Chinese use of Claude AI for hacking will drive demand for AI cyber defense, say experts
WASHINGTON — In the wake of a report accusing China of using publicly available AI tech to launch cyberattacks, experts are warning cyber defenders they’re going to need some AI help of their own.
“Last week, we had the first revelation that there is a capability here that our adversaries can use that can get us to a speed and a scale [of attacks] we haven’t seen before,” said Paul Nakasone, the former four-star chief of the NSA and Cyber Command, at Tuesday’s Aspen Cyber Summit here in Washington. “The question becomes, what are we going to do about it?
“I think what we are going to do about it, and what you will see in the next six months, truly, is how does AI come on the cyber defense [side],” Nakasone continued. “I think we’re going to see tremendous, tremendous advances with regards to what we can do with artificial intelligence in a defensive mindset.”
A “Chinese state-sponsored group,” posing as legitimate cybersecurity testers, recently tricked Anthropic’s Claude Code AI into attacking roughly 30 government and industry targets on their behalf, succeeding against a small number of them, the company reported.
While AI isn’t replacing human hackers yet, it can multiply the number and speed of attacks one moderately well-trained human can conduct, experts agreed. In essence, it’s the cyberspace equivalent of unmanned “loyal wingman” drones directed by a single fighter pilot. But there is, so far, no matching force multiplier for defense.
“We’re now going to see agentic cyber defenses deployed against agentic cyber attacks,” said Jack Shanahan, founding director of the Pentagon’s Joint Artificial Intelligence Center.
Pitting algorithm against algorithm at superhuman speeds, however, could lead to results no human on either side expected, let alone desired.
“Algorithmic warfare at the speed of agents is enticing for any military. Yet if executed in this kind of slap-dash way, we’re in for a bit of a wild ride,” Shanahan told Breaking Defense. “In this case, the known limitations of these LLMs highlighted themselves in a way that suggests humans would be crazy to trust agentic AI to operate without human involvement and oversight.”
There are “all sorts of risks to consider,” Shanahan said. “One that should be at the top of the list in global conversations between nuclear states right now is the potential implications of allowing these kinds of automated agentic cyber attacks against NC3 [nuclear command, control, and communications]. That doesn’t end well.”
Silver Bullets Or Shotgun Blasts
What’s unprecedented about the Claude Code attack, Anthropic’s report and the experts noted, is that it’s the first reported case of hackers using publicly available AI tools to conduct cyber attacks autonomously, with minimal human oversight.
These AI “agents” still required humans to make some key strategic choices, double-check AI-generated reports for hallucinations, and hand-code the most exquisite forms of malware to penetrate the hardest targets, experts told Breaking Defense. But the AI took a virtual buzzsaw to what’s normally time-consuming grunt work: from scouting out potential weak points to stealing passwords, writing custom malware, exfiltrating data, analyzing it, and even tidily documenting the results.
Overall, Anthropic estimated Claude Code performed “80-90 percent of tactical operations independently” and at speeds “physically impossible” for humans to match.
“Two of the most time-intensive aspects of cyber operations are [first] assessing the networks, and then, once you penetrate the network and export the files that you’re targeting, sifting through all those files and assessing what has actual intelligence value to it,” said David Lin, a senior advisor at the Special Competitive Studies Project (SCSP). “Getting Gen AI and chatbots and LLMs to do [those] things, like the report says, increases optimization by 80 to 90 percent.”
What’s especially impressive is that the hackers were able to use Claude Code in every stage of their campaign, from initial reconnaissance to after-action analysis, argued Jason Healey, a senior research scholar at Columbia.
Until now, Healey told Breaking Defense, “whenever there are stories about AI helping some part of offense or defense, it has ever only applied to one or a few parts of the NIST Cybersecurity Framework (if it helps defense) or MITRE ATT&CK or Kill Chain (if offense). [But] Claude seems to have automated substantially the entire chain.”
That doesn’t mean Claude Code or other agents can perform all those actions against all targets. “I can imagine this being great to hit the smaller DIB [Defense Industrial Base] companies but not the majors,” Healey said. “Likewise for federal agencies.”
In fact, all the experts who spoke to Breaking Defense agreed that the AI agents aren’t up to hacking the hardest targets, at least for now. In particular, top-priority national security systems like nuclear command and control — or the Iranian nuclear sites famously attacked by the Stuxnet worm — are often “air-gapped,” with no connection (whether physical or wireless) to the global internet, making it hard for commercially available tools to even find them in the first place.
“I can’t imagine Claude would be super useful for a very bespoke, very intricate attack, which also required physical penetration, à la Stuxnet, but would be useful for attacks at scale,” said Joshua Wallin, a defense program fellow at the Center for a New American Security. “My read from the Anthropic report is that the speed and automation were of value, even to an otherwise highly capable actor.
“The use of open-source cybersecurity tools [like Claude Code] also helps a high-end actor avoid exposing their more bespoke tooling,” Wallin told Breaking Defense. “They can save the ‘special sauce’ for later.”
Agentic AI “won’t necessarily make it any easier to crack into well-secured government networks,” Shanahan agreed. “[But] one bad actor working with LLMs can act like a dozen or more human actors operating solo, [so] it offers a cheap, easy leg up — and those whose networks are not well-secured will learn the hard way.”
In other words, while AI agents aren’t a silver bullet that can kill even the toughest target, they’re still a digital shotgun blast, and many networks are as fragile as clay pigeons.
So even highly sophisticated nation-states with elite cyber teams will still want to leverage legions of AI assistants, the experts agreed. In cyber war, as on the physical battlefield, quantity has a quality all its own.
“If Chinese APTs [Advanced Persistent Threats] are using AI to automate an entire incident, it means their weakest teams will be far more productive,” Healey said. “This means more targets are hit for less cost and saving their higher performing teams for the hardest targets.”
“If an AI startup achieved this on the defensive side — success across almost the entire NIST Cybersecurity Framework — they would have a $5 billion valuation, and it would be widely touted as a gamechanger,” he added.
Unfortunately, it seems no one has gotten agentic AI defenses up and running yet.
“We know that there are a bevy of new companies that sprouted up in the last year or so to do this sort of thing, but this incident should lend momentum to those efforts,” said Chip Usher, senior director for intelligence at SCSP. “This points up the importance for defenders to get cracking and using AI-enabled systems for defense. … If you’re going to defend against these AI-enabled attacks, you need to have AI on your side to counter it, just because of the speed and scale.”