Encryption, spyware, and now Mythos: History shows why cyber export control doesn’t work

Encryption, spyware, and now Mythos: History shows why cyber export control doesn’t work

The U.S. government’s recent decision to restrict Anthropic’s access to its most advanced AI models, Fable and Mythos, is the latest chapter in a long-running struggle to control the spread of powerful cyber technologies — a battle that has been fought before with little success. Mythos, designed to help secure software infrastructure, was already limited to just 150 vetted organizations, yet the government still intervened, raising questions about the effectiveness of export controls in an era of rapidly evolving digital tools.

The Mythos Ban and the Limits of Export Controls

The ban, issued under the guise of national security, highlights the inherent limitations of export controls when it comes to regulating software that can be replicated, shared, or reverse-engineered with relative ease. Anthropic had already implemented strict access controls, limiting Mythos to just 150 vetted organizations, yet the government still found cause to intervene. This suggests that the criteria for such restrictions are as much about geopolitical strategy as they are about actual risk.

The immediate consequence has been a disruption in the availability of Mythos, which was designed to help secure software infrastructure. But the broader implications are about how the U.S. attempts to use export laws to maintain a competitive edge in AI — a field where other nations, notably China, are rapidly catching up.

A History of Futility in Cyber Export Controls

The U.S. government’s approach to controlling cyber technologies is not new. In the early 1990s, the Crypto Wars emerged when the government tried to block the spread of encryption software like PGP. Officials feared that strong encryption would make it harder for intelligence agencies to monitor communications. But when the source code was published and encryption gained widespread use, the government was forced to retreat, recognizing that it could not stop the global adoption of secure digital communication.

Similarly, the Wassenaar Arrangement — an international treaty meant to regulate the export of dual-use technologies — failed to prevent the spread of spyware. Despite its intent, the agreement’s reliance on voluntary compliance and the lack of enforcement mechanisms allowed countries like Israel and Saudi Arabia to become hubs for surveillance software.

• Spyware companies have moved operations to countries with lax regulations.
• European nations have been slow to act on spyware exports.
• Even when laws are passed, enforcement is often inconsistent or ineffective.

The Future of AI and the Illusion of Control

With AI’s rapid evolution, the U.S. government may be repeating history. The Mythos ban is a clear indication that the administration is trying to assert control over the flow of advanced AI models — but the reality is that these technologies are not as easily contained as hardware or traditional weapons.

If the government continues down this path, it risks creating a regulatory quagmire that could stifle innovation and push AI development underground or offshore. In the end, the real challenge is not in controlling the spread of software, but in ensuring that when these powerful tools are used, they are used responsibly — a task that no export control can fully address.

The Mythos episode may be a cautionary tale for policymakers. As AI becomes more ubiquitous and more powerful, the U.S. may find itself facing the same dilemma it did with encryption and spyware: the more it tries to control the flow of technology, the more it accelerates its leakage — and the more it undermines its own strategic advantage.