In an open letter to the US government, over 150 executives and technical leaders from the cybersecurity industry have called for the export restrictions on Anthropic’s Fable and Mythos language models to be lifted. The letter is addressed to US Commerce Secretary Howard Lutnick and National Cyber Director Sean Cairncross. Beyond reversing the directive, the signatories demand that future risk assessments of AI models follow an open, scientific, and transparent process.

What it’s about

The US government had restricted the export of Anthropic’s powerful Mythos class — which includes the publicly available Fable model — citing cybersecurity risks. The trigger was research into the models’ ability to identify vulnerabilities in software and write exploits. The signatories do not dispute that AI is fundamentally changing cybersecurity, significantly lowering the difficulty of finding security flaws and writing exploits. Nor do they deny that the Mythos models are good at these tasks.

Their central objection: these capabilities are not unique. According to them, comparable results can also be achieved with other models such as GPT-5.5, Opus, Sonnet, or China’s Kimi 2.7. The authorities’ justification — that Fable provides a unique capability boost (“uplift”) over other systems — therefore does not hold, they argue: AI has been finding flaws and generating working exploits at superhuman levels for more than a year.

The signatories’ argument

The experts argue that the capability underlying the original research consisted primarily of checking human-submitted code for vulnerabilities. This, they say, is a necessary property of any model intended to write secure code, and not an offensive capability. Anthropic, they add, also built multiple safeguards into Fable to prevent offensive use — protections that were so restrictive at launch that they became a source of amusement within the security community.

In the signatories’ view, it is essential to give developers and security teams powerful AI so they can find and fix vulnerabilities in both newly written and decades-old legacy code faster than potential attackers. Chinese open-weight models, they note, are only months behind the best US models; it is also likely that the Chinese state has access to undisclosed capabilities. Stripping defenders of their best tools while adversaries rapidly catch up is therefore dangerous, they argue.

The measure, the letter states, has taken the best models away from defenders, created market uncertainty, and jeopardized America’s leadership in AI — without any real risk to justify it. Security research, they argue, never leads to a final state of complete safety; its purpose is continuous improvement, not banning the technology.

A call for clear rules

Not all signatories share the view that AI regulation is the right path. However, should securing critical infrastructure involve regulating models, that regulation must, in their view, meet four criteria: it should be grounded in scientific evaluations developed jointly with industry and academia, created through a democratic rule-making process, enforced transparently and fairly with adequate time for remediation, and applied only to the minimum extent necessary.

Prominent voices

The letter carries the signatures of numerous well-known industry figures, with the affiliations listed explicitly provided for reference only and not indicating endorsement by the respective organizations. Among the most prominent corporate representatives are:

• Bruce Schneier
• Alex Stamos, Chief Product Officer at Corridor and former security chief at Facebook
• Joe Levy, CEO of security company Sophos
• Mikko Hyppönen, CRO at Sensofusion and a longtime security researcher
• Chris Wysopal, co-founder of Veracode
• Katie Moussouris, CEO of Luta Security
• Talha Tariq, CTO of Vercel

The letter was also signed by researchers from universities such as Harvard, Johns Hopkins, the University of Pennsylvania, and Purdue, by representatives of major firms including Adobe, Vercel, Zoom, and Chainguard, as well as by well-known figures such as encryption pioneer Philip Zimmermann and security expert Bruce Schneier.

Aus Datenschutz-Gründen ist dieser Inhalt ausgeblendet. Die Einbettung von externen Inhalten kann in den Datenschutz-Einstellungen aktiviert werden: