Been briefed – Five Eyes cyber security agencies joint statement on AI-enabled cyber risks

A joint statement by the leaders of the Five Eyes cyber security agencies – Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security, National Cyber Security Centre (NCSC) (United Kingdom), National Cyber Security Centre (NCSC) (New Zealand), Cyber Security Directorate (United States) and Cybersecurity and Infrastructure Security Agency (CISA) (United States) – calling for action in response to rapid transformation of cyber security risks because of artificial intelligence (AI). While noting that AI can be used for offensive and defensive cyber security purposes, they warn that AI is amplifying cyber security threats. In the spirit of the depth and transparency of the Five Eyes cyber security partnership and how critical sharing cyber threat information is partner countries' collective security, they 'call on leaders across industry – including vendors – to act now and work together to protect our people and secure our future.'

AI as a cyber security threat

Adversaries are already using AI to move faster and more effectively. AI accelerates the speed, scale and sophistication of cyber threats by lowering barriers for malicious actors, increasing the speed and complexity of attacks and shrinking the window between vulnerability discovery and exploitation. Also, AI is more capable at identifying vulnerabilities including zero-day vulnerabilities.

Improving cyber resilience

Cyber resilience is needed to ensure business and operational continuity, market confidence and trust, long-term value and operational and strategic advantage. It comes from 'getting the basics right, acting quickly, and integrating cyber security into core business strategy.' To do so, the Five Eyes cyber security agencies urge business and other leaders to:

understand and assess risk, readiness and accountability
prioritise foundational cyber security practices and controls
empower cyber leaders with authority and resources
stay actively engaged as threats and guidance evolve.

Further, cyber risks must be treated as a core business risk and leadership responsibility not as as a purely technical issue. Leaders should ensure cyber resilience is in place and works under pressure in real incidents including by:

embracing secure-by-design and secure-by-default as 'standard practice – not an aspiration'
ensuring defence in depth delivered through a range of solutions
accepting that breaches will occur
recognising that preparedness helps contain cyber risks quickly and prevents escalation into major operational and financial crises.

The Five Eyes cyber security agencies reiterating cyber security actions that 'are not new, but are now urgent to reduce not only technical risk, but also operational, financial and reputational exposure'. Those actions are:

reducing your attack surface by limit unnecessary system access and external connectivity, isolating systems that do not need to be connected to the internet
prioritising security updates and accelerating patching processes because AI is shortening the time between vulnerability discovery and exploitation making delays in patching more risky
addressing legacy systems because unsupported systems are easy targets making them strategic liabilities not just technical debt
reviewing and strengthening identity and access controls to limit access to critical systems and, where access is needed, enforcing strong authentication and regular reviews of permissions
preparing for incidents before they happen by testing response plans, training and preparing teams, assuming breaches will occur and focusing on fast containment and recovery.

Using AI for cyber security defence

The Five Eyes cyber security agencies also say that defenders must strengthen defences using AI. Integrating AI into security operations can 'detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents – reducing both the cost and impact of incidents.'

Urgent action is needed

AI is challenging cyber risk assumptions meaning they can be outdated in months, not years. Organisations need to act now, including being prepared to adapt and withstand evolving threats. Acting now will reduce exposure to growing and avoidable risk while strengthen resilience and build confidence with customers, partners, and investors.

Been briefed – Five Eyes cyber security agencies joint statement on AI-enabled cyber risks

Algorhythms

AI

cyber security & AI

national security & AI

Go for a byte

cyber security

Australian Cyber Security Centre

Canadian Centre for Cyber Security

Cybersecurity and Infrastructure Security Agency (US)

Cyber Security Directorate (US)

National Cyber Security Centre (UK)

National Cyber Security Centre (NZ)

national security

Five Eyes

Australian Government

Canadian Government

Communications Security Establishment Canada

Government Communications Headquarters (UK)

Government Communications Security Bureau (NZ)

New Zealand Government

UK Government

US Department of Homeland Security

US Government

US National Security Agency

AI as a cyber security threat

Improving cyber resilience

Using AI for cyber security defence

Urgent action is needed

You might also like

Questions the next National Cultural Policy should address on AI, creative practice, copyright and IP

Been briefed – NSTM-4 Adversarial Distillation of American AI Models White House memorandum

Been briefed – What 81,000 people want from AI, Anthropic

AI buying AI: Big Tech has been on an AI spending spree

Whether DeepSeek or Seedance, what is behind US criticism of Chinese AI? And why it matters

I want to access members only blog content including the weekly WTF now?! round-ups

Try it for free