Christophe Nicolas
Comment by Christophe Nicolas: When Claude Mythos Challenges Switzerland’s Critical Infrastructures
For twenty-seven years, the digital world rested on a foundation of cryptographic certainty that evaporated in a single weekend. With the sudden emergence of Claude Mythos, an AI capable of dismantling decades of security architecture in mere days, the global landscape has fractured.
What if, in just a few days, decades of certainty about our digital security had collapsed without us yet fully realizing it? The shock comes down to one sentence: a bug invisible to hundreds of experts for 27 years, surfaced in a week by a machine.
Three weeks ago, an AI model called Claude Mythos found a vulnerability in OpenBSD that had gone undetected through decades of human verification. It also identified flaws in every major operating system and every major web browser, and built targeted, working attacks for each. The engineer using the model had no security training. He needed only one instruction: please find a vulnerability.
Anthropic, the company behind Mythos, chose not to release the model publicly. Access was restricted to a US consortium called “Project Glasswing” — Microsoft, Google, AWS, NVIDIA, JPMorgan, CrowdStrike. Switzerland was not invited.
And it is precisely this gap — between technological capability accelerating elsewhere and Switzerland’s position on the sidelines — that makes the situation urgent. This is not an essay on the future of AI. It is a question about Switzerland’s critical infrastructure, and it must be asked now.
What Mythos changes
For thirty years, cybersecurity rested on a single assumption: serious vulnerabilities are rare because they are hard to find. That assumption is now shattered. AI takes on the hard part — at machine speed, in parallel, across every highly sensitive or strategic codebase.
Patching cycles have always been slow. They were tolerable only because attackers were slow too. That is decisively no longer the case.
The uncomfortable truth
Switzerland has built its country on three pillars: trust, neutrality, meticulous engineering. All three are now exposed.
Trust rests on systems that count among the most attractive targets in Europe. Switzerland, a country of dialogue and compromise, operates in a European and global context in which the principle of neutrality is a fundamental basis. That principle positions Switzerland as a country that applies the decisions of major initiatives such as Project Glasswing but does not take part in the discussions. In other words, we see the threat, but the defense playbook will not be handed to us. Finally, meticulous engineering means that we consider our infrastructure robust because it has been so for decades. Mythos now tells us: experience alone will probably no longer be enough. The Swiss economic and political landscape can no longer simply reflect and adapt — it must anticipate. And act.
The myth challenging our three Swiss pillars
The country’s financial reputation rests on respected institutions. Swiss Post, SBB, the federal administration, cantonal health systems, the energy grid and private wealth-management platforms together form this solid base. Mythos can today audit every one of them. The result? None of these systems was designed to face an adversary capable of finding a decade-old vulnerability in a week.
When academics and policymakers are asked what Switzerland would do if AI were to identify vulnerabilities faster than we can patch them, the same intuition comes back: the need to accelerate. A relevant intuition, but one which, lacking concrete translation, leaves a worrying strategic vacuum today.
Preparing concretely. And now
Software updates alone will no longer suffice. They are too slow, while attack capabilities accelerate and become widespread. To keep pace, security must now be built directly into the hardware. Concretely, that means systems able to prove their identity and integrity through elements inscribed at the heart of the chips; sensitive actions that are systematically signed, so that no important operation goes unnoticed; encryption methods designed to withstand tomorrow’s computers, including quantum ones; and secure spaces inside the processors, able to lock down cleanly in case of trouble rather than letting data leak out. None of this is futuristic: these technologies already exist, and Switzerland has the skills to develop them.
But putting them in place is not a simple purchase or a technical decision. It is a strategic choice. It amounts to treating cybersecurity as a pillar of sovereignty, on the same footing as neutrality — a capacity Switzerland must master itself and cannot fully delegate to others.
A new strategic context
For executives. Your exposure to vulnerabilities changed three weeks ago. Planned update cycles no longer match the new reality. Ask one simple question: can your critical systems prove they are trustworthy, and trace every sensitive action? If the answer remains “we follow the patching schedule,” your strategy is already behind today’s threats.
For parliamentarians. In November 2023, Switzerland chose a sector-by-sector approach to AI. A coherent choice at the time, but no longer sufficient today. Faced with threats that evolve very fast, a coordinated response becomes necessary — not in five years, but within this legislative cycle. Without it, Switzerland risks following decisions made in Brussels rather than helping to shape them.
For all of us. In 2026, sovereignty no longer plays out only where data is stored. It depends on our ability to understand, verify and master the security foundations of our systems. Switzerland has the technical skills to achieve this. What is missing now is a clear political decision to act.
Christophe Nicolas is Group CIO iof Kudelski Group and Executive Committee Member of digitalswitzerland
Written with the support of Claude Opus 4.7 (suggestions and proofreading), the opinions expressed here remain personal and do not necessarily reflect the views of digitalswitzerland.