Fighting AI Cyberattacks Starts With Knowing They’re Happening

Janet Egan, Michelle Nie
Thursday, February 26, 2026, 2:00 PM

As AI accelerates cyber operations, the United States must build new mechanisms to detect, investigate, and learn from attacks driven by emerging capabilities.

U.S. Marine practicing cyber operations. (U.S. Marine Corps photo by Cpl. Jennessa Davey, https://picryl.com/media/us-marines-practice-cyber-operations-during-the-cyber-1b807d; Public Domain).

Anthropic reported in November 2025 that Chinese threat actors used its Claude model to launch widespread cyberattacks on companies and government agencies. More specifically, Chinese actors jailbroke Anthropic’s coding tool, Claude Code, and used it to target 30 companies and government agencies around the world, marking the first known large-scale cyber campaign executed with minimal human involvement. This reported development is certainly unsettling, but far more alarming are future attacks that might go undetected. Anthropic caught this attack only because it happened on its platform where it has internal threat intelligence teams monitoring for abuse. The vast majority of AI-enabled attacks, however, won’t be so visible. To address this issue, artificial intelligence (AI) developers and policymakers must establish the mechanisms to better observe and understand this emerging threat landscape—before it’s too late.

The advent of AI agents—systems capable of performing tasks autonomously—enhances the capabilities of both cyberattackers and defenders. AI agents can enable faster and more widespread attacks. But these same capabilities can also significantly enhance defenders’ ability to detect intrusions and respond more rapidly. The challenge is that offensive adoption is likely to be faster and less constrained, driven by attackers’ willingness to take risks and accept collateral damage—making incidents like this an early warning rather than an anomaly. 

This dynamic underscores a larger vulnerability: The U.S. government currently has no systematic way to identify whether a cyberattack resulted from novel AI capabilities or more conventional methods. The government’s failure to discern this key characteristic could compromise its ability to understand and prepare for emerging AI capabilities and risks. Without the ability to detect, investigate, and understand AI-enabled incidents, the United States will lack the evidence needed to adapt its cyber defenses, update threat assessments, and enhance policy responses. Anthropic’s report gives policymakers a glimmer of insight into AI-enabled threats, but only those that use its platform; it has no such visibility into threats emerging on other platforms. The challenge becomes especially acute for increasingly capable open-source AI models.

Currently, Chinese open-weight models from companies such as DeepSeek lag the frontier by mere months and are highly capable, freely available, and downloadable to run on anyone’s systems with zero oversight. Analysis from the Center for AI Standards and Innovation shows that DeepSeek’s models are far more prone to malicious use and jailbreaking by bad actors than U.S. frontier models. For instance, DeepSeek’s R1-0528 model is 12 times more likely than OpenAI’s GPT-5 and Claude’s Opus 4 to follow malicious instructions, such as sending phishing emails and exfiltrating user credentials. Well-resourced threat actors can go even further with open-source models, directly modifying model weights to strip away guardrails. And because leading open models originate largely from China, the U.S. government has no visibility into their development nor ability to cooperate with the companies developing them—unlike with U.S. AI labs, which share some kinds of information with the U.S. government. As Chinese models (and potentially the models of other adversaries) continue to progress, without action, the U.S. government will be in the dark in an era of AI-enabled attacks.

This opacity isn’t unique to AI. When technical systems fail, determining the source and reason behind the failure is often slow and complex. This has already played out in the conventional cyber landscape. In 2016, when the Australian government launched its first-ever online census, the system crashed spectacularly within hours. Officials and the public panicked, speculating about a sophisticated espionage campaign from a nation-state actor. Months of investigation finally revealed the mundane truth: Poor implementation had left the system vulnerable to an amateur cyberattack. No data was stolen, and no foreign adversaries were involved. But the episode exposed a fundamental problem: When digital systems fail, the government doesn’t always know why without conducting a targeted investigation.

That sluggish investigative pace was frustrating in 2016. Nearly a decade later, the problem remains. Organizations reportedly take an average of eight months to identify and contain a data breach. Now, AI threatens to amplify the speed, scale, and ambiguity of cyberattacks, and these investigations often can’t keep pace.

Fortunately, the U.S. government has a precedent for achieving greater transparency for technical incidents. The Cyber Safety Review Board (CSRB), established in 2022, brought members from federal agencies and private companies together to investigate significant cyber incidents. For example, when Chinese state-backed hackers breached Microsoft’s cloud infrastructure in 2023 and accessed sensitive U.S. government email accounts, the CSRB conducted a rigorous investigation to determine what went wrong, exposing “a cascade of Microsoft’s avoidable errors.” The CSRB’s report made technical failures transparent, which increased accountability and created strong incentives for the company to improve. In fact, Microsoft took responsibility for its failures and announced that it was working on adopting all 16 of the CSRB’s recommendations for improvement, including by adopting a Secure by Design operating principle. The investigation successfully held Microsoft accountable, addressed problems, and established lessons for other companies that strengthened defenses across the sector.

Still, the CSRB was not perfect. It struggled with limited resources, part-time membership, and lack of subpoena power. The Trump administration dissolved it in early 2025 as part of a larger move aimed at “eliminating the misuse of resources.” Despite its faults, the CSRB was a strong example of how independent, cross-sector investigation into technical incidents can reduce opacity, generate key lessons for government and the private sector, and hold companies accountable for improving their defenses. It was the first of its kind and has even inspired the design of Australia’s new Cyber Incident Review Board, an independent oversight board performing no-fault, post-incident investigations of major cyber incidents.

To help address AI-enabled threats, the United States needs an AI Security Review Board (AISRB) built on the CSRB model, but updated to more effectively track and investigate the role of AI in real-world incidents, starting with cyberattacks. Such a board should operate independently and include full-time members from the federal government, technology industry, and civil society with deep expertise in AI systems, model behavior, and agentic capabilities. It would publish findings publicly to create accountability and incentivize improvements across sectors. It would bring an AI-first approach to investigate novel threat vectors that the traditional cybersecurity community may be less familiar with, and have subpoena power to enable meaningful investigations. In this way, its work would complement, rather than duplicate, the work of the Center for AI Standards and Innovation and the National Security Agency’s Artificial Intelligence Security Center, which do not have subpoena power and do not specifically focus on investigating and publicizing findings from AI-related incidents.

An AISRB would enable better identification of AI-enabled attacks and emerging capabilities and risks, ensure accountability when systems fail, and share lessons across sectors before novel threats proliferate. Critically, the AISRB must have the authority and resources the CSRB lacked—including dedicated funding, full-time expert staff, and real investigative authorities. And in the face of open-source AI, an AISRB would be even more critical as a mechanism for identifying dual-use AI capabilities emerging in the wild. 

The proposed AISRB would also complement existing policy architecture, such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA requires organizations in 12 critical infrastructure sectors to report cyber incidents to the U.S. government within 72 hours, and also provides liability protections for these disclosures. These reports are important because they enable government actors to analyze incidents across sectors, detect emerging patterns, and deploy resources to help organizations respond to incidents in a timely manner. But CIRCIA focuses on rapid notification and incident response, not deep investigation. An AISRB would fill this gap by conducting thorough post-incident analysis, identifying root causes, and increasing accountability for systemic failures. This kind of rigorous review generates lasting improvements to security practices and improves AI preparedness in industry and government.

An AISRB alone isn’t enough. The government must also build stronger information-sharing mechanisms with industry and civil society. This cooperation requires stable legal and liability protections for companies that come forward with critical information. Companies rightfully fear that sharing details about AI-enabled attacks or system failures could expose them to liability or regulatory action. This is where the Cybersecurity Information Sharing Act of 2015 (CISA 2015) becomes essential. CISA 2015 provides liability and confidentiality protections for companies sharing time-sensitive, proprietary threat information without fear of legal blowback.

Congress recently extended CISA 2015 until September 2026. But while this temporary authorization is critical to continued government-industry engagement on cyber and critical infrastructure security, a short-term fix isn’t enough. Longer-term certainty is essential to build a shared picture of the threat landscape. Congress needs to take action to reauthorize CISA 2015 for the long term—a move backed by the White House and industry leaders.

As critical infrastructure increasingly moves online, U.S. exposure to cyberattacks grows. AI makes exploiting vulnerabilities cheaper and faster than ever. The methods used in the Anthropic-reported attack will inevitably be used by an increasing number of cyber actors, and the capabilities of AI models continue to grow. The U.S. can no longer afford to wait months to understand attacks that AI can launch in minutes. To preserve and protect American security, the U.S. needs detection capabilities, investigation infrastructure, and information-sharing channels before the next incident strikes. An AISRB and the renewal of CISA 2015 are key components that can enable the government to better understand and prepare for a changing cyber and AI threat landscape. The recent AI cyber incident was a wake-up call. Whether the U.S. is prepared for the next one is up to us.
Janet Egan is a senior fellow and deputy director of the Technology and National Security Program at the Center for a New American Security.
Michelle Nie is a visiting fellow with the Technology and National Security Program at the Center for a New American Security.