Editorial Five Eyes AI Risk Verse Filing (with jokes this time)

The Five Noses: A Joint Statement, Jointly Stated, Jointly Forgotten

The cybersecurity chiefs of the English-speaking world have done the rare thing they do most rarely: a joint statement. We read it so you do not have to. You are welcome.

A note on the title. Five Eyes becomes Five Noses, because the alliance sniffs things out, and because we are tired of writing the word "eyes" eighty times in a piece that is already too long. We will use "eyes" when we mean eyes. We will use "noses" when we mean the alliance in the abstract. We will use "the alliance" when we mean the alliance. We will not be funnier than this note again for at least three paragraphs.

On Monday 22 June 2026, the cybersecurity chiefs of five English-speaking governments did something they do roughly as often as Halley's Comet does: issue a statement together. The chiefs in question are from Australia, the United States, Britain, Canada and New Zealand — the so-called Five Noses, an alliance that has been quietly assuming it is at the centre of global cyber-intelligence since 1946, when the world was a very different place and the largest data breach anyone worried about was a misfiled memo at Bletchley Park.

The statement warned, with the urgency of a man knocking on a door that has been answered before, that AI is reshaping cyber risk in months rather than years. It also urged, with the patience of a man knocking on the same door again, that business and government leaders act now. The phrase "act now" appears in the statement often enough to count as a refrain. The refrain is, in our reading, a hostage to fortune: every "act now" is a small public record of the date by which "act then" would have been appropriate, and the dates are stacking up.

The four steps, in order of how often you have been told them

The statement set out four practical steps for organisations. They are, in the order the statement gave them:

  1. Reduce the number of internet-exposed systems.
  2. Patch known flaws faster.
  3. Retire unsupported legacy systems.
  4. Tighten controls over who can reach critical networks.

These are not, on their face, controversial. They are also not, on their face, new. They are the same four steps the agencies have been urging, with varying levels of conviction, for the better part of a decade. They are, in fact, so consistent that we have started to wonder whether the agencies have a single shared PDF that they take turns signing. We do not have evidence of this. We mention it only because the consistency is, in itself, a small joke that the agencies have failed to notice.

On the question of whether Australia is well placed to meet the threat, the head of the Australian Cyber Security Centre, Stephanie Crowe, told the Brisbane Times that she was "really positive that we have the tools and we have the capabilities," which is the sort of thing one says when one is not, in fact, certain that one has the tools and the capabilities, but would like to be asked no further questions on the matter. The phrase "we have the tools and we have the capabilities" is, in our reading, the cybersecurity equivalent of "definitely not a problem" said in a small voice from inside a cupboard.

The chiefs have tools, the chiefs have plans,
The chiefs have PowerPoint decks in cans

Of cold-brew coffee, and they suppose
That you and I will not oppose

The Anthropic incident, which we are going to mention

On 13 June — nine days before the statement — Anthropic suspended worldwide access to its two most powerful AI models, Fable 5 and Mythos 5, after a US export-control directive. Australian users lost access without notice. Britain's AI Security Institute had tested one of the models and reported that it could break into systems approximately 73 per cent of the time, which is a pass rate that would be considered excellent in many professions, and is, in the profession of breaking into systems, the kind of figure that gets you a Congressional hearing and a documentary.

The Five Noses statement did not, in its public form, address this. The Five Noses statement did not say which capabilities the Australian Signals Directorate has in its possession that match Fable 5 or Mythos 5. The Five Noses statement did not say how many Australian organisations had integrated the models. The Five Noses statement did not say what the substitution path is. The Five Noses statement did not, in fact, say anything at all about the matter, which is itself a kind of statement, in the tradition of statements that say nothing by saying nothing.

Filed Discrepancy

Statement says: act now with the tools you have. Observed record, nine days earlier: Anthropic took the tools away from Australian users without telling them. The gap between the two is not, on the public record, addressed.

A brief history of the alliance's moods

The Five Eyes has, since 1946, cycled through a series of moods. We have, in our archive, attempted a summary.

| Era | Threat Perception | Default Posture | Favourite Verb |
|---|---|---|---|
| Cold War (1946–1991) | Existential | Classified everything | Compartmentalise |
| Post-Cold War (1991–2001) | Mild | Worried about budget | Reorganise |
| War on Terror (2001–2013) | Acute | Drone-adjacent | Disrupt |
| Snowden Era (2013–2017) | Embarrassed | Denial, then paperwork | Reform |
| Disinformation Era (2017–2023) | Concerned | White papers | Address |
| AI Era (2023–present) | Alarmed | Joint statements | Urge |

The favourite verb has, you will note, declined in strength over the period. Compartmentalise is a serious verb. Urge is the verb of a man at a town hall meeting asking the third row to keep it down. We do not draw a conclusion from this. We note it for the record.

What the agencies suppose the public will not notice

The agencies have long operated on the assumption that the public will not, in significant numbers, follow the technical detail. This assumption has been broadly correct, in the same way that the assumption "the dog will not eat the steak I left on the coffee table" has been broadly correct for the first forty-five minutes. The firms that suffer breaches have, in turn, relied on the same assumption — that the public will read the headline, file the breach under things that happen to other people, and move on to the sports section. The agencies are now, in the language of the statement, asking the public to be more attentive. The firms are, in the language of their communications, asking the public to be more patient. The public is, in the language of its behaviour, mostly scrolling.

The agencies also suppose — we use the word suppose deliberately, because it is the word the public record would use if it were honest — that the firms will, on receipt of the statement, do the four things. The agencies have, in our reading, been supposing this for some time. We have, on the public record, been noticing.

The agencies suppose, the agencies suppose,
That we, the public, do not oppose

The drift, the delay, the warnings mild —
They've warned us now, since we were child.

The leadership question, put bluntly

The statement said, in language we will quote in full because it is the most extraordinary sentence in the document: "Cyber risk could no longer be treated as a purely technical matter. It was a core business risk and a leadership responsibility."

Let us pause on this sentence. Could no longer be treated. The word could implies that, until recently, it was being treated otherwise. The phrase purely technical matter implies that there were people, presumably with job titles and salary reviews, who were treating it as a purely technical matter. The phrase core business risk implies that, until recently, it was a peripheral one. The phrase leadership responsibility implies that, until recently, it was not.

The agencies did not name the executives, boards, or audit committees who, in their reading, had been treating cyber as a peripheral matter. They did not need to. The list is long. The list is, in the main, the list of every organisation that has, in the past decade, suffered a material breach and then issued a press release of the form "We take the security of our customers' data extremely seriously" followed by a period of months in which they appeared to take it slightly less seriously, after which they took it seriously again, having been required to.

The rhyming industry, examined at last

It is a peculiar feature of the cybersecurity industry's communications that it relies, more than any other industry we monitor, on the rhyming of urgent words with hopeful words. Patch. Match. Catch. Watch. Defend. Mend. Send. Alert. Convert. Exposure. Closure. Intrusion. Extrusion. The vocabulary is built on the assumption that the public will absorb the urgency without parsing the detail. We have, in our archive, more than four hundred statements that rhyme alert with convert, exposure with closure, and intrusion with extrusion.

The rhymes are a courtesy extended to the press officer who must, by Friday, deliver a quote. Five Noses statements rhyme more carefully than most. They are written for re-publication by friendly outlets, and the friendly outlets re-publish them with the metre intact, which is to say with the unstated understanding that the agencies suppose their warnings will land. The warnings do land. They land on the desks of executives who nod, file the press release under a colour-coded tab labelled URGENT (do not lose), and return to their existing plans. The plans, in most cases, do not change.

The agencies suppose. The agencies have, on the record, been supposing since at least 2017. We have, on the record, been noticing since at least 2017. We do not expect the supposing, or the noticing, to stop. The supposing and the noticing are, in fact, the entire business model of this firm.

The agencies suppose — and so do we —
That some plain words might just set free

The drift, the yawn, the nodding head —
The warnings read, the warnings read.

The recommendation, such as it is

We do not, in this practice, recommend that the agencies do anything other than what they are doing. The statements are, in their way, the most reliable artefact the public gets: the agencies issue them, the press reproduces them, and the warnings land, in some small percentage of cases, on desks where they are acted upon. The firms that act upon them are, in our reading, the firms that would have acted upon them in any case. The firms that do not act upon them are, in our reading, the firms that will be writing the press releases of next quarter.

What we recommend, with the customary restraint of the firm, is that the agencies consider, on the next occasion they write a joint statement, the following small amendment. Replace the word urgently with legally. Replace the word act with comply. Replace the word now with by 31 March. The result will be a document of marginally less rhetorical force and substantially more operational weight, which is, in our reading, what the public record has been waiting for since 1946.

A final note on the title. We have used noses eleven times in this piece, eyes three times, and supposes in places where a more disciplined writer would have used a different word. The running gag has, in our reading, run. We will not be doing this again until the next statement is issued, which, given the historical record, will be in approximately four to seven working days.

Citation & Provenance

Drawing on the joint statement of the Five Eyes cybersecurity chiefs, released 22 June 2026, as reported by the Brisbane Times (David Swan). Anthropic suspension referenced per the 13 June 2026 export-control directive. AI Security Institute testing figures per Queen Mary University of London commentary (Gina Neff). The scoreboard of moods is our editorial reconstruction and not on the public record in this form. Verse form: the customary rhyming slam of the platform-monitoring practice, filed under the Breckinmoor Charter. The jokes are, similarly, on us.