The Journal. - Cybersecurity Braces for AI ‘Bugmageddon’
Episode Date: April 21, 2026
AI models like Anthropic's Mythos are finding software bugs at an unprecedented rate, kicking off a cybersecurity scramble to prevent what experts are calling “bugmageddon.” Thanks to these new models, hackers will be able to exploit those bugs more quickly than ever before. WSJ’s Robert McMillan explains why major corporations and the White House are scrambling to patch their systems. Jessica Mendoza hosts.
Transcript
Last month, a group of computer researchers ran a test.
They wanted to try using artificial intelligence to hack an operating system called OpenBSD.
So OpenBSD is an operating system, you know, like Windows or MacOS.
It's been around for a long time.
Our colleague Bob McMillan covers cybersecurity.
He says this operating system is considered very secure.
It survived decades of cyber attacks.
It's kind of on the front of the internet for many corporations.
It's used in firewalls.
So it's facing the hackers all the time.
So it's a good project to look at because it's been battle tested, right?
And it's had lots of time for people to look for bugs and report them and fix them and stuff like that.
A software bug is a flaw in a computer program that causes problems or even a crash.
Hackers try to find bugs because they can use
them as sort of a door into an otherwise closed computer system.
So in this experiment, researchers took the latest AI model from Anthropic,
called Mythos, then let it loose into the software.
And they said, find us some bugs.
And it found this bug.
A guy named Niels Provos had written some code in 1998, and he made a mistake.
And nobody noticed that mistake for over 27 years until Mythos
took a shot at it.
Wow.
The bug Mythos found could have caused a serious problem,
and it had sat there undetected by humans for nearly 30 years.
So, I mean, what does this tell you about Mythos?
Is it better at this than humans?
I mean, you could sort of craft this narrative, like, oh, my gosh,
they've had 27 years and, like, no one saw it, and then AI found it.
Like, there are bugs that humans have missed that AI is able to find.
I mean, that's a legit, uh, phenomenon.
Anthropic, the company that made Mythos, said that the model was so powerful it could, quote, reshape cybersecurity.
And Mythos is just the beginning.
Already, the cybersecurity world is struggling to keep up.
AI models are getting very good at finding security vulnerabilities.
The amount of bugs that are being found right now is skyrocketing, and people are freaking out because of that.
Mythos has become the poster child for a phenomenon that I've been
writing about for months that people in the cybersecurity industry have been talking about for months,
but with the Mythos release, it achieved critical mass.
And what phenomenon is that?
Well, the geeks call it the vulnerability Armageddon, but here at the Journal, we call it the Bugmageddon.
Welcome to The Journal, our show about money, business, and power.
I'm Jessica Mendoza. It's Tuesday, April 21st.
Coming up on the show,
Bugmageddon and Cybersecurity's race against time.
Bob, I want you to back us up just a little bit here. What are AI models like Mythos
actually doing that's different from how software bugs have been found in the past?
So there's like a real change going on in the way bugs are being found. In the olden days,
it was kind of a very specialized knowledge. You'd have to kind of master this arcane,
computer science of how systems work.
So if a hacker wanted to find a bug that would get them into, say, the Windows operating system,
they'd have to learn how Windows worked.
25 years ago, there were a million bugs being found in the Windows operating system.
And for that to happen, people had to really dig into the ins and outs of how the Internet
interacted with Windows.
But it required hours and hours of work for humans to achieve the level of mastery required
to even be playing in the bug hunting game.
AI changes all that, right?
Like, AI can just look at all these bugs and kind of get to that level of mastery very quickly.
And where AI hacking models shine most is speed.
Eight years ago, the average time between a bug being found and a hacker
using that bug in a cyber attack was 847 days.
So a bug would be disclosed, two years would go by, and then it would start getting exploited
on average. Now it's like within a day. It's not rocket science, but it takes time for a human
to do it. You have to have a certain level of expertise. AI has absorbed all of that.
There are some limitations with AI's abilities, though. At least so far, AI doesn't really think
creatively like people can.
It's basically kind of repeating stuff that's already out there, so it's not going to be able to, as it stands now anyway, invent this whole new way of hacking systems.
But Anthropic's Mythos is better at bug finding than any AI model that's come before it. The company announced the model earlier this month, and it said Mythos would be able to identify software vulnerabilities better than, quote, all but the most skilled humans.
Anthropic also said that the version it's been testing
has already found thousands of vulnerabilities
in every major operating system and browser.
From the start, Anthropic was talking about it as very dangerous,
you know, like we're not sure what to do with this, like who should get it.
Anthropic has a new AI model so dangerous, they won't release it publicly.
It could become a major hacking tool.
This is a system that absolutely has slipped its
bonds already, the company says, and as a result, poses a threat.
It seems like a lot of people have gotten worked up since Anthropic announced this.
I mean, there's a lot of hype around AI right now.
And when you hear about AI being too dangerous to be released, I think it's pretty
natural to go, what's going on with this stuff?
Is it systemic risk to our financial system?
You know, is this going to open up all these backdoors that hackers are going to be
able to use to undermine confidence in the banking system?
Imagine hospitals, banks, and government and military websites being targeted by an AI hacker
that can work faster and more aggressively than any human could.
That's what Anthropic said it was trying to prevent.
So to avoid the worst, Anthropic said it will only share Mythos with a limited pool of
companies that make up much of the backbone of the tech world, like Amazon, Google, and
Nvidia. Anthropic says it has no immediate plans to release the program to the public.
We only want to release it to a select group of entities. So they picked about 50 corporations
and organizations and said, take a look at this, see what you can do with it. The idea is that
access to Mythos could give those companies a head start against Bugmageddon, allowing them to
find the holes in their systems and patch them before hackers get their hands on Mythos.
Hacking is very asymmetrical.
If you are the hacker, you just have to find one way into your target.
You do something and it doesn't work like, no big deal.
You know, you can try again.
If you're a defender and you try to defend something and it doesn't work, you're hacked.
Bob says that this approach, being cautious about who gets access to the AI model,
tracks with Anthropic's narrative of being a responsible and safe AI company.
But some AI experts aren't sure if
Anthropic could pull off a wide release of something like Mythos right now anyway, because of data
constraints. There is a question about whether they have enough compute to meet demand. A new model
would require a lot of compute and would put some strain on something that they're already
having some difficulty delivering, which is access to their services. However, other companies
are also working on their own versions of this technology. Anthropic's primary competitors,
OpenAI and Google DeepMind have said they have similarly capable models in the works.
There's no release dates set for any of these models yet,
but Bob says cybersecurity teams have their work cut out for them.
Like, there's a lot of bugs out there.
There's a lot of bugs in software.
And right now we're just at this point where they're all being revealed.
So these network defenders, they're all thinking about ways of being creative about solving the problem.
but they can tell the Bugmageddon is coming.
After the break, how cybersecurity experts are looking to a past panic to prepare for tomorrow.
However you slice it, it's the Y2K problem for AI.
In 1999, there was a big computer problem on everyone's mind, Y2K.
Congress has set to the task of answering the question,
will the Y2K computer bug bring about Armageddon?
Well, Bob, for those of us who may not remember exactly?
Wait, you're telling me you don't remember Y2K?
Come on.
That was the year I turned 12, Bob.
Weren't you worried as a 12-year-old that the world was going to self-destruct on New Year's Eve?
I was just figuring out how to use an AOL account.
Can you paint a picture of the Y2K bug phenomenon?
Y2K happened when after a few just like amazing years of people writing software and software
taking over and doing all kinds of great things, somebody
took a look at their code,
and they realized that when we enter the year on this program,
we should have given it more than two digits.
Back then, programmers had given dates only two numbers for the year,
like 99 for 1999.
But they realized that when the date rolled over into 2000,
computers might read the double zero as the year 1900 instead.
There's a lot of software out there,
financial institutions were using it, corporations were using it, and like an astounding amount of code did not compute the year 2000.
Everything from tax returns to Social Security could be a problem if old programming refuses to acknowledge the 21st century.
People were worried about elevators, you know, freezing and the financial system melting down.
Everyone here is waiting for the same thing, the stroke of midnight.
I remember on New Year's Eve, like Y2K, I had like $5,000 cash in my pocket just in case, you know, the ATMs didn't work for months.
So with a clear deadline looming ahead, tech teams got to work.
And so they had to rewrite a lot of software so that it could understand the concept of 2000 and not 1900.
And so they worked like heck on this.
And all these coders pulled like all-nighters,
and people working their butts off.
And lo and behold, the year 2000 happened,
and the computers mostly ran.
And so they did it.
Emergency calls went through.
The power stayed on,
and we didn't go back into the dark ages.
Thanks to all that grunt work by tech teams across the world,
Y2K was famously a nothing burger once the clock struck midnight.
In cybersecurity, we always talk about the awful things,
you know, the ransomware outbreaks,
and hacks and things like that.
But occasionally, we do something right collectively.
And Y2K was an example of when the world knew about a problem
and worked really hard and averted disaster.
Bob says the Y2K lesson is to take threats seriously as early as possible.
Mythos and the concerns about it
have helped sound the alarm for the danger that AI can pose in the wrong hands.
I mean, the good thing about all of the attention that that release got is like boards are asking what's the deal, right?
And so they have to come up with plans.
And what they're doing is they're trying to get faster at patching.
A number of companies are rolling out initiatives to deal with it.
And even the White House is spooked.
The administration has announced that it's taking steps to prepare for the vulnerabilities that Mythos could bring to the surface,
both in government and in the private sector.
How worried should the average person be?
If I was to give advice to somebody who's not a cybersecurity expert,
I'd say worry about your two-factor authentication,
worry about, you know, getting phished.
I mean, there's like a lot of fraud going on right now.
You know, this is a theoretical problem.
Like, you know, wait for the global worm.
And the other thing is, I mean, we're rolling out all kinds
of AI-created software and AI systems and agentic systems and things like that, and people are
going to start hacking all of that. So, you know, that actually might be a bigger worry than all
these bugs in existing software that AI is finding. And we're not talking about that as much
as we're talking about Mythos right now. Bob, it sounds like this is eventually going to be an
issue, though. Is there going to be some kind of, you know, big global coordination to get on top of
this the same way there was back when everyone was getting ready for Y2K?
Well, I mean, that's what the Mythos announcement was, right?
Like, we're going to work with 50 companies that, like, really are in the center of the world's
infrastructure.
So, I mean, that, yeah, that is happening right now.
And there are other efforts underway.
I mean, you could look at Mythos as sort of the beginning.
There's, like, a real global effort right now to fix our software, which is actually a good thing.
But the speed at which AI is advancing
means this time
it's probably going to be less of a moment
and more of a new reality.
There is no end to it though.
I mean, there's going to be like a point
at which people are freaking out about it less, I think.
But we just have to beat the hackers
before they write the global worm
that shuts everything down.
So having said all that, Bob,
where do we land on Mythos?
Is it good marketing, genuine threat,
fundamentally going to change cybersecurity, somewhere in between?
I just don't think you need to credit Mythos with fundamentally changing cybersecurity.
I mean, all of these LLMs and what they can do, they're all changing cybersecurity.
No question about that.
And it's kind of interesting that, like, people, the industry is sort of ahead of the curve on this one, right?
So to me, it does feel like Y2K, one of those things where people are kind of aware of the problem ahead of
time. They're thinking of sensible things to do to mitigate it. And beyond that, there may be
unexpected consequences that nobody's seeing right now. That's really the thing that I would
kind of worry about is like, what is the unexpected consequence of all of these systems rolling out?
That's all for today, Tuesday, April 21st. The Journal is a co-production of Spotify and the Wall Street
Journal. If you like our show, follow us on Spotify or wherever you get your podcasts. We're out every
weekday afternoon. Thanks for listening. See you tomorrow.
