Normal view

Cybersecurity and the Gap Between Skill and Ability

8 July 2026 at 13:03

Last week, national security agencies from the Five Eyes—that’s the rich, English-language-speaking countries club—jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more measured than some of the breathless headlines about it, and the advice they gave is pretty much the standard advice everyone gives—albeit with newfound urgency.

Internet risks are nothing new, and cyberattacks—both large and small—have been a significant issue since long before the current crop of generative AI models.

What’s been changing over the decades, and what AI is changing even faster, is the gap between skill and ability. For most of human history, the two terms were synonymous—but computers have decoupled them. As the gap between the two expands, humans empowered with these AI tools can do more: more writing, more research, more analysis and also more damage than ever before. These models can, with little detailed direction, autonomously hack into networks, steal data, deploy ransomware and destroy systems. And to the extent there is a solution, it’s going to involve harnessing AI for the defense.

In 1998, seven people from the hacker group L0pht testified before Congress. They told a mostly clueless Senate committee that they could take down the internet in 30 minutes. That was partly real and partly bravado, but it illustrates an important point: hacking into systems, stealing data and causing damage all required skill.

Contrast the L0pht hackers with hackers derided as “script kiddies.” They didn’t understand computers, or security. Instead, they used hacker tools written by others. Their actions required minimal skill and even less knowledge. But once those hacking tools became widespread, the number of potential attackers increased.

That number has continued to increase, as quality and availability of prewritten attack tools has grown. And it is growing dramatically with AI. Today’s AI systems—not just the frontier models, but most of them—are capable of carrying out cyberattacks automatically. They all do better in the hands of skilled attackers, but increasingly they are able to act autonomously with only minimal prompting.

The thing about people with ability but no skill is that they are often outsiders, not part of any professional community, and not bound by any rules or norms. This phenomenon is much more general than in cybersecurity. Any doctor can tell you how to untraceably poison someone, and many virus researchers know how to create a bioweapon. Any bridge engineer can tell you how to place explosives to blow a bridge up. The reason that murderous doctors and terrorist engineers are so rare is that the lengthy process of acquiring those skills also instills a moral and ethical code. If every random person has access to good poisoning advice, that puts us all in danger.

Modern AI systems are, in effect, a universal adviser to help people do harmful things. And while the current AI megacorporations are trying to build guardrails to prevent people from asking questions whose answers will enable the questioner to do harm, that’s not going to work in the long term. Smaller, cheaper, open-source models, including models that can run on people’s computers, and especially groups of models that run in concert with each other, are just as good as the frontier models from companies like OpenAI and Anthropic. And they continue to get better. These models will be passed around from person to person, like script kiddie hacker tools, and they won’t have any such guardrails.

Instructing AI models to spy on people and report any malicious prompts to the authorities fails for similar reasons. The megacorporations can do that, but the locally run open source models won’t. This could buy us a few months at best.

A third possibility is to somehow make the models themselves unable to hack into computers, create bioweapons or do anything else that might harm people or society. That won’t work, for the same reason we can’t teach doctors how to treat poisonings without also teaching them how to poison. It’s the same knowledge. It’s the same with construction and demolition. And it’s the same with cybersecurity. We want these AI models to be able to review computer code, find vulnerabilities and automatically fix them. The benefit to our collective security will be enormous. Unfortunately, the same knowledge can be used for attacks.

Where this leaves us is in a world of increased volatility. Super-powered humans with AI assistants will be able to do both wonderful and horrible things.

This brings us back to the Five Eyes statement. Everything they recommend is something security professionals have been recommending for years, if not decades. They are things talked about at that congressional hearing back in 1998, titled “Weak computer security in government: Is the public at risk?” Even the Five Eyes admitted that their security advice is not new, only more urgent.

What’s new is how fast things are changing: “The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats.” The Five Eyes point to AI technology—not necessarily chatbots, but AI more generally—being used to strengthen every aspect of defense, to “detect vulnerabilities earlier, improve software quality, monitor unusual behavior, and respond faster to incidents—reducing both the cost and impact of incidents.”

Excellent advice from the Five Eyes security agencies. We need to do this with every risk that AI heightens, not just cybersecurity.

This essay was originally published in The Guardian.

Readers reply: Experts say we should use passkeys, but can a smartphone pin really be safer than a password?

The long-running series in which readers answer other readers’ questions on subjects ranging from trivial flights of fancy to profound scientific and philosophical concepts

I’ve been struggling to get my head around the idea that a passkey, which can be a pin on your phone, or facial recognition, can be safer than using a complicated password and two-factor authentication.

I get that having something unique to your device, not stored on a company’s server, is unphishable and less hackable by cybercrims, but what if your phone is nicked and someone guesses the password? And what if you lose your phone?

Continue reading...

© Photograph: Posed by model; d3sign/Getty Images

© Photograph: Posed by model; d3sign/Getty Images

© Photograph: Posed by model; d3sign/Getty Images

Spyware firm targeted WhatsApp users in defiance of US court order, Meta says

Tech company says it ‘caught and disrupted’ NSO Group’s attempts to access accounts in Jordan and Lebanon

A spyware firm has been targeting WhatsApp users with malicious links in contravention of a US court order forbidding it from doing so, Meta has said.

In a post, Meta said WhatsApp had “caught and disrupted spear phishing attempts” by NSO Group, which a spokesperson said targeted a handful of users in Jordan and Lebanon. It had also caught the group creating “test accounts and groups” on WhatsApp.

Continue reading...

© Photograph: Martin Meissner/AP

© Photograph: Martin Meissner/AP

© Photograph: Martin Meissner/AP

Report ‘phone hack’ to police or I will do it for you, Labour chair tells Farage

Anna Turley gives Reform leader 24 hours to report Russian hacking claim in ‘public and national interest’

The Labour chair has given Nigel Farage 24 hours to report to security services the claim that his phone was hacked by Russia-linked actors or the party will do it for him.

In a letter to the Reform UK leader, Anna Turley said it was “in the public and national interest” to ensure that a suspected overseas hack of a senior politician’s phone by a hostile state was properly investigated.

Continue reading...

© Photograph: Ryan Jenkinson/Getty Images

© Photograph: Ryan Jenkinson/Getty Images

© Photograph: Ryan Jenkinson/Getty Images

Nigel Farage’s Russian hack claim ‘without any merit’, former NCSC chief says

Ciaran Martin says Reform UK leader’s allegation over Guardian report on £5m gift ‘entirely unsubstantiated’

Nigel Farage’s claim that a Russian hack was behind a Guardian report on the £5m gift he received from a crypto billionaire has been described as “without any merit” by a former head of the National Cyber Security Centre.

Ciaran Martin, founding chief executive of the agency, which is part of GCHQ, said Farage’s allegation, if true, would have major implications for UK policy towards Russia but that the Reform UK leader had yet to provide “a shred of evidence”.

Continue reading...

© Photograph: Jack Taylor/Reuters

© Photograph: Jack Taylor/Reuters

© Photograph: Jack Taylor/Reuters

Canvas hack: is it ever a good idea to pay a ransom, and what happens to the data?

Businesses are advised against paying – but many are prepared to deal to protect users’ privacy

After a week of outages, hundreds of millions of students’ data stolen, delayed assignment due dates and school login pages being defaced by hackers, the US tech firm Instructure – which operates the education platform Canvas, used by education providers worldwide – announced it had “reached an agreement with the unauthorised actor” behind the ransomware attack.

Experts read the careful language as a sign that a ransom has been paid. The company has not confirmed this.

Continue reading...

© Photograph: Boonchai Wedmakawand/Getty Images

© Photograph: Boonchai Wedmakawand/Getty Images

© Photograph: Boonchai Wedmakawand/Getty Images

Developer withdraws plans for Perth datacentre after fierce community opposition

Three-storey GreenSquare datacentre in Hazelmere was to power cloud computing and the acceleration of AI

A 15,000 sq metre datacentre near Perth will no longer go ahead after the developer withdrew plans amid community opposition over its impact on culturally significant sites.

The three-storey, 120-megawatt GreenSquare datacentre in the town of Hazelmere had been intended to power cloud computing and the acceleration of artificial intelligence, but faced fierce community backlash – as is increasingly common with such developments.

Continue reading...

© Photograph: Trillion Trees

© Photograph: Trillion Trees

© Photograph: Trillion Trees

Palantir’s access to identifiable NHS England patient data is ‘dangerous’, MPs say

Health service has given US tech firm ‘unlimited access’ to certain data to build integrated platform, according to reports

MPs have warned that an NHS decision to grant Palantir access to identifiable patient information in its plan to use AI to improve the health service is “dangerous” and will fuel public fears that data privacy is not being prioritised.

NHS England has allowed staff from the US tech firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a “risk of loss of public confidence”, the Financial Times reported.

Continue reading...

© Photograph: David Levene/The Guardian

© Photograph: David Levene/The Guardian

© Photograph: David Levene/The Guardian

How a simple consumer data breach spiralled into a national security crisis in US-South Korea relations

Washington’s focus on online retailer Coupang has led to accusations that the Trump administration is tying issues of national security to domestic corporate matters

When South Korea’s biggest online retailer revealed last year that a data breach had compromised tens of millions of customer accounts, it appeared to be a corporate crisis. But five months later the issue has grown into a diplomatic storm, threatening to further degrade relations between Seoul and the Trump administration.

Coupang, often described as South Korea’s answer to Amazon, is a US-incorporated company whose business is overwhelmingly based in South Korea. Headquartered in Seattle and listed on the New York Stock Exchange, it is run by Korean-American billionaire Bom Kim. In November last year the company disclosed that a former employee had stolen an internal security key, enabling unauthorised access to data from 33.7 million users.

Continue reading...

© Photograph: Anthony Wallace/AFP/Getty Images

© Photograph: Anthony Wallace/AFP/Getty Images

© Photograph: Anthony Wallace/AFP/Getty Images

Private health records of half a million Britons offered for sale on Chinese website

Technology minister tells Commons ‘de-identified’ information from UK Biobank advertised for sale on Alibaba

The confidential health records of half a million British volunteers have been offered for sale on Chinese website Alibaba, the UK government has confirmed.

The “de-identified” data, belonging to participants in the UK Biobank project, was found for sale on three separate listings last week. Ian Murray, the technology minister, told the Commons on Thursday that, after working with the Chinese government and Alibaba, the records had now been removed. It is not believed any sales were made.

Continue reading...

© Photograph: Dave Guttridge/UK Biobank/PA

© Photograph: Dave Guttridge/UK Biobank/PA

© Photograph: Dave Guttridge/UK Biobank/PA

Rental platform unnecessarily collected the data of millions of Australians, privacy commissioner finds

2Apply’s over-collection of personal information adds to the power of the real estate industry in the competitive rental market, Carly Kind says

An online rental platform has been urged to stop collecting users’ personal information after the Australian privacy commissioner found the gathering of “excessive” data compounded the vulnerability of tenants amid the housing crisis.

RentTech platforms are increasingly used by real estate agents in Australia for people applying for rental properties to submit applications and supporting documentation. The Australian Housing and Urban Research Institute has identified 57 different rent platforms operating in Australia.

Continue reading...

© Photograph: Cavan Images/Alamy

© Photograph: Cavan Images/Alamy

© Photograph: Cavan Images/Alamy

Booking.com warns customers of hack that exposed their data

Undisclosed number of names and contact and reservation details accessed in latest cybercrime attempt

The accommodation reservation website Booking.com has suffered a data breach with “unauthorised parties” gaining access to customers’ details.

The platform said it “noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information”.

Continue reading...

© Photograph: CrocusPhotography/Alamy

© Photograph: CrocusPhotography/Alamy

© Photograph: CrocusPhotography/Alamy

Almost half a million Lloyds customers had personal data exposed in IT glitch

Letter from group published by MPs blames 12 March glitch on software update to its mobile banking apps

Lloyds Banking Group exposed the personal data of nearly 500,000 customers in an IT glitch that left people’s payments, account details and national insurance numbers visible to other users, a committee of MPs has revealed.

A letter from Lloyds, published by MPs on the Treasury select committee on Friday, blamed the glitch on a software defect introduced during an IT update to its Lloyds, Halifax and Bank of Scotland mobile banking apps overnight into 12 March.

Continue reading...

© Photograph: David Burton/Alamy

© Photograph: David Burton/Alamy

© Photograph: David Burton/Alamy

Google warns quantum computers could hack encrypted systems by 2029

Banks, governments and tech providers urged to upgrade security because current systems will soon be obsolete

Banks, governments and technology providers need to be prepared for quantum computer hackers capable of breaking most existing encryption systems by 2029, Google has warned.

The tech company said in a blogpost that quantum computers would pose a “significant threat to current cryptographic standards” before the end of the decade and urged other companies to follow its lead.

Continue reading...

© Photograph: Reuters

© Photograph: Reuters

© Photograph: Reuters

Crossbench MPs pressure Labor over gas export tax – as it happened

This blog is now closed

The pollies have been asked this morning whether people should consider working from home to save fuel, as conflict escalates in the Middle East.

Tehran has said it will “irreversibly destroy” essential infrastructure across the Middle East, including vital water systems, if the US follows through on Donald Trump’s threat to “obliterate” Iran’s power plants unless the strait of Hormuz is fully opened within two days.

This is like Covid style restrictions I think that are potentially being floated. I would not support that in any way, and I don’t think businesses would do so either …

If people can work from home and they want to and it works for their employers, fine, I think that’s terrific, but it doesn’t help small businesses. It certainly doesn’t help the truckers and the fishers and the farmers and the manufacturers and the miners that are relying on fuel supply.

Continue reading...

© Photograph: Mick Tsikas/AAP

© Photograph: Mick Tsikas/AAP

© Photograph: Mick Tsikas/AAP

‘Exploit every vulnerability’: rogue AI agents published passwords and overrode anti-virus software

Exclusive: Lab tests discover ‘new form of insider risk’ with artificial intelligence agents engaging in autonomous, even ‘aggressive’ behaviours

Robert Booth UK technology editor

Rogue artificial intelligence agents have worked together to smuggle sensitive information out of supposedly secure systems, in the latest sign cyber-defences may be overwhelmed by unforeseen scheming by AIs.

With companies increasingly asking AI agents to carry out complex tasks in internal systems, the behaviour has sparked concerns that supposedly helpful technology could pose a serious inside threat.

Continue reading...

© Photograph: Andrey Kryuchkov/Alamy

© Photograph: Andrey Kryuchkov/Alamy

© Photograph: Andrey Kryuchkov/Alamy

Stone, parchment or laser-written glass? Scientists find new way to preserve data

Hard disks and magnetic tape have a limited lifespan, but glass storage developed by Microsoft could last millennia

Some cultures used stone, others used parchment. Some even, for a time, used floppy disks. Now scientists have come up with a new way to keep archived data safe that, they say, could endure for millennia: laser-writing in glass.

From personal photos that are kept for a lifetime to business documents, medical information, data for scientific research, national records and heritage data, there is no shortage of information that needs to be preserved for very long periods of time.

Continue reading...

© Photograph: Tetra Images/Erik Isakson/Getty Images

© Photograph: Tetra Images/Erik Isakson/Getty Images

© Photograph: Tetra Images/Erik Isakson/Getty Images

A Victorian schoolteacher was applying for ‘heaps of rentals’ online – then someone accessed his bank account

Michael suspects personal information he submitted to rent application platforms was leaked online. And analysis shows millions of documents may also be at risk

Michael* has spent the past two months trying to get his digital identity back.

The 47-year-old Victorian schoolteacher was in the process of moving to a new town and applying for rental properties online. Around this time – and unbeknown to him – his mobile phone number was transferred to someone else.

Continue reading...

© Composite: Getty Images

© Composite: Getty Images

© Composite: Getty Images

Why should renters like me have to trade away our privacy just to get a roof over our heads? | Samantha Floreani

The rise in real estate tech means renters often hand over huge amounts of revealing information to digital third parties – at great risk

Would you trade your data privacy and security for housing? Thanks to the rise in real estate technologies, renters often have no choice but to hand over huge amounts of revealing information to digital third parties just to have somewhere to live. All the while we are told: trust us, we take your privacy seriously.

But recent Guardian reporting has revealed that seven popular “rent-tech” platforms have serious security vulnerabilities, leaving millions of documents containing personal information of renters exposed on the open web for years. When they were alerted to the risk, only two of the seven companies responded to say they would put additional security measures in place. Is this what taking renter privacy seriously looks like?

Continue reading...

© Photograph: Jacob Wackerhausen/Getty Images

© Photograph: Jacob Wackerhausen/Getty Images

© Photograph: Jacob Wackerhausen/Getty Images

Real estate agents in Australia using apps that leave millions of lease documents at risk, digital researcher says

Exclusive: ‘This is a blatant and disturbing disregard for the law and for people’s security,’ digital rights advocate says

Australian platforms used by real estate agents to upload documentation for renters and landlords are leaving people’s personal information exposed in hyperlinks accessible online.

An analysis of seven rent platforms provided to Guardian Australia by a researcher, who wished to remain anonymous, revealed millions of leasing documents could be accessed by threat actors.

Continue reading...

© Photograph: Carly Earl/The Guardian

© Photograph: Carly Earl/The Guardian

© Photograph: Carly Earl/The Guardian

❌