Why Cyber Export Controls Keep Failing — And Why That Helps You
Anthropic's Mythos is the latest target of cyber export controls. Three decades of history say borders don't hold software back — here's what that means for builders outside the US.

Cyber export controls are back in the news, and the target this time is an AI model. A new piece from TechCrunch, "Encryption, spyware, and now Mythos: History shows why cyber export control doesn't work", argues that 30 years of trying to stop the flow of security-related software has not worked, and that Anthropic's cybersecurity model Mythos is unlikely to be the exception.
I think the article is right, and the practical takeaway matters more for someone building from Colombo than someone lobbying in Washington. If you write code outside the US, the rules that get written about "dangerous" software are mostly written about you. So it's worth understanding why they keep missing.
📜 The same fight, three times over
The TechCrunch framing puts three eras side by side, and the pattern is hard to miss. Each time, a powerful new capability appears, governments treat it as a weapon, and controls follow. Each time, the capability spreads anyway.
| Era | The "dangerous" thing | The control idea | What actually happened |
|---|---|---|---|
| 1990s | Strong encryption | Treat crypto as a munition, restrict export | Code crossed borders anyway; strong crypto became standard |
| 2010s–2020s | Commercial spyware | License and restrict surveillance exports | Tools kept reaching buyers through gaps and resellers |
| 2026 | AI security model (Mythos) | Limit who can access the model | Open question — but the prior two rounds set the odds |
Key takeaway: Software is information, and information leaks. A control that assumes code behaves like a physical missile starts from the wrong model of the thing it's trying to stop.
The encryption fight is the cleanest example. The US once classified strong cryptography alongside weapons for export purposes. The result was not weaker encryption worldwide. It was strong encryption everywhere, baked into every browser and messaging app you use today.
🌐 Why borders don't hold code
A missile is heavy, scarce, and traceable. Software is none of those. Once a capability exists, copying it costs nothing and moving it costs almost nothing. That asymmetry is the whole story.
There are a few reasons controls keep slipping:
- Reproducibility — once an idea is published, anyone can rebuild it. You can restrict a binary; you can't un-teach a technique.
- No physical chokepoint — there's no port to inspect. A model or a tool moves over the same wires as everything else.
- Global talent — the people who can rebuild a capability are not all in one country. Restrict access in one place and the work continues in another.
- Dual use — the same tool that finds vulnerabilities for an attacker finds them for a defender. You can't ban the offense without crippling the defense.
Controls aimed at the artifact fail because the real asset is the knowledge, and knowledge does not have a customs form.
For a Sri Lankan engineer, point three is the one that should land. Talent here is real, and global security research already includes people working far from the places that write the export rules.
🛡️ What this means for security tools you actually use
Here's the part that affects daily work. The same logic that makes export controls leaky is the logic that puts genuinely good security tooling within reach of a small team or a student on a free tier.
The defensive primitives are not gated behind a license:
- Hashing and integrity checks are public algorithms, free to use.
- Token inspection and validation are open standards anyone can implement.
- Strong encryption ships in the standard library of nearly every language.
If you want to feel how ordinary these "controlled" capabilities have become, you don't need special access. You can verify a file's integrity with our free hash generator, or inspect a token in seconds with the JWT decoder. Both run in your browser. Both rely on cryptography that was once treated as a munition. That history is exactly the point: the controls lost, and the loss is why these tools are free and everywhere.
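To make the list above concrete, here is an added example (not code from this site's tools or from the TechCrunch piece) that does an integrity check and JWT handling with nothing but Python's standard library. It also shows the gap between inspecting a token and validating it; the key, claims and helper names are constructed for the demo, and only HS256 is covered.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def digest_matches(data, expected_hex):
    """Integrity check: SHA-256 of data against a published hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())

def inspect_jwt(token):
    """What a decoder does: read header and claims. Proves nothing about origin."""
    header, payload, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "claims": json.loads(b64url_decode(payload))}

def validate_hs256(token, key, now=None):
    """Validation: pin the algorithm, verify the HMAC, then check expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # A token without "exp" is treated as expired (a choice made for this demo).
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def make_token(claims, key, alg="HS256"):
    """Hypothetical helper that builds the constructed sample tokens below."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

# Constructed sample data, not real credentials.
KEY = b"demo-key-not-a-real-secret"
GOOD = make_token({"sub": "alice", "exp": 2_000_000_000}, KEY)
WRONG_KEY = make_token({"sub": "admin", "exp": 2_000_000_000}, b"some-other-key")

if __name__ == "__main__":
    print(inspect_jwt(WRONG_KEY)["claims"])   # decodes fine, still untrusted
    print(validate_hs256(GOOD, KEY, now=1_700_000_000))
```

A decoder will happily show the claims of `WRONG_KEY`; only `validate_hs256` tells you whether to believe them.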
Bottom line: the encryption fight was settled in your favour decades ago. The tools you build security on top of are open, standardised, and not waiting on anyone's permission.
🤖 The Mythos question is different in one way
I don't want to flatten the differences. An AI security model is not the same shape as a crypto library. A model can lower the skill floor, meaning it lets someone who couldn't previously do the work get further faster. That's a real concern, and it's a fair reason for a vendor to gate access.
But gating access by vendor policy is not the same as a national export control, and the TechCrunch piece is specifically about the second one. The argument is narrow and, I think, correct:
| Approach | Who decides | How well it scales | History's verdict |
|---|---|---|---|
| Vendor access controls | The company | Works while the model is closed | Holds until a comparable open model appears |
| National export controls | Governments | Poorly — no chokepoint | Failed for crypto, leaked for spyware |
The honest position is that vendor-side gating can buy time. National export controls, applied to something as copyable as a model, have a 30-year losing record behind them. I won't claim to know what Mythos can or can't do — I'm commenting on the export-control logic, not the model's internals.
💡 What this means for you
If you build software outside the US, treat this as a planning input, not just news.
- Don't architect around access you might lose. If a capability matters, prefer open, standardised primitives you control over a single gated vendor. Crypto history shows the open option usually wins long term.
- Lean into dual-use defensively. The same AI that worries regulators is available to you as a defender. Use it to read your own logs, audit your own code, and find your own bugs first.
- Keep your fundamentals in your own hands. Hashing, signing, token validation, and encryption are free and unrestricted. Build on those and you're not exposed to anyone's licensing mood.
- Watch the policy, but don't fear it. Rules written for a missile model of software tend to inconvenience honest builders more than they stop determined ones.
The repeating lesson across encryption, spyware, and now an AI model is simple. You cannot fence in information. For most of us building small and building honest, that's the good news hiding inside a worried headline.