Five Eyes Warns AI Widens Cybersecurity Skill Gap, Empowering Attackers
A joint Five Eyes intelligence alliance statement highlights the growing threat of AI in cybersecurity, warning that advanced AI models are rapidly diminishing the need for deep technical skill to launch sophisticated attacks.

National security agencies from the Five Eyes alliance—comprising Australia, Canada, New Zealand, the United Kingdom, and the United States—have issued a joint statement sounding the alarm on the escalating cyber risks posed by artificial intelligence. The core concern is AI's burgeoning capability to autonomously hack into systems and networks, a development that significantly widens the gap between an individual's technical skill and their actual ability to cause harm.
While the statement itself was measured, its implications are profound. The agencies emphasize that AI is accelerating a trend that has been evolving for decades: the decoupling of skill and ability in the realm of cyberattacks. Historically, launching sophisticated attacks required extensive knowledge and technical expertise. However, modern AI models, even those without advanced guardrails, can now perform complex actions like network intrusion, data exfiltration, ransomware deployment, and system destruction with minimal human input, effectively lowering the barrier to entry for malicious actors.
This phenomenon is not unique to cybersecurity. Bruce Schneier, in his analysis of the Five Eyes statement, draws parallels to other fields, noting that while doctors and engineers possess the knowledge to cause harm, their lengthy training instills ethical codes that largely prevent misuse. AI, however, acts as a universal advisor, potentially empowering individuals with harmful intent but lacking the traditional skill-based ethical constraints.
The proliferation of AI tools, particularly open-source models that can be run locally and modified without oversight, presents a significant long-term threat. Unlike frontier models developed by major corporations, which may have built-in safety mechanisms, these smaller, more accessible models can be distributed freely, much like the 'script kiddie' tools of the past, but with vastly amplified capabilities. This decentralization makes it difficult to implement and enforce safeguards.
Efforts to mitigate these risks by instructing AI models to report malicious prompts to authorities are unlikely to be effective against locally run, open-source systems. Similarly, attempting to fundamentally prevent AI models from acquiring knowledge that could be used for harm is seen as an intractable problem. The same knowledge required to identify and fix vulnerabilities in code, for instance, is also the knowledge needed to exploit them.
The Five Eyes agencies acknowledge that the advice they are offering—enhanced cybersecurity practices—is not new. It echoes recommendations made by security professionals for years, including testimony before Congress in 1998. What *is* new is the urgency and the speed at which AI is changing the threat landscape. The agencies warn that "cyber risk assumptions can become outdated in months, not years," necessitating constant adaptation and preparedness.
Despite the risks, the statement also highlights AI's potential for defense. The agencies advocate for leveraging AI to strengthen every facet of cybersecurity, from earlier vulnerability detection and improved software quality to faster incident response. This dual-use nature of AI underscores the critical need for robust security measures and proactive adaptation to evolving threats.
The overarching message is one of increased global volatility. As AI empowers individuals with unprecedented capabilities, the potential for both immense good and catastrophic harm grows. The challenge lies in harnessing AI's defensive potential while mitigating its offensive capabilities, a task that requires a fundamental shift in how cybersecurity is approached in the age of artificial intelligence.