China spying strikes and the American AI revolution

Two bolts of lightning have struck the cybersecurity landscape in six months. In 2025, Anthropic disclosed in November that Chinese state-sponsored actors had used its Claude model to run a largely automated cyberespionage campaign. 

The artificial intelligence or AI performed 80 to 90% of the work across roughly 30 targets. 

In April this year, the same company revealed that its Mythos model had autonomously discovered thousands of previously unknown vulnerabilities in every major operating system and browser. A capability the company deemed significant to withhold from general release.

Between strikes, the steady rain has begun. The rain is AI itself – diffuse, constant, soaking every institution. Much of it nourishes science, software, and defense. 

But the rain falls on weakened ground. CrowdStrike documented an 89% annual increase in AI-enabled adversary operations. Mozilla’s application of Mythos to Firefox surfaced  271 vulnerabilities in a single evaluation that would have taken researchers years to find. 

Security budgets

Governments and boardrooms are patching, monitoring, and reinforcing. But the harder question is whether the United States can scale what it intends to build with confidence that the ground beneath it will bear the weight. 

Leadership in AI will not be decided by who trains the largest models. It will be decided by who can deploy them most deeply into the systems that generate advantage, and that depends on whether the foundations can withstand what is now being asked of them.

For 30 years, cybersecurity rested on three assumptions – that sophisticated attacks would remain expensive, that identity systems built for humans could extend to whatever came next, and that human judgment would remain in the path of consequential decisions. 

They underlie not only security budgets but the country’s ability to deploy AI across the institutions that generate economic and military advantage. Today, they are breaking down.

The first crack is in plummeting attack costs. What once required an intelligence service can now be replicated by a motivated individual with a frontier model. CrowdStrike observed a 38% increase in China-nexus intrusions last year – a tempo impractical without AI assistance.

Defenders are also gaining. Mythos-class capabilities are hardening critical software faster than human teams could. But attackers merely need one path, while defenders must close all of them. Patching pipelines and procurement cycles were built for human tempo. 

It remains to be seen whether defenders can keep pace with arriving at machine speed. The second crack is identity. Every credential and access control system was built on an unstated premise – that an identity belongs to a person. 

Nonhuman identities now outnumber human ones, yet the identity layer was never built to verify that an agent’s actions match the intent of the human who dispatched it. In March, a Meta AI agent posted incorrect guidance to an internal forum without its operator’s approval. 

Sensitive data

A second employee acted on that guidance and posted sensitive data that sat exposed for nearly two hours. The gap is not technical. It is structural in how institutions assign, scope, and verify trust, and it widens with every AI agent granted credentials designed for people. 

Governance frameworks for nonhuman identity exist on paper. Deployments are outrunning them. The final crack is the most subtle – human judgment itself. 

When the identity layer can no longer verify who or what is acting, the remaining check is the individual – the analyst who pauses at an anomaly or the engineer who notices a system behaving oddly and asks why. 

This was never a designed control. Damage simply spread as fast as people could respond to it. That check is now the last line of defense, exactly as it is being engineered out.

Organizations are deliberately automating reviews, approvals, and separation of duties to operate at machine speed – a trade-off most are making by default rather than by deliberation. None of these assumptions lapsed because someone made a bad decision. 

They lapsed because no one was assigned to revisit them. Technology mandates and new regulatory bodies will not solve the problem of unexamined premises. What this moment demands is not louder alarms but an audit of assumptions. 

Where does the threat model still assume capability is scarce? Where does identity assume a human on the other end? Where have people served as informal structural reinforcement that no one designed in, and what replaces that reinforcement as it is automated away?

The work begins not with new controls but with a larger question – what did we assume, and does it still hold? The output is a written account of what was taken for granted, drawn from the people closest to the systems. 

An enterprise may find its change-approval process was automated two years ago without a governance decision. A federal agency may find that under continuous-authorization pilots, the assumed security scrutiny is now a dashboard no one is required to read.

In the private sector, the forum for this audit already exists – the board’s risk committee, where accountability for structural commitments resides. 

Federal cybersecurity

It should be specific – a written register of the security assumptions on which AI deployments depend, reviewed annually and updated when any assumption is found to have lapsed.

Companies that have undergone post-quantum readiness assessments already have a template. The exercise is the same, but applied more broadly. 

In government, the Office of the National Cyber Director should claim it. ONCD’s statutory mandate is coherence across federal cybersecurity – precisely the vantage point from which lapsed assumptions are visible and agency-by-agency efforts are not. 

A reasonable first deliverable is working with the Cybersecurity and Infrastructure Security Agency and sector risk management groups that underpin federal civilian and critical infrastructure systems. This is not a new framework, but an accounting of the old ones. 

The inventory is the precondition for informed decisions about where AI can be deployed with confidence and where the assumptions beneath it need to be revisited first.

There is a competitive logic to doing this deliberately. China is embedding AI across its security and governance apparatus – from automated censorship to AI-recommended criminal sentencing – at a pace that does not pause for assumption audits. 

It is already exporting that infrastructure to willing buyers abroad. The US advantage is not that its foundations are sounder, but that its institutions can choose to look. 

An open system can audit itself in ways a closed one structurally cannot, and that capacity is a strategic asset – if exercised before the next failure forces the question rather than after.

Real advantages

These are governance questions, not compliance ones. The US holds real advantages – in model capability, in allied coordination, in the depth of its defender community – every one resting on assumptions that were reasonable when made and unexamined since. 

The instinct will be to treat that examination as one more review standing between leadership and the real work of deployment.

But inspecting the foundation is the precondition for scaling AI with confidence. You don’t wait for the storm to find the cracks – you find them first. That is the real work. 

Vinh X Nguyen is a senior fellow for artificial intelligence, or AI, at the Council on Foreign Relations.

This edited article was published by the Council on Foreign Relations under a Creative Commons license. Read the original here.

This work represents the views and opinions solely of the author. The Council on Foreign Relations is an independent, nonpartisan membership organization, think tank, and publisher, and takes no institutional positions on matters of policy.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy of China Factor.