ICE Executives Detail AI Cybersecurity Efforts Through Project Glasswing
At the start of June, Intercontinental Exchange (ICE) announced it had joined Anthropic’s cybersecurity initiative, Project Glasswing. ICE will deploy Anthropic’s Claude Mythos Preview across its operations, including the New York Stock Exchange, to identify and remediate vulnerabilities before they can be exploited.
By participating in Project Glasswing, ICE joins a select group of organizations using advanced AI tools to secure critical financial and technology systems. ICE said it’s overseeing the AI tool’s deployment, security architecture and governance internally as it works to strengthen protections for critical financial infrastructure.
In an interview with HousingWire just a few weeks into the initiative, Bob Hart, president of ICE Mortgage Technology, and Steve Pugh, ICE’s chief information security officer, shared how the initiative supports the company’s efforts to enhance cybersecurity resilience.
Editor’s note: This conversation has been lightly edited for length and clarity.
Sarah Wolak: Can you give an overview of Project Glasswing and what the pilot entails?
Steve Pugh: Mythos came out right after the RSA conference. It was [Anthropic’s] next generation of model. They had a core group of folks within that program to really help them figure out what to do with this thing. There was a lot of excitement, but they knew it was pretty powerful. So they created this program called Project Glasswing.
A number of companies have been in it. The U.S. government got involved and started talking about how these models should be rolled out, given they’re incredibly powerful. We got invited as part of one of the waves and have been using it for the last few weeks.
From everything we’ve seen, it is living up to all expectations. It’s certainly a step change in the models we’ve been using historically. It’s not a doomsday scenario; it’s just part of the journey we’re on with AI. At ICE, we’re trying to figure out how we leverage this to make our products and our customer data as safe as possible.
Wolak: What kinds of AI-enabled threats are you preparing for?
Pugh: The nuance there is that the AI models aren’t necessarily creating new exploits. They’re basically taking advantage of things that were already there, stuff humans may have found or overlooked. It’s not a new AI-type attack pattern.
The one difference is the speed at which AI moves. That’s what’s been interesting about Mythos: how broad it will scan and how quickly it can determine whether something is a defect versus a vulnerability that could lead to exploitation or lead to full control over your system.
That speed that it does that is quite remarkable. For us, we’ve been on this journey for a while. We started leaning in last year around AI-powered attack patterns, and we’ve always measured ourselves on that time scale. While that time continues to compress, I believe somebody came up with the “zero-day clock” — the time it takes to go from a vulnerability to a zero-day. That’s in a matter of minutes now.
Wolak: Cybersecurity has long been a board-level issue for mortgage companies. What are ICE customers telling you about cybersecurity concerns in the era of AI?
Bob Hart: Cyber has always been one of the top priorities of the executives we talk to. That being said, I personally have not seen the emergence of concerns yet around AI. At this point, it feels like people are viewing AI more as an altruistic means of efficiency gains.
I do think there is going to be more curiosity and concern around the capabilities AI will bring to cybersecurity. So I suspect this will bring a heightened level of awareness and interrogation. You’re also seeing an emergence of a lot of new tech vendors, and what is the level of scrutiny they need to go through to make sure the end customer is protected?
We’re just at the cusp of starting to see that. On security, I’m not seeing as much of it yet. I’m seeing more around governance of how you use AI, not as much yet on security. I’ve had a couple of customers, based on the press release we did around Mythos, reach out and say thank you for being a part of this, but I don’t think we’ve seen a tipping point on the security side.
Pugh: I do think what Mythos did was push the conversation around security — and specifically AI security — into the boardrooms and into the executive staff meetings. We’ve always heavily invested in security. We’re highly regulated. Leadership has always felt that security was important to invest in, and it’s become a strategic enabler and a market differentiator.
But what we also do is pull in lessons learned from other business units — things like the New York Stock Exchange and our energy business. These are unique attack surfaces. We’re able to centralize that, create a common defense and push that out.
Hart: I think it also would be good to understand why ICE got included in Project Glasswing.
Pugh: I think it’s a sort of nod from Anthropic and others, certainly at high levels of government, that we are a critical company on the national and international stage. Getting Mythos in our hands early helps give us a head start in finding and fixing some of these vulnerabilities that other models may discover in time. We’ve got about nine months before open-weight models are freely available to everyone. So we’re trying to get ahead of that. As a systemically important financial market utility and owner of the New York Stock Exchange, it was important for us to get into the program early and start testing and providing feedback.
Wolak: Does participation in the partnership create new standards or best practices that you think could eventually benefit the broader mortgage ecosystem? Or is there work to address these capabilities to be applicable to the mortgage market?
Pugh: I think it’s going to go both ways. There have been a lot of lessons learned around how to handle vulnerabilities we discover and the quickest way to remediate them. It’s not just ICE software — we’re also looking at open-source software that everyone uses. Pretty much every participant in Glasswing is looking at open source, and that vibrant community will benefit from vulnerabilities being discovered and fixed.
Over time, this will trickle down, and everybody will be at a new standard. The one thing Mythos has showed us is that we can’t just sit back and use the same security paradigms we have historically. It’s a brave new world and we need to be positioned to essentially deal with the onslaught of vulnerabilities.
Wolak: How does ICE validate AI findings and avoid false positives?
Pugh: A lot of people’s immediate reaction is just to fix everything that Mythos finds. That’s not the most judicious way to do it. Maybe sometime we’ll get there, but there has to be prioritized remediation. How you would treat a remote code execution vulnerability is different from a simple inefficiency.
One of the nice things about Mythos is that it can create a proof-of-concept exploit for the vulnerability, so you know it’s real. … It’s running an adversarial run against the findings to try to eliminate the false positives, and so what you’re left with at the end of all of this is a really tight, consolidated viewpoint of the vulnerabilities and what’s real versus what’s potentially a false positive.
Hart: I’ll piggyback a little bit off your previous question around security questions coming out of the boardroom. While I’m not seeing as many yet, although we are starting to see more, particularly on the depository side, I do think regulators are going to start digging into this more … so I think safety and soundness around customer data is going to become more of a focus.
I think back to Steve’s point that, even from the top down, from our CEO down, in terms of protecting both our customers and the consumer data that we have, I think this will become a much larger conversation in mortgage going forward, particularly now that Mythos is getting more press.
Wolak: Internally, what metrics will ICE use to determine whether its participation in the program has been successful? How will that influence feedback given to Project Glasswing?
Pugh: Metrics are something we think about a lot, and I think the efficacy of the model and finding the real stuff is probably the truest measure. And then the question becomes, “What made that better than hiring a team of pen testers? What made that better than using an application like a static and application security scanning tool?”
And the way that we’re thinking about that right now is one, as you mentioned, the false positives. Is the output of the model giving us what we would want to know about? The other thing is the speed: Is it finding stuff faster than our other tools are finding it? And then the third is, are we able to actually turn that into a fix fast enough for the benefit of our customers?
We have pretty good confidence in what it costs to find a critical vulnerability in our software and things like that. It’s still pretty early days, but I’m really interested in those numbers. So we’re looking at it from a number of different angles, and certainly feeding that back to the other participants within Glasswing as well as Anthropic themselves.
Wolak: Broadly speaking, what does ICE’s participation in Project Glasswing mean for the broader mortgage industry?
Hart: If you think about the customer base that we have — and you think about the consumers that are leveraging our technology from origination all the way through servicing — we think what it means for the industry is we’re taking cybersecurity incredibly seriously. Steve and his team worked with the Anthropic team to get us into Project Glasswing. Our security posture is critical.
I do believe our customers expect us to be at the forefront of this, because they don’t want their name to be on a headline. And they also don’t want to have to deal with the fallout — both from a reputation perspective but also a financial perspective of a vulnerability or an exploit that’s discovered.
Pugh: I think the results will be a new high-water mark for security standards across the mortgage industry. I think that customers will come to expect a high level of security, and I don’t think you could be in the mortgage business without coming with a very mature security backing.
Mythos certainly has the first mover advantage with Project Glasswing, but OpenAI has Daybreak. We’re also part of that program, and so as we look to deploy additional capabilities, ICE is going to continue to lean forward with these various models to ensure that our customers and our customers’ data are as secure as they can be.