AI-Powered Cybersecurity & Critical Infrastructure Protection
Introduction
Artificial Intelligence is rapidly transforming the cybersecurity landscape — from a reactive, human-driven discipline to a proactive, automated one. Anthropic's unreleased model Claude Mythos, announced through Project Glasswing — a 40-firm consortium with a $100 million budget — has already identified vulnerabilities in foundational global systems including the Linux kernel, OpenBSD, and FFMPEG. For India, the stakes are particularly high: government systems running Aadhaar and GST operate on older codebases; critical infrastructure like SCADA and IoT systems are embedded in manufacturing and public utilities; and no Indian firm features in the current Glasswing partner list. The arrival of AI-grade vulnerability scanners marks a qualitative shift in the threat environment — one that India's regulatory and industry response has not yet fully absorbed.
"It's an entire tsunami coming in." — Vinayak Godse, CEO, Data Security Council of India (DSCI)
Key Data Points (Exam-Ready)
| Parameter | Detail |
|---|---|
| Project Glasswing budget | $100 million |
| Firms in Glasswing consortium | 40 companies + open-source maintainers |
| Systems already scanned | Linux kernel, OpenBSD, FFMPEG |
| India's rank in Anthropic's markets | 2nd largest (by absolute users) |
| Indian firms in Glasswing list | None (as of report) |
| Nodal cybersecurity body in India | CERT-In (under MeitY) |
| Key industry body | DSCI under NASSCOM |
Background & Context
What is Claude Mythos / Project Glasswing? Mythos is an unreleased LLM by Anthropic specifically capable of scanning large codebases to identify previously undiscovered software vulnerabilities. Project Glasswing gives early access to a consortium of technology firms to patch vulnerabilities before the model is released publicly — a responsible disclosure approach analogous to bug bounty programmes, but at AI scale and speed.
Why this matters globally: Software vulnerabilities in foundational systems — operating system kernels, networking protocols, open-source libraries — underpin virtually all digital infrastructure. A single unpatched vulnerability in the Linux kernel, for instance, could expose millions of servers worldwide simultaneously.
Why this matters specifically for India: India's digital public infrastructure — Aadhaar (1.4 billion enrollments), UPI, GST Network, CoWIN — runs on codebases that have accumulated technical debt over years. These are precisely the systems where decades-old vulnerabilities are most likely to remain undiscovered.
Key Concepts
Vulnerability Density Debate: A foundational question in cybersecurity is whether software bugs are dense (infinitely many, continuously discoverable) or sparse (rare, patchable to a near-secure state). The answer determines whether AI-grade scanners like Mythos represent a one-time cleanup or a permanent arms race between AI attackers and AI defenders.
Tech Stack Interdependence: Indian IT firms use composite technology stacks — hardware and software from multiple global vendors. Patches from Glasswing partners will indirectly benefit Indian firms through this shared infrastructure. However, bespoke code written by Indian ITeS firms for specific clients remains entirely outside this protection.
SCADA & OT Systems: Supervisory Control and Data Acquisition systems manage physical infrastructure — power grids, water treatment, manufacturing. Unlike IT systems, OT (Operational Technology) systems often cannot be patched quickly due to uptime requirements, making them especially vulnerable to AI-discovered exploits.
Implications for India
| Sector | Specific Risk |
|---|---|
| Government IT (Aadhaar, GST, GSTN) | Older codebases; highest exposure to long-dormant vulnerabilities |
| ITeS / Systems Integrators | Bespoke client code not covered by Glasswing patches |
| SaaS & Deep Tech Product Companies | Entire product ecosystem potentially exposed when Mythos goes public |
| Critical Infrastructure (SCADA, IoT) | Physical-world consequences; difficult to patch without downtime |
| Bug Bounty Researchers | AI may displace human vulnerability researchers |
| Sovereign Tech Firms (e.g. Zoho) | Dilemma: submit code to American LLM audit or risk unpatched exposure |
The Sovereign Dilemma
Indian firms building indigenous alternatives to foreign tech stacks — Zoho being the most prominent example — face an acute strategic dilemma:
- Option A: Submit proprietary code to Mythos-level scanning → accepts dependence on an American AI firm for security assurance of sovereign infrastructure
- Option B: Decline → risks operating with vulnerabilities that AI-powered adversaries (including state actors) may discover and exploit first
This dilemma has no clean resolution without India developing equivalent domestic AI-powered cybersecurity capability — a gap the article implicitly highlights.
India's Institutional Response
CERT-In (Indian Computer Emergency Response Team): Operating under MeitY, CERT-In is India's nodal agency for cybersecurity incident response. MeitY officials are currently studying Mythos's implications. CERT-In's response to attacks on government servers during the India-Pakistan conflict last year has been cited as a positive indicator of institutional readiness.
DSCI (Data Security Council of India): Under NASSCOM, DSCI is coordinating across IT industry verticals to assess exposure. Has declined to confirm whether India-specific conversations with Anthropic are underway.
Gaps:
- No Indian firm in Glasswing — India is absent from the core vulnerability remediation effort
- No public framework for AI-assisted vulnerability disclosure in India
- Uneven cybersecurity readiness across state governments and departments
Way Forward
- Negotiate Indian participation in Project Glasswing or equivalent programmes — particularly for critical government infrastructure
- Develop domestic AI cybersecurity capacity — invest in Indian LLMs capable of vulnerability scanning for sovereign infrastructure
- Mandatory security audits for all critical digital public infrastructure (Aadhaar, UPI, GSTN) using AI-grade tools
- Sector-specific CERT units for SCADA/OT systems in power, water, and manufacturing
- Update IT Act and CERT-In frameworks to address AI-generated vulnerability disclosures and responsible patching timelines
- Bug bounty programme scaling — AI will not eliminate the need for human researchers but will require them to operate at higher sophistication levels
Conclusion
The emergence of AI-powered vulnerability scanners like Claude Mythos represents a structural shift in cybersecurity — compressing the timeline between vulnerability discovery and potential exploitation from years to days. For India, the absence from Project Glasswing is not merely a missed opportunity but a strategic gap in the protection of digital public infrastructure that serves over a billion citizens. The transitionary period — between today's exposure and a future where AI defenders dominate — will be, in the words of Anthropic's own researcher, "very bad." India's response must combine immediate diplomatic and commercial engagement with Glasswing partners, long-term investment in domestic AI security capabilities, and a regulatory framework that treats cybersecurity not as an IT compliance exercise but as a matter of national security.
Attribution
Original content sources and authors
Syllabus classification
How this article maps to GS papers
Main syllabus
GS3Cyber SecurityQuick Q&A
What is Claude Mythos and how does Project Glasswing aim to transform global cybersecurity practices?
Project Glasswing is a collaborative initiative involving around 40 companies and open-source maintainers, supported by a $100 million budget. It aims to deploy Mythos across critical global software infrastructure such as Linux, OpenBSD, and FFMPEG. The objective is to identify and patch vulnerabilities before the model becomes publicly available, thereby reducing the risk of malicious exploitation.
This initiative reflects a broader transformation in cybersecurity practices where AI-driven auditing complements human expertise. For instance, vulnerabilities found in foundational systems like the Linux kernel can have cascading effects across industries worldwide, including India’s IT ecosystem. Thus, Glasswing represents a shift towards collective security responsibility and pre-emptive threat mitigation at a global scale.
Why is Claude Mythos considered both a cybersecurity tool and a potential threat?
On the other hand, the same capabilities make it a potential threat if accessed by malicious actors. Once publicly available, hackers or state-sponsored entities could use Mythos-like tools to discover and exploit vulnerabilities at an unprecedented scale and speed. This is particularly concerning for legacy systems such as Aadhaar or GST platforms, which may rely on older codebases with hidden weaknesses.
Thus, Mythos embodies a paradox: it can either strengthen cybersecurity or amplify risks, depending on who controls and uses it. This underscores the importance of responsible AI deployment, restricted access, and global cooperation to ensure that defensive advantages outweigh offensive misuse during the transition phase.
How could the emergence of Mythos impact the Indian IT industry and its security preparedness?
This creates both an opportunity and a challenge. On the positive side, Indian companies can benefit from improved baseline security in widely used platforms. However, they must also invest significantly in their own cybersecurity capabilities to address vulnerabilities in custom-built applications. As highlighted by industry experts, failure to do so could expose them to novel attack vectors enabled by advanced AI tools.
Additionally, sectors like SaaS and deep-tech startups may face heightened risks, as their products could become targets for automated vulnerability discovery. This may also disrupt traditional practices like bug bounty hunting, where human researchers identify flaws. Overall, Mythos could push Indian IT firms to transition from a reactive to a proactive, AI-driven security posture, requiring investments in talent, tools, and governance frameworks.
Critically analyse the implications of AI-driven vulnerability detection on the 'bug density vs. bug scarcity' debate in cybersecurity.
If Mythos consistently identifies large numbers of previously unknown bugs across diverse systems, it would support the bug density hypothesis. This implies that software ecosystems are inherently fragile, and cybersecurity will remain a continuous 'whac-a-mole' challenge where fixing one vulnerability reveals many more. Such a scenario could overwhelm organizations, especially those with limited resources, and necessitate continuous AI-assisted monitoring.
Conversely, if Mythos eventually exhausts most vulnerabilities and systems become relatively secure, it would validate the bug scarcity perspective. This would suggest that AI tools can help achieve a stable and secure digital environment over time. However, experts like Nicholas Carlini caution that the transition phase may be particularly dangerous, with attackers and defenders both leveraging similar capabilities.
In essence, while AI may tilt the balance in favor of defenders in the long run, the short-term implications include heightened uncertainty, increased attack surfaces, and the need for robust governance mechanisms.
Examine the potential risks posed by Claude Mythos to India's critical infrastructure, citing examples like SCADA and government IT systems.
For instance, platforms like Aadhaar and GST, which are central to governance and public service delivery, may become targets if vulnerabilities are revealed faster than they can be patched. Similarly, SCADA systems used in power grids, water supply, and manufacturing are not only digital but also have physical consequences. A successful cyberattack on such systems could lead to disruptions in essential services, posing risks to national security and public safety.
Additionally, the threat is not limited to financial hackers but extends to state-sponsored actors, who may exploit these vulnerabilities for strategic gains. However, India’s institutional mechanisms, such as CERT-In, have demonstrated resilience in responding to cyber threats, as seen during past geopolitical tensions.
This case highlights the urgent need for modernizing legacy systems, enhancing real-time monitoring, and adopting AI-driven defensive tools to safeguard critical infrastructure in an era of rapidly evolving cyber threats.
Provide examples of how global collaboration initiatives like Project Glasswing can benefit Indian firms despite limited direct participation.
For example, if Mythos detects a critical flaw in the Linux kernel, which underpins servers used by Indian IT firms, the subsequent patch will protect countless applications and services in India. Similarly, improvements in widely used libraries like FFMPEG can prevent vulnerabilities in multimedia processing systems used across industries, from entertainment to surveillance.
Another indirect benefit lies in knowledge diffusion. Indian cybersecurity professionals and organizations like the Data Security Council of India (DSCI) can learn from the methodologies and insights generated through Glasswing. This can help them upgrade their own security practices and frameworks.
Thus, even without direct participation, Indian firms gain through shared infrastructure security, global best practices, and improved resilience, highlighting the importance of international cooperation in addressing cybersecurity challenges.
Practice questions
1 question for mains preparation