## The Uncomfortable Truth Governments Keep Ignoring
For thirty unbroken years, every attempt by Western governments to cage cybersecurity software behind export control walls has ended the same way — in failure, circumvention, and ultimately, policy reversal. Yet here we are again. Anthropic’s newly unveiled cybersecurity AI model, Mythos, is already drawing regulatory scrutiny and whispered conversations in Washington about whether AI-powered security tools should face export restrictions. History has a loud, clear answer to that question, and it is not the one policymakers want to hear.
## The Context: A Pattern Written in Code
The story begins in the early 1990s with Phil Zimmermann’s Pretty Good Privacy — PGP. When Zimmermann released PGP as free software in 1991, the U.S. government treated strong encryption as a munition under the International Traffic in Arms Regulations (ITAR). Zimmermann faced a federal criminal investigation for nearly three years. The software, however, spread across the internet with the enthusiasm of a wildfire. Printed in books, smuggled on floppy disks, mirrored on servers in Finland and Australia, PGP became globally ubiquitous precisely because the government tried to stop it. By 1996, the criminal investigation was dropped. By 2000, the Clinton administration dramatically relaxed encryption export rules, acknowledging what the market had already decided.
Then came the Crypto Wars of the mid-1990s, epitomized by the Clipper Chip — the NSA’s attempt to embed a government backdoor into all U.S. encryption hardware. The proposal collapsed under pressure from industry and civil liberties groups. Security researchers, including Bruce Schneier and Matt Blaze, systematically dismantled its technical credibility. The internet built its own encryption standards anyway — SSL, TLS — standards that now secure trillions of dollars in global commerce daily, including Kenya’s booming mobile money ecosystem.
## The Wassenaar Arrangement: The Next Failed Chapter
The 1996 Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was supposed to bring multilateral discipline to the problem. It did not. The 2013 expansion of Wassenaar to cover intrusion software and vulnerability research tools triggered immediate alarm from the cybersecurity community. Defenders argued — correctly — that the same tools used to penetrate systems maliciously are identical to those used to find and fix vulnerabilities. Bug bounty hunters, penetration testers, and security researchers found themselves theoretically in violation of rules designed to stop nation-state attackers. The controls were watered down after years of pushback.
Each chapter of this history follows the same arc: control proposed, industry and researchers object, software spreads anyway, control quietly abandoned or hollowed out. The technology, unlike a tank or a missile, exists entirely as information — and information, as the digital age has conclusively demonstrated, wants to be free in the most literal, physics-like sense of the term.
## Why Mythos Changes the Stakes — But Not the Outcome
Anthropic’s Mythos represents a meaningful leap. It is not simply an encryption library or a packet analyzer. It is an AI system trained specifically to reason about cybersecurity — identifying vulnerabilities, suggesting attack vectors, and potentially automating offensive and defensive security operations at a scale no human team could match. The concern from a national security perspective is legitimate on its face: a sufficiently capable AI security model in adversarial hands could accelerate cyberattacks against critical infrastructure.
But the question is not whether the threat is real. The question is whether export controls are the right tool to contain it. The evidence from three decades says no. Anthropic is an American company, but the global AI research community is not American. Chinese labs, European universities, and independent researchers worldwide are building comparable models. The moment Mythos-equivalent capabilities exist inside Anthropic’s walls, the clock starts ticking until equivalent capabilities exist elsewhere — with or without American export permission. Restricting Mythos exports does not delete the underlying research; it only disadvantages American companies and allies who would benefit from legitimate access.
## The Breakdown: Why This Matters Beyond the Headlines
The deeper issue here is a category error that governments repeat with disarming consistency. Export controls work reasonably well for physical objects — centrifuges, specialized alloys, missile guidance hardware — because atoms are hard to duplicate and easy to track. Software, and especially AI models that exist as mathematical weights distributed across servers, is not a physical object. It is closer to a mathematical proof or a scientific paper. Restricting its export does not destroy the knowledge; it simply determines who gets first-mover advantage in deploying it.
There is also a defensive paradox at play. The countries and actors most likely to use AI cybersecurity tools maliciously are the least likely to be deterred by American export law. Russia’s GRU, China’s APT groups, and ransomware syndicates operating from ungoverned digital spaces are not filing export license applications. The only entities actually constrained by export controls are law-abiding companies, allied governments, and legitimate security researchers — precisely the people who should have access to the best defensive tools available.
## The Impact: What This Means for Kenya and the African Cybersecurity Landscape
For Kenya, the stakes are direct and immediate. Kenya is Sub-Saharan Africa’s most significant technology hub, home to Safaricom’s M-Pesa infrastructure, a growing fintech ecosystem, and a government that has staked national development strategy on digital transformation through the Ajira Digital Programme and the Konza Technopolis project. The country’s digital economy processes billions of shillings in transactions daily across mobile platforms that are constant targets for increasingly sophisticated cyberattacks.
If AI-powered cybersecurity tools like Mythos become subject to export restrictions, Kenyan financial institutions, telcos, and government agencies face a structural disadvantage. They would be locked out of cutting-edge AI defensive tools precisely as adversaries — who face no such restrictions — continue to upgrade their offensive capabilities. Kenya’s cybersecurity sector, represented by organizations like the Communications Authority of Kenya and a growing community of local security professionals, needs access to the best available technology. Export controls on AI security models would widen the gap between Kenya’s defensive capabilities and the threats it faces, not narrow it.
The irony would be darkly complete: rules designed to keep dangerous technology out of dangerous hands would succeed mainly in keeping protective technology away from the people who most need protection.
## Strategic Implications: What Should Actually Happen
The historical record suggests a more productive path than export controls. International information-sharing frameworks — the kind that allow CERTs (Computer Emergency Response Teams) to share threat intelligence across borders — have proven far more effective at improving global cybersecurity posture than technology restrictions. Investing in capacity building, supporting organizations like the African Union’s cybersecurity initiatives, and ensuring that allies and developing nations have access to defensive AI tools would do more to reduce global cyber risk than any export license regime.
Anthropic, for its part, should engage aggressively with policymakers to prevent a regulatory framework that would cripple legitimate security research and international deployment of Mythos while doing nothing to stop the adversaries it is supposedly meant to contain. The burden of proof should fall on those proposing new controls to explain why this time will be different from every previous attempt. Thirty years of evidence suggests it will not be.