Three decades. That's how long the U.S. government has been trying to lock down the digital frontier, and three decades of failure. From the Crypto Wars of the 1990s to the spyware skirmishes of the 2010s, the pattern is as predictable as a sunrise: Washington declares a new security threat, slaps export controls on some piece of software, and then watches helplessly as the code leaks out anyway.
Now, it's Anthropic's turn. The AI safety darling has developed a cybersecurity model codenamed Mythos, a piece of software so powerful that the Bureau of Industry and Security has slapped it with an interim final rule: no exporting without a license. The rationale? National security. The reality? A rehash of every failed policy that came before it.
Let's be clear: Mythos is not the first piece of software to terrify the suits at the Department of Commerce, and it won't be the last. The history of cyber export control is a graveyard of good intentions and porous borders.
Pretty Good Privacy and the First Crypto War
The year is 1991. A programmer named Phil Zimmermann releases a piece of encryption software called Pretty Good Privacy, or PGP. It's a tool that allows anyone with a computer to encrypt their emails so that only the intended recipient can read them. Sounds like a basic human right in a digital age, right? The U.S. government didn't think so. They classified PGP as a munition—yes, a weapon on par with a tank or a missile—and launched a criminal investigation into Zimmermann for violating the Arms Export Control Act.
The government's logic? Strong encryption in the hands of foreign nationals could be used by terrorists and drug cartels to hide their communications. The result? Within months, PGP had been smuggled out of the U.S. on floppy disks, posted to Usenet groups, and printed in books that were shipped overseas. The code escaped faster than the government could draft the regulations. By the time the investigation was dropped in 1996, the genie was not only out of the bottle—it had built a fortress of its own.
The lesson: export controls on software don't stop the technology; they just ensure the rest of the world builds it first.
The Surveillance Industry's Loophole Economy
Fast forward to the 2010s. The threat du jour is spyware—commercial surveillance tools like Pegasus from the Israeli firm NSO Group. The U.S. government, horrified that these tools were being used to hack the phones of journalists and dissidents, added NSO and other spyware vendors to the Entity List, effectively banning American companies from doing business with them.
But here's the thing: NSO is an Israeli company. They weren't exporting from the U.S. They had their own supply chain, their own developers, and a growing client list of authoritarian regimes. The U.S. export controls? They mostly hurt American companies that might have competed in that market. The spyware industry kept thriving—just with fewer American players. The result? A booming global market for surveillance tech, with zero U.S. leadership or oversight.
The same pattern repeats with Mythos. The U.S. can restrict exports of Anthropic's model, but that doesn't stop a team of engineers in Beijing, Moscow, or Tel Aviv from building something similar. The only difference might be safety standards. American AI companies like Anthropic have invested heavily in red-teaming and safety evaluations. Their Chinese and Russian counterparts? Not so much. By restricting exports of the safer model, the U.S. may inadvertently push the world to adopt less regulated, more dangerous alternatives.
The Open Source Paradox
And then there's the elephant in the room: open source. Mythos is a model, not a physical object. It lives on servers, in code repositories, and in the brains of the engineers who built it. Trying to control its export is like trying to stop a rumor at a high school. Once the model's architecture or training methodology is published—even partially—it can be replicated anywhere.
The open source community has already proven this with large language models. When Meta released LLaMA, it was supposed to be gated. Within days, a researcher leaked the weights on 4chan. Now, anyone with enough compute can run their own version. Mythos will face the same fate. The only question is whether the restrictions slow it down by weeks or months.
This is the fundamental paradox of cyber export control: the more you lock down a technology, the more you incentivize the underground to crack it open. The U.S. can't secure the entire digital ecosystem by fiat. It can only choose between leading the conversation or leaving the room.
A Smarter Approach
None of this means the U.S. should just roll over and let anyone export every piece of powerful software. There are genuine national security concerns. But the current approach—shoehorning 21st-century code into 20th-century arms control frameworks—is a fool's errand. What's needed is a strategy that acknowledges the reality of a connected world.
That means investing in international norms and treaties for responsible AI development. It means building export controls that focus on outcomes—like preventing the use of AI for autonomous weapons or mass surveillance—rather than trying to stop the code itself. And it means recognizing that the safest AI is the one that's been stress-tested by the most people, not the one locked in a vault.
The Mythos controversy is a wake-up call. The U.S. can either repeat the mistakes of the past three decades, or it can finally write a new chapter. My bet? If history is any guide, we'll see the same old story—just with a different name.
