Five Eyes Cybersecurity Agencies Issue Statement Regarding AI-Related Shifts in Cybersecurity Risks, Urging Organizational Leaders to “Act Now”

On June 22, the leaders of the cybersecurity agencies in Australia, Canada, New Zealand, the UK, and the U.S. issued a joint statement calling for an “urgent” focus on cyber resilience in anticipation of “frontier AI models . . . exceed[ing] current industry expectations” and “fundamentally transforming both offensive and defensive cyber capabilities” within a timeline of “months.”  The frontier AI models referenced in the statement are the latest generation of advanced AI models that are capable of identifying and exploiting security vulnerabilities, which may result in an increased cadence of cybersecurity intrusions and data loss.  In light of the growing capabilities of these models, the statement encourages organizations to avoid treating cyber risk “as a purely technical issue” or an “IT issue” and instead take a “whole-of-organization” approach to cyber resilience that treats it as a “core business risk and leadership responsibility” that is “central to operational continuity and market trust.”  The statement also proposes several “urgent” practical actions that organizations can take to reduce risk, many of which were also discussed in our recent client alert regarding key considerations for lawyers addressing cyber risks posed by frontier models. 

In light of the anticipated “rapid” shift in the cyber risk landscape, the statement cautions that “cyber risk assumptions,” which can underpin organizations’ cybersecurity approaches, “can become outdated in months, not years.”  The statement encourages organizations looking to protect against evolving risks to “integrat[e] cyber security into core business strategy” and consider opportunities to integrate AI into security operations to detect vulnerabilities, improve software quality, monitor for unusual behavior on networks, and respond more quickly to incidents.  Notably, the statement anticipates that while “[b]reaches will occur,” it emphasizes that preparedness is key and “[b]oards and executives should ensure cyber resilience is in place and works under pressure.”

The statement also encourages organizations to implement the following foundational security practices, noting that even if they are “not new,” their implementation is “urgent” to reduce risk: 

1. Reduce attack surface by limiting unnecessary system access and external connectivity.

• Accelerate patching processes to address the ways that AI is shortening the time between vulnerability discovery and exploitation, including prioritizing security updates to manage risk.

• Address legacy systems that are no longer supported with security updates, which are easier targets.  

• Review and strengthen identity and access controls to limit who can access critical systems and regularly review permissions.

• Prepare for incidents before they happen, including by testing response plans, training and preparing teams, and focusing on fast containment and recovery on the assumption that beaches will occur.