Singapore has told its most important digital infrastructure operators to beef up cyber defences against frontier AI models that are so powerful that hackers can take a much shorter time to exploit undocumented vulnerabilities.
The chief executive officers of the country’s major financial institutions have met with the sector’s government regulator to discuss how to collectively respond against the cyber threats posed these new AI models, it was revealed today.
The heads of similar critical information infrastructure (CII) operators, such as telecom or utilities operators, have also been told by the country’s cybersecurity authorities that their existing cybersecurity measures may no longer be valid.
Senior Minister of State for Digital Development and Information, Tan Kiat How, told Parliament today that new attacks could be faster, more scalable and sophisticated.
He said the government is reviewing the standards and obligations for CII owners so they can respond more urgently to the threats posed by these frontier AI models.
Last month, Anthropic said it had not released Claude Mythos publicly because of the AI model’s ability to find undocumented vulnerabilities in digital systems and Web browsers.
A check by Britain’s AI Security Institute found that Claude Mythos could autonomously attack small, weakly defended and vulnerable enterprise systems where access to a network has been gained.
While the researchers could not confirm if the AI could attack well-defended systems, they advised organisations to evaluate their cybersecurity setups. They would also further track the AI’s capabilities against real-world systems in future.
Anthropic isn’t alone. OpenAI’s GPT-5.5 that was released soon afterwards is also said to be capable of potent autonomous attacks as well. In some scenarios, it was highly successful with reverse engineering, vulnerability research and malware unpacking.
Considering how many cyber attacks Singapore faces, it might not require an AI to even use an undiscovered vulnerability. It may just have to keep probing multiple weak points until it finds a loophole that has yet to be patched in time.
This is one reason the Cyber Security Agency of Singapore (CSA) has called for the board and chief executives of CII operators to not leave cyber defence against frontier AI to IT departments.
What’s concerning are multi-stage attack chains, for example, which can now be carried out without a hacker’s intervention. Social engineering is also more personalised now with AI helping to trawl the Internet for victims’ information.
CII operators, according to the CSA, should review their current cybersecurity risk posture, though it stopped short of prescribing a timeline.
Through this review, they should account for new AI-enabled threats, confirm they have visibility over critical systems, ensure faster patching than adversaries, govern AI use appropriately, and use AI to help fight off potential attackers.
CSA has said it would publish further technical guidance, in a letter sent to CII operators today.
