A Thirty-Year Pattern Governments Can't Seem to Shake
There is a particular kind of optimism that drives export control policy — the belief that if a government can just draw the right line on a map, dangerous technology will stay safely on one side of it. For cybersecurity software, that optimism has been tested repeatedly over the past three decades, and repeatedly it has come up short. The story of encryption export controls, from the PGP wars of the early 1990s to today's conversations around Anthropic's restricted AI model Mythos, reads less like a cautionary tale and more like a loop that policymakers refuse to exit.
The Crypto Wars: Where It All Began
To understand why export controls on cybersecurity tools so rarely work, you have to go back to Phil Zimmermann and Pretty Good Privacy. In 1991, Zimmermann released PGP, a free encryption program that put military-grade cryptographic protection in the hands of ordinary civilians. The United States government was not pleased. At the time, strong encryption was classified as a munition under the International Traffic in Arms Regulations (ITAR), meaning exporting it was legally equivalent to shipping a weapon overseas.
What followed was a years-long standoff between the government and the cryptographic community — one the government ultimately lost. Zimmermann's supporters found a creative workaround: they printed the PGP source code in a book, exported the book (protected as free speech), and had it scanned and compiled on the other side. The software spread globally anyway. By the late 1990s, the Clinton administration quietly walked back the most restrictive export rules, acknowledging that the cat was already out of the bag.
The Bernstein Case and the Legal Reckoning
The PGP episode wasn't just a practical embarrassment for policymakers — it generated a legal one, too. Mathematician Daniel Bernstein sued the U.S. government over restrictions that prevented him from publishing his own encryption algorithm, Snuffle. In 1996, a federal court ruled that source code constituted protected speech under the First Amendment. Cryptography, the court recognized, is a form of expression. Export controls that functioned as prior restraint on speech faced serious constitutional headwinds.
That ruling, combined with the obvious reality that encryption software was already available worldwide, forced a regulatory rethink. The technology had escaped. No amount of paperwork was going to bring it back inside U.S. borders.
The Pattern Repeated: Security Tools Keep Crossing Borders
The post-PGP decades offered no shortage of repeat performances. Security research tools, vulnerability frameworks, penetration testing software — all of them have consistently found their way across the jurisdictions meant to contain them. Metasploit, for instance, began as an open-source project and became a global standard in security testing. Intrusion detection systems, firewall bypass techniques, and zero-day research have circulated across international boundaries through academic papers, open-source repositories, conference talks, and private markets with remarkable ease.
Even when the export controls weren't being circumvented by idealistic researchers, they were being circumvented by commercial pressure. Foreign companies simply built competing tools. The Wassenaar Arrangement, the multilateral export control regime that covers dual-use technologies including cybersecurity tools, has been criticized consistently by security professionals for being both overbroad and underenforced. It routinely captures legitimate defensive research while doing little to prevent the actual proliferation of offensive capabilities.
Enter Anthropic's Mythos: A New Target for Old Thinking
This brings us to the present moment. Anthropic has developed Mythos, an advanced AI model with significant cybersecurity capabilities. Recognizing the sensitivity of the technology, Anthropic has made Mythos available only to a limited number of trusted organizations through Project Glasswing, rather than releasing it to the general public. The logic is understandable: a model with deep offensive and defensive security knowledge, in the wrong hands, could cause serious harm.
But observers of the long history described above are entitled to ask a pointed question: will restriction work here any better than it has worked before?
There are genuine arguments that AI models present a harder containment problem than software code ever did. A trained model is not a printable source file; the weights represent billions of parameters that encode knowledge in ways that are not trivially reproduced. The argument goes that, unlike PGP, a frontier AI system cannot simply be photocopied into a paperback and shipped across the Atlantic.
Why Skepticism Remains Warranted
And yet the structural incentives that defeated past export controls haven't disappeared. Consider the following dynamics that history suggests will reassert themselves:
- Independent development: Well-resourced foreign actors — state or commercial — are not waiting for access to Mythos. They are building their own equivalents. Export controls slow diffusion; they do not stop parallel development.
- Knowledge leakage: The research community around large language models and AI security is internationally distributed. Papers, preprints, conference proceedings, and informal knowledge-sharing mean that the conceptual advances underlying a model like Mythos will not remain proprietary indefinitely.
- Commercial pressure: The history of cryptography shows that whenever a capability is genuinely useful, market forces find ways to make it available. Security professionals who need advanced AI tools will find them, whether from Anthropic's controlled release or from an alternative that fills the gap.
- The dual-use problem: Defensive and offensive security capabilities are not easily separated. Any model sophisticated enough to find vulnerabilities is sophisticated enough to exploit them. Controls focused on the offensive application are inherently difficult to enforce when the underlying capability is the same.
What Actually Works — and What Doesn't
None of this is an argument against thoughtful access controls. Anthropic's caution with Mythos through Project Glasswing reflects a genuine attempt to introduce a powerful technology responsibly, rather than through an indiscriminate public release. That kind of graduated, trust-based deployment is meaningfully different from a government export prohibition and may prove more durable.
What history does argue against is the illusion that any technical or legal restriction on cybersecurity software creates lasting, reliable containment. The more realistic goal is slowing proliferation, shaping norms, and ensuring that the most responsible actors are the best-equipped ones for as long as possible. It is a race, not a wall.
The Lesson Policymakers Keep Refusing to Learn
From PGP to Mythos, the central lesson of three decades of cybersecurity export controls is frustratingly consistent: determined actors get the technology, the controls impose costs primarily on legitimate users and researchers, and the window of exclusivity is always shorter than the architects of restriction hope. The question worth asking today is not whether Mythos can be contained, but whether the current moment can be used productively — to establish norms, build trust, and ensure that the institutions deploying the technology are equipped to do so responsibly.
That is a harder, slower, less satisfying project than drawing a line on a map. History suggests it is also the only one that has any chance of actually working.