The Economics of Cybersecurity: Spending More Tokens Than Attackers

In the rapidly evolving landscape of cybersecurity, the introduction of Anthropic's Mythos, a powerful LLM, has sparked a new debate. Mythos, capable of executing complex security tasks, has not been released publicly, only accessible to critical software makers to enhance their systems. This development has led us through the usual cycle of reactions to AI advancements, from shock to skepticism. However, a recent analysis by the AI Security Institute supports Anthropic's claims, highlighting Mythos's superior performance in simulated corporate network attacks.

The analysis reveals a new economic model for cybersecurity: spending more tokens to discover vulnerabilities than attackers do to exploit them. In a test, Mythos completed a 32-step corporate network attack simulation three times out of ten attempts, with a budget of 100 million tokens per attempt, equating to $125,000 for all runs. The findings suggest that as long as financial resources are available, Mythos can continue to find exploits, akin to a proof of work system in cryptocurrency.

This realization has several implications. Open source software (OSS) remains crucial, as securing OSS with tokens could potentially make it more secure than proprietary solutions. However, this also makes OSS a more attractive target for attackers. Furthermore, the development process for software is likely to evolve into a three-phase cycle: development, review, and hardening. Each phase has distinct resource requirements, with human input driving development and financial resources limiting hardening.

Ultimately, the cost of securing code is dictated by the market value of exploits. As long as models like Mythos continue to improve without reaching a point of diminishing returns, the necessity to outspend attackers remains. This economic model challenges traditional security audits, suggesting a continuous and budget-optimized approach to cybersecurity.