The Ineffectiveness of Cyber Export Control: Lessons from 30 Years of History
TL;DR
- Cyber export controls have a long track record of mixed results, especially for encryption and spyware, where firms and states often adapted faster than regulators.
- Anthropic’s Mythos restriction is the newest test case, but history suggests export controls are more effective at creating paperwork and friction than preventing misuse outright.
- The likely future is tighter, more targeted regulation, paired with technical safeguards, transparency rules, and enforcement focused on downstream abuse rather than simple export bans.
A new test for an old policy idea
The White House’s order forcing Anthropic to restrict export access to its frontier AI models Fable and Mythos has revived an old debate: can governments contain powerful cyber capabilities by controlling where software is sold and who can use it? The answer, based on three decades of attempts to regulate encryption, spyware, and intrusion tools, is usually no—or at least not reliably enough to stop determined actors.
This matters because Mythos is being treated as a bellwether for frontier AI governance, much as earlier encryption and spyware controls were treated as tests of whether the state could manage dual-use software through export policy. But the historical record suggests that export controls often lag the technology, are easy to route around, and rarely distinguish cleanly between legitimate defenders and malicious users.
Why encryption became the original export-control battleground
Encryption has been one of the longest-running examples of the limits of export controls. U.S. regulators repeatedly tried to restrict strong cryptography, only to watch the software ecosystem globalize, open-source development spread, and consumer demand push the technology into mainstream products anyway.
Recent U.S. rules still show how export policy mostly works by narrowing access at the margins rather than eliminating the technology itself. BIS has tightened rules on encryption software exports to Russia and Belarus, reducing the scope of license exceptions and adding more specific licensing requirements. Those measures can slow transfers, but they do not change the underlying reality that encryption is now embedded in everyday software, communications, and infrastructure.
Spyware controls have been just as uneven
Spyware export controls have fared no better. Governments have alternated between tightening and relaxing restrictions, often in response to political pressure, reputational scandals, or national-security concerns. Israel, for example, has both tightened oversight over cyber exports after abuse allegations and later eased approvals for some cyber weapons and spyware sales, cutting review timelines from as long as a year to as little as four months.
The United States has also tried direct restrictions on vendors, including adding NSO Group and Candiru to the Entity List, which limits access to U.S. components and technology. But even these moves address suppliers more than the global market for exploit tools, which can still be repackaged, resold, or developed elsewhere.
The core problem: software is easy to move, hard to confine
The failure mode is structural. Unlike physical arms, cyber tools can be copied instantly, distributed cheaply, and modified with minimal friction. That makes export controls blunt instruments: they can slow legal commerce, but they struggle to stop illicit transfer, reverse engineering, or domestic development by sanctioned states and non-state actors.
That is why the article’s central argument resonates: the state can regulate sales channels, but it cannot fully control knowledge once it becomes software. In practice, export controls may succeed at raising compliance costs and shaping market behavior, yet they rarely deliver the clean containment policymakers promise.
What the Anthropic Mythos case changes
Mythos is different only in scale and symbolism. If a government can force a leading AI company to restrict model access across borders, it may appear to have found a workable template for frontier AI containment. But TechCrunch’s account of the White House order suggests the opposite lesson: Anthropic had to move within roughly 90 minutes, and the resulting disruption was immediate, but temporary and reactive rather than preventive.
That is the key issue. Rapid export restrictions can change who can access a model today, but they do not necessarily prevent open publication, weight leakage, model copying, or the emergence of substitute systems elsewhere. In other words, the control may be real, but the containment may be shallow.
Why export controls keep appealing to policymakers
Export controls remain attractive because they are visible, politically legible, and relatively easy to justify as national-security tools. They also let governments act without waiting for international treaties or slower multilateral standards-setting.
The European Union’s current push to tighten surveillance-software export rules reflects that same logic. The proposed plan would require licenses for exports of dual-use technologies such as hacking software and facial-recognition systems, while also increasing transparency around approved deals. That may improve oversight, but it still rests on the assumption that licensing can meaningfully shape behavior in a market built to evade friction.
What the history suggests for future cyber regulation
The most durable lesson from 30 years of export-control experiments is that controls work best when they are narrow, specific, and paired with other tools. That means focusing less on trying to ban classes of software outright and more on monitoring misuse, requiring disclosures, restricting access to high-risk end users, and holding vendors accountable for downstream abuse.
That direction is already visible in newer policy approaches. U.S. cybersecurity export rules now create exceptions for most destinations while reserving tighter controls for countries of concern, and they explicitly target end uses involving surveillance or disruption of information systems. Similarly, policy papers on commercial spyware increasingly emphasize transparency, oversight, and licensing discipline rather than broad prohibitions alone.
The bigger lesson for AI and cybersecurity
If Mythos becomes the latest export-control test case, it will likely confirm a familiar pattern: governments can slow access, but they cannot reliably stop diffusion. For cybersecurity regulation, that means the future probably lies in layered governance—export restrictions, auditing, user vetting, incident reporting, and technical safeguards—rather than in the belief that one policy lever can contain a globally replicable technology.
The old dream of neat containment has already failed for encryption and spyware. Frontier AI is now entering the same policy lane, and the historical record suggests regulators should plan accordingly.
Get All The Latest Updates Delivered Straight To Your Inbox For Free!