UK government warns businesses to prepare for AI-enabled cyber attacks
Frontier AI models are developing the ability to find and exploit software vulnerabilities at speeds that would have been impossible a year ago, the UK government warned on 15 April. Business secretary Liz Kendall said the threat has fundamentally shifted: attacks no longer require rare expertise or small teams of skilled criminals.
The UK's AI Security Institute (AISI) tested Anthropic's new Mythos model and found it "substantially more capable at cyber offence than any model we have previously assessed." The institute estimates that frontier model capabilities are doubling every four months, down from eight months previously.
Kendall said the acceleration matters not just for today's threats but as a signal of what's coming. "The trajectory is clear and therefore it is vital that we are prepared for frontier AI model capabilities to rapidly increase over the next year, and plan accordingly for that outcome," she said.
OpenAI announced last week it is scaling up its Trusted Access for Cyber programme, indicating the problem extends beyond a single vendor. Kendall expects other companies to follow.
What government is doing
The UK government established AISI two-and-a-half years ago and now claims the most advanced capabilities anywhere for assessing frontier AI models. The National Cyber Security Centre (NCSC) is preparing practical guidance for organisations. The government will also publish the Cyber Security and Resilience Bill and National Cyber Action Plan.
But Kendall was clear: government action alone is insufficient.
What businesses need to do
Kendall urged business leaders and board members to make cyber security a regular board-level discussion rather than delegating it to IT teams. Attackers target organisations where defences are weakest, she said.
She recommended several concrete steps:
- Sign up to the Cyber Governance Code of Practice if not already done
- Use the NCSC's Cyber Action Toolkit (particularly for smaller businesses)
- Plan and rehearse incident response procedures
- Consider cyber insurance
- Pursue Cyber Essentials certification to establish basic security policies
- Use the NCSC's Early Warning service and sector-specific regulator resources
"The businesses that act now - that treat cyber security as an essential part of running a modern company, not an optional extra - will be the ones best placed to thrive through it," Kendall said.
For government officials responsible for cyber policy, understanding AI for Government is increasingly essential. Those working in security roles should consider resources on AI for Cybersecurity Analysts to understand how these tools change threat detection and vulnerability management.
Your membership also unlocks:
