CSA tasks critical information infrastructure leaders to review cyber risks due to AI-enabled threats

Instead, the authorities maintain close working relationships with various partners, including major AI labs and cybersecurity firms, to track developments, as well as assess safety and security implications, he said.

“We are working with partners who have access to Mythos to better understand its capabilities and implications,” Mr Tan added.

He added that CSA works closely with relevant government agencies and industry experts to exchange insights on the threats and mitigation measures. It is also reviewing standards and obligations for CII owners to account for the faster attack timelines that AI enables.

Mr Tan said that he has finished visiting all 11 CII sectors.

“I’m very heartened that all the senior leadership – from chief executives to board members – are aware of the risk and are taking steps. So they are not taking this lightly,” said in response to a supplementary question from Mr Chua on how the government is directly supporting CII providers.

“They are putting in place not just processes, investments, to secure themselves and their systems, but also proactively thinking about how to secure their AI users in their organisations.”

Under the Cybersecurity Act, CSA has the authority to direct and enforce action where necessary.

“On Mythos, specifically, without direct access, we cannot test the model ourselves. But we assess the risk based on published evaluations, threat intelligence and our ongoing engagement with the major AI labs,” Mr Tan said.

“Where credible evidence emerges of a material risk to systems of national consequence, we work with and advise CII owners to patch and harden their systems. This is the approach we have used to date, and we will continue to do so.”

Responding to a supplementary question from MP Edward Chia (PAP-Holland-Bukit Timah) on how the government will ensure that small- and medium‑sized enterprises (SME) would not be left behind, Mr Tan said different resources have been deployed to support them.

These include a “self-check” on their systems and guidelines on how to deploy AI solutions within their organisations. 

Mr Tan also cited initiatives like the SMEs Go Digital Programme, where authorities work with industry partners providing these technology solutions and pre-approve them for support. “We make sure that basic cybersecurity hygiene is baked into those systems,” he said.

Ultimately, the issue is not any single model like Mythos, said Mr Tan.

He added: “The underlying shift is broader and the risks are real. We are treating them with the seriousness they deserve.”