saw blockchain technologies like Bitcoin, which, despite defensive origins, fueled ransomware and illicit markets. AI presents a similar dilemma. The report warns that a blanket export ban on advanced AI models is likely counterproductive, as open-source models like DeepSeek lag only months behind the most advanced ones. Recent research suggests that pairing less powerful AI with complementary technologies can close much of the gap. "Defenders should assume their adversaries already have access to AI on par with that used for cyber defence," the report concludes. "Only by investing in strong foundations can they hope to escape the cat-and-mouse AI cyber arms race."
