The heads of the Five Eyes cybersecurity agencies have issued a rare joint statement warning that artificial intelligence is reshaping cyber risk in months rather than years, and have urged business and government leaders to act immediately.
Released on Monday night, the statement brings together cybersecurity chiefs from the Five Eyes allies – Australia, the United States, Britain, Canada and New Zealand. It says frontier AI models are expected to exceed industry expectations and will transform both attack and defence, and that the gap between a vulnerability being found and exploited is closing fast.
“The urgency is clear. AI is not a future consideration – it is already here,” the statement says. “It lowers barriers for malicious actors and increases the speed and complexity of attacks … At the same time, AI offers powerful tools to strengthen defence.”
The warning follows a recent reminder of how quickly those capabilities are moving. On June 13, Anthropic suspended worldwide access to its two most powerful AI models, Fable 5 and Mythos 5, after a US export control directive tied to security concerns, and Australian users lost access without notice.
Testing by Britain’s AI Security Institute had found one of the models could break into systems about 73 per cent of the time, which Queen Mary University of London academic Gina Neff described as “a step change in capability”.
The agencies said cyber risk could no longer be treated as a purely technical matter. It was a core business risk and a leadership responsibility, they said, and boards and executives needed to be confident their defences would hold during a real attack rather than simply having controls in place.
Stephanie Crowe, head of the Australian Cyber Security Centre at the Australian Signals Directorate, was among the signatories. She said Australia was well placed if organisations took the threat seriously.
“I’m actually really positive that we have the tools and we have the capabilities,” Crowe said. “If we all take action and we actually take the time to look at our cyber risk management plans, and the priorities we place on the things that we need to do to defend ourselves, then we’re in a really good place.”
Crowe said defenders should learn from emerging technology such as AI. “Our adversaries are using them and we all need to use them to defend our networks,” she said.
The chiefs set out practical steps for organisations to take, urging leaders to cut the number of systems exposed to the internet, patch known flaws faster, retire unsupported legacy systems and tighten controls over who can reach critical networks. AI was shortening the time between a flaw being discovered and used, they said, which made delays in patching more dangerous, especially for operational systems with long update cycles.
Breaches should be assumed rather than feared, the agencies said, with response plans tested in advance so incidents could be contained before they became operational and financial crises.
The statement also pressed leaders to use AI to defend themselves. Organisations that built the technology into their security operations could detect weaknesses earlier, watch for unusual behaviour and respond to incidents sooner, the chiefs said, which reduced both the cost and impact of attacks. Success would come from getting the basics right and acting quickly, they said, not from buying the most tools.
The intervention reflects growing unease among Western security agencies about the pace of frontier AI development and its use by state-backed and criminal hackers. Cyber risk assumptions could become outdated in months, the agencies said, and resilience was central to operational continuity and market trust.
“Cyber resilience is not an IT issue,” the statement said. “Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk.”
The agencies called on industry, including technology vendors, to work together. “We call on leaders across industry … to act now and work together to protect our people and secure our future,” the statement said.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.
David Swan is the technology editor for The Age and The Sydney Morning Herald. He was previously technology editor for The Australian newspaper.Connect via X or email.From our partners
