Risk of Repeating PGP's Mistakes with Export Restrictions on Anthropic's Mythos
The White House has banned the export of Anthropic's AI models Mythos and Fable. Past failures in encryption export controls cast doubt on the effectiveness of this move.
On June 19, 2026, citing national security concerns, the White House issued a directive prohibiting Anthropic from exporting its advanced AI models Mythos and Fable overseas. Within approximately 90 minutes, the company blocked access to both models, restricting their use not only internationally but also for foreign nationals within the U.S. This marks the U.S. government’s first attempt at imposing export controls in the frontier AI sector, potentially influencing the future regulatory landscape of the AI industry.
Background of the Export Restrictions
Anthropic introduced Mythos this past April, positioning it from the outset as a tool that, if widely released, could cause significant harm to the internet. Prior to the restrictions, access to Mythos was strictly limited to about 150 carefully vetted companies and government organizations. The aim was to allow defenders to strengthen their systems before malicious actors could acquire similar capabilities.
Two incidents reportedly triggered the export ban. The first was Anthropic granting SK Telecom, a South Korean telecommunications company, access to Mythos. U.S. authorities became wary of SK Telecom due to suspected ties with China, although the company has denied any such connections.
The second trigger came from Amazon CEO Andy Jassy, who reported to the White House that Amazon researchers had discovered a way to bypass the safeguards of Anthropic’s Fable 5 model. While Anthropic denied this as a “jailbreak,” calling it a “narrow, localized, and already fixed issue,” the U.S. Department of Commerce issued the export restriction directive, forcing Anthropic into immediate compliance.
Historical Limits of Export Controls
This incident recalls the repeated failures of export controls on cyber technologies throughout history.
One of the most notable examples is the early 1990s case of PGP (Pretty Good Privacy). PGP, a leading encryption technology used to secure online data, was classified by the U.S. government as a “dangerous weapon” that hindered intelligence agencies’ ability to intercept communications. Efforts to block its distribution abroad escalated to the point of customs investigations.
Three decades later, government attempts to control encryption exports have largely failed. The technology spread across borders, became standardized, and is now embedded in virtually every browser and messaging app. In many respects, these regulations ended up undermining the competitiveness of U.S. companies.
Challenges of Regulating Frontier AI
The export restrictions imposed on Anthropic’s Mythos face similar dilemmas to past encryption controls.
First, the restrictions are limited to specific models. AI technologies proliferate rapidly through open-source communities and non-U.S. research institutions. Models equivalent to Mythos could potentially circumvent restrictions and flow abroad via other channels.
Second, there is a lack of transparency in the review process. The restrictions are justified on the vague grounds of “national security,” with no detailed threats disclosed. This makes it difficult for companies to predict which actions might fall under regulatory scrutiny, increasing compliance costs.
Third, the move could reshape the global competitive landscape. The more the U.S. tightens export restrictions on its AI companies, the greater the incentive for China and the European Union (EU) to develop their own AI ecosystems. This could weaken the U.S.’s technological edge in the long run.
Overlapping Vulnerability Concerns
The current case also highlights differing interpretations of “vulnerability” between Anthropic and Amazon researchers. While Amazon claimed to have discovered a “safeguard bypass,” Anthropic downplayed it as a “localized issue.” Such discrepancies in defining vulnerabilities have been a recurring issue in past cybersecurity cases.
For example, a recently reported vulnerability in Microsoft Defender, known as “RoguePlanet”, drew attention when proof-of-concept code was made public. Similarly, in AI safety measures, the criteria for what constitutes a “serious vulnerability” remain unclear, and regulations seem to be outpacing the establishment of clear standards.
At the same time, the balance between regulating AI technologies and preserving academic freedom is a critical issue. As seen in research such as Subquadratic’s independent evaluation of breakthroughs in Transformer limitations, rapid technological advancements in AI continue. Overly restrictive regulations could stifle innovation in defense technologies as well.
Editorial Opinion
In the short term, these export restrictions could influence other countries’ AI policies. The EU and China might seize this as an opportunity to accelerate the development of their domestic AI models. China, in particular, is advancing large-scale language model development as a national strategy and is likely to intensify efforts to fill the void left by Anthropic’s absence. Meanwhile, other AI labs will closely monitor U.S. regulatory trends and may be forced to reconsider their strategies for international expansion.
From a long-term perspective, as the history of encryption technology demonstrates, completely containing a technology is extremely difficult. There are multiple potential pathways for capabilities equivalent to Mythos to spread globally through non-restricted means. The U.S. government should focus on fostering international collaborative investments in post-quantum encryption and AI safety research. Developing new frameworks that democratize defensive technologies while managing offensive ones is imperative.
The editorial team raises a fundamental question: as AI capabilities become increasingly tied to national security, how should traditional definitions of “weapons” be applied to AI models? To avoid repeating the mistakes of the PGP era, it is crucial to establish dynamic regulatory systems that adapt to rapid technological advancements and to create mechanisms for transparent information sharing between public and private sectors.
References
- Encryption, spyware, and now Mythos: History shows why cyber export control doesn’t work — TechCrunch — Published on 2026-06-19
Frequently Asked Questions
- What is Mythos?
- Mythos is a cybersecurity-focused AI model launched by Anthropic in April 2026. Designed to strengthen defense systems ahead of potential malicious attacks, it was accessible to around 150 carefully selected companies and government agencies prior to the restrictions.
- Why did the U.S. government ban the export of Mythos?
- The ban was reportedly triggered by concerns over SK Telecom's access to Mythos due to suspected ties with China, as well as a report from Amazon researchers claiming they had found a way to bypass Fable 5's safeguards.
- How does this differ from past encryption export restrictions?
- Unlike 1990s PGP restrictions, which aimed to prevent the spread of encryption technology, today's AI model restrictions involve version control and access management. However, it remains uncertain whether such measures can fully curb the global dissemination of these technologies.
Comments