CivilsWisdom.
Updated · Today
Polity IR Econ Env S&T Security Geo Social Culture History
Science & Technology April 28, 2026 5 min read Daily brief · #3 of 15

Union government speaking to Anthropic about concerns over Mythos: top MeitY official

The Ministry of Electronics and Information Technology (MeitY) Secretary S. Krishnan stated that the impact of artificial intelligence on cybersecurity has e...

GS Paper 3 (Science & Technology Cybersecurity) GS Paper 2 (Governance International Relations)

What Happened

  • The Ministry of Electronics and Information Technology (MeitY) Secretary S. Krishnan stated that the impact of artificial intelligence on cybersecurity has emerged as a "very real threat," specifically citing the release of Anthropic's advanced AI model Mythos as a concrete catalyst for this concern.
  • The Indian government is in active discussions with Anthropic about concerns related to Mythos — an advanced AI model designed to handle complex cybersecurity tasks including identifying software vulnerabilities, analysing systems, and potentially generating exploits at scale.
  • Anthropic declined a public release of the Claude Mythos Preview, citing serious cybersecurity and national security risks, noting the model can identify and exploit thousands of vulnerabilities — including long-standing flaws in operating systems and web browsers — potentially compressing exploit timelines from weeks to hours.
  • A high-level inter-ministerial meeting chaired by the Finance Ministry brought together the Reserve Bank of India, MeitY, and leading banks to assess systemic risks from AI-enabled cyber threats to India's financial infrastructure.
  • India's government and technology industry simultaneously pressed Anthropic for early access to Mythos, citing the need to assess risks and protect critical infrastructure before any broader deployment.

Static Topic Bridges

MeitY — Ministry of Electronics and Information Technology

MeitY is the nodal ministry for matters relating to information technology, electronics, internet governance, cybersecurity policy, and digital public infrastructure in India. It operates under the Union Government and is responsible for the administration of the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

  • Established: Carved out of the Department of Electronics and the Department of Information Technology; reconstituted as MeitY in 2017
  • Key responsibilities: Promoting digital India, regulating cyberspace, overseeing CERT-In (Indian Computer Emergency Response Team), AI governance guidelines, and administration of DPDP Act 2023
  • MeitY released a framework of seven AI governance principles (sutras): trust, human centricity, responsible innovation, fairness and equity, accountability, understandability by design, and safety/resilience/sustainability
  • CERT-In, under MeitY, mandates breach reporting within 6 hours (one of the strictest globally) under the 2022 cybersecurity directions

Connection to this news: MeitY's engagement with Anthropic is squarely within its mandate as India's nodal cybersecurity and IT governance ministry; the Mythos episode has accelerated calls for a formal AI regulatory framework under MeitY's oversight.

AI and Cybersecurity: The Dual-Use Challenge

Advanced AI models — particularly those trained on large corpora of software code, vulnerability databases, and security research — represent a new class of dual-use technology. They can dramatically accelerate both defensive security (automated patch analysis, threat detection) and offensive capabilities (automated vulnerability discovery, exploit generation). This mirrors the regulatory challenge posed by earlier dual-use technologies such as encryption software and advanced semiconductors.

  • The concept of "offensive AI" — AI systems that autonomously identify and exploit security weaknesses — poses risks qualitatively different from earlier malware because of the speed, scale, and adaptability of AI-generated attacks
  • The vulnerability exploitation timeline compression: traditional exploit development (weeks/months) → AI-assisted (hours) is a structural shift that strains existing cyber incident response doctrines
  • India's CERT-In was established under Section 70B of the IT Act, 2000; it is the national nodal agency for cybersecurity incident response
  • The National Cyber Security Policy 2013 was India's foundational cybersecurity strategy; a revised policy has been under discussion
  • The National Cyber Security Coordinator (NCSC) office, under the NSA, coordinates cross-ministry cybersecurity strategy at the apex level

Connection to this news: The Mythos episode illustrates exactly the dual-use risk that cybersecurity governance frameworks must address — and is driving India to engage bilaterally with AI developers before models are released, representing a shift from reactive to pre-emptive AI governance.

Digital Personal Data Protection Act (DPDP Act), 2023

The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) is India's comprehensive personal data protection legislation enacted on August 11, 2023. It replaces the earlier framework under the IT Act and establishes obligations for Data Fiduciaries (entities processing data), rights for Data Principals (individuals), and creates the Data Protection Board of India as the adjudicatory body.

  • Mandates "reasonable security safeguards" by all Data Fiduciaries; breach reporting required
  • Introduces the concept of Significant Data Fiduciaries (SDFs) — entities subject to enhanced obligations including annual audits and Data Protection Impact Assessments (DPIA)
  • The DPDP Rules 2025 are being implemented in three phases with full compliance expected by May 2027
  • AI systems that process personal data (e.g., AI models analysing user behaviour, financial records) fall within the DPDP Act's ambit as Data Fiduciaries
  • As of early 2026, there is no dedicated AI-specific legislation in India; AI governance is spread across IT Act 2000, DPDP Act 2023, and sectoral regulators (RBI, SEBI, TRAI)

Connection to this news: Mythos's potential to extract, analyse, and exploit data at scale — including personal and financial data — directly implicates the DPDP Act's data security obligations and underscores the urgency of comprehensive AI-specific regulation that MeitY is now accelerating.

Key Facts & Data

  • Anthropic Mythos: Advanced AI model; designed for complex cybersecurity tasks including vulnerability identification and exploit generation
  • Mythos Preview: Not publicly released by Anthropic — withheld due to national security and cybersecurity risks
  • Exploit timeline compression: Weeks/months → hours (AI-enabled)
  • MeitY Secretary: S. Krishnan (as of April 2026)
  • MeitY AI Governance Principles: 7 sutras (trust, human centricity, responsible innovation, fairness and equity, accountability, understandability by design, safety/resilience/sustainability)
  • CERT-In breach reporting requirement: Within 6 hours of detection (under 2022 MeitY direction)
  • DPDP Act enacted: August 11, 2023 (Act No. 22 of 2023)
  • Data Protection Board of India: Adjudicatory body under DPDP Act
  • NCSC (National Cyber Security Coordinator): Under the NSA, apex inter-ministry coordination for cybersecurity
  • IT Act, 2000: Section 70B establishes CERT-In; Section 66 deals with computer-related offences
  • India's AI regulation status (early 2026): No dedicated AI law; MeitY guidelines are non-binding; sectoral regulations apply
On this page
  1. What Happened
  2. Static Topic Bridges
  3. MeitY — Ministry of Electronics and Information Technology
  4. AI and Cybersecurity: The Dual-Use Challenge
  5. Digital Personal Data Protection Act (DPDP Act), 2023
  6. Key Facts & Data
Display