Skip to main content
AI & Machine LearningQuantum Computing

Pentagon Cyber Official Sees AI as Revolutionary Warfare Catalyst

Formal conference setting with podium, empty chairs, and large window reflecting natural light and abstract technology…

"This is not evolutionary warfare, but revolutionary warfare," Paul Lyons said Thursday, describing the arrival of frontier artificial intelligence models as a turning point for U.S. cyber operations.

Paul Lyons at Rubrik’s Federal Cyber Resilience Breakfast

Paul Lyons, the principal deputy assistant secretary for cyber policy at the Department of Defense, made the remarks while speaking at Rubrik’s Federal Cyber Resilience Breakfast produced by FedScoop. Lyons called the development of frontier AI models such as Mythos a “watershed moment,” and said the department is both optimistic and challenged by the speed of change. He emphasized that because the technology is being developed by American companies, it presents a significant opportunity for the United States.

Mythos and Anthropic: a tension between risk labeling and operational use

The Pentagon has labeled Mythos a “supply chain risk” after its creator, Anthropic, resisted commands from the department to use its Claude model in ways the firm opposed. Despite that formal designation, Lyons said the department has nonetheless been using Mythos to hunt for cyber vulnerabilities. The juxtaposition—an official supply-chain warning on one hand and operational use on the other—illustrates the tradeoffs the department faces as it adopts frontier models.

How frontier AI models change offense and defense for critical infrastructure

Lyons argued that models like Mythos will “change both offense and defensive posture within the Department of War to something that’s close to you for critical infrastructure.” He described the technology’s ability to “hunt and speed across the domain and outside the fence line in critical dependencies with water, power, compute.” That language ties the AI capability directly to systems that support civilian life and military operations alike, and frames the models as tools that can reach beyond traditional network boundaries.

He also flagged practical questions that must be answered as the department integrates these capabilities. “To be blunt, we’re trying to figure out, what authorities do we need? How do you leverage that within both decisionmaking and employment?” Lyons said, adding that “we have the right people looking at the speed, scale and complexity of cyber and how it’s going to be affected through the advent of AI.”

Recent conflicts, layered cyber operations, and a maturing domain

Lyons pointed to recent conflicts as evidence that cyber operations have matured. “We saw it in spades in Venezuela, where you can layer cyber to create conditions that are favorable to the warfighter, that lower risk to mission, lower risk to force that where paired with both no kinetic and kinetic effects, can increase lethality,” he said. He added, “We see it in Iran today.” Those examples were offered to show how cyber tools, when combined with other effects, can alter risk calculations and operational outcomes.

What this means for technologists, policymakers, and critical infrastructure operators

  • Technologists and security teams: Expect operational experimentation. Lyons confirmed the department is using Mythos to hunt vulnerabilities even after designating it a supply chain risk, indicating security teams will see frontier models applied to active vulnerability discovery and threat-hunting tasks.
  • Policymakers and regulators: Lyons’ direct question—“what authorities do we need?”—places a spotlight on legal and policy frameworks. Those crafting authorities will need to reconcile the department’s desire to leverage AI rapidly with the supply-chain and governance concerns that prompted the Mythos risk label.
  • Critical infrastructure operators (water, power, compute): Lyons singled out “critical dependencies with water, power, compute” as domains where frontier AI can operate “outside the fence line,” signaling that operators should expect new forms of cyber activity aimed at dependencies that sit at the nexus of civilian and defense missions.

Lyons framed frontier AI as both an operational accelerant and a governance puzzle: American-made models give the United States an opening, but rapid adoption raises questions about authorities, safety, and risk. For now, the department has chosen to balance caution—labeling Mythos a supply chain risk—with pragmatic use—deploying it for vulnerability hunting—leaving the central policy question he voiced as the clearest next step: what authorities will enable safe, effective employment?

Original story