Modern AI systems are effectively becoming a universal adviser for harmful actions, according to security technologist Bruce Schneier. In a recent analysis, he highlights how AI is closing the gap between skill and ability, enabling even unskilled individuals to carry out sophisticated cyber-attacks. This comes after a joint statement from the Five Eyes intelligence alliance—comprising the US, UK, Canada, Australia, and New Zealand—warning of the increasing cyber risks posed by AI models, particularly their ability to autonomously hack into systems.
The skill-ability gap widens
Schneier argues that for most of human history, skill and ability were synonymous, but computers have decoupled them. With AI, the gap is widening rapidly. People with ability but no skill—often outsiders not bound by professional norms—can now cause significant harm. He contrasts the skilled L0pth hackers of 1998, who testified they could take down the internet in 30 minutes, with modern 'script kiddies' who use prewritten tools. Now, AI models can act autonomously with minimal prompting, dramatically increasing the pool of potential attackers.
Five Eyes warning and defense strategies
The Five Eyes statement, released last week, notes that 'the rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years.' They recommend using AI to strengthen defense, including detecting vulnerabilities earlier, improving software quality, and monitoring unusual behavior. Schneier agrees, stating that AI must be harnessed for defense, as the same knowledge used for attacks can also protect systems.
However, he warns that guardrails imposed by AI companies like OpenAI and Anthropic are insufficient. Open-source models, which can run on personal computers and lack restrictions, will proliferate. Similarly, instructing models to report malicious prompts to authorities will only work for corporate models, not locally run ones.
Inevitable risks and the path forward
Schneier notes that teaching AI to fix vulnerabilities inherently teaches it how to exploit them, much like doctors learning to treat poisonings also learn how to poison. This leaves a world of increased volatility, where super-powered humans with AI assistants can do both wonderful and horrible things. The Five Eyes advice—standard security measures like patching and monitoring—remains the same but with newfound urgency. Schneier concludes that we must act before threats evolve, using AI to enhance every aspect of cyber defense.
