EXCLUSIVE: “Meeting the Challenge of Mythos” – Monica Sasso, Red Hat in ‘The Fintech Magazine’

2026/06/12 18:28

Any tool that prompts the IMF to schedule a security debate has to be a serious threat, right? So how can organisations ensure they know their weak spots? Red Hat says it’s time for a new plan

When claims about the capability of Anthropic’s new tool, Claude Mythos, and particularly its hacking prowess, were revealed in early April, it just served to underline the cybersecurity challenge presented by AI. By ripping through legacy code, the latest model appeared to have found unseen weaknesses – including a decades-old vulnerability in the open-source Linux kernel.

The risks posed to systems if hackers got mainstream access to Claude Mythos – which they inevitably will – were clearly significant. So, Project Glasswing was launched, whereby a preview version of the model was released to major tech firms for further investigation. Among them were Amazon Web Services, Apple, Microsoft and Google, and chip-makers Nvidia and Broadcom.

The developer also offered to work with the US government. The world’s finance ministers are so concerned that an International Monetary Fund (IMF) meeting in Washington DC in April set aside time to discuss it. Whether we’re on the brink of a cybersecurity apocalypse remains unknown, and we’ve heard about AI ‘inflection points’ before. But Claude Mythos has at the very least lowered barriers to entry on both sides – for hackers and legitimate bug research – says software firm Red Hat.

It argues that the only sensible course of action for businesses now is to plan for an IT security failure, whatever and whoever prompts it. Monica Sasso, Digital Transformation Lead for Red Hat’s global financial services team, believes the industry is now so interconnected that it cannot prevent failures.

“So plan for them and practise for when the proverbial hits the fan. Practise with your third parties, your fourth parties, your fifth parties.”

Red Hat, an IBM subsidiary, develops open-source software for enterprises and offers subscriptions for support, training and integration services. Known for its operating system, Red Hat Enterprise Linux, the firm was quick to assess the five vulnerabilities unearthed by Claude Mythos. The findings are spelled out in a Red Hat blog, Navigating The Mythos-haunted World Of Platform Security, which concludes the dangers posed range from benign to manageable. While that’s reassuring, the business does expect AI to ‘exponentially accelerate’ the discovery of flaws in the foundations of the software supply chain.

“When paired with the malicious use of AI models, especially powerful frontier models like Mythos, bad actors can now find previously unknown flaws and exploit them. All this seems disastrous, but only if we, as an industry, try to hide from it or minimise these capabilities,” it said.

Red Hat defends against cyber attacks with constant code curation – the team itself using AI – to identify weaknesses, and uses a triage system so that potentially exploitable vulnerabilities can be prioritised when a long list of bugs is unearthed.

Culture change

At a policy level, Sasso’s advice to businesses is that they must be holistic, with responsibility resting on all shoulders.

“The threats of cybersecurity are everywhere, and they’re getting way more sophisticated now that geopolitics is involved more than ever,” she says. “It can’t just be down to the chief information and security officer, that’s not realistic. Everybody in a bank, everybody in a [financial services] firm needs more training. There’s an opportunity to change the relationship with staff and make them feel like they own part of the solution.”

Buy-in from staff at all levels is also important because, while recent headlines have focussed on the risk of machine attacks, the vast majority of digital breaches remain the result of a human being duped, says Sasso. And due to the interconnectedness of digital services, an attack on your organisation may originate anywhere in a supply chain.

“So, it’s not just the staff,” says Sasso, “it’s also your clients, your consumers. I think everybody should be trained in social engineering.”

She points to a need to shift the culture around digital security and resilience.

“These are holistic problems to solve,” she says. “The way banks and all big companies are structured, it’s silos, silos, silos. So, it requires a different way of thinking. It needs the various aspects of the business to be organised together.

“The second point is, rather than saying ‘here are the regulations, we’re going to do these 100 things and then we’ll be compliant’, you need to think of the outcome you are trying to drive for your firm, its shareholders, your clients and the regulator.

“Join up the different initiatives into one new business model change. If you want to run your business properly, and you want to be a 365, 24/7 operation and delight your clients, all these things need to be fed into one operating model, not checkboxes.

“People think of compliance and regulation as constraints. But they’re an opportunity to build a digital-first, client-led operating model. And that’s truly how I think about it.”

Context is king

When considering resilience, Sasso stresses that implementing this holistic approach to resilience should be the job of senior management. And management must be mindful of context, since resilience for a major bank where a breach could threaten the wider economy is different to resilience needed for a regional building society.

Be crystal clear about the problem being solved, she says, since it’s easy to be distracted by ‘new, sexy, fun, cool tech’. And consider what tech is already available within an organisation. Can it be used better? Or differently? Or used across silos?

For reasons of efficiency and its ability to remove a potential point of failure, Sasso is keen on distributed ledger technology (DLT), which is too often seen simply as the system behind cryptocurrency. Rather, she sees DLT as a potentially transformational feature in financial services.

“It comes back to education, understanding what’s behind these technologies, and again, the problem they’re trying to solve,” Sasso says. “DLT solves the middleman problem. We have a person in the middle of a transaction to make sure the money I give you is real. But DLT creates a technological marketplace, instead of a person managing that transaction.”

The ability of Claude Mythos to easily unearth potentially critical vulnerabilities in what had previously been regarded as robust systems brought it to the attention of the International Monetary Fund. Perhaps the educated people at the IMF recognised ‘mythos’ as the Greek word used by Aristotle to indicate the plot device for a tragedy. But it was more commonly used to mean simply a narrative. And any story can be rewritten from a different perspective. If we are to be protected from future threats, organisations need a new storyline.

5 Factors that drive resilience – with or without AI

Understand your supply chain.

Sasso says: “It’s not just your software supply chain, it’s your technology supply chain and the service providers. Who are your fourth and fifth parties? We’ve seen this with some of the big outages that have taken down airlines, grocery stores, you’ve not been able to pay at Greggs with your credit card, for example.”

Manage third parties like they are part of your organisation.

“In the past we would outsource certain functions because we were a bank, not a tech company,” says Sasso. “Well, now you need to manage your tech providers exactly how you would manage them if they were in-house.”

Plan for failure.

Sasso reveals: “A client was doing a disaster recovery test over a weekend, and although they had outsourced some of their technology services to us, they didn’t include us. They then couldn’t get things up and running.”

Have flexible and fungible technology.

A business should avoid locking into a contract or subscription that ties them to a particular technology that may become uncompetitive or unwanted. “It’s very easy to be transactional and sign a subscription for two years. But what about year three? What about year five?” says Sasso.

Enhance security and penetration testing.

Sasso says a business should discover its own weak points, likening it to sport where a competitor ‘breaks their muscles down so that they can become strong’.


This article was published in The Fintech Magazine Issue #38, Page 31-32

The post EXCLUSIVE: “Meeting the Challenge of Mythos” – Monica Sasso, Red Hat in ‘The Fintech Magazine’ appeared first on FF News | Fintech Finance.
