WASHINGTON, D.C. – Today, Rep. Chrissy Houlahan and Rep. George Whitesides sent a letter to Secretary of Defense Pete Hegseth demanding answers on the national security implications of the Department's supply chain risk designation on Anthropic – a restriction that is preventing DoD components and contractors from accessing advanced AI-powered cybersecurity capabilities at a critical moment.

“Anthropic’s announcement of the incredible and dangerous capabilities of their new model highlights the importance and value of public-private partnerships in ensuring our continued security in cyberspace,” said Rep. Houlahan.“Until recently, government agencies and private companies gladly worked together on cybersecurity issues, even if they had disagreements over policy; but today, the politization of public-private partnerships by the administration has damaged our cybersecurity and our AI-enabled military capabilities, as well as weaken efforts to hold AI companies accountable over trust and safety concerns. We asked the Department of Defense how it has changed its approach towards AI given the revelations of how much the AI landscape has changed in just a few months; we call on the Department to review its AI policies and ensure that, if they are going to bear the risks of leveraging AI, they should leverage the benefits of AI as well.”

“American companies are building the most powerful cybersecurity tools in the world, and we're blocking our own military from using them,” said Rep. Whitesides. “We cannot afford to leave our defense systems vulnerable while our adversaries race to develop the same capabilities. The Pentagon needs to explain how it plans to close the gap – and fast.”

The letter follows recent reporting on Anthropic's newly released Mythos model, an artificial intelligence system with advanced cybersecurity capabilities, which was able to autonomously find and exploit previously unknown security flaws across every major operating system and web browser. The model also uncovered a series of hidden vulnerabilities in the Linux operating system, which is utilized by Department of Defense systems, that could allow an attacker to take complete control of an affected machine.

While Anthropic has limited the broader release of Mythos due to misuse concerns, the company is actively working with other U.S. government departments and agencies and major defense-adjacent companies including Amazon Web Services, Microsoft, Cisco, Palo Alto Networks, and CrowdStrike to use the model to identify and remediate vulnerabilities in critical infrastructure. DoD’s current designation of Anthropic as a “supply chain risk” means the Department is unable to work with or test their own vulnerabilities using the same tools already available to private sector partners.

In their letter, the Members ask Secretary Hegseth to respond to five specific questions:

• If DoD has assessed whether the vulnerabilities Mythos identified in systems the Department depends on have been fully remediated, including any not yet publicly disclosed, and what steps the Department is taking to ensure any unpatched vulnerabilities are addressed expeditiously;
• How DoD is ensuring its acquisition and compliance processes aren't inadvertently ceding ground to adversaries who face no restrictions;
• Whether DoD has been engaged in Anthropic's outreach to U.S. government agencies, and if not, why not;
• DoD's own assessment of the timeline for adversaries to develop comparable AI-powered hacking capabilities, and the Department's contingency planning; and
• Whether DoD has conducted a formal assessment of the national security costs of its supply chain risk designation on Anthropic, and if so, what it found.

--end--