Encryption, spyware, and now Mythos: History shows why cyber export control doesn’t work

Last Friday, citing unspecified national security concerns, the White House ordered Anthropic to restrict the export of its powerful AI models Fable and Mythos to anyone outside of the United States, as well as foreign nationals inside the country. Shortly after, the AI giant hastily pulled the plug on both models, which have now been unavailable to anyone for a week.

The episode is the first real test of whether the U.S. government can use export controls to contain frontier AI the way it has tried, with very uneven results, to contain encryption and spyware before it. And dramatic as it may sound, how this standoff gets resolved could shape not just Anthropic’s access to foreign markets but the rulebook that other AI labs will have to build around.

Some context first. Ever since Anthropic launched Mythos in April, the company has marketed it as some kind of Doomsday cyber machine that could wreak havoc on the internet if released too widely — which is why, before the ban, only around 150 vetted companies and government organizations had access to it at all. The goal was helping defenders secure their software and services before the bad guys could reach Mythos-like capabilities.

So what triggered the ban? Two subsequent events, reportedly. The first: Anthropic gave a South Korean telecom access to Mythos through its limited partner program, and U.S. officials grew alarmed after identifying the company as one they suspected had ties to China. (The company, widely reported to be SK Telecom, has denied any China connection.) Amazon CEO Andy Jassy also reportedly alerted the administration after Amazon’s own researchers, he said, found a way around Fable 5’s safeguards. Anthropic disputes the “jailbreak” label, calling it a narrow, already-patched issue rather than a wholesale defeat of the model’s safety measures.

The result was the same: the Commerce Department issued an export control directive, and Anthropic had to scramble to immediately limit access to its products within roughly 90 minutes of being notified, by some accounts.

None of this is new, though. Governments have tried to use export controls to limit the proliferation of what they see as dangerous cyber technology for decades, but their track record has been middling at best.

The U.S. government was behind what is perhaps history’s most spectacular failure of this approach in the early to mid-1990s. At the time, computer scientists were developing encryption technologies to secure data as it traveled over the internet. One of those encryption products was called Pretty Good Privacy, or