GS3 Cyber Security

AI model raises global cybersecurity concerns
AI model raises global cybersecurity concerns

AI-Powered Cybersecurity & Critical Infrastructure Protection

Exploring the implications of Anthropic's Mythos model as firms assess its potential vulnerabilities and security ramifications in India.
Surya
5 mins read

Introduction

Artificial Intelligence is rapidly transforming the cybersecurity landscape — from a reactive, human-driven discipline to a proactive, automated one. Anthropic's unreleased model Claude Mythos, announced through Project Glasswing — a 40-firm consortium with a $100 million budget — has already identified vulnerabilities in foundational global systems including the Linux kernel, OpenBSD, and FFMPEG. For India, the stakes are particularly high: government systems running Aadhaar and GST operate on older codebases; critical infrastructure like SCADA and IoT systems are embedded in manufacturing and public utilities; and no Indian firm features in the current Glasswing partner list. The arrival of AI-grade vulnerability scanners marks a qualitative shift in the threat environment — one that India's regulatory and industry response has not yet fully absorbed.

"It's an entire tsunami coming in." — Vinayak Godse, CEO, Data Security Council of India (DSCI)


Key Data Points (Exam-Ready)

ParameterDetail
Project Glasswing budget$100 million
Firms in Glasswing consortium40 companies + open-source maintainers
Systems already scannedLinux kernel, OpenBSD, FFMPEG
India's rank in Anthropic's markets2nd largest (by absolute users)
Indian firms in Glasswing listNone (as of report)
Nodal cybersecurity body in IndiaCERT-In (under MeitY)
Key industry bodyDSCI under NASSCOM

Background & Context

What is Claude Mythos / Project Glasswing? Mythos is an unreleased LLM by Anthropic specifically capable of scanning large codebases to identify previously undiscovered software vulnerabilities. Project Glasswing gives early access to a consortium of technology firms to patch vulnerabilities before the model is released publicly — a responsible disclosure approach analogous to bug bounty programmes, but at AI scale and speed.

Why this matters globally: Software vulnerabilities in foundational systems — operating system kernels, networking protocols, open-source libraries — underpin virtually all digital infrastructure. A single unpatched vulnerability in the Linux kernel, for instance, could expose millions of servers worldwide simultaneously.

Why this matters specifically for India: India's digital public infrastructure — Aadhaar (1.4 billion enrollments), UPI, GST Network, CoWIN — runs on codebases that have accumulated technical debt over years. These are precisely the systems where decades-old vulnerabilities are most likely to remain undiscovered.


Key Concepts

Vulnerability Density Debate: A foundational question in cybersecurity is whether software bugs are dense (infinitely many, continuously discoverable) or sparse (rare, patchable to a near-secure state). The answer determines whether AI-grade scanners like Mythos represent a one-time cleanup or a permanent arms race between AI attackers and AI defenders.

Tech Stack Interdependence: Indian IT firms use composite technology stacks — hardware and software from multiple global vendors. Patches from Glasswing partners will indirectly benefit Indian firms through this shared infrastructure. However, bespoke code written by Indian ITeS firms for specific clients remains entirely outside this protection.

SCADA & OT Systems: Supervisory Control and Data Acquisition systems manage physical infrastructure — power grids, water treatment, manufacturing. Unlike IT systems, OT (Operational Technology) systems often cannot be patched quickly due to uptime requirements, making them especially vulnerable to AI-discovered exploits.


Implications for India

SectorSpecific Risk
Government IT (Aadhaar, GST, GSTN)Older codebases; highest exposure to long-dormant vulnerabilities
ITeS / Systems IntegratorsBespoke client code not covered by Glasswing patches
SaaS & Deep Tech Product CompaniesEntire product ecosystem potentially exposed when Mythos goes public
Critical Infrastructure (SCADA, IoT)Physical-world consequences; difficult to patch without downtime
Bug Bounty ResearchersAI may displace human vulnerability researchers
Sovereign Tech Firms (e.g. Zoho)Dilemma: submit code to American LLM audit or risk unpatched exposure

The Sovereign Dilemma

Indian firms building indigenous alternatives to foreign tech stacks — Zoho being the most prominent example — face an acute strategic dilemma:

  • Option A: Submit proprietary code to Mythos-level scanning → accepts dependence on an American AI firm for security assurance of sovereign infrastructure
  • Option B: Decline → risks operating with vulnerabilities that AI-powered adversaries (including state actors) may discover and exploit first

This dilemma has no clean resolution without India developing equivalent domestic AI-powered cybersecurity capability — a gap the article implicitly highlights.


India's Institutional Response

CERT-In (Indian Computer Emergency Response Team): Operating under MeitY, CERT-In is India's nodal agency for cybersecurity incident response. MeitY officials are currently studying Mythos's implications. CERT-In's response to attacks on government servers during the India-Pakistan conflict last year has been cited as a positive indicator of institutional readiness.

DSCI (Data Security Council of India): Under NASSCOM, DSCI is coordinating across IT industry verticals to assess exposure. Has declined to confirm whether India-specific conversations with Anthropic are underway.

Gaps:

  • No Indian firm in Glasswing — India is absent from the core vulnerability remediation effort
  • No public framework for AI-assisted vulnerability disclosure in India
  • Uneven cybersecurity readiness across state governments and departments

Way Forward

  • Negotiate Indian participation in Project Glasswing or equivalent programmes — particularly for critical government infrastructure
  • Develop domestic AI cybersecurity capacity — invest in Indian LLMs capable of vulnerability scanning for sovereign infrastructure
  • Mandatory security audits for all critical digital public infrastructure (Aadhaar, UPI, GSTN) using AI-grade tools
  • Sector-specific CERT units for SCADA/OT systems in power, water, and manufacturing
  • Update IT Act and CERT-In frameworks to address AI-generated vulnerability disclosures and responsible patching timelines
  • Bug bounty programme scaling — AI will not eliminate the need for human researchers but will require them to operate at higher sophistication levels

Conclusion

The emergence of AI-powered vulnerability scanners like Claude Mythos represents a structural shift in cybersecurity — compressing the timeline between vulnerability discovery and potential exploitation from years to days. For India, the absence from Project Glasswing is not merely a missed opportunity but a strategic gap in the protection of digital public infrastructure that serves over a billion citizens. The transitionary period — between today's exposure and a future where AI defenders dominate — will be, in the words of Anthropic's own researcher, "very bad." India's response must combine immediate diplomatic and commercial engagement with Glasswing partners, long-term investment in domestic AI security capabilities, and a regulatory framework that treats cybersecurity not as an IT compliance exercise but as a matter of national security.

Attribution

Original content sources and authors

Author Aroon Deep Source The Hindu

Syllabus classification

How this article maps to GS papers

Main syllabus

GS3Cyber Security

Quick Q&A

What is Claude Mythos and how does Project Glasswing aim to transform global cybersecurity practices?
Claude Mythos is an advanced, unreleased large language model (LLM) developed by Anthropic, designed to act as a powerful scanner of software systems to identify previously undiscovered vulnerabilities. Unlike traditional cybersecurity tools that rely on known threat signatures or manual auditing, Mythos leverages AI capabilities to analyze vast codebases and detect hidden flaws that may have remained unnoticed for years. This represents a paradigm shift from reactive to proactive and predictive cybersecurity.

Project Glasswing is a collaborative initiative involving around 40 companies and open-source maintainers, supported by a $100 million budget. It aims to deploy Mythos across critical global software infrastructure such as Linux, OpenBSD, and FFMPEG. The objective is to identify and patch vulnerabilities before the model becomes publicly available, thereby reducing the risk of malicious exploitation.

This initiative reflects a broader transformation in cybersecurity practices where AI-driven auditing complements human expertise. For instance, vulnerabilities found in foundational systems like the Linux kernel can have cascading effects across industries worldwide, including India’s IT ecosystem. Thus, Glasswing represents a shift towards collective security responsibility and pre-emptive threat mitigation at a global scale.
Why is Claude Mythos considered both a cybersecurity tool and a potential threat?
Claude Mythos presents a classic dual-use technology dilemma in cybersecurity. On one hand, it is a powerful defensive tool capable of identifying deep-seated vulnerabilities in widely used systems. By enabling early detection and patching of bugs, it can significantly strengthen the resilience of global digital infrastructure. For example, its ability to uncover flaws in systems like Linux or SCADA networks could prevent large-scale disruptions in sectors such as energy, manufacturing, and governance.

On the other hand, the same capabilities make it a potential threat if accessed by malicious actors. Once publicly available, hackers or state-sponsored entities could use Mythos-like tools to discover and exploit vulnerabilities at an unprecedented scale and speed. This is particularly concerning for legacy systems such as Aadhaar or GST platforms, which may rely on older codebases with hidden weaknesses.

Thus, Mythos embodies a paradox: it can either strengthen cybersecurity or amplify risks, depending on who controls and uses it. This underscores the importance of responsible AI deployment, restricted access, and global cooperation to ensure that defensive advantages outweigh offensive misuse during the transition phase.
How could the emergence of Mythos impact the Indian IT industry and its security preparedness?
The emergence of Claude Mythos is likely to have profound implications for the Indian IT and IT-enabled services (ITeS) industry. Indian firms often operate as system integrators, building customized solutions on top of global technology stacks. While patches released through Project Glasswing may enhance the security of underlying infrastructure, the responsibility for securing bespoke code and integrations lies with the firms themselves.

This creates both an opportunity and a challenge. On the positive side, Indian companies can benefit from improved baseline security in widely used platforms. However, they must also invest significantly in their own cybersecurity capabilities to address vulnerabilities in custom-built applications. As highlighted by industry experts, failure to do so could expose them to novel attack vectors enabled by advanced AI tools.

Additionally, sectors like SaaS and deep-tech startups may face heightened risks, as their products could become targets for automated vulnerability discovery. This may also disrupt traditional practices like bug bounty hunting, where human researchers identify flaws. Overall, Mythos could push Indian IT firms to transition from a reactive to a proactive, AI-driven security posture, requiring investments in talent, tools, and governance frameworks.
Critically analyse the implications of AI-driven vulnerability detection on the 'bug density vs. bug scarcity' debate in cybersecurity.
The 'bug density vs. bug scarcity' debate revolves around whether software systems contain numerous undiscovered vulnerabilities (dense) or only a limited number of rare flaws (sparse). AI-driven tools like Claude Mythos have the potential to significantly influence this debate by empirically uncovering vulnerabilities at scale.

If Mythos consistently identifies large numbers of previously unknown bugs across diverse systems, it would support the bug density hypothesis. This implies that software ecosystems are inherently fragile, and cybersecurity will remain a continuous 'whac-a-mole' challenge where fixing one vulnerability reveals many more. Such a scenario could overwhelm organizations, especially those with limited resources, and necessitate continuous AI-assisted monitoring.

Conversely, if Mythos eventually exhausts most vulnerabilities and systems become relatively secure, it would validate the bug scarcity perspective. This would suggest that AI tools can help achieve a stable and secure digital environment over time. However, experts like Nicholas Carlini caution that the transition phase may be particularly dangerous, with attackers and defenders both leveraging similar capabilities.

In essence, while AI may tilt the balance in favor of defenders in the long run, the short-term implications include heightened uncertainty, increased attack surfaces, and the need for robust governance mechanisms.
Examine the potential risks posed by Claude Mythos to India's critical infrastructure, citing examples like SCADA and government IT systems.
India’s critical infrastructure, including government IT systems and industrial control mechanisms like SCADA (Supervisory Control and Data Acquisition), faces significant risks from advanced AI tools like Claude Mythos. These systems often operate on legacy codebases that may contain vulnerabilities undetected for decades. Mythos’s ability to identify such deep flaws could expose these systems to potential exploitation.

For instance, platforms like Aadhaar and GST, which are central to governance and public service delivery, may become targets if vulnerabilities are revealed faster than they can be patched. Similarly, SCADA systems used in power grids, water supply, and manufacturing are not only digital but also have physical consequences. A successful cyberattack on such systems could lead to disruptions in essential services, posing risks to national security and public safety.

Additionally, the threat is not limited to financial hackers but extends to state-sponsored actors, who may exploit these vulnerabilities for strategic gains. However, India’s institutional mechanisms, such as CERT-In, have demonstrated resilience in responding to cyber threats, as seen during past geopolitical tensions.

This case highlights the urgent need for modernizing legacy systems, enhancing real-time monitoring, and adopting AI-driven defensive tools to safeguard critical infrastructure in an era of rapidly evolving cyber threats.
Provide examples of how global collaboration initiatives like Project Glasswing can benefit Indian firms despite limited direct participation.
Even though Indian firms are not prominently represented in Project Glasswing, they stand to benefit significantly from its outcomes due to the interconnected nature of global technology ecosystems. Most Indian IT companies rely on widely used open-source and proprietary platforms such as Linux, FFMPEG, and cloud infrastructure provided by global vendors. Vulnerabilities identified and patched through Glasswing will automatically enhance the security of these foundational systems.

For example, if Mythos detects a critical flaw in the Linux kernel, which underpins servers used by Indian IT firms, the subsequent patch will protect countless applications and services in India. Similarly, improvements in widely used libraries like FFMPEG can prevent vulnerabilities in multimedia processing systems used across industries, from entertainment to surveillance.

Another indirect benefit lies in knowledge diffusion. Indian cybersecurity professionals and organizations like the Data Security Council of India (DSCI) can learn from the methodologies and insights generated through Glasswing. This can help them upgrade their own security practices and frameworks.

Thus, even without direct participation, Indian firms gain through shared infrastructure security, global best practices, and improved resilience, highlighting the importance of international cooperation in addressing cybersecurity challenges.

Practice questions

1 question for mains preparation

A nation that builds its digital infrastructure on foreign code but cannot audit that code has sovereignty in name only. In light of this, examine the cybersecurity challenges facing India's critical information infrastructure and discuss the measures needed to protect it.

15 marks · 250 words · 8 mins