From PGP to Mythos: A Brief History of Export Controls That Didn’t Stop Anyone

Anthropic’s new AI cybersecurity model, Mythos, is facing potential export restrictions under U.S. International Traffic in Arms Regulations (ITAR). These controls aim to limit access to powerful cybersecurity tools, but history shows such efforts rarely succeed. For 30 years, governments have tried to stop the spread of encryption software, spyware, and other cyber tools, yet these technologies consistently evade barriers.

The original source traces this dynamic from the 1990s, when the U.S. classified Phil Zimmermann's PGP encryption software as a munition. Despite legal threats, PGP spread globally—published in books, sent via fax, and downloaded from overseas servers. The same pattern followed with commercial spyware like Pegasus, developed by Israel's NSO Group under strict export rules, yet still reaching repressive regimes. The lesson is consistent: export controls don't stop determined users. If a tool is valuable, people will find ways to access it, whether through underground markets, open-source duplication, or indirect licensing arrangements.