A Greek myth clouds Singapore’s blue sky AI ambitions

By Amit Roy Choudhury

The surge of AI-enabled cyberattack vectors could potentially threaten the tech advances made by Singapore unless adequate safeguards are put in place.

Anthropic’s latest AI model, Mythos, has spooked the global tech community with its unprecedented ability to sniff out network vulnerabilities that have never been detected before. The worry is that in the wrong hands it would become a tool for highly sophisticated intrusions into otherwise secure networks. Image: Canva.

The Singapore public sector has been laser-focused in embracing artificial intelligence (AI), with 80 per cent of the 150,000 public officers already using AI tools in their workplace, one of the world’s highest adoption rates. 

 

However, the biggest potential road bump to this blue-sky vision of an AI-enabled smart nation was Mythos, the Greek word for myth or mythology.  

 

Claude Mythos was Anthropic’s latest AI model, which has shown an unprecedented ability to both detect and exploit vulnerabilities across critical software systems.  

 

More on Mythos later. 

 

Coming back to Singapore’s AI ambition, the Singapore Prime Minister and Minister for Finance, Lawrence Wong, in 2024 during the launch of the country’s updated Smart Nation 2.0 policy, articulated the country's ambition. 

 

Known for being acutely aware of both its strengths and weaknesses, Singapore has identified the need for a pool of talented manpower well conversant with AI in order to realise its Smart Nation ambition.  

 

As a result, a major focus has been steps to augment AI talent in the nation. 

 

The government’s announcement that it plans to upskill 40,000 tech professionals by 2029 was the latest in a series of policy moves to dramatically increase the number of AI-enabled workers. 

 

This move complemented the earlier announced initiative to train 100,000 non-technology professionals to be AI-bilingual by 2029. 

 

The excitement about the possibilities that open with the widespread use of AI has been quite palpable, especially in the public sector.  

Developers sound the alarm 

 

Ironically, the companies that have been at the forefront of large language models (LLMs), which are the brains behind AI systems, have sounded the alarm on this path to AI Nirvana.  

 

They appear fearful of their own creation! 

 

A recent report by Google Threat Intelligence Group (GTIG) said that AI-powered hacking has gone from a nascent problem to an “industrial-scale threat”. 

 

Echoing the Google warning, Palo Alto Networks’ Chief Product and Technology Officer Lee Klarich has said organisations have a narrow three-to-five-month window “to outpace the adversary before AI-driven exploits start to become the new norm.” 

 

Most of these warnings can be traced to an unusual announcement by Anthropic in April. 

 

The company took the unprecedented step of issuing a public warning about Claude Mythos. 

 

Anthropic declared the model was “too powerful for public release due to its unprecedented ability to identify software vulnerabilities”, claiming that the model was able to find vulnerabilities in systems that had been overlooked by human reviews and security tests. 

 

In a blog post, Anthropic said the model was able to find, within a few minutes, vulnerabilities in systems that had been overlooked for more than 20 years. 

 

The company was scared enough to restrict access to the model to just 40 tech and security companies under Project Glasswing.  

 

The ostensible reason was to give these companies time to use Mythos to check on security vulnerabilities in existing networks and, in a best-case scenario, fix them as soon as possible before a public release. 

 

Unfortunately, software was like a genie in a bottle; once it came out, there was no putting it back in, and it has a notorious habit of leaking out into the wild.  

 

Experts were not talking about whether cyber criminals will get their hands on a version of Mythos; they were focussing on how soon this will happen.  

 

It was also only a matter of time before other AI models would catch up with Mythos.  

 

This explained the warnings issued by Google and Palo Alto Networks, among others. 

How prepared is Singapore? 

 

This brings us back to Singapore’s rapid embrace of AI, especially in the public sector. 

 

How prepared was the Republic to face this new wave of AI-driven cyberattacks, often orchestrated by state actors?  

 

The answer would be found only once an actual attack occurred, but the indications were that the government at the leadership and policy level was well aware of the threat posed by Mythos and its analogues.  

 

Earlier this month, speaking in Parliament, Singapore Senior Minister of State for Digital Development and Information, Tan Kiat How, acknowledged the dangers posed by Mythos in detecting previously undiscovered software vulnerabilities. 

 

Tan noted that while the government had yet to see fully autonomous AI agents conducting end-to-end campaigns, “it was a matter of time”.  

 

To allay fears, he emphasised that what Mythos represented should be seen as a "continuum" of developments rather than a sudden, singular event. 

 

On May 9, speaking at a public event, Coordinating Minister for National Security K. Shanmugam noted that cyber attackers were targeting Singapore by using AI to make attacks cheaper and faster.

 

He added that this was a serious issue, and operators of critical information infrastructure (CIIs) urgently needed to improve their defence preparedness. 

New rules and regulations 

 

On the operations front, a slew of rules, regulations and advisories have been issued to protect systems that used AI, even before Mythos came on the scene. 

 

Early this year, the Infocomm Media Development Authority (IMDA) of Singapore launched the Model AI Governance Framework for Agentic AI (MGF).  

 

This was the world’s first governance framework specifically designed for AI agents capable of autonomous planning, reasoning and action.  

 

The policy focussed on ensuring that the risks were assessed upfront and that there would be a human in the loop while implementing technical controls and processes. It also enabled end-user responsibility. 

 

The MGF has built on earlier governance instruments for traditional AI and generative AI (GenAI) policies to address novel risks arising from the autonomous agentic AI bots. 

 

Apart from this, the Cyber Security Agency of Singapore (CSA) has released discussion papers and addendums specifically focused on securing agentic AI systems, providing practical guidance on mapping workflows and applying controls across the entire AI lifecycle. 

 

The Singapore government has also been investing in AI-powered tools for active vulnerability and patch testing.  

 

This included in-house capability building and partnerships to adapt global tools for detecting, triaging, and responding to threats at "machine speed". 

 

All these developments showed that the government was aware of the risks of AI.  

Network strong as weakest link 

 

Being aware of the risks is half the job done. Being able to prevent attacks was the other and more important half. 

 

This is where things start to get uncertain. In cybersecurity, a network’s strength was decided by its most vulnerable point.  

 

And that vulnerable point was the end-user. Most breaches in cybersecurity occur due to actions taken by humans.

 

This was important because as the country rushed towards training more professionals in the use of AI, the focus should also be on making them aware of the risks.  

 

The glamour of AI and autonomous bots should not hide the potential dangers.  

 

The ultimate success of Singapore’s pivot into an AI-first nation would depend not just on developing an AI-savvy workforce; it would depend on a workforce aware of both the advantages and dangers of AI.

 

This required mandatory training on cyber hygiene and on how to defend in case of an attack. Cybersecurity was always important, but in the new age of AI it has become a major imperative. 

 

The country’s Smart Nation 2.0 journey hinged on developing this awareness.