SINGAPORE - Hackers no longer need specialised skills to be a threat to systems that power critical services with the rise of new artificial intelligence tools that can accelerate the exploitation of system flaws.

Urging over 1,000 attendees at GovTech’s STACKx Cybersecurity event to take the threat seriously, Senior Minister of State for Digital Development and Information Tan Kiat How said AI can be used to counter AI.

“Pandora’s box has been opened,” said Mr Tan on April 17, during his opening speech at the Marina Bay Sands Expo and Convention Centre.

He was describing the threat of AI tools such as Anthropic’s Claude Mythos Preview, which is reportedly capable of autonomously surfacing vulnerabilities in software systems and generating code to exploit flaws.

Anthropic said the model has found vulnerabilities in every major browser and operating system. Citing the danger of proliferation of such tech to bad actors, the company has shared the new AI model with a select group of companies to patch their security systems, opting against a public launch.

“There is a consensus among experts that these developments represent a step jump in the threat landscape,” said Mr Tan, addressing government leaders, chief information officers, tech professionals, and industry practitioners in the audience.

“In the wrong hands, it will enable even the less skilled threat actors to conduct sophisticated attacks at scale and speed. You can imagine the harm that can be done in the hands of skilled operatives who are augmented with AI.”

Though Mythos does not create new classes of attack, such tools can reduce the time and resources needed to conduct cyberattacks.

Organisations need to fundamentally rethink their digital security systems, said Mr Tan, adding that this includes systems that power critical services – known as operational technology – which could mostly only be compromised by those with special skillsets in the past.

The government has alerted sector leads and critical information infrastructure owners to tighten cyber hygiene measures, and will be meeting them in the coming weeks to discuss the implications on Singapore’s cybersecurity.

He also urged firms to not view cybersecurity as just another “box-checking” exercise, and that collaboration across the industry is needed for a secure environment.

The government has taken steps to work more closely with organisations to combat cyberthreats together, said Mr Tan, citing new measures to equip critical information infrastructure owners with classified threat intelligence and proprietary threat detection systems to defend against adversaries.

As AI-automated attacks continue to surface, he also urged the use of AI as a counter tool to detect threats early and respond quickly, which can reduce the asymmetry of skills between attackers and defenders.

But at the same, enterprises must also adopt AI securely so it does not become a vulnerability.

“This means building capabilities in testing and establishing standards for safe and secure AI use,” said Mr Tan.

During a keynote speech at the event, GovTech’s chief executive Goh Wei Boon also echoed Mr Tan’s advice to “fight fire with fire” by equipping cyberdefenders with AI tools.

While 99 per cent of government services are now accessible digitally, the trade-off is a massive expansion of attack surface, said Mr Tan. He added that half of the government’s 2,000-strong systems are internet-facing.

“In the past, we could focus defences on a few gateways and firewalls to potentially keep the actors out. Now, our perimeter has essentially disappeared.”

Every website, digital platform, and device used by government officers is a potential access point, said Mr Tan, adding that AI can now be used to discover flaws within configuration and codes much faster.

To guard against attackers, Mr Goh urged companies to build secure AI systems, citing the agency’s efforts to roll out tools such as Litmus, which acts as a security scanner for AI systems.

The agency has also been experimenting with using AI to detect vulnerable code and conducting security tests with AI agents.

“No single organisation has all the resources to deal with the ever-expanding attack surface or the increasing ease with which new vulnerabilities are discovered,” said Mr Goh.

“The only way to overcome is is by working together across government, industry, and academia to innovate and stay ahead of emerging threats.”

In an advisory published by the Cyber Security Agency of Singapore on April 15, local firms have been advised to shore up their defences against frontier AI models that can be used to scale cyberattacks.

Some immediate mitigation measures include applying software patches for all critical and high-severity vulnerabilities, implementing multi-factor authentication across all interfaces and gateways, and reviewing user permissions to remove unnecessary access rights.