A Greek myth clouds Singapore’s blue sky AI ambitions

In a blog post, Anthropic said the model was able find vulnerabilities in systems that had been overlooked for more than 20 years within a few minutes. 

The company was scared enough to restrict access to the model to just 40 tech and security companies under Project Glasswing.  

The ostensible reason was to give these companies time to use Mythos to check on security vulnerabilities in existing networks and, in a best-case scenario, fix them as soon as possible before a public release. 

Unfortunately, software was like a genie in a bottle; once it came out, there was no putting it back in and they have a notorious habit of leaking out into the wild.  

Experts were not talking about whether cyber criminals will get their hands on a version of Mythos, they were focussing on how soon this will happen.  

It was also only a matter of time before other AI models would catch up with Mythos.  

This explained the warnings issued by Google and Palo Alto Networks, among others. 

How prepared is Singapore? 

This brings us back to Singapore’s rapid embrace of AI, especially in the public sector. 

How prepared was the Republic to face this new wave of AI-driven cyberattacks, often orchestrated by state actors?  

The answer would be found only once an actual attack occurred, but the indications were that the government at the leadership and policy level was well aware of the threat posed by Mythos and its analogues.  

Earlier this month, speaking in Parliament, Singapore Senior Minister of State for Digital Development and Information, Tan Kiat How, acknowledged the dangers posed by Mythos in detecting previously undiscovered software vulnerabilities. 

Tan noted that while the government was yet seen fully autonomous AI agents conducting end-to-end campaigns, “it was a matter of time”.  

To allay fears, he emphasised that what Mythos represented should be seen as a “continuum” of developments rather than a sudden, singular event. 

On May 9, speaking at a public event, Coordinating Minister for National Security K. Shanmugam, noted that cyber attackers were targeting Singapore by using AI to make attacks cheaper and faster.

He added that this was a serious issue, and operators of critical information infrastructure (CIIs) urgently needed to improve their defence preparedness. 

New rules and regulations 

On the operations front, a slew of rules, regulations and advisories have been issued to protect systems that used AI, even before Mythos came on the scene. 

Early this year, the Infocomm Media Development Authority (IMDA) of Singapore launched the Model AI Governance Framework for Agentic AI (MGF).  

This was the world’s first governance framework specifically designed for AI agents capable of autonomous planning, reasoning and action.  

The policy focussed on ensuring that the risks were assessed upfront and there would be human-in-the-loop while implementing technical controls and processes. It also enabled end-user responsibility. 

The MGF has built on earlier governance instruments for traditional AI and generative AI (GenAI) policies to address novel risks arising from the autonomous agentic AI bots. 

Apart from this, the Cyber Security Agency of Singapore (CSA) has released discussion papers and addendums specifically focused on securing agentic AI systems, providing practical guidance on mapping workflows and applying controls across the entire AI lifecycle. 

The Singapore government has also been investing in AI-powered tools for

active vulnerability and patch testing.  

This included in-house capability building and partnerships to adapt global tools for detecting, triaging, and responding to threats at “machine speed”. 

All these developments showed that the government was aware of the risks of AI.  

Network strong as weakest link 

Being aware of the risks is half the job done. Being able to prevent attacks was the other and more important half. 

This is where things start to get uncertain. In cybersecurity a network’s strength was decided by its most vulnerable point.  

And that vulnerable point was the end-user. Most breaches in cybersecurity occur due to actions taken by humans. 

This was important because as the country rushed towards training more professionals in the use of AI, the focus should also be on making them aware of the risks.  

The glamour of AI and autonomous bots should not hide the potential dangers.  

The ultimate success of Singapore’s pivot into an AI-first nation would depend not only just on developing an AI savvy workforce; it would depend on a workforce aware of both the advantages and dangers of AI. 

This required mandatory training on cyber hygiene and on how to defend in case of an attack. Cybersecurity was always important but in the new age of AI it has become a major imperative. 

The country’s Smart Nation 2.0 journey hinged on developing this awareness.