Highly Autonomous Cyber-Capable Agents: Anticipating Capabilities, Tactics, and Strategic Implications

TL;DR

This paper introduces the concept of highly autonomous cyber-capable agents (HACCAs), analyzes their operational tactics and strategic implications, and discusses policy measures to address potential security risks posed by these autonomous cyber attack systems.

Contribution

It defines HACCAs, forecasts their emergence, details their operational tactics, and explores their strategic and policy implications, highlighting new risks and mitigation strategies.

Findings

HACCAs could autonomously conduct full cyber campaigns.

They may lower barriers for sophisticated cyber attacks.

Risks include cyber-nuclear escalation and loss of control.

Abstract

This report introduces the concept of "Highly Autonomous Cyber-Capable Agents" (HACCAs), AI systems capable of autonomously conducting multi-stage cyber campaigns at a level comparable to today's top criminal hacking groups or state-affiliated threat actors, and analyzes the security implications of their emergence. The report: (1) Defines what HACCAs are and forecasts when they might arrive, establishing a clear framework for an autonomous cyber agent that can operate across the full attack lifecycle without meaningful human direction; (2) Identifies five core operational tactics, detailing how HACCAs could sustain themselves in the wild, from autonomous infrastructure setup and credential harvesting to detection evasion and adaptive shutdown avoidance; (3) Analyzes the strategic implications, including how HACCAs could intensify interstate cyber competition, lower the barrier to entry for sophisticated operations, and proliferate advanced offensive capabilities to criminal groups and less-resourced state actors; (4) Flags two tail risks that deserve serious attention: the potential for autonomous cyber operations to trigger inadvertent cyber-nuclear escalation, and the possibility of sustained loss of control over rogue HACCA deployments; (5) Proposes seven policy recommendations across three goals: understanding the emerging threat, defending against HACCAs, and ensuring their responsible development and deployment.