The United Kingdom government has issued a clear and urgent warning to businesses across the nation: the age of AI-powered cyber threats is no longer a distant possibility but a rapidly approaching reality. In an open letter published on 15 April, technology secretary Liz Kendall called on business leaders to recognise that the cyber threat landscape is fundamentally changing, driven by the emergence of advanced frontier artificial intelligence models.

According to Kendall, the traditional reliance on a small number of highly skilled cybercriminals is giving way to a new paradigm. AI models are learning to perform tasks that previously required rare human expertise—finding vulnerabilities in software, writing exploitation code, and doing so at speeds and scales that were unimaginable just a year ago. This shift, she argues, demands an equally significant shift in how organisations approach their cybersecurity strategies.

The Rise of Autonomous Cyber Offence

The catalyst for this warning is the recent debut of Anthropic's frontier model, Mythos, and the accompanying Project Glasswing. Project Glasswing is designed to give some of the world's largest technology companies a head start in addressing the vulnerabilities that Mythos can supposedly uncover. The UK government's AI Security Institute (AISI), operated by the Department for Science, Innovation and Technology (DSIT), has been rigorously testing Mythos's capabilities.

Kendall revealed that the AISI found Mythos to be substantially more capable at cyber offence than any model previously assessed. The institute also reported that frontier model capabilities are now doubling every four months, a significant acceleration from the previous rate of eight months. This finding is deeply concerning not only for what it means today but for the trajectory it sets.

Implications for UK Businesses

Kendall stressed that this threat is not confined to government systems or critical infrastructure. Cybercriminals will target ordinary companies of every size, in every sector, because attackers go where defences are weakest. She urged business leaders and board members to regularly discuss cyber risks and not delegate these responsibilities solely to IT teams. The government recommends signing up to the Cyber Governance Code of Practice, while smaller businesses can use the NCSC's Cyber Action Toolkit.

Additionally, all businesses should plan and rehearse incident response practices, consider taking out cyber insurance, and look into the Cyber Essentials certification scheme to establish basic security policies. The NCSC’s Early Warning service and sector-specific regulatory resources are also highlighted as valuable tools.

Government Action and Broader Context

The UK government is not standing still. It opened the AISI two-and-a-half years ago, and the nation now boasts some of the most advanced capabilities for understanding frontier AI models. The National Cyber Security Centre (NCSC) continues to develop practical guidance, and upcoming legislation—the Cyber Security and Resilience Bill and the National Cyber Action Plan—will further strengthen protections.

However, Kendall emphasised that government action alone is insufficient. Every business has a part to play. She noted that the Meta warning from recent months, where AI spending became a liability, shows the financial stakes involved. CIOs must prove that AI investments deliver genuine value, and security must be integrated from the start.

Agentic AI and the Changing Security Matrix

The rise of agentic AI—AI that can act autonomously—adds another layer of complexity. Security teams must rethink their approaches, moving from deterministic to non-deterministic models. The US has also unveiled a six-pillar national cyber security strategy that places developing technologies like AI at the centre. Meanwhile, the International Monetary Fund has warned that AI cyber attacks could trigger a global financial crisis.

Anthropic's Mythos is not the only player; OpenAI recently announced scaling up its Trusted Access for Cyber programme, showing that the accelerating impact of AI on cyber is not isolated to a single company. The government expects more organisations to follow suit.

Practical Steps for Organisations

Kendall provided a clear call to action: businesses must treat cybersecurity as an essential part of running a modern company, not an optional extra. She urged leaders to use the Cyber Governance Code of Practice, the NCSC’s Early Warning service, and to rehearse incident response plans. For smaller firms, the Cyber Action Toolkit offers accessible steps. The Cyber Essentials certification scheme helps establish foundational policies.

The government’s message is unequivocal: the trajectory is clear, and preparation must begin now. The businesses that act today—embedding cybersecurity into their culture and operations—will be best placed to thrive through the coming technological upheaval and seize the advantages it offers.

As AI capabilities continue to double every four months, UK businesses face a narrow window to adapt. The choice is between proactive resilience and reactive crisis management. The government has laid out the path; it is up to every leader to walk it.

Source: ComputerWeekly.com News