AI such as Mythos Preview raises the urgency of cross-border flows of cybersecurity data

Cybersecurity defenders are scrambling to respond to frontier artificial intelligence systems such as Claude’s Mythos Preview. The leading expert report from the Cloud Security Alliance describes a “storm of vulnerability disclosures” in this “first of many large waves of AI-discovered vulnerabilities that may occur in rapid sequence.” To face the newly discovered vulnerabilities and other AI-created risks, it becomes increasingly urgent for cybersecurity-related information to be shared among aligned defenders across national borders. 

Data sovereignty measures including data localization laws, however, may set limits on the lawful transfer of cybersecurity-relevant data to other jurisdictions. A 2026 report published by the Bank of International Settlements highlighted the problem of data fragmentation, saying it is “exacerbated by different privacy laws and regulatory frameworks” with the result that defenders often “cannot easily share data across borders.” 

The nature of the new threats

The importance of cross-border data stems from the three-prong nature of the augmented attacks. First, as the CSA states, AI is “autonomously finding thousands of critical vulnerabilities across every major operating system and browser.” Second, the vulnerabilities get turned into actual attacks, “generating working exploits without human guidance.” Third, AI chains attacks together, “empowering autonomous attack orchestration, all at a speed and scale that outpaces any prior capability.”

Over the last eight years, as documented in the CSA report, the defenders’ time to respond to attacks has plummeted. Back in 2018, there was an average gap of 2.3 years from discovery of a vulnerability to confirmed exploitation by a real attacker. By 2025, the gap shrank to 23.2 days. Now, a working attack emerges, on average, just 20 hours after the vulnerability is discovered. The time to respond to each new attack is collapsing toward zero.

Three ways cross-border sharing helps cybersecurity

As previous academic studies have shown, cross-border data is essential to defeating rapidly developing attacks. Three components of a cybersecurity program are especially reliant on access to cross-border data: threat detection, privilege escalation attack identification and penetration testing/red teaming. This point is discussed in a 2024 Journal of Cyber Policy article by a team that included me and the senior vice president for data science at CrowdStrike.

Even before the recent improvements in AI attacks, it was important for cybersecurity defenders to access personal data across borders. Any mature cybersecurity organization is expected to use threat detection, protect against privilege escalation and conduct pen testing. A 2025 article I wrote with DeBrae Kennedy-Mayo examined the organizational effects of limiting cross-border data. We examined the key controls expected under the widely used ISO 27001 and 27002 standards. The article showed that 13 of the 14 key cybersecurity controls would be negatively affected by limits on cross-border transfers of cybersecurity information.

How new AI attacks make cross-border data even more important

Today, new AI attacks mean that it is far more urgent to ensure cybersecurity defenders can draw on relevant data from around the globe. Rapid identification of threats is essential. Defenders can no longer wait for weeks or years to respond after a vulnerability is first detected. The CSA report emphasizes the need to “share threat intelligence” and ensure “early detection of compromise” because “threat intelligence is lagging behind on vulnerability discovery and exploitation.” 

The CSA report also emphasizes the need for better pen testing and similar defensive measures. The authors call on organizations to “introduce AI agents to the cyber workforce across the board, enabling defenders to match attackers' speed and begin closing the gap.” They note that quarterly pen tests are no longer good enough. Their overall conclusion is tentatively optimistic, due to improvements in using AI for defense: “the same AI capabilities that create this risk also create a defensive opportunity: organizations can now identify their own weaknesses before attackers do, review code at machine speed, and respond to incidents faster than any human team can.” That optimism, however, depends on pen testing and other defensive measures having access to the global range of information that defenders can access. 

Data for both cybersecurity and anti-fraud

Responding to new AI risks implicates anti-fraud efforts as well as cybersecurity. The scale of fraud is immense and responding to it requires the same velocity of defender detection and response as responding to vulnerabilities and exploits. In its most recent cybersecurity report, Microsoft states that its anti-fraud systems “blocked approximately 1.6 million bot-driven or fake account signup attempts per hour.” Thus, a “unified approach that integrates diverse data sources is essential to expose abuse patterns and reduce harm.”

Recent research has shown an important synergy between cybersecurity and anti-fraud efforts. In a 2025 survey of anti-fraud leaders at top financial institutions, most study participants reported that 50% to 70% of all confirmed fraud contains cyber data elements. Indeed, a majority of the leaders reported that notice of data breaches only occurs after fraud losses begin. A lead cybersecurity expert at Javelin Strategy and Research stated that “new doors are opening for advanced threat intel” using “cyber fusion that incorporates a myriad of tools across identity verification, fraud detection, and indicators of compromise.” Put simply, cybersecurity information is helping anti-fraud efforts, and anti-fraud efforts are helping cybersecurity if the relevant data can be shared.

Conclusion and next steps

Attackers probe systems across the globe. With new AI tools, they will do so far more rapidly than before. As a result, each country and region has a new, urgent reason to share data useful for cybersecurity defense, although presumably not with adversary countries. With sharing, a country ensures that the first signs of attack against it are integrated into the defenders’ early response. With sharing, countries ensure that they remain part of international information sharing efforts so that the country and its organizations can learn about needed defensive measures as quickly as possible.

As for next steps, the first goal is to do no harm. Policymakers should refrain from imposing new limits on defenders sharing data needed for cybersecurity purposes. Although policymakers have sometimes supposed that better security is achieved by keeping data locally and under local control, the opposite is often true: Defenders who share information on cyber and fraud attacks can respond more quickly and accurately than defenders who can analyze only a partial data set.

Other policy measures can affirm that defenders can share data where needed for cybersecurity purposes. For instance, rather than only assessing the risks of a data transfer, law and policy could encourage a balanced approach that also explicitly recognizes the benefits of information sharing among aligned defenders. Where necessary, regulators can consider creating an explicit safe harbor for such data sharing or define a cybersecurity exception from any applicable limits on cross-border sharing.

As a more specific measure, the U.S. is currently facing a sunset this September of the Cybersecurity Information Sharing Act, which promotes company-to-company and company-to-government sharing of cybersecurity information while protecting individual privacy. The challenge posed by Mythos Review and other similar AI developments provides a newly persuasive reason to reauthorize CISA.

In sum, attackers will use all information available — whether legally obtained or not. Therefore, responsible cybersecurity defenders should be able to share data where needed if they are to keep pace.