No one hacked the NSA

The NSA lost access to Mythos. The cause was not an intrusion. No CVE, no exploit primitive, no record exfiltrated. Access was revoked at the control plane by a third party in the dependency chain, reportedly amid a commercial dispute involving Anthropic. The specifics - which entitlement was pulled, the exact downstream scope, the contractual fault - are not confirmed. The mechanism is, and the mechanism is the point.

This is a supply chain failure. Not the version that ships a trojanised package or a substituted scanner binary. The version where a dependency the consumer does not control decides the consumer no longer has access. The decision propagates at API latency. No malware required.

The framing in circulation is that this exposes weak assumptions about third-party security. That framing is half right and aimed at the wrong axis. Confidentiality held. Integrity held. Nothing was read that should not have been read, nothing was modified. The failure was availability - and availability of an external dependency is a property the external party owns, not the consumer. The consumer holds a contract. The provider holds the switch.

Treat the dependency as what it is - a control surface operated by someone else. Every managed service, API entitlement, license server, model endpoint, and SaaS control plane in a stack is code and policy running under an identity the consumer does not administer. When that service is queried, the request is authorised or denied by logic on the far side of a trust boundary. The consumer sees a 200 or a 403. The consumer does not see, and cannot veto, the decision behind it.

Map this to CWE. CWE-1357, reliance on a component without adequate control over its provenance and behaviour. CWE-829, inclusion of functionality from an untrusted or externally-controlled sphere. These are usually read as integrity classes - the worry is malicious code entering the boundary. Read them again for availability. The same uncontrolled component that can inject can also withdraw. The trust boundary is bidirectional. A dependency that can serve you can stop serving you.

The control-plane versus data-plane split is where the exposure concentrates. Data-plane dependency is visible - requests, responses, throughput, latency. Control-plane dependency is the entitlement check that gates the data plane, and it is mostly invisible until it denies. Authentication, license validation, quota enforcement, contractual access state. A consumer can monitor every byte of the data plane and never observe the control-plane condition that is one policy change away from returning denied on every call. By the reported account, Mythos did not degrade. It stopped. That is a control-plane revocation signature, not a data-plane fault.

The revocation itself is a small write. On the provider side, severing a consumer takes no exploit - it is a state change in an entitlement table. An OAuth grant is revoked. A bearer token is invalidated server-side before its expiry. A tenant is flagged disabled. An API key is rotated out of the allow-list. Each is a single authoritative mutation, and each takes effect on the next request without cooperation from, or notice to, the consumer’s runtime. The cached credential is still syntactically valid. It is semantically dead. The gap between those two states is where every retry, refresh, and reconnect loop spins uselessly.

The named upstream is a model provider. That detail sharpens the class rather than changing it. A model API is a control-plane dependency with the same shape as a license server or an identity provider - a metered, entitlement-gated endpoint whose availability is governed by a contract the consumer does not write. An application built on a single model endpoint inherits that endpoint’s access state wholesale. If the capability the application delivers is the model’s capability, the provider’s decision to stop serving is the application’s decision to stop functioning, transmitted without consent. The dependency is not a library that can be vendored and frozen at a known-good version. It is a live service, and the version that matters is the contractual one.

The path from dispute to outage is short. A contractual disagreement resolves, on one side, into a configuration change - an account flag, a revoked key, a disabled tenant. That change is authoritative the instant it is written. There is no negotiation layer between the provider’s policy state and the consumer’s runtime. The consumer’s next request carries a credential that was valid and is now refused. Retries do not help. Failover does not help if the failover target depends on the same upstream. The dependency was a single point of control, and the point was exercised.

This is not novel. It is recurrent and documented. The Okta compromises mapped to MITRE T1199, trusted relationship - adversary value came from the identity provider’s position in the chain, not from any flaw on the consumer side. Cloudflare control-plane outages have taken down properties with no fault of their own, because the dependency’s availability was the consumer’s availability. Different cause, same structure. When a third party sits in the critical path, that party’s state - compromised, misconfigured, or contractually withdrawn - becomes the consumer’s state.

MITRE ATT&CK has a technique for the access-removal case. T1531, account access removal - an adversary revoking, locking, or deleting access to deny a target use of its own resources. The Mythos outcome is functionally that technique, executed not by an intruder but by the legitimate holder of the access-granting position. The defensive lesson does not care about intent. A SOC that models T1531 only as a malicious post-compromise action will not have instrumentation for the same outcome arriving through a contract. The telemetry is identical. The runbook is not.

What this produces in telemetry is the tell. There is no Sysmon Event ID 1 for a process that should not exist, no Event ID 10 for anomalous LSASS access, no EDR alert category that fires. The signal is application-layer. HTTP 401 and 403 returns where 200 was the baseline. Authentication failures clustered in time and originating from the provider, not from credential-stuffing volume. Control-plane API errors. A sharp transition from uniform request success to uniform denial across every call to one upstream, with the consumer’s own systems healthy. Packet captures show TLS sessions completing and the application response carrying the rejection. The packets are clean. The entitlement is gone.

That is the detection gap. Monitoring is overwhelmingly tuned to confidentiality and integrity events - process creation, file writes, lateral movement, exfil volume, anomalous authentication into the environment. Availability loss from an external dependency resembles none of those. It looks like the application working correctly and being told no. Most SIEM correlation rules will not fire on a clean 403 from a sanctioned vendor endpoint, because on any normal day that is expected traffic. The blind spot is structural. The stack watches for the breach and does not watch the dependency’s right to remain in the path.

Most dependency inventory stops at build time. An SBOM enumerates the libraries linked into an artifact - useful for tracing a CVE in a transitive package, useless for this class. The Mythos failure was not in a linked library. It was in a live runtime relationship with an external control plane that no SBOM records, because the dependency is not in the binary - it is a network call to a service governed by a contract. The artifact that matters here is a runtime dependency map: every external entitlement the system calls, who administers it, what the system does when it returns denied, and whether a second source exists. Few stacks maintain one. The ones that do can answer what breaks if this provider cuts us off in minutes. The ones that do not learn the answer in production.

For critical-infrastructure operators the availability of upstream dependencies is not only an engineering concern. Under the SOCI Act, operators of regulated assets carry obligations to manage material risks to the availability of their systems, and a single-source external dependency with a contractual kill switch is a material risk by any honest reading. The Privacy Act dimension is narrower - no personal information appears to have been disclosed - which is precisely why this incident sits outside the reporting reflexes most teams have built. A breach triggers notification machinery. A revocation triggers a support ticket. Where the dependency sits in a critical path, that asymmetry is itself the risk, and it belongs in front of the security and resilience teams that own continuity, not the procurement thread that opened the dispute.

There is no patch boundary here. That is what separates this class from a memory-corruption CVE. A type confusion gets a point release and the window closes. A dependency that can revoke access has no fixed version that removes the capability - the capability is the relationship. The residual exposure after the immediate Mythos event is resolved is every other place in the stack with the same shape: one external provider, one control plane, one entitlement, no fallback. The dispute is incidental. The architecture is the vulnerability.

The thesis that this is about assuming dependencies are secure understates it. The assumption that failed was that secure - confidential, intact, un-breached - was the dimension that mattered. For a dependency in the critical path, availability under someone else’s control is the dimension that mattered, and it was never the consumer’s to assure. Mythos did not get breached. It got switched off. The defenders watching for the first event were structurally blind to the second. That is the finding, and it applies to every third-party endpoint in production that has never once been modelled for the day it returns denied.

See also: NordVPN for tunneled traffic when operating outside controlled networks.

---

#ad Contains an affiliate link.