The leaders of Five Eyes are warning of artificial intelligence's (AI) rapidly transforming cyber risk, urging leaders to act swiftly to minimise the brunt of attacks.
Head of New Zealand’s National Cyber Security Centre (NCSC) Catriona Robinson said AI was "not a future consideration, it is already here."
"It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly. At the same time, AI offers powerful tools to strengthen defence."
The call from the leaders of the Five Eyes security agencies was spurred by Frontier AI’s "ability to identify and exploit vulnerabilities at unprecedented speed and scale". Frontier AI models are the most advanced types of software available.
"As the leaders of the Five Eyes cyber security agencies, we are united in our call to action: the evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead," Robinson said.
"Breaches will occur but preparedness helps you contain them quickly and prevent escalation into major operational and financial crises."
The NCSC was assessing frontier AI models to inform its response to security risks.
The Five Eyes' statement on the AI security risk describes cyber risks as no longer a purely technical issue - "This is a core business risk and leadership responsibility."
"It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence - not just improve efficiency."
It states standard practice now must be secure-by-design and secure-by-default and there must be multiple layers of defence.
"As AI systems evolve, new and previously unknown vulnerabilities will emerge, including zero‑day vulnerabilities," the statement read.
"The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats.
"Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy."
Five Eyes' 'practical actions'
The statement says whilst the following actions may not be new, they are now urgent to reduce technical risk, and also operational, financial and reputational exposure.
1. Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.
2. Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks.
3. Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.
4. Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions.
5. Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.
We welcome your comments below. If you are not already registered, please register to comment
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.