Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

Director’s note: Mythos upends business as usual 

(Image by Tung Lam from Pixabay)
By Frank Cilluffo

Dear readers,

Mythos didn’t just shake up how AI can attack and defend: Business as usual, and the public-private partnership model on which we have long relied, is being fundamentally reshaped. The Trump administration, which has generally favored a lighter-touch approach to artificial intelligence, is now discussing possible oversight mechanisms for advanced AI models before they are made publicly available, Tripp Mickle, Julian E. Barnes, Sheera Frenkel and Dustin Volz reported at The New York Times. Anthropic deserves credit for sounding the alarm early about the implications of Mythos and for bringing both government and industry into the conversation. Increasingly, private companies are operating at the leading edge of national cyber defense, and we are now grappling in real time with the enduring tension between innovation and security. Lingling Wei reported at The Wall Street Journal that new AI discussions may start between Washington and Beijing on potential AI guardrails, showing that even adversaries recognize the significance of AI-driven crises that could spiral out of control.

The challenge ahead is not simply more cyberattacks. It’s about speed and scale. It is a compression of operational timelines that will soon outpace the ability of institutions, regulators and even traditional security operations to respond effectively. Richard Lindsay at Tech Radar captures this shift well, arguing that AI is evolving beyond simply a weapon or shield and increasingly becoming a mechanism attackers can use to manipulate an organization’s own infrastructure against itself. And cybersecurity is more than simply a technology or national security issue. Increasingly, it is becoming a matter of systemic economic stability. At the IMF, Tobias Adrian, Tamas Gaidosch and Rangachary Ravikumar warn that Mythos may foreshadow how rapidly AI-enabled cyber risks could destabilize the financial system.

Project Glasswing partner CrowdStrike’s chief privacy officer, Drew Bagley, joins me on next week’s Cyber Focus with firsthand insight on how AI-enabled exploitation is collapsing the operational timelines security teams have relied upon for decades. Watch a preview of this upcoming episode here.

On the latest episode of Cyber Focus, I sat down with Signal CTO Ehren Kret to discuss how encryption is only part of the picture when it comes to secure messaging. From the “leaky” nature of metadata and social graphs to the hidden vulnerabilities of aging smartphone software, he broke down the most common misunderstandings users have about secure communications. Our conversation included what private communication really requires, why endpoint security remains a major challenge, how AI built into operating systems could create new risks for private communication, post-quantum encryption, lawful access debates, phishing threats and shaping better user understanding along with better technology. “At the end of the day, your phone is still an endpoint that can be targeted,” he cautioned.

The White House released a new counterterrorism strategy this week that includes “offensive cyber operations against those planning to kill Americans or who support those plotting to do so.” Its inclusion in a broader counterterrorism framework is welcome recognition that cyber operations are increasingly viewed as a normal and necessary instrument of national power.

This week CISA unveiled the CI Fortify initiative to help critical infrastructure operators prepare to keep services active in geopolitical conflict incidents. As Acting Director Nick Andersen said, “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.” Last month’s hack of Itron, a critical infrastructure technology vendor, underscored how third-party compromises can cascade across essential services, Angus Loten reported at The Wall Street Journal. Russell D. Howard, Alicia Ellis and Sarah Shoer explored the threat of conflict concentrating on critical systems in a timely analysis at Small Wars Journal, arguing that much of today’s counterterrorism architecture still relies on an actor-centric model but often overlooks the underlying infrastructure – including water, food and supply chains –  that enable power.

An alarm was sounded this week about the potential impact to the energy sector from sharply escalating data center power demands. NERC said it issued a Level 3 Essential Action Alert and a voluntary reliability guideline focused on challenges posed by large loads after observing significant oscillations that occur in seconds, leaving little or no room for real-time responses and threatening the reliability of the bulk power system. These are precisely the kinds of systemic stresses that emerge when AI-driven infrastructure growth collides with legacy operational realities. The urgency with which stakeholders are being encouraged to prepare for this unprecedented demand is both encouraging and necessary.

And at War on the Rocks, Matthew Levitt explores the question of why Iran, with plenty of motive in the current conflict and a track record of past plots, has not attacked our homeland in the past two months despite threats to do so. Iran has a demonstrated ability to plot attacks in the homeland, even if most have failed, but authorities have not reported any since the war began – and this may come down to intent and capability, he writes.

This week by the numbers:

  • Taiwan High Speed Rail (THSR) confirmed that a 48-minute disruption to three trains was caused by a rogue general alarm signal remotely triggered after a college student allegedly exploited a vulnerability in a communication network. (The Register)
  • A misconfigured server linked to Jerry’s Store, a carding market where hackers check whether stolen credit cards still work, exposed 345,000 cards after an AI coding error caused a major security flaw. (Hackread)
  • DHS Secretary Markwayne Mullin said CISA lost about 1,100 employees over the course of the 76-day partial government shutdown. (The Hill)
  • In tallying up all of the money crypto traders have reportedly lost to hackers so far this year, analysts found that 76% is now in North Korea. (Dark Reading)
  • Abu Dhabi warned its citizens of six cyber threats it describes as the most prevalent during emergencies as the UAE is currently facing between 500,000 and 700,000 cyberattacks daily, particularly targeting strategic sectors during high-pressure periods. (Gulf News)

For longer weekend reads, David R. Frelinger and Karl P. Mueller at RAND present a “rideout” strategy in which the United States should prioritize measures to avoid strategic disaster on the path toward AGI, regardless of the course it takes, and maximize decisionmakers’ long-term options in a world with advanced AI. And an intelligence brief from Jay Deen at Dragos delves into an early real-world observation of an adversary using commercial AI tools to identify and prioritize OT infrastructure during an IT intrusion at a Mexican water utility.

Lt. Gen. Douglas A. Schiess has been nominated by President Donald Trump to become the third Chief of Space Operations at a critical time for the U.S. Space Force. And the nomination of Adam Cassady to lead the State Department’s Bureau of Cyberspace and Digital Policy advanced out of committee. Congratulations to both as they stand ready to fill these important roles.

The security community lost a titan on April 30 with the passing of Stewart Baker, former NSA general counsel and the first DHS assistant secretary for policy. Stewart was one of the sharpest legal and strategic minds in cybersecurity, intellectually fearless, deeply principled and never afraid to challenge conventional wisdom. He will be deeply missed by so many of us who benefited from both his wisdom and his friendship.

Taken together, this week’s developments point to a simple reality: The pace of technological change is accelerating faster than the institutions designed to manage risk. Meeting this moment will require more than better technology. It will demand operational collaboration, resilience, and a willingness to rethink long-standing assumptions about cyber defense and national security.

War Eagle,

Frank Cilluffo

Read More

Click to listen highlighted text!