Australia and its intelligence-sharing allies have sounded the alarm for AI adoption, warning defenders to implement the technology or risk falling victim to advanced cyber threats.
In a statement released by Five Eyes – the decades-old signals alliance comprising agencies from Australia, New Zealand, US, UK, and Canada – cybersecurity defenders are urged to use AI to “move faster and more effectively”.
In what the alliance dubbed a “call to action”, Five Eyes warns although AI will bolster cyber defence over time, it also boosts the speed, scale and sophistication of threat actors.
Indeed, scammers have increasingly utilised AI to personalise their phishing messages, ransomware gangs have used the tech to automate portions of their attack lifecycle, and Google Threat Intelligence recently identified a threat actor which appeared to have used an AI-developed zero-day exploit.
“AI is not a future consideration – it is already here,” wrote Five Eyes.
“It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly.”
Five Eyes is urging companies to “use AI to strengthen defence”, noting AI tools can quicken vulnerability detection, improve software quality, monitor unusual behaviour and speed up incident response.
The collective notes, however, that success would “not come from having the most tools”.
“It will come from getting the basics right, acting quickly, and integrating cybersecurity into core business strategy.”
When asked how Australian companies should approach their AI adoption, an Australian Signals Directorate (ASD) spokesperson directed Information Age to existing Australian Cyber Security Centre advice.
Frontier models drive sober warning
Five Eyes warns the rapid pace of frontier AI development means cyber risk assumptions can become outdated in a matter of “months, not years”.
With the industry’s most cutting-edge models “anticipated to exceed current industry expectations”, the alliance warns AI may soon fundamentally transform “both offensive and defensive cyber capabilities”.
“We must act now,” reads the statement.
In recent months, AI company Anthropic’s unreleased Mythos model has driven significant concern for its purportedly groundbreaking cybersecurity capabilities.
The company announced a preview model for limited government and private organisations, but a recent directive from the US pulled Mythos and its sibling model Fable 5 from all non-Americans, citing national security concerns.
Though Anthropic’s repeated, lofty promises have attracted doubt from some security pundits, Gary Barlet, public sector chief technology officer at cybersecurity firm Illumio, said it was “wishful thinking” to assume AI cyber threats would slow down depending on the release of Mythos alone.
“Whether it's Mythos, Fable, or the next frontier model, it isn't a matter of if these capabilities become widely available – it's when,” said Barlet.
Security researcher Jamieson O'Reilly told Information Age frontier models were already “compressing the attack lifecycle, discovery, chaining, and exploitation,” while simultaneously giving defenders “new tools”.
“The gap between what advanced offensive AI can do today versus traditional red teaming already speaks for itself,” said O’Reilly.
“The Five Eyes are correctly flagging that defenders must match that speed and sophistication deliberately, or they will lose ground rapidly.”
Five Eyes issue five steps
Beyond AI, Five Eyes outlined five urgent, practical actions organisations should take to reduce their risk.
These include known cybersecurity basics such as incident response testing, reducing attack surfaces by optimising system exposure, addressing outdated, legacy systems, and strengthening identity and access controls.
The alliance also notes AI is shortening the time between vulnerability discovery and exploitation, meaning patching processes need to be handled with speed and priority.
O’Reilly added that “delaying foundational hygiene” while hoping “AI magic fixes everything” is a recipe for fast and expensive breaches.
“Good AI implementation, in this context, means treating AI as a force multiplier for resilience and detection, not just efficiency,” he said.
“Bad implementation is bolting on AI tools primarily for cost or speed gains without equivalent adversarial testing.”
‘We know, take it up with the board’
Vaughan Shanks, chief executive of Melbourne-based incident response vendor Cydarm Technologies, said much of the Five Eyes’ statement was already-known information.
“Take away AI and none of these response actions are new,” Shanks told Information Age.
“Security teams have been trying to get the basics right for years.
“The AI part is what’s new: attackers are moving faster, and a clear case for using AI for defence.”
He adds “the shortfall was never a lack of urgency”, but rather a “resourcing gap” that needed to be addressed at a boardroom level.
Indeed, Five Eyes said cyber risk is a leadership responsibility that can “no longer be treated as a purely technical issue”.
“Government should be able to set the targets using SOCI and similar legislation, then let the private sector figure out how to deal with it,” said Shanks.
“It’s a matter of setting the right incentives, starting with the board.”
