The heads of the Five Eyes cybersecurity agencies have issued a rare joint statement declaring that artificial intelligence is reshaping cyber risk in months rather than years, delivering a blunt and unambiguous message to business and government leaders across Australia, the United States, Britain, Canada, and New Zealand to act immediately rather than treat the threat as a future consideration. The statement, released on Monday night, warns that frontier AI models are expected to exceed industry expectations and will fundamentally transform both the attack and defence sides of cybersecurity, and that the window between a vulnerability being discovered and actively exploited is closing at a pace that existing patching and response cycles were never designed to accommodate. Among the signatories is the head of the Australian Cyber Security Centre at the Australian Signals Directorate, who expressed cautious optimism that Australia is well positioned to meet the challenge provided organisations treat it with the seriousness it demands.
The urgency of the statement is underscored by a recent and striking demonstration of how quickly frontier AI capabilities are advancing. On 13 June, Anthropic suspended worldwide access to its two most powerful AI models, Fable 5 and Mythos 5, following a United States export control directive tied to security concerns, leaving Australian users without access and without prior notice. Testing conducted by Britain’s AI Security Institute had found that one of the models could successfully break into computer systems approximately 73 per cent of the time, a finding that has been described as representing a step change in capability rather than an incremental improvement. The agencies noted that this kind of rapid capability uplift means that cyber risk assumptions that were considered sound can become dangerously outdated within months, creating an environment in which organisations that delay action face compounding and increasingly avoidable exposure.
The joint statement makes clear that cyber risk can no longer be treated as a purely technical matter to be managed by IT departments, characterising it instead as a core business risk and a direct leadership responsibility requiring boards and executives to be genuinely confident their defences would hold during a real attack rather than simply having controls nominally in place.
Practical steps outlined by the agencies include reducing the number of systems exposed to the internet, accelerating the patching of known vulnerabilities, retiring unsupported legacy systems, and tightening access controls over critical networks, with particular emphasis on the danger that AI-shortened exploitation timelines pose to operational systems with long update cycles. The agencies also strongly urged organisations to deploy AI actively in their own defences, noting that adversaries are already leveraging the technology and that organisations integrating AI into their security operations will be better positioned to detect weaknesses earlier, identify unusual behaviour, and contain incidents before they escalate into operational and financial crises. ASCS reinforced this message directly, stating that defenders must learn from and adopt emerging technology including AI, because adversaries are already doing so and the tools and capabilities to respond effectively are available to those willing to act.