
New evidence that hackers are using artificial intelligence to launch sophisticated attacks has intensified concerns about cybersecurity vulnerabilities, raising critical questions about how the costs and risks of this escalating threat will be distributed across society and whether adequate public oversight exists to protect critical infrastructure and personal data.
A report this week from the Google Threat Intelligence Group documented a landmark development: for the first time, a threat actor used an AI-developed zero-day exploit designed to circumvent two-factor authentication. Google researchers found that adversaries are increasingly leveraging AI to automate vulnerability discovery, phishing campaigns, and malware development, a trend that dramatically lowers the technical barriers to launching sophisticated cyberattacks.
The findings underscore a fundamental asymmetry in cybersecurity: while defenders must protect against an expanding array of threats, attackers can now use AI to identify and exploit vulnerabilities at scale. This dynamic raises urgent questions about the adequacy of current regulatory frameworks, the distribution of cybersecurity costs between corporations and the public, and whether market-driven solutions alone can protect critical systems that affect millions of people.
The Expanding Threat Landscape
Barclays analysts, in a Monday research note, emphasized that hackers are increasingly using large language models to find and exploit vulnerabilities, a trend that "will only accelerate with more advanced AI models." The firm predicted that this escalation "could only drive more spending on cybersecurity" and suggested that security vendors could see "real revenue opportunity" this year from safeguarding against AI-driven attacks.
The timing of Google's threat report coincides with broader industry efforts to address AI-enabled security risks. One month ago, Anthropic launched Project Glasswing, a defensive cybersecurity initiative tied to its Claude Mythos model, in partnership with CrowdStrike, Palo Alto, Amazon, Apple, Broadcom, Alphabet, Microsoft, Nvidia, Cisco Systems, JPMorganChase, and the Linux Foundation. The initiative is designed to help companies use Mythos to identify vulnerabilities and strengthen defenses after Anthropic said the model has already found "thousands of high-severity vulnerabilities."
Public and Private Responsibility
CrowdStrike CEO George Kurtz articulated a central industry argument in recent remarks, stating: "You can't have AI without security. We're the experts at it." He added that one of the things holding back AI adoption is AI securitization, and explained that this is why CrowdStrike was chosen to be part of the solution in the Mythos partnership.
This framing—that cybersecurity is primarily a private sector responsibility—reflects how the technology industry has approached these challenges. However, the escalation of AI-enabled attacks raises questions about whether private market solutions adequately protect public interests. Critical infrastructure, financial systems, healthcare networks, and government agencies depend on cybersecurity systems. When attacks succeed, the consequences extend far beyond individual companies to affect public safety, economic stability, and democratic institutions.
The concentration of cybersecurity expertise and capability in private companies also raises accountability questions. When private firms control the defenses protecting essential systems, the public has limited transparency into how those defenses work, whether they are adequate, and what happens when breaches occur. Regulatory frameworks have not kept pace with the sophistication of AI-enabled threats or the critical role that cybersecurity plays in protecting public welfare.
Unequal Costs and Benefits
While cybersecurity companies may benefit from increased spending driven by heightened threats, the costs of inadequate protection fall on individuals and communities. Data breaches expose personal information, compromise medical records, and enable identity theft. Attacks on critical infrastructure can disrupt essential services. The burden of these risks is not equally distributed: smaller organizations and less-resourced communities often lack the financial capacity to invest in advanced cybersecurity measures, creating widening disparities in protection.
Google's findings suggest that the cybersecurity landscape is becoming more complex and dangerous even as it becomes more dependent on proprietary private systems. The question of how society collectively responds to these threats—through regulation, public investment, transparency requirements, and accountability mechanisms—remains inadequately addressed in current policy discussions.
Why This Matters:
The escalation of AI-enabled cyberattacks represents a critical vulnerability in systems that millions of people depend on daily. When hackers can use AI to automate the discovery and exploitation of security flaws, the asymmetry between attackers and defenders fundamentally shifts, potentially creating risks that private market solutions alone cannot manage. The concentration of cybersecurity responsibility in private companies raises questions about public oversight, transparency, and accountability. When breaches occur—and they will—individuals and communities bear the costs through compromised data, disrupted services, and eroded trust in essential systems. Additionally, the unequal distribution of cybersecurity resources means that smaller organizations and less-wealthy communities face disproportionate vulnerability. From a center-left perspective, this dynamic suggests the need for stronger regulatory frameworks, public investment in cybersecurity infrastructure, transparency requirements for critical systems, and accountability mechanisms that ensure private companies protecting essential services operate in the public interest, not solely for shareholder returns.