Encryption, spyware, and now Mythos: History shows why cyber export control doesn't work

The recent discussion surrounding Anthropic’s cybersecurity model, Mythos, has reignited a familiar debate in the tech policy world. Critics are raising alarms about the potential for this advanced AI to be weaponized by malicious actors. This concern is not new, but the proposed solution of strict export controls is deeply flawed according to historical precedent.

For the last thirty years, governments have attempted to stop the flow of cybersecurity-related software across borders. These efforts have consistently proven to be ineffective in preventing misuse. The technology has always found a way to spread, often through open-source communities or dual-use commercial channels. Restricting it now seems like a repetition of past mistakes.

According to reporting on the topic, the core issue is that cybersecurity tools are inherently dual-use. The same capabilities that help defend networks can also be used to exploit them. This ambiguity makes it nearly impossible to draw a clear line between legitimate commercial software and malicious code. Any attempt to censor the flow of such tools creates more problems than it solves.

The argument for controlling Mythos ignores the reality of modern software distribution. Code can be replicated, shared, and adapted in minutes. A ban in one country does nothing to stop developers in another from creating similar models. In fact, such bans may drive innovation underground, making it harder to audit or secure these tools. Transparency is a far better defense than secrecy.

Furthermore, restricting access to advanced AI models hinders the very researchers who need them to build defenses. Security professionals rely on cutting-edge tools to understand emerging threats. By limiting their access, we weaken our collective ability to protect against cyberattacks. This approach ultimately makes the global digital infrastructure more vulnerable, not less.

The history of encryption export controls offers a clear lesson here. Attempts to ban strong encryption in the nineties failed because the market demanded it. The technology evolved regardless of government restrictions. Today’s AI models are even more powerful and easier to distribute. Trying to contain them through export laws is a losing battle.

What this means for you: Instead of fearing the spread of AI tools, focus on building robust security practices. Use AI assistants to audit your own code and identify vulnerabilities before they are exploited. Try this prompt with your AI assistant: "Analyze this Python script for potential security flaws and suggest three specific patches to mitigate them." This proactive approach is far more effective than hoping for regulatory barriers to keep threats at bay.