The abrupt appearance and equally abrupt removal of export controls on Anthropic’s Fable 5 and Mythos 5 AI models created uncertainty about the reliability of the US as a partner and US companies as suppliers. Frankly, these concerns are justified.
The ban was irrelevant. The White House reportedly instituted the export controls because Mythos improves hacking capabilities and threatens cybersecurity. But the degree of increased risk was overstated. The absence of demonstrable (rather than hypothetical) risk is one reason why AI regulations tend to go off course. AI cyber risks are real, but the Mythos ban didn’t address them.
AI cybersecurity risks reflect two things. First, much of the commercial software in use today has exploitable flaws. Efforts to create mandatory safety standards have been blocked for decades on the grounds that they would impede innovation and adoption. Given the immense opportunities for hacking in the cyber environment, automated tools to find vulnerabilities have been developed and used for years. Mythos is the latest — or perhaps noisiest — iteration. Some estimates say Mythos can do in hours what takes other discovery tools weeks.
Second, other countries have similar capabilities when it comes to hacking. There are at least four others at the top of the league with peer or near-peer capabilities. The illusion that the US has a unique monopoly on technology is one of the greatest flaws in export control practice. The US overestimates the uniqueness and superiority of its technology. It is advanced, but not unique. What give the US an advantage is not the tools themselves, but the skill of US forces in using the tools.
The federal export controls ignored the larger problem of software safety. There have been no efforts to create the same kind of safety requirements for software that we have for cars, airplanes, or other critical products — although the last administration tried, albeit at a tortoise-like pace. On the bright side, this means that there will be real benefits from tools like Mythos as we figure out how to use them. The automated discovery of vulnerabilities and coding errors will improve cybersecurity immensely. But the executive order did not address this. It did not even go as far as the recent quantum encryption regulatory executive order, which mandated actions to reduce quantum risk. If the goal is to reduce the risk AI creates for cybersecurity, then the US will need to mandate the use of AI tools to improve software and network security.
There was also a significant exaggeration of the risks posed by artificial intelligence. Some of this exaggeration is likely the result of corporate shenanigans. Anthropic is not the first to use pronouncements of grave threats as a public relations tool. It’s unclear whether the leaders of Anthropic actually believe this — it’s possible. But whether they believe it or not, it’s still wrong.
The ban on using Fable and Mythos was built on an unstable foundation of sand. The US does not have unique capabilities, nor does AI pose an existential threat. Effective export controls rest on risk assessments that are based on experience and actual evidence. If such evidence exists in intelligence channels, some of it should have been released. For other technologies, there are real-world examples of the risk, such as missiles or chemical and biological weapons. None of this exists for AI. It’s hard to make a compelling case for an imaginary threat, and it looks a bit like panic to suddenly impose controls.
AI cyber threats should not have been a surprise. China has significant AI capabilities, not at the same level as the US, but sufficient enough to allow it to successfully compete. China recently announced that it has two or three programs that produce Mythos-like effects in finding vulnerabilities. If the goal is to deny China capabilities, what if China already has them? We’re not denying China very much.
One of the lessons of export controls is that when misapplied, the result is to spur foreign competition. This is the most likely consequence of the Mythos misadventure. Encouraging the Administration to apply the brakes without warning damages companies’ brands in ways that will be difficult to repair. European and Asian customers now look to other, less erratic sources to meet their AI needs.
And those sources exist. China’s combination of open-weight models and low-cost chips has produced cheaper alternatives to high-end US AI. The US model is not out of the race, but it faces significant competition for market share. The Mythos ban didn’t help. Currently, China has a larger share of the global AI market, including customers in the United States. One of the attractions of open-source AI is that it’s open — and no country can suddenly announce a ban on its use. The US helped create this attraction.
It will be difficult to undo the damage of the Mythos and Fable ban because it requires persuading others that the US is a reliable supplier. But the US public debate on AI exaggerates risk and could stampede again. Fear of AI is not official policy or law (yet), but it forms a constant droning in the media background that leads to policy-making irruptions like Mythos. Few countries or companies wish to subject themselves to the vagaries of US policy. They won’t turn to Europe, and that leaves only one alternative supplier.
AI creates new risks, often overstated, and as we gain more experience using it, it will be possible to identify them. Most appear to be incremental. But a culture that can be anxious, fearful, and perhaps seduced by Chinese propaganda — there are reports that China seeks to inflate Americans’ concerns over AI and data centers to slow US progress — will make mistakes as it develops policy. The combination of anxiety, free PR, and a media that’s quick to trumpet the latest fear, means we should expect more false alarms in the future.
James Lewis is a Distinguished Fellow at CEPA’s Tech Policy program.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
Tech 2030
A Roadmap for Europe-US Tech Cooperation