Cybersecurity and the Gap Between Skill and Ability

Last week, national security agencies from the Five Eyes—that’s the rich, English-language-speaking countries club—jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more measured than some of the breathless headlines about it, and the advice they gave is pretty much the standard advice everyone gives—albeit with newfound urgency.

Internet risks are nothing new, and cyberattacks—both large and small—have been a significant issue since long before the current crop of generative AI models.

What’s been changing over the decades, and what AI is changing even faster, is the gap between skill and ability. For most of human history, the two terms were synonymous—but computers have decoupled them. As the gap between the two expands, humans empowered with these AI tools can do more: more writing, more research, more analysis and also more damage than ever before. These models can, with little detailed direction, autonomously hack into networks, steal data, deploy ransomware and destroy systems. And to the extent there is a solution, it’s going to involve harnessing AI for the defense.

In 1998, seven people from the hacker group L0pht testified before Congress. They told a mostly clueless Senate committee that they could take down the internet in 30 minutes. That was partly real and partly bravado, but it illustrates an important point: hacking into systems, stealing data and causing damage all required skill.

Contrast the L0pht hackers with hackers derided as “script kiddies.” They didn’t understand computers, or security. Instead, they used hacker tools written by others. Their actions required minimal skill and even less knowledge. But once those hacking tools became widespread, the number of potential attackers increased.

That number has continued to increase, as quality and availability of prewritten attack tools has grown. And it is growing dramatically with AI. Today’s AI systems—not just the frontier models, but most of them—are capable of carrying out cyberattacks automatically. They all do better in the hands of skilled attackers, but increasingly they are able to act autonomously with only minimal prompting.

The thing about people with ability but no skill is that they are often outsiders, not part of any professional community, and not bound by any rules or norms. This phenomenon is much more general than in cybersecurity. Any doctor can tell you how to untraceably poison someone, and many virus researchers know how to create a bioweapon. Any bridge engineer can tell you how to place explosives to blow a bridge up. The reason that murderous doctors and terrorist engineers are so rare is that the lengthy process of acquiring those skills also instills a moral and ethical code. If every random person has access to good poisoning advice, that puts us all in danger.

Modern AI systems are, in effect, a universal adviser to help people do harmful things. And while the current AI megacorporations are trying to build guardrails to prevent people from asking questions whose answers will enable the questioner to do harm, that’s not going to work in the long term. Smaller, cheaper, open-source models, including models that can run on people’s computers, and especially groups of models that run in concert with each other, are just as good as the frontier models from companies like OpenAI and Anthropic. And they continue to get better. These models will be passed around from person to person, like script kiddie hacker tools, and they won’t have any such guardrails.

Instructing AI models to spy on people and report any malicious prompts to the authorities fails for similar reasons. The megacorporations can do that, but the locally run open source models won’t. This could buy us a few months at best.

A third possibility is to somehow make the models themselves unable to hack into computers, create bioweapons or do anything else that might harm people or society. That won’t work, for the same reason we can’t teach doctors how to treat poisonings without also teaching them how to poison. It’s the same knowledge. It’s the same with construction and demolition. And it’s the same with cybersecurity. We want these AI models to be able to review computer code, find vulnerabilities and automatically fix them. The benefit to our collective security will be enormous. Unfortunately, the same knowledge can be used for attacks.

Where this leaves us is in a world of increased volatility. Super-powered humans with AI assistants will be able to do both wonderful and horrible things.

This brings us back to the Five Eyes statement. Everything they recommend is something security professionals have been recommending for years, if not decades. They are things talked about at that congressional hearing back in 1998, titled “Weak computer security in government: Is the public at risk?” Even the Five Eyes admitted that their security advice is not new, only more urgent.

What’s new is how fast things are changing: “The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats.” The Five Eyes point to AI technology—not necessarily chatbots, but AI more generally—being used to strengthen every aspect of defense, to “detect vulnerabilities earlier, improve software quality, monitor unusual behavior, and respond faster to incidents—reducing both the cost and impact of incidents.”

Excellent advice from the Five Eyes security agencies. We need to do this with every risk that AI heightens, not just cybersecurity.

This essay was originally published in The Guardian.

Posted on July 8, 2026 at 7:03 AM16 Comments

Comments

KC July 8, 2026 11:23 AM

From the linked statement:

Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk.

@Rontea, this reminds me of your summary.

wiredog July 8, 2026 12:21 PM

Man, that WaPo article on L0pht was a real flashback. You could go through it and replace “internet” with “AI” and have the same security story.

Impossibly Stupid July 8, 2026 1:12 PM

What’s been changing over the decades, and what AI is changing even faster, is the gap between skill and ability.

Strongly disagree. The problem is not one of skill per se, but scale. There were explosions in connectivity back in the late 1990s when the Internet boom started, and it’s been very poorly managed through the addition of smartphones and other IoT devices. The issue is that compromised machines can be turned into massive DDoS botnets at all, not that they were created by AI or script kiddies or skilled hackers.

And to the extent there is a solution, it’s going to involve harnessing AI for the defense.

You are wrong. AI can only be trained on data that exists, so it cannot help solve the actual problem. Any “solutions” it offers can be had using fewer resources and a higher likelihood of correctness by other means of computation, driven by whatever intelligent humans remains after everyone else has outsourced their thinking to your hallucination machine.

If every random person has access to good poisoning advice, that puts us all in danger.

No, it really doesn’t. Because the intelligent humans of the world don’t buy into your “arms race” false premise. By your “AI is the solution to AI problems” logic, the solution to poisons would be more poisons. Is it? We both know it’s not, so how about you revisit your logic?

Every random person who wants to kill can find a way to kill. Doesn’t have to be to “untraceably poison”. They might not even care if they get away with, up to and including fully expecting to die themselves during their attack. No, what really lessens the danger to us is the fact that, in a civil society, treating each other well is generally more rewarding than everyone having to look at everyone else as a potential killer/victim.

This brings us back to the Five Eyes statement. Everything they recommend is something security professionals have been recommending for years, if not decades.

Yeah, and their top Practical actions has been ignored for too long and doesn’t need AI to implement:

Reduce your attack surface

It’s insane how much “cloud” traffic is still allowed between networks for no good reason. Organizations who don’t do business in foreign countries at all still inexplicably allow connections from networks in Russia and China (and the dozens of other countries that all seem to generate high volumes of state-sponsored attacks). Things like spam are still a problem because most providers went with your technological arms race rather than simply saying, “You know what? If you can’t keep spammers off your corner of the Internet, I no longer consider you a peer.” That’s the approach that’ll get you the biggest bang for the buck, not this AI bubble.

Clive Robinson July 8, 2026 1:19 PM

@ Bruce, ALL,

With regards,

“current AI megacorporations are trying to build guardrails to prevent people from asking questions whose answers will enable the questioner to do harm, that’s not going to work in the long term.”

That is already and always will be an exercise in futility with Current AI LLM systems. As I’ve explained before and again earlier today, the issue is the Observer problem in a Shannon Channel,

https://www.schneier.com/blog/archives/2026/07/google-is-suing-chinese-scammers-who-are-using-gemini.html/#comment-455821

And that’s long before you get into the use of,

“Smaller, cheaper, open-source models, including models that can run on people’s computers, “

The expense in these “Open Weight” models is not the LLM DNN the user choses to run… but the ML generator to produce the weights of high enough quality.

In theory such harmful information could be left out of the training data set, but it will not be long before someone just re-builds any missing data into an 3xisting model.

In effect “the genie is out the bottle” and adding new information is not that hard or eepensive.

Rock'em-Sock'em Robots July 8, 2026 2:42 PM

“Adversaries are already using AI to move faster and more effectively. Defenders must do the same. Organizations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behavior, and respond faster to incidents – reducing both the cost and impact of incidents.”

While it’s a nice idea that an AI defender can be trained to secure systems from AI attackers, the reality is it’s a cat-and-mouse game in which neither side can really maintain the upper hand. For every AI defender, someone will come up with a better AI attacker.

Just adding agentic AI introduces yet another attack surface into an already complex the security apparatus.

Clive Robinson July 8, 2026 4:16 PM

@ Bruce, ALL,

“The reason that murderous doctors and terrorist engineers are so rare is that the lengthy process of acquiring those skills also instills a moral and ethical code.”

It’s a bit more complicated than that and has quite a bit to do with basic personality types.

Doctors and Engineers are mostly actually “creative types” that want to bring what is see by society as “benefits of worth” or more simply “good things to society”. They actually believe in the main to “moving humanity forward”. The fact that they spend much if not more of a decade from their teens through twenties becoming educated and attaining the knowledge to achieve this goal is testament to the “creative good” mentality.

Those who wish to harm society generally want quick access to instruments of harm and do not have the mental outlook that will get them a “Professional Education” thus even practical knowledge. That is they are Walter Mitty types thinking they are “Men of action on a mission”… Which also generally means they are failures in ordinary life which is what can act as a driver for their antisocial attitudes and behaviours.

Further the few with professional educations that become intent on harming society, generally value their own lives quite highly. Thus tend to create methods / devices for agents.

Which is in effect the Hacker script writer and script kiddy scenario playing out.

We saw this with 9/11 when it was reported that one of the attackers had told a flight instructor they did not need to know how to take off or land just fly…

With regards to,

“If every random person has access to good poisoning advice, that puts us all in danger.”

Most “random people” do have access to “good poisoning advice” it’s fairly freely available in libraries and in the likes of PubMed research. The thing is that most don’t have the ability to understand the information to go “from page to poisoning”.

A fun test of this is a two part question to ask people (I used to use it in job interviews),

1, Do you know how to measure Ph?
2, Do you know how to make the reagents?

Many would not be able to say yes to the first and of those that do very few of those would be able to answer the second.

Asking many AI’s produces information that few can understand such as,

<

blockquote>“To make pH measuring reagents, you can prepare your own buffer solutions using chemicals like mono potassium phosphate and KOH. For a pH 7 buffer, mix 10g of mono potassium phosphate per liter of distilled water and adjust the pH with KOH until it reaches 7.00.”

And if you do an internet search you get the likes of,

‘https://spectrascientific.com/the-ultimate-guide-to-ph-reagents/

Which says a lot without saying anything useful so in no way can be said it’s an,

“ultimate guide to ph reagents”

For those that want an experiment for children to do to teach them the practical first steps,

Buy a purple cabbage grate/shred it up and boil it till the water becomes strongly purple or dark blue. Pour the purple water into a clean glass measuring jug and let it cool.

To show it working as a Ph reagent you need an acid and an alkali. The kitchen cupboard/pantry can usually supply vinegar or lemon juice which are acidic and baking soda which is an alkali, in small quantities these are usually “kiddy safe”.

If you want to calibrate your reagent you add small amounts of acid or alkali untill you reach the “mid colour”.

This information is freely available on the Internet, but only if you know how to properly search for it then understand it.

By the way it’s worth telling young curious children about the early history of both Chemistry and Metrology. And how they all started in the “kitchen” long before people could read/write and before “negative numbers” or “zero” were understood as concepts.

Anonymous July 8, 2026 4:25 PM

open-source models, including models that can run on people’s computers

You mean to imply that there exist, by definition, open-source models that cannot run on people’s computers?

Dave July 8, 2026 8:46 PM

Modern AI systems are, in effect, a universal adviser to help people do harmful things.

However they’re also a very good universal advisor on how to fix your code to stop people from doing harmful things. We’ve just finished a six-month run of using said universal advisor on our code base and it’s going to be much, much harder for anyone to do anything harmful in the future.

Clive Robinson July 9, 2026 2:37 AM

@ Anonymous,

With regards,

“You mean to imply that there exist, by definition, open-source models that cannot run on people’s computers?”

Effectively yes, due to “code signing” techniques enforced in the hardware and OS of most consumer and commercial computers.

It’s the way the industry is moving due to the history of the US Entertainments Industry since the cassette recorder made acceptable home recording practical[1].

Put simply on boot-up the “Trusted Computing Chip” on by far the majority of MS Win OS compatible PC’s only allows “approved code” that is “signed” to be loaded for execution.

The latest nonsense with MS Win 11 where you are forced to by a new computer for no good reason is an example of the unlawful behaviour in the Commercial and Consumer Computer market place.

It’s the same with Apple and Google OS mobile phones. And why they have extraordinarily profitable “app stores” that have been hit by increasing litigation and fines.

[1] Look up the “Fritz Chip” pushed by the so called “Senator from Disney” (“Fritz” Hollings senator for South Carolina from 1965 to 2005).

He pushed hard for every media player to have a DRM chip added, then when PC’s came along he pushed for them there. Whilst his plans did not happen with early/analogue home media players pretty much every digital media player and PC has a chip in them or the equivalent in the embedded BIOS / OS.

You can read some of the early stuff in, a “Trusted Computing FAQ” from the UK Cambridge Computer lab from Prof Ross J. Anderson,

https://www.cl.cam.ac.uk/archive/rja14/tcpa-faq-1.0.html

Winter July 9, 2026 3:06 AM

“The reason that murderous doctors and terrorist engineers are so rare is that the lengthy process of acquiring those skills also instills a moral and ethical code.”

I suppose the lengthy education to certification plays a role too.

For any “evil mind” that considers to become evil/murderous doctors or engineers, there would be a cost-benefit analysis. It takes half a decade or more to become an established engineer. It takes over a decade to become an established md. During that time, any dangerous impulses must be suppressed as teachers and supervisors have a “tendency” to fail students they consider dangerous.

We recently had a case in the Netherlands where a medical student went on a killing spree for this exact reason:
‘https://nltimes.nl/2025/02/21/rotterdam-medical-student-given-life-sentence-killing-neighbors-professor

He was denied (“delayed”) his medical diploma because his teachers considered him unfit to be a doctor (not in the link). And then he went on to prove them right.

Getting certified as an “evil” engineer or doctor[1] requires a lot of effort and self-discipline over a long time with very uncertain outcomes. Those high in the dark triad/tetrad often lack in impulse control. The currently most famous narcissist is a good example of this live-long lack of impulse control and inability to keep on track. So, unless the aim is to specifically kill people, I assume most “evil minds” will look for an easier and more certain route to success.

But they do exists, search for Harold Shipman.

[1] Actually, this holds for anyone who wants to get certified only for the status and money.

Clive Robinson July 9, 2026 4:16 AM

@ Rock’em-Sock’em Robots, Dave, ALL,

With regards your comment of,

“While it’s a nice idea that an AI defender can be trained to secure systems from AI attackers, the reality is it’s a cat-and-mouse game in which neither side can really maintain the upper hand. For every AI defender, someone will come up with a better AI attacker.”

What you left out was the economics issue which will in most defenders cases have more of an effect than people are yet talking about.

Current AI LLM systems run by the big US Corps are very expensive to use especially when run in “Agentic loops”.

https://www.computing.co.uk/feature/2026/the-memory-problem-holding-back-ai-security-agents,

“Security vendors are rapidly incorporating agentic AI capabilities into SIEM, XDR and SOC platforms. Microsoft, Splunk, CrowdStrike and Palo Alto Networks are using AI agents to automate triage, investigation, threat detection, incident enrichment and even initial response actions. Yet a fundamental limitation remains: without persistent, auditable memory, many of these systems are still highly sophisticated workflows rather than truly learning security agents.”

Even with “Retrieval Augmented Generation”(RAG) they do not learn from previous work as the basic model for Current AI LLM and ML systems is that the DNN weights are static/fixed in the LLM and are only updated by an ML run[1].

Obviously this “static nature” is really really bad in a fast paced very dynamic “attack-defend” usage. As it opens up an “attack window” considerably worse than happens currently with Zero Days and patches.

And “economics” caps ML runs that would update the LLM DNN weights… ML runs are extraordinarily expensive and hardware killing already, and considerably worse they are effectively slow even using some of the tricks that have been developed. The result is ML run times are both eye wateringly expensive and can not keep up with the pace of “attack-defend” currently.

But we also have to consider that this “attack-defend” senario has three basic types of players,

1, Attackers.
2, Developer Defenders.
3, User Defenders.

The first two have fairly long time windows as they in effect develop their attack / defence out of sight of each other. As @Dave notes of the Development Defender role,

“We’ve just finished a six-month run of using said universal advisor on our code base and it’s going to be much, much harder for anyone to do anything harmful in the future.”

We can assume the cost of this was high, but in effect it is amortized across the “user base” so in effect is a much reduced cost for each User Defender.

User defenders however have very short time windows because the attack is in effect “public” when they have to search for vulnerabilities to new classes or instances of attack. Making it even Worse they have to bare the full cost of the agentic defense across their organisation or department only.

Thus for user-defenders AI defending is too slow, and also too expensive for all but the largest of organisations.

The obvious mitigation for a user defender against Attackers using AI is to not have your systems reachable by the Attackers.

It’s a point I’ve been making over and over since before the notion of “cloud computing” became “a thing”.

Almost the first question I ask is where I point at a computer and say,

“What is the business case for this being directly or indirectly connected externaly to the organisation?”

Mostly the answers are “MBA Mantra” nonsense that boil down to,

“Everybody is doing it FOMO.”

Unfortunately SaaS / Cloud is a golden opportunity for,

1, Surveillance
2, Rent seeking

On users which is highly profitable.

And the likes of Silicon Valley Corps have pushed it to the point it is very nearly mandatory.

Something the US Gov has not been slow to capitalise on with what is in effect “oversight free” legislation that destroys other nations “Sovereign Integrity”…

[1] The trick RAG uses to get aroundcthe the static DNN issue is to build a user “Vector Database” to provide a “dynamic” frontend that run’s before the “static” LLM. For various reasons the RAG Vector Database only gets built in RAM…

Thus every use of the AI system has to have every piece of “user context” loaded in at the start, for every run…

This is dreadfully inefficient and token expensive as well as limiting “capability”. Like all databases the vector database has to be built and used with care which is where you hear people talk about “Chunking Hell”. Where a simple start becomes exponentially problematical.

anon July 9, 2026 4:27 AM

What that paper fails to highlight is that while there might be 10 orders of magnitude more script kiddies than before; that doesn’t actually matter. If your defenses will bar one of them, it will bar all of them.
On the flip side, if one of them can get in, and isn’t smart, or fast, enough, to lock the door behind them, then they can all get in.

Rontea July 9, 2026 2:59 PM

Once, to breach a fortress of code was the work of a few monastic minds, ascetic in discipline, tempered by the long novitiate of skill. Now, with a whisper to the mechanical oracle, any passerby may summon mischief and ruin.

Do you not see the irony? We have built a tower of power out of words and wires, and the wind of ignorance rattles its gates. The old thieves—the L0phts—were artisans, craftsmen of the invisible web. Their successors are children with swords sharper than their own understanding.

And yet the remedy proposed is eternal vigilance, the ancient prayer of civilization on the edge of chaos: to raise and wield these same machines for our defense. It is as if fire must fight fire, with the hope that the world does not burn to ash in the quarrel.

Such is man: he invents a god in his image, then fears it will recognize him.

Clive Robinson July 9, 2026 8:49 PM

@ anon, ALL,

When you say,

“What that paper fails to highlight is that while there might be 10 orders of magnitude more script kiddies than before; that doesn’t actually matter. If your defenses will bar one of them, it will bar all of them.”

Err no, not as you’ve written it.

The use of an LLM will allow / enable new scripts to be produced at a ten times or more rate.

But you need to consider that successful attacks these day are not usually “one step in and done” they are a chain of multiple steps that can be sequence dependent in their individual effects.

But also most “scripts” will not be for the same actual vulnerability, or if they are, implement the exercising of the vulnerability through the actual same route of steps.

So,

“A fix for one script is not likely to be a fix for all scripts.”

So your argument only holds for the few scripts that are “functionally the same”. That is they,

1, Exercise the same vulnerability 2, Through the same attack chain
3, In the same way.

It’s one of the reasons why I talk of “mitigation by isolation / segregation” a lot…

For an outsider attack to be successful the attacker needs access to one or more vulnerable systems.

Which requires any vulnerable systems to be reachable via a communications channel that can be reached from outside the organisations perimeter by an attacker (which is why I talk about “Energy Gaps” not just “Air Gaps”.

Back last century “mitigation by isolation / segregation” was talked about a lot, and gave rise to the notion of “Bastion Hosts”, “De-Militarised Zones”(DMZs), “Application Specific Gateways” and later “stateful firewalls”.

Unfortunately this sensible stratagem was killed off by the idiotic idea pushed onto MBA students on their courses as “mantra” thence onto organisations that “External Connectivity for all” is some kind of magic “business enabler” (hint, it really is not, as increasing AI use amply demonstrates)…

Product developers with no understanding of security took advantage of this MBA Mantra and demanded all sorts of holes be “punched through firewalls” for the “Common Object Request Broker Architecture”(CORBA) and the like which eventually gave rise to the truth behind the XKCD “one / random guy in Nebraska”,

https://www.explainxkcd.com/wiki/index.php/2347:_Dependency

And other needless “supply chains” and their attendant “external attacker” vulnerabilities. Oh and brought the “SBOM” to the lips of clueless politicians and the like.

It’s not, and it never was, a wise thing to do… and mostly the “promised magic” never happened for the user or organisation, just greater instability, fragility and vulnerability (remember Log4Shell CVE-2021-44228 in log4j more than a half decade ago?).

However what it was, and now is, is even worse…

Which is the original “toe hold” for SaaS, the Cloud, and all the bad things that have come with it since. Such as Silicon Valley Big Corps forcing users of even the bare OS into “cloud connectivity” so any thing and everything the user does becomes available to the Cloud system and thus the Government the Cloud service Corp falls under no matter where the SaaS cloud is geo- or juro- located.

Hence people waking up way to late to the idea of “bring it back On-Prem” and fully inside jurisdictional boarders with “Sovereign Cloud” etc.

What people need to realise is,

“Connectivity out side of user/organisational perimeter control”

Is an “open door invitation” to any and all not just script-kiddies.

Even those who can do the most simple of “script-kiddy attacks” with “netcat” and a “shell script” -which is remote enumeration by “Port Scanning”…

Over the years Microsoft has probably been the most egregious of suppliers leaving ports open for attackers to take advantage of.

But the thing, few appear to grasp in their search for “magic of the mantra” is,

“Just one machine that is vulnerable with external connectivity inside the perimeter turns an outsider attack on it, into an ‘insider attack’ against all other machines.”

Or what is now often called a “lateral movement cyber attack” or part of an “Advanced Persistent Threat”(APT) attack.

It’s why back last century Bastion Hosts and DMZ defences were originally developed, because if done properly they can block or significantly mitigate many if not all “insider attacks” as well.

When you draw this up on a white board it should be “obvious to all” in the room. But… there are always those who will for cognitive bias or short term benefit etc will argue “tooth and nail” against it “for shareholder value” etc. Something Upton Sinclair noted back in 1934 just under a century ago with,

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

So our systems remain not just insecure but worse beyond sensible mitigation because the major Silicon Valley Corps will for “surveillance and rent seeking reasons” make them not just “insecure by design”, but also “require external connectivity” to profit by… and senior management types are often at best “short term thinkers” looking for excuses.

Which we can see playing out in what feels like “augmented real time” with Current AI LLM usage inside of “AI Agents” burning down the world by tokenmaxing and similar for no real benefit and one heck of a lot of needless security risk…

ResearcherZero July 10, 2026 3:09 AM

If the script kiddies want to test their skills at moving fast and breaking things, then the United States government networks might be the place to start.

White House app forcibly downloaded onto government phones.

‘https://arstechnica.com/tech-policy/2026/06/white-house-app-auto-downloads-to-government-phones-cant-be-uninstalled/

The app is riddled with vulnerabilities, propaganda and dubious 3rd servicing.
https://www.notus.org/technology/trump-white-house-app-cybersecurity

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.