Anthropic Imposes Limits on OT Access to Mythos, Drawing Criticism

More OT Companies Ushered Into Project Glasswing

In a significant move within the operational technology (OT) sector, Anthropic has extended its exclusive Project Glasswing to include a select group of OT companies. This initiative allows members to access Mythos, a powerful language model touted as the most cyber-capable product from Anthropic’s research labs. The decision has sparked various reactions across the cybersecurity community, particularly given the implications for competition in the market and the larger ecosystem of cybersecurity practices.

Recently, well-known OT equipment manufacturers like Hitachi, and cybersecurity firms such as Tenable and Dragos, announced their participation in Project Glasswing, citing potential benefits from the advanced capabilities of Mythos. Other organizations and government entities have also expressed interest in joining the ranks of this invitation-only club. Despite Anthropic revealing that around 150 additional organizations have gained entry, a comprehensive list of these participants remains undisclosed.

Critics within the OT security landscape have raised concerns about Anthropic’s selective admission process, accusing the company of effectively determining "winners" and "losers" within the industry. Moreover, some argue that Anthropic may be leveraging Glasswing as a marketing tool aimed at generating significant revenue, particularly as the company gears up for a potential initial public offering (IPO) this year.

Independent security expert Adrian Sanabria noted that the ongoing competition between Anthropic and its rival, OpenAI, places immense pressure on both companies to secure clients who will rely on their models for ongoing security operations. He highlighted the importance of the vulnerability management process, asserting that these AI tools could be crucial in a landscape increasingly fraught with software vulnerabilities, a phenomenon he described as the "vulnpocalypse."

In a recent interview, Rob M. Lee, Founder and CEO of Dragos, provided insight into how his company intends to utilize Mythos. He stated that Dragos plans to use the model to conduct thorough assessments of its own technologies for vulnerabilities that could be exploited by adversaries. Approximately 15 to 20 specialized vulnerability hunters from Dragos have been redirected to work with Mythos. The shift is backed by a share of the $100 million worth of credits Anthropic has allocated to Project Glasswing, which means that accessing these models incurs no additional costs for Dragos.

Lee mentioned that while any vulnerabilities discovered through Mythos would follow the standardized coordinated disclosure practices, the insights gleaned would be particularly valuable in understanding probable adversarial actions within OT environments. He expressed optimism about the potential contributions this experience with Mythos would offer, while concurrently gathering intelligence on how threat groups currently leverage language models in cyber-attacks.

Despite the advantages of membership, Lee pushed back against criticisms that Anthropic should have expedited its admission process for more applicants, asserting that the company is doing its best to accommodate everyone within the constraints of resources and logistics. He also emphasized that expanding access to more firms would ultimately benefit the sector as a whole, especially before adversaries gain similar capabilities.

However, a high-ranking cyber executive, who requested anonymity, pointed out the risks of creating a tiered access system with the current membership of Project Glasswing. They cautioned that companies with privileged access could gain a competitive edge, almost serving as a "Good Housekeeping" seal of approval that could skew the market in their favor. The executive also underscored the peculiar makeup of the initial membership, noting how cash-rich tech giants with their own advanced models were included, while several recognized players most often targeted by ransomware attacks remain excluded.

Joshua Corman, a public safety and resilience expert, voiced concerns that simply having access to Mythos is insufficient to solve the pressing security issues facing OT operators. He drew an analogy between the complexities of cybersecurity and vaccine deployment, explaining that merely developing patches does not equate to enhanced security. The actual implementation of these fixes is the critical step, particularly in industrial environments where operational stability is paramount. For sectors like water utilities, where many operators lack necessary resources, immediate action is critical as adversaries increasingly refine their cyber-weaponization tactics.

Munish Walther-Puri, a leading expert on critical digital infrastructure, acknowledged that while access to Mythos might not yield immediate technical advantages for many OT firms, the market implications could be transformative. Membership in Glasswing may signal a level of sophistication and trust that influences procurement decisions and creates a gravitational pull toward established players already entrenched in the project.

As the first round of memberships continues to spark debate, the implications of Anthropic’s selective engagement highlight broader issues concerning cybersecurity in OT. The challenge remains not just in accessing advanced technologies, but in ensuring that these innovations are effectively integrated and utilized in addressing the multifaceted threats posed in an increasingly complex digital landscape. Stakeholders across the industry are now watching closely to see how the unfolding dynamics within Project Glasswing will shape both the competitive landscape and the future of cybersecurity in the operational technology sector.
