The Ineffectiveness of Export Controls in Cybersecurity
TL;DR
- The U.S. is again tightening export controls around advanced cybersecurity and AI tools, but the latest measures revive an old debate: whether software controls can actually stop determined adversaries.
- Historical experience suggests the answer is limited at best. Export controls have repeatedly slowed sales and added compliance burdens, but they have not reliably prevented abuse, evasion, or the spread of dual-use tools.
- The newest case involving Anthropic’s Mythos 5 highlights the same structural problem: when capability lives in software and can be copied, accessed remotely, or re-created, traditional export-control logic becomes easy to outgrow.
A familiar policy response to a fast-moving threat
The United States has now extended export-control logic to advanced AI and cybersecurity software in a way that treats some models like strategic hardware, not ordinary code. Recent reporting says Anthropic was ordered to disable access to its most capable models, Fable 5 and Mythos 5, for foreign nationals, reflecting a broader shift toward controlling who can use advanced software rather than only where physical goods are shipped.
That move builds on a longer regulatory trend. In 2022, the U.S. Commerce Department’s Bureau of Industry and Security finalized new rules covering certain “cybersecurity items” used for malicious cyber activity, including licensing requirements for exports to higher-risk destinations and specific government end users. The policy goal is straightforward: make it harder for hacking and surveillance tools to reach adversarial states and abusive actors.
Why export controls keep running into the same wall
The core problem is that cybersecurity software is not like a machine tool or a missile part. Software can be copied instantly, distributed remotely, modified cheaply, and accessed across borders without a traditional shipment. That makes it far easier to evade borders than physical goods, and it makes enforcement heavily dependent on provider compliance, user screening, and post hoc investigations rather than interdiction at the border.
Export-control rules also tend to chase the last version of the threat. The 2022 BIS framework was aimed at items that could support malicious cyber activity, but it still carved out broad exceptions for many destinations and uses, including certain incident-response and vulnerability-disclosure cases. Those carve-outs are necessary for legitimate security work, but they also illustrate the basic tension: the more broadly the rules sweep, the more they risk impairing defense; the more narrowly they are written, the more room remains for abuse.
The historical record: restrictions, adaptation, repeat
For roughly three decades, policymakers have tried to constrain the spread of offensive cyber capabilities through export rules, licensing regimes, and end-user restrictions. The pattern has been consistent: regulations may slow some transfers, but they rarely eliminate access because vendors, brokers, and state-backed operators adapt.
That is especially true in the dual-use world, where the same tools can be used for defense, research, law enforcement, penetration testing, and surveillance. The 2022 BIS rule itself acknowledged this by building in exceptions for legitimate cybersecurity incident handling and certain government uses. But every exception creates administrative complexity, and every complex rule creates compliance gaps that sophisticated actors can exploit.
The Mythos 5 episode shows how the terrain has changed
The latest controversy around Anthropic’s Mythos 5 points to a new phase in the export-control debate. One report described the U.S. government as effectively treating a sufficiently capable AI model like controlled strategic infrastructure, extending export-control logic to whether a model can respond to a prompt from a foreign national.
That is a major shift from controlling hardware shipments to controlling access itself. But it also exposes the same weakness that has dogged cyber export controls for years: if the real object of concern is the underlying capability, then controlling one access path does not guarantee control over the capability everywhere else. A model can be reproduced, fine-tuned, or functionally replaced; a cyber tool can be recompiled, repackaged, or sold through intermediaries.
Compliance burden versus real security gain
The latest rules also raise the cost of doing legitimate business. Industry reporting on the BIS framework describes licensing obligations, destination-based restrictions, and end-user screening requirements that force companies to invest heavily in compliance systems. Those requirements may reduce casual misuse, but they do not solve the underlying asymmetry: defenders operate under public rules, while hostile actors can conceal identity, route through proxies, or rely on stolen infrastructure.
This is why critics argue that export controls often function more as a bureaucratic friction mechanism than as a decisive security barrier. They can delay proliferation, narrow access for some buyers, and create legal risk for vendors, but they do not reliably stop determined state actors, criminal groups, or sanctioned entities from acquiring capabilities through third countries, intermediaries, or domestic development.
What the latest crackdown is likely to accomplish
The strongest case for export controls is not that they end cyber proliferation, but that they can shape it at the margins. They may increase the cost of access, create audit trails, and force companies to think harder about misuse and end users. In some cases, they may also preserve leverage in strategic competition by keeping frontier capabilities out of the hands of adversaries for a time.
But the historical evidence suggests that those gains are temporary and incomplete. Once a capability becomes commercially valuable and technically reproducible, restriction tends to shift the market rather than eliminate it. That is why past export-control efforts on hacking tools, spyware, and cyberdefense software have repeatedly produced a cycle of announcement, compliance, evasion, and revision.
The bigger lesson for cyber policy
The central lesson from three decades of cyber export controls is that they are a blunt instrument for a fine-grained problem. They are most effective when tied to narrow, high-value chokepoints and when paired with intelligence, sanctions, procurement rules, and active counterproliferation efforts.
On their own, though, they cannot reliably stop the spread of software-based offensive capability. The Mythos 5 controversy may prove to be less a breakthrough than a reminder: when power is encoded in software, the state can regulate access, but it cannot easily regulate diffusion.
Get All The Latest Updates Delivered Straight To Your Inbox For Free!