Five Eyes agencies warn AI will reshape offensive hacking 'in months, not years'
In a rare joint statement issued June 23, the cyber agencies of the U.S., U.K., Canada, Australia, and New Zealand told boards and executives to treat AI-driven cyber risk as a core business emergency.
The Five Eyes cybersecurity agencies issued a three-page joint statement on Monday, June 23, 2026, warning that frontier AI will reshape offensive hacking on a horizon measured in months, not years. The document, signed by the cyber arms of the United States, United Kingdom, Canada, Australia, and New Zealand, is addressed less to security teams than to the boards and executives above them.
“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” the agencies wrote. “The timeline is not years, it is months.” AI, they argued, “lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly.”
The framing is deliberate. Cyber risk “can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility.” Controls, the agencies added, must “perform during a real incident.” The directives that follow are familiar in substance: reduce external attack surface, accelerate patching, retire legacy systems described as “easy targets.” CBC characterized the statement as light on details, largely restating core cybersecurity advice with new urgency attached.
The urgency isn’t abstract. CISA has separately tightened its remediation deadline for serious vulnerabilities at U.S. federal agencies to three days, citing AI threats directly. In April, Anthropic said its Mythos models had “unprecedented abilities to find software vulnerabilities.” Researchers at Backslash Security, reviewing the Claude Code update logs, counted dozens of newly discovered security vulnerabilities patched between April and early June 2026 in Anthropic’s own agentic coding tool.
The commercial politics are messier than the threat picture. The Trump administration recently barred Anthropic from selling its Mythos and Fable models abroad on national security grounds. Then, late last week, the president said he no longer viewed the company as a security threat. An Anthropic spokesperson told Reuters the two sides were still working on the issue.
John Bruggeman, a Cincinnati-based cybersecurity expert, told CBC the gap between frontier and lesser models is what matters. Of the weaker systems: “You’re going to find way more information in the Library of Congress.” The joint statement is, in effect, an argument that the Library analogy is about to stop holding.
Sources
- https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/4523810/five-eyes-cyber-security-agencies-statement/
- https://www.cbsnews.com/news/ai-bypass-cybersecurity-systems-months-not-years-five-eyes-spy-partners-warn/
- https://therecord.media/five-eyes-alert-artificial-intelligence
- https://cyberscoop.com/five-eyes-alliance-say-advanced-ai-hacking-models-months-away/
- https://www.cbc.ca/news/canada/five-eyes-ai-cyber-risk-warning-9.7245294