Cyberside Chats: Cybersecurity Insights from the Experts

Three days after Anthropic put its most powerful AI models in public hands, the U.S. government invoked export-control authority to bar foreign nationals from Fable 5 and Mythos 5. The result: Anthropic was forced to shut both models down for everyone, worldwide. We dig into what actually triggered the order, why the only outside expert known to have read the underlying report calls it an overreaction, and how the fight echoes the 1990s crypto wars, when Washington branded encryption software a weapon and investigated the people who shared it. For security leaders, we close on what to do about single-model dependencies, AI that can be talked into misbehaving, and a capability that's already global no matter what any export rule says.

Key takeaways for security leaders

1. Don't let a single AI model become a single point of failure. Fable 5 and Mythos 5 went from public launch to worldwide shutdown in three days — by government order, not an outage — and access dropped even for compliant US customers. If a business-critical workflow (AI code review, SOC triage, agentic automation) runs on a single model or provider, inventory it and build a fallback path now. Put model availability in your BC/DR and third-party risk register alongside any other critical vendor.

2. Assume any AI you deploy can be talked into doing something it shouldn't — and watch it accordingly. Even Anthropic says no provider can fully prevent its safeguards from being bypassed, and that new workarounds will keep being found. For most organizations the practical move isn't building better guardrails — it's logging what your AI tools and agents actually do, baselining normal behavior, and alerting on the abnormal. Treat vendor safeguards as one layer, not the whole control.

3. Leverage AI’s advanced capabilities to check for software bugs, both in code you buy and code you develop If you build software, fold AI-assisted review into your SDLC and red teaming. If you rely on third-party vendors for software, make their use of AI-assisted security testing a question in your due diligence and a clause in your contracts. Either way, the goal is to find the bugs attackers will find, first.

4. Update threat models to assume adversaries already have equivalent cyber-AI, regardless of export controls. The lesson from the crypto wars and the proliferation/distillation discussion is that a ban transfers a capability rather than eliminating it — the model, like the math before it, is already global. Don't let a US export action or one vendor's guardrails read as reduced adversary capability in your risk calculus. Plan defenses for a world where attackers have frontier bug-finding at machine speed.

Resources

1. Anthropic — Statement on the directive to suspend access to Fable 5 and Mythos 5 — the company's own account of the order and its safeguards. https://www.anthropic.com/news/fable-mythos-access

2. WSJ — Anthropic Dispatches Staff to D.C., Racing to Resolve AI Export Restrictions — the timeline, the players, and the weekend negotiations. https://www.wsj.com/tech/ai/anthropic-dispatches-staff-to-d-c-racing-to-resolve-ai-export-restrictions-71303d42

3. Luta Security — The Fable 5 Export Controls Harm US Cyber Defense — Katie Moussouris, the one outside expert known to have read the underlying report. https://www.lutasecurity.com/post/the-fable-5-export-controls-harm-us-cyber-defense

4. FreeFable.org — open letter to Commerce — 54 CISOs and security leaders calling for the controls to be lifted. https://freefable.org/

5. EFF — Bernstein v. United States — the case that established software source code as protected speech. https://www.eff.org/cases/bernstein-v-us-dept-justice