Why Public Defense Infrastructure Can't Wait
- Apr 13
- 7 min read
Updated: Apr 16
Christopher Smith is an award-winning author and entrepreneur dedicated to protecting people from cybercrime. After being the target of a major cyberattack, he founded DFend, a digital safety platform, and wrote Privacy Pandemic, inspired by his real-life story.
Earlier this month, Jen Easterly, former Director of the Cybersecurity and Infrastructure Security Agency (CISA), described what Anthropic's Claude Mythos Preview represents in a single phrase, the beginning of the end of cybersecurity as we know it.
The protection architecture emerging around frontier AI will initially cover a narrow set of critical institutions. The remaining majority, millions of small businesses, local governments, schools, and community institutions, remain outside that perimeter. The U.S. Small Business Administration counts 36.2 million small businesses employing 45.9% of American workers. That is the other 99.9%.
This dynamic is not confined to the United States. Across Europe, Asia, and emerging markets, the same structural divide is forming between institutions capable of deploying frontier-grade security infrastructure and the millions of organizations operating outside those protection layers.
Cybercrime networks already operate globally, moving capital, data, and attack infrastructure across jurisdictions faster than national defense systems can coordinate responses. The challenge unfolding is therefore not simply national, it is a global infrastructure lagging behind globalized digital threats.
What Mythos preview actually signals
Anthropic's assessment of Claude Mythos Preview documents a genuine inflection point. The model identified and exploited zero-day vulnerabilities across all major operating systems and web browsers tested. Engineers with no formal security training found complete, working exploits overnight. Anthropic's own researchers noted that the same improvements making the model more effective at finding and fixing vulnerabilities also make it more effective at exploiting them.
This is not primarily a story about what one model can do. It is a story about capability asymmetry accelerating faster than protection infrastructure can keep pace.
Anthropic has not made Mythos Preview generally available. Project Glasswing deploys these capabilities first to a limited set of critical infrastructure partners. That is a responsible and necessary choice. It is also not the whole story.
The gap project glasswing doesn't close
Frontier AI capabilities do not remain exclusive to their original developers. Other frontier labs are on similar trajectories. Some will exercise Anthropic's restraint, while others will not. Bad actors will find ways to access, replicate, or approximate these capabilities, and when they do, they will not limit their targets to institutions already hardened by Project Glasswing.
Think of it like the period before municipal fire codes existed. Wealthy buildings hired private fire brigades. Institutions that could afford protection received it. Everyone else absorbed the risk individually until the scale of collective harm made coordinated public infrastructure the only viable response.
Anthropic will not reach every company that holds our data. They will not reach every government agency, hospital, school system, or small business. And they cannot control what other frontier AI developers build. The capability is now in the threat landscape.
The question is whether public defense infrastructure will meet it.
Main street is already exposed
The Identity Theft Resource Center's 2025 Business Impact Report found that 81% of small businesses surveyed experienced a cyber or data breach in the past year, with AI-driven techniques accounting for 40% of those incidents. That data predates the public emergence of Mythos-class capabilities.
This is not a technology problem awaiting a technology solution. It is an infrastructure problem, the same coordination failure the series has documented in prior briefs, now applied at AI-accelerated speed and scale.
These businesses don't have CISOs or Security Operations Centers. They have human-speed defenses against attack infrastructure that is now operating at the frontier. LexisNexis Risk Solutions found that 85% of identity fraud cases already involve generative AI tools, based on an analysis of 104 billion digital transactions in 2025.
When businesses close due to cyberattacks, the downstream costs don't appear in fraud statistics. They appear as unemployment, loss of community economic activity, and price increases absorbed by consumers. Thirty-eight percent of small business leaders raised prices specifically to cover cyberattack costs. That is not a business statistic. That is a hidden tax on every household in the communities that those businesses serve.
The borderless asymmetry
This is not a localized vulnerability. While Project Glasswing focuses on protecting critical infrastructure within the G7, the "polycriminal" networks identified in INTERPOL’s 2026 assessment operate across borders with no comparable constraints. Cybercrime infrastructure already moves fluidly between jurisdictions, exploiting differences in regulation, enforcement capacity, and defensive maturity.
In emerging markets across Africa and Southeast Asia, where digital adoption is accelerating faster than security infrastructure can develop, the 4.5× profitability multiplier associated with AI-enhanced fraud is already creating conditions reminiscent of a pre-grid era of exploitation.
Without a coordinated global infrastructure response, these regions risk becoming durable proving grounds for frontier-grade attacks, environments where tactics, tools, and monetization strategies are refined before eventually cycling back into Western financial and digital ecosystems.
You have to fight AI with AI
Jen Easterly's thesis is that frontier AI may finally offer the tools to move security upstream, from reactive defense to prevention at the point of creation. That principle applies beyond the institutions currently inside the Glasswing architecture.
The answer to AI-powered attacks at scale is AI-powered public defense at scale. Not as a product, but as infrastructure, just as cities eventually built municipal water systems not because every household could afford a private well, but because everyone bore the collective cost of leaving them without clean water.
The current model asks 36.2 million U.S. small businesses, thousands of local governments, and hundreds of millions of citizens to defend themselves individually against attacks that are now coordinated, automated, and AI-accelerated. That architecture cannot hold.
Structural signal
California's DROP platform shifted the remediation burden from individuals to coordinated state infrastructure. The UK committed £250 million to a national fraud defense architecture. Project Glasswing demonstrates that AI-assisted vulnerability remediation is operational at an institutional scale. Each signal points to the same structural conclusion, coordinated public defense infrastructure reduces harm that would otherwise be distributed among individuals and small businesses lacking an equivalent protective layer.
The Cybersecurity and Infrastructure Security Agency, responsible for protecting 340 million Americans, operated on approximately $3 billion in FY2025. That budget predates the public emergence of Mythos-class capabilities. The coordination architecture being built at the institutional level is necessary. The question is whether public defense infrastructure will expand to reach everyone else before the window closes.
What the numbers say
81% of small businesses surveyed experienced a cyber or data breach in 2025, according to the Identity Theft Resource Center, with AI contributing to 40% of incidents.
36.2 million small businesses employ 45.9% of American workers, according to the U.S. Small Business Administration, the majority of these organizations will never join an institutional AI security partnership.
85% of identity fraud cases now involve generative AI tools, according to LexisNexis Risk Solutions, which analyzed 104 billion digital transactions in 2025.
38.3% of small business leaders raised prices to cover cyberattack costs, according to the ITRC, a hidden economic burden distributed across consumers and communities.
$3 billion is the approximate FY2025 budget of CISA, responsible for protecting 340 million Americans across every sector before the emergence of Mythos-class capabilities.
The economics of digital safety (opinion)
Project Glasswing is the right initiative, responsibly deployed. The institutions it reaches will be meaningfully better protected. That matters.
The data suggest that the threat will not wait for the protection architecture to expand. Frontier AI capabilities will proliferate. Some developers will exercise restraint with Anthropic. Others will not. The gap between frontier-grade attacks and consumer-grade defenses is widening now, before Mythos-class models are broadly available.
The answer is AI-powered public defense infrastructure, available not just to the institutions that underpin the global economy, but to the businesses that employ half of America's workforce, the governments that serve its citizens, and the individuals whose data flows through systems that will never appear on a Project Glasswing partner list.
The question is who builds that infrastructure, who finances it, and how much time remains before the gap between frontier-grade attacks and public-grade defenses becomes permanent.
Disclaimer
This article is provided for general informational and educational purposes only and reflects the author's analysis as of April 2026. It does not constitute legal, financial, investment, cybersecurity, or other professional advice. Readers should consult qualified professionals for advice specific to their circumstances.
The content represents a synthesis of publicly available third-party data and the author's interpretation of systemic trends, it is not based on specialized professional expertise in any regulated field. While the author has made every effort to verify information against primary sources, including Anthropic, the Identity Theft Resource Center, the U.S. Small Business Administration, LexisNexis Risk Solutions, and the U.S. Department of Homeland Security, no representations are made regarding the ongoing accuracy or completeness of such third-party data.
Market projections and structural assessments represent scenario analysis based on published data and institutional reporting. These should not be interpreted as predictions. Actual outcomes may differ materially based on technological, regulatory, and market developments.
This article does not advocate for or endorse any specific product, service, organization, or policy position and does not target or assign liability to any individual company or organization.
Read more from Christopher A. Smith
Christopher A. Smith, Author & Digital Safety Advocate
Christopher Smith is the award-winning author of Privacy Pandemic and the founder of DFend, a digital safety platform built to protect people from cybercrime. After being the target of a major cyberattack, he transformed his story of loss into one of purpose, turning a personal crisis into a global mission. His experience inspired him to develop technology that helps individuals safeguard their identity and privacy in the age of AI. Through his work and writing, Chris advocates for greater awareness, protection, and resilience online. He believes the future of digital safety is personal, because the threat already is.
References:
Anthropic. (2026). Assessing Claude Mythos Preview's Cybersecurity Capabilities.
Easterly, J. (2026). The Beginning of the End of Cybersecurity. LinkedIn.
Identity Theft Resource Center. (2025). 2025 Business Impact Report.
U.S. Small Business Administration. (2025). Small Business Facts.
LexisNexis Risk Solutions. (2026). Global State of Fraud and Identity Report 2026.
