Five Eyes Says AI Is Changing Cyber Risk

Today, the heads of the Five Eyes cybersecurity agencies signed a joint statement on AI and cyber risk. Canada, the United States, the United Kingdom, Australia, and New Zealand. Same message, same day.

That does not happen often. When it does, it is worth paying attention to what they said and who they said it to.

The brief version. AI is shortening the timeline between when a vulnerability is discovered and when it is exploited. The tools attackers use are improving fast enough that the agencies say the timeline is "not years, it is months." Leadership, not IT departments, owns the responsibility to act.

Read the full statement on the Canadian Centre for Cyber Security site.

We Have Been Writing About This

If you have been reading Nitap Insights, you're likely nodding your head as you read this.

We wrote about what the AI vulnerability storm means for smaller organizations when the first wave of AI-accelerated exploit research started making headlines. We wrote about why First Nations organizations are higher-value targets than they think and what makes that risk profile distinct. We have written about data sovereignty and what it means in practice when communities evaluate the tools they are being sold.

The Five Eyes statement validates what we have been saying. The game is changing. Agency leaders are now saying it out loud, and the fundamentals they are calling for are exactly the ones we have been urging communities to build.

This is an opportunity to act, and the urgency has just increased.

What the Statement Calls For

The agencies listed five priorities. Here is what they mean in everyday language.

Know what is connected to your network. You cannot protect what you do not know about or cannot see. If nobody in your organization can list every computer, server, and device on your network, that is the first thing to fix.

Update your software faster. When a software company releases a security fix, test it and then install it quickly. AI is shortening the window between disclosure and exploitation from weeks to days. Every day you wait is a day your systems are exposed.

Replace old systems. Computers and software that no longer receive security updates are easy targets. The agencies call them "strategic liabilities." That is a polite way of saying they are still critical to your operations but represent a massive business exposure.

Control who can access what. If staff share logins, or if former employees still have access to community systems, that is a manageable risk. Every person should have their own account with only the access they need.

Have a plan for when something goes wrong. Not if. When. Know who to call, who makes decisions, and where your backups are. Write it down. Walk through it once.

These are the fundamentals. AI is raising the cost of leaving them unfinished.

The Audience Gap Is Not New Either

These briefings are written for large enterprises and federal departments. It is an observation, and it is one we have made before.

The Five Eyes agencies are speaking to organizations with dedicated vulnerability management teams, capital budgets for technology refresh, and incident response plans ready to test. That is their audience.

First Nations communities and small to mid-sized organizations are not usually in that room. Even so, they face a similar threat landscape. A band council running its entire technology operation through a single person is subject to the same AI-accelerated phishing campaigns, the same shrinking patch windows, and the same automated attacks that now make smaller targets worth hitting.

The question is not whether this applies to you. It does. The question is what you do about it.

Smaller Organizations Can Lead Here

There is an argument that gets overlooked in these conversations. Smaller organizations have advantages that large enterprises do not.

A band council or a 40-person organization doesn't typically have 20 years of accumulated technical debt spread across eight business units. It does not need 7 months and a steering committee to deploy multi-factor authentication. It does not have a change management process that takes longer than the patch window.

Smaller organizations can move faster. Leadership is closer to operations. Decisions that take a Fortune 500 company a quarter can happen in a week when the senior leadership (i.e., Chief and Council) are in the same room as the person who manages the network. At this scale, cybersecurity stops being an isolated IT project and becomes an act of community resilience, protecting local continuity and acting as stewards for community data.

The Five Eyes agencies are telling large organizations to do things that many of them should have done years ago. First Nations communities and SMBs building their technology foundations now have a chance to build them right from the start. That is an opportunity.

Asset inventory. Access controls. Patch management. Incident response planning. These are achievable at community scale. They do not require enterprise budgets. They require attention, priority, and a leadership decision to start.

What You Can Do This Month

You do not need a cybersecurity budget to start. Here are things community leadership can act on now.

• Ask your IT person one question. "Do we have a list of every system and device on our network?" If the answer is no, that is the first project. Everything else depends on knowing what you have.

• Check for shared logins. If staff share passwords to access community systems, change that. One person, one account. This costs nothing but time in most cases.

• Find out when your systems were last updated. If nobody is sure, that is your answer. Security updates need to happen regularly. Ask your IT person what is preventing that and what they need to make it happen.

• Write down your emergency contacts. If your systems went down tomorrow morning, who would you call? Your IT person, your internet provider, your software vendors, your regional tribal council. Put those numbers on paper. Not just in a computer that might be offline.

• Talk to your neighbours. Other First Nations communities and SMBs face the same challenges. Tribal councils and regional Indigenous organizations can help coordinate shared resources. The community or organization that figures this out first can help the next one.

This Is a Leadership Conversation

The Five Eyes agencies clearly point out that cybersecurity is not solely an IT problem. It is a business problem: how can we keep our lights on in a disruptive marketplace?

For Chiefs and Councils, that means putting cyber risk on the agenda the same way you would discuss a flood risk or a building safety issue. You do not need to understand the technical details. You need to ask the right questions and make sure the people responsible for your community's technology have what they need to protect it.

The threats are real. The timeline is compressing. The immediate response does not have to start with a budget. It starts with a decision.

First Nations communities and small organizations have been told for years that cybersecurity is someone else's problem, built for someone else's scale. The Five Eyes statement is a reminder that the threat does not see it that way. It is also a reminder that the fundamentals are within reach. Communities that build them now will not be playing catch-up. They will be leading.

---