From PGP to Mythos: Why Cybersecurity Export Controls Never Work
For three decades, governments have attempted to restrict the global flow of cybersecurity software, consistently failing to achieve their goals. Despite this long and documented history of ineffectiveness, regulators appear poised to repeat past mistakes with their latest target: Anthropic’s advanced cybersecurity model, Mythos. The fundamental reality of the digital age is that code respects no borders, and the historical record proves that export controls on encryption and security tools do little more than hinder legitimate research while failing to stop malicious actors.
The most famous early example of this futile effort occurred in the 1990s with PGP (Pretty Good Privacy). Created by Phil Zimmermann, PGP provided robust encryption to the masses. The US government classified it as a munition, subjecting it to strict export controls. Zimmermann famously circumvented these restrictions by publishing the source code in a printed book, leveraging First Amendment protections to make the software globally available. The PGP saga established a precedent: when security tools are restricted, the open-source community and determined individuals will inevitably find alternative distribution methods.
Fast forward to 2026, and the regulatory landscape is shifting its focus from traditional encryption algorithms to artificial intelligence. Anthropic’s Mythos, a sophisticated AI model designed for advanced cybersecurity applications, is now facing the scrutiny of export control regimes. Lawmakers argue that such powerful AI could be weaponized by adversarial nations to launch devastating cyberattacks. Consequently, there is a growing push to classify Mythos and similar models as restricted technologies, limiting their deployment to vetted domestic entities.
However, as TechCrunch highlights, the fundamental dynamics of software distribution have not changed. Restricting the export of an AI model like Mythos ignores the decentralized nature of modern technology. Model weights can be leaked, replicated, or independently developed by foreign actors. Open-source alternatives are already rapidly closing the gap with proprietary systems. If a tool exists and is useful, the global hacker and developer community will access it, regardless of Washington’s regulatory ambitions.
The core issue is that export controls operate under the flawed assumption that innovation can be geographically contained. In the realm of bits and bytes, this is a physical impossibility. Instead of stifling the proliferation of defensive and offensive cybersecurity tools, export restrictions often penalize domestic industries and slow down collaborative global security research. As we move from the era of PGP to the era of Mythos, the lesson remains unchanged: stopping the flow of cybersecurity software is an exercise in futility, and it is unclear why anyone expects a different outcome this time around.