Alex Stamos on Why the US Should Lift Its Fable and Mythos Export Ban

Justin Hendrix / Jun 17, 2026

Audio of this conversation is available via your favorite podcast service.

Late on Friday, June 12, Anthropic announced it had received a letter from the United States Department of Commerce notifying the company that the government had issued an export control directive forcing it to suspend all access to its AI models Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including Anthropic's own foreign-national employees. To comply, the company disabled access to both models for all its customers. The Wall Street Journal called the episode “one of the most powerful examples yet of US government intervention in the AI race.”

The White House move has left many experts baffled. And, it is raising alarms in foreign capitals about the wisdom of relying on American AI, suggesting the US will operate ad hoc, with access to advanced models revoked on a case-by-case basis. Against that backdrop, a group of cybersecurity leaders organized by Alex Stamos has urged the administration to reverse course in an open letter. Currently, Stamos is chief product officer at an AI security startup called Corridor. Previously, he was chief security officer at Facebook, before he left to found the Stanford Internet Observatory. I caught up with him on Tuesday.

What follows is a lightly edited transcript of the discussion.

Alex Stamos:

Hi, my name is Alex Stamos. I'm the chief product officer at Corridor.

Justin Hendrix:

Alex, I'm pleased you could join me today. We're going to talk a little bit about the mess around Mythos and all the things that are happening in Washington DC and elsewhere as a result of the White House forcing Anthropic to take Fable 5 and Mythos 5 offline. You helped coordinate a letter to Commerce Secretary Howard Lutnick and National Cyber Director Sean Cairncross saying Mythos class models are quite good but not uniquely good at finding and weaponizing vulnerabilities. I want to talk about the purpose of the letter more generally, but I want to start there. Seems important to unpack why everyone has been describing these Mythos models as so powerful is finding thousands and thousands of unknown vulnerabilities that have been lurking around in code for decades. Why do you state that they are not uniquely good?

Alex Stamos:

Well, to be clear, Mythos, which is not the model that any normal person has access to, is probably the best model for bug finding, but it is not the unbeatable cyber God that everybody makes it out to be. As a number of people have pointed out, Anthropic has, to a certain extent, created the situation for themselves by playing up Mythos as something that is spectacularly beyond every other model in its capabilities. It does really well in all of the evaluations that we have access to. The security evaluation frameworks that we have are not fantastic to be honest. Mythos does significantly better in some, a little bit better in others, but what it does really well in is writing working exploits. But Mythos has never itself been released to the public. Fable was released. Fable has a couple of significant differences than Mythos. They come from the same base.

They're the same class of model, but Fable has been retrained to specifically refuse to do things that are offensive in nature and that might cause harm. So that is not true for Mythos. You can ask Mythos, write me an exploit. He'll write you an exploit. Fable at a deep level is supposed to refuse that for you. And the other thing Anthropic did was they put a front end classifier in front of Fable that is supposed to look at the prompt. So this is a much dumber algorithm than a large language model that should be harder to trick, that will look at what you ask it to do and see whether you're asking to do something that's really malicious. And if so, it will just kind of kill the connection. So instead of having the model have a kind of deep think about what it's doing, which is smart but also can be tricked because it's smart, you have kind of the dumb thing upfront that takes a look in this classifier and sees if something malicious is happening.

And how this whole thing kicked off was it turns out Amazon was doing testing to try to get stuff past that front classifier and found some ways to get past it. What our letter is saying is other models can do a lot of damage and what it turns out is the things that Amazon were able to ask Fable to do, it turns out other models are able to do those things. It looks like we have no evidence that Amazon was able to ask Fable to do anything that the Opus series can't do, that GPT 5.5 can't do. And that turns out Chinese models can't do themselves, which raises the question of why this huge freakout if the quote unquote jailbreak allows you to ask Fable to do things that a huge swath of publicly available models can also do.

Justin Hendrix:

I mean, I do understand that the independent researchers who did analyze the Amazon report concluded it didn't reach the worst case of full jailbreak of producing working attack code. What does explain then this plead overstated reading of Amazon's findings? What does it sort of suggest to you went on behind the scenes here?

Alex Stamos:

So first off, I want to say I don't think Amazon did anything wrong in doing the research. Amazon runs Anthropic's models. So they have a shared responsibility model here with Anthropic. When they are hosting Anthropic's models, they have to do some of the security and safety work themselves. That includes in any situation where the US government is accessing Anthropic models, it is my understanding that that is running on Amazon hardware. If the NSA is using Anthropic's models, if they're using Mythos, that is running at AWS top secret cloud, for example. And so those are quite possibly Amazon employees who are the ones who are looking at the output of those classifiers, for example. And so it is quite possible this is the kind of testing that Amazon would normally do of any model that they're deploying within their cloud. So what was like kind of I think a reasonable back and forth on what is an undefined standard, which is like, what should the front end prompt classifier prevent or not prevent in this situation got turned into this huge brouhaha.

And if you read Fable's model card, they actually go into some detail about what they do and do not want to allow from a cyber perspective. Anthropic never says that Fable will never do any cyber work. If you have a model that writes code, it needs to understand code security. It needs to be able to find bugs because there's no way it will be able to write code securely if it can't then look at that code and find its own flaws. And so Anthropic will allow Fable to look for individual flaws. And that is what Amazon was able to get it to do was to find individual CVEs. They're also able to get it to create individual proof of concept code, which then you can call an exploit. What they weren't able to get it to do was what Mythos is really good at doing, which is you can feed Mythos the entire Linux kernel or all of Firefox or something like that.

And then you can have it grind for hours and hours and hours, which turns out to be spectacularly expensive from a token basis. Palo Alto Networks famously said that they've spent like a million dollars on Mythos grinding through their code base, but you can have Mythos look for hours and hours on a huge code base and then find a bunch of bugs and then you can ask it to write full working exploit chains. And Amazon does not claim that they were able to get it to do that. And so that's where this whole breakdown is you can also ask GPT 5.5 to do that and it won't refuse you at all. There is no front end classifier to make it not do that. Opus 4.8 will just do it no problem. And so that's like the kind of crazy thing here is, yeah, they were able to get past a protection, but it's a protection that doesn't even exist on other models.

There's a charitable reading and a less charitable reading of what happened in the administration. The charitable reading is that they are very concerned about cybersecurity and they kind of over freaked out on something they didn't totally understand. The less charitable reading is that they are punishing a politically disfavored company that has not bent the knee and they were just looking for an excuse and this gave them the excuse to once again punish Anthropic.

Justin Hendrix:

So I want you, as a CISO, I think you've just answered this in many ways, but in more basic terms for any listener that might not be thinking certainly about cybersecurity in the way that you are, what could a security officer at a hospital or a utility or another company do with Fable last Wednesday that they can't do today?

Alex Stamos:

Well, they can't do anything with Fable today, right? We're really lucky that Fable was only out for like a week before it was pulled. Otherwise, Friday would have been a really tough day. We should probably get into the long term implications of this for the US AI industry. But one of the things we talk about in the letter is we need to deal with the fact that AI models have gotten very good at finding bugs. And this is the other thing when we talk about not being uniquely good. Again, Mythos is almost certainly the best model out there for finding bugs, but the real Rubicon was crossed last year, probably with like the Opus 4.5 level, the GPT5 series. At that moment, these models became better than human beings at finding bugs. And it's not just that they're better than any individual human. They're also way, way, way cheaper and they're way more scalable.

So there are individual bug finders that I would still take over one of these systems, but there's only a couple of them, right? There's only a couple of these guys and I know them all and they're spectacularly expensive and even though how good they are, they're very slow, right? It takes them weeks or months to find one bug. And so while I would love to have Dave Aitel just like work in my garage all day, realistically Mythos is way faster and way, way cheaper than what you'd have to pay for somebody of that caliber and you can just scale Mythos infinitely if you have the Nvidia chips and you have the power and that's the crazy thing about these systems. And again, it's not just Mythos. It's starting with the Opus series last year that you have LLMs that are as good or better than the best bug finders in the world.

And you can see that from if you were... People in the security industry started to notice that either they themselves or you're watching Twitter and you're watching bug bounties and you're watching what's going on, the Pwn2Own competitions and such and all of a sudden these like 22 year old bug finders who were never that good, it's like imagine you go to like a high school track meet and all of a sudden everybody is posting world record times all the time, right? You'd be like, "Oh, okay, these people are all juicing." There's some kind of like new steroid that everybody's taking. That's what it was like last year is that all of a sudden every mediocre athlete was all of a sudden a world record holder. Every 22 year old, every bug finder was all of a sudden finding bugs that are spectacularly complicated and writing this really great exploit code and they're doing it over and over and over again, often in code that's been looked at by bug finders for 10, 15, 20 years.

And so that's what AI does is it just... It's not something that generally somebody who knows nothing about anything can use, but if you know a little bit about security, you can now take one of these models, you can find a piece of... The Linux kernel would not be a good option now it was last year, but you can find some esoteric piece of open source still and you can probably find 10 bugs and you can narrow it down to one or two that are really critical, right? Working exploit code and then go exploit it all day. People are doing that every single day and so that doesn't require Mythos, doesn't require Fable, that's just happening. And so that's the reality we're living with right now and a big open question is how long are we going to live with that reality? Is there one finite pool of flaws that we are now burning down and that will eventually run out or as these models get better, will these pools kind of be renewed over and over again over the next several years?

No matter what, we're probably not just going to be able to patch our way out of this. And so defenders are having to build their defenses to be able to respond to these issues and to do the offense much more quickly and they can only do that with AI. And so that's why we really both need to find the bugs really quickly. That's why Anthropic's been providing these capabilities via Project Glasswing, OpenAI and Google do kind of the equivalent where they let defenders and open source projects and such use their models to find bugs. And so we need to find and fix bugs, but we also need to build defensive systems that use these models to do things other than just find bugs to automate our operation centers, to automate detection and such. And Fable was looking really good for that until it got yanked off the market.

Justin Hendrix:

You mentioned the long-term implications of this, what it means for American leadership is a concern in your letter. I guess when you do step back from it, this does seem like the first test of what the government does about a frontier model's risks. In this case, the Trump administration acted after deployment. There is no specified standard here. This was ad hoc. I don't think anybody would argue that it wasn't. What is the precedent here? I mean, is there kind of any sense that we can move forward from this in a productive way?

Alex Stamos:

Yeah. It's a number of people in Silicon Valley who really aligned their politics around the idea that Joe Biden was possibly going to regulate and then if Kamala Harris had been elected, there'd be too much AI regulation and that was around some kind of like voluntary measures around looking at AI. And here we are with a model being yanked because of a standard that's never been written down that you can't follow, that you have no ability to predict and it's still down as of Tuesday evening because Anthropic has no idea of what they can do to possibly make the administration happy because there's no actual technical reason for it, right? It's just vibes-based regulation. It's really, really bad for the US tech industry and the US AI industry. It means that political risk has been interjected into the use of a US AI model.

Niels Provos, who is a very well respected security engineer, he built a great deal of the security infrastructure at Google. He's one of my heroes because he's retired now. He makes like Viking swords. You should look up his YouTube channel. It's very impressive. I've been in his metal shop in his garage. It's pretty awesome, but he also writes stuff about this kind of stuff. He wrote a good blog post about this, which is that now if you are a company either in the United States, but especially around the world, you will at least have a backup of an open source model, an open weight model because you cannot rely upon American AI providers anymore to do anything critical for you. Like I said, it was very good that Fable had only been out for a week. So it's really not enough time for people to have worked Fable into their critical path for systems that are super important. If say Opus 4.8 got pulled right now, that would cause Sev1s across the world.

Company systems would go down all over the place because most companies do not have kind of automatic LLM routers set up with backup providers, the ability to fall back to lesser models. If they do have the ability to fall back to models, they haven't actually tuned their prompts for that. They haven't tested what happens when they fall back to those other models. So all of a sudden you have like degraded capabilities, but you don't actually have the predictability of what's going to happen. It would be a real mess. So this interjection of unreliability of one of the most important US champions is really bad. It tells the world you cannot rely upon American tech companies. It's kind of like if somebody found a small web bug, a cross site scripting bug in Amazon.com and the government forced Amazon to shut down US East One as a result. That would really strike fear in the heart of any AWS customer and would really hurt the US cloud industry. That's effectively what happened here.

Justin Hendrix:

I want to ask you about the executive order. I mean, there's this idea of a voluntary 30-day classified testing process in it. I guess that was shortened from the version that was shelved before it was eventually released. In this case, we understand Commerce moved against Fable using this export control directive. I don't think anybody's actually seen the documents or any of the specifics of that.

Alex Stamos:

I believe Bloomberg actually has the letter now, right? I think the letter leaked, is what that looks like.

Justin Hendrix:

Okay. I'll take a look at that. I haven't seen that yet myself, but I don't know is this mechanism sufficient? Could this potentially solve this? What are the problems with the EO as you see it or does it fit the purpose?

Alex Stamos:

Well, Anthropic had permission to release Fable and then that permission was yanked without any kind of warning on a Friday afternoon against no standard. If the FAA grounds a Boeing plane, Boeing knows why, right? FAA has voluminous rules that you have to follow. They have their employees sitting at Boeing headquarters, embedded in Boeing's factories. They have a constant back and forth with every manufacturer, but I'm just going to use Boeing as an example. Something has to go really wrong for them to ground a plane, right? And Boeing knows both why the plane was grounded and then they know exactly what they have to do to get it ungrounded. Anthropic has no idea how to get their model turned back on because there's no written standard here. This is not how the law is supposed to work in the United States of America. We are supposed to have laws that are written down, that are predictable that you can follow and then due process in the enforcement of that law.

If there was due process here, then most of the commercial models in the United States would be banned right now because almost every other commercial model can do what they are accusing Fable of being able to do here and it makes no sense because there's a ton of Chinese models that can do it too. So there's no possible national security argument for the action that was taken here. And so I think that's one of the problems of why it can't be turned on because the administration has taken a step for which there's no justification and for which then if their standard is Fable can never do anything cybersecurity related, then that is a ridiculous standard. It's also one they can't really justify because how do you justify that against all of the other models that are out there? And so I don't know how the White House backs down after setting such a spectacularly high standard without any kind of written justification.

It's quite possible we end up just in the lawsuit where Anthropic challenges the legal authority for them to do this. My understanding is the authority under IEEPA to do this is extremely, extremely thin. I don't think Anthropic wants to be in another legal fight on the verge of a potential IPO, but that might be their only option here if the White House doesn't find some way to back down.

Justin Hendrix:

I guess I'm wondering about the scenario that the White House seems to want to put in place with this kind of voluntary model, the different pieces of that, the involvement of the NSA, the kind of turning this into a sort of intelligence question almost primarily. Are these models kind of... Do they cross the threshold from a national security perspective being the kind of primary question that everyone's asking? I suspect that means that it'd be very hard to ultimately get access to the type of documentation or the kind of public understanding of where the risks are. Your example about the airplanes, for instance, we have mechanisms to see that work. The Congress gets to follow that. Regulatory agencies file documents, people can FOIA things. Is any of that going to necessarily happen if we kind of, I don't know, leave this all up to the three letter agencies and a handful of kind of White House connected bits and pieces?

Alex Stamos:

Yeah, I think that would... You're right, that would be a really non-transparent and a really silly way to do this. One, there's an incredible arrogance of this idea that the embedded in all of this is the idea that the United States is far, far ahead of everybody else in our foundation models. Just today, a model called GLM 5.2 was released by Z.ai, which is a Chinese lab. This is an open weight model. It is MIT licensed. Anybody can download the weights and use it however they want. This model is only a couple percentage points behind Opus 4.8 in a bunch of coding tasks. So it is by far the best open weight model for a bunch of coding tasks and is only a tiny little percentage point behind Opus 4.8 in lots of different tasks. This is going to be revolutionary for lots of people because practically it's not something that it's a very, very large model.

You cannot run it on normal hardware at home, but you can run it very cheaply at a number of providers. You don't have to run it at a Chinese data center, but you can run it in an American data center and people are going to be doing that because doing so will be much, much cheaper than using Opus 4.8, which is quite expensive. What are its security capabilities? There's no evals out yet, but we'll get them soon. It will be very interesting to see if its security capabilities are close to Opus 4.8. I guarantee it can do all the things that Fable was given the death penalty for. And so this idea that we should be doing these intense secret evaluations in Fort Meade while the Chinese are apparently able to do whatever they want and to ship these models and to lap the American AI industry is well beyond anything that was ever considered by the Biden administration and is really, really going to slow down innovation in the United States.

I think the Chinese are laughing at us in Beijing that we are kneecapping the AI industry at the moment of maximum pressure from the most aggressive adversary we have faced since the fall of the Soviet Union, perhaps even more aggressive than the Soviet Union if you think from an actual economic powerhouse perspective. And this is a really critical race for us to at least stay equal in. And so the idea that we have to control, control, control these models because we are obviously ahead is not so obvious to me and it's not so obvious to people who actually work in AI. It seems obvious to people in DC, but that is not based upon any kind of empirical fact.

Justin Hendrix:

So if you had 15 minutes with Lutnick and Cairncross, others, what would you ask them to do differently right now? How would you ask them to resolve this? What would you tell them they should do next?

Alex Stamos:

So I would tell them that I believe Anthropic has already made small tweaks to the classifier. I would say call that a victory. You can call it whatever you want, but you can say that you won, that you got Anthropic to make fixes, take away the export restrictions, and then move towards a regime where there are written safety rules that are imposed fairly and that are only imposed... That are enforced specifically on the ability to create full usable exploit chains. The ability to find bugs has become really cheap, right? It is the ability to create actual real working exploits that is what we should be concerned about at this point. In a year, this will all seem silly because the off the shelf open-weight Chinese stuff will be way past Mythos, but for this moment, that is probably what we need to be worrying about.

And then I would tell them what you need to be thinking about is not controlling these models. It is getting them in the hands of more American defenders. We are in a race against our adversaries to find and fix these bugs. We are in a race against our adversaries to build defenses and you are thinking about this completely the wrong way. You think we are winning. We are losing. So start thinking that we are behind and need to catch up. Do not pretend that we are way ahead and need to protect our place in the race. Start trying to catch up because you did something terrible last week and you kneecapped one of America's great champions. I know you don't like them, that you think they're San Francisco liberals, but they are one of the greatest companies that this country has ever produced. And if you destroy them, you will absolutely destroy the ability of the United States to compete against the People's Republic of China and you will give up the 21st century to the People's Republic of China.

You need to understand that and the Trump administration will be known as the presidential administration who lost the 21st century to China.

Justin Hendrix:

Alex, do you believe that we are in that type of existential race? And do you think that's where we're headed with this? I mean, I don't know. I struggle sometimes with how far to take this particular narrative. Is that really the case, where it's zero-sum in this way? Do you see it that way?

Alex Stamos:

I don't think it's totally zero-sum, but I don't think we can afford to just cede the field. I mean, I think what's going to happen is we will reach some kind of stable equilibrium where both the United States and China will end up with champions who have good enough models that are good enough for most things. I don't think it is okay for us to end up in a situation where US companies are just completely lapped. I think that would be an extremely bad outcome for us. It's not zero-sum in the same way other kind of races have been in that there can only be one winner, but I also think it would be a really bad outcome for the US to end up in a situation where our labs are not allowed to move forward and then we wake up one day and most of the world is running on Alibaba and Moonlight and Z.ai and such. And that would be, I think, a really bad outcome, not just for America, but honestly for the world.

Justin Hendrix:

And I think one of the things I struggle with these days is everyone's talking about democratic AI and the kind of American alternative to Chinese authoritarianism and repression. I'm not so convinced that our democracy is as strong as we might like it to be, necessarily that we're going to end up with a happy outcome in this country as well, which makes me, I don't know, almost concerned about investing too much in the idea that we're the true alternative and that we must retain that scenario.

Alex Stamos:

Well, unfortunately for the world, there's not a lot of alternatives, right? Mistral isn't really in the game and that's basically it, right? It's the three big US companies and four or five Chinese labs are really the only ones who are anywhere in the game at this moment. I wish this was like other situations where there is some nice cute Finnish alternative run by some cyberpunks with cute hair, but it's just like it's too capital and cost and research intensive for it to be the kind of technology. As of this moment, it's not the kind of thing that some courageous cypherpunks can do in a garage at this moment at least. It's still something that it costs billions and billions of dollars and takes a huge amount of power and training material and PhDs to be competitive in. And I am not happy with where our democracy is, that is for sure.

I also think the country's going to look very different in 30 months is my hope and we have to play the long game here because unfortunately People's Republic of China is not going to look that different in 30 months. I mean, that is the nice thing about American democracy is it does have the ability for renewal in a way I think some other systems do not. And so I'm just trying to be a little bit hopeful, right?

Justin Hendrix:

That's my last question. You already mentioned this, your paper does suggest that eventually we need regulations that are, you say, grounded in scientific evaluations, developed with input from industry and academia, created through a democratic rulemaking process enforced transparently and fairly with appropriate time given to remediate and used only to the minimal extent necessary to ensure the safety of the American public. I mean, these seem like very common sense things. In some ways they do sort of sound a bit like the Biden era approach. Is that what we need to do, go back to the Biden era approach or is there a different paradigm that you think that we need to consider?

Alex Stamos:

So I mean, honestly, I mean, that was the proposal is if we're going to have regulations, it should be like that. I think in the end, regulations of the core models are not going to be useful because of the open weight models. And so regulating the foundation models themselves is not going to have the impact people are going to want. From my perspective where I sit, the place where we first need regulation is in the actual consumer use. That's where the vast majority of harm is happening.

We've talked all this time about cyber harms and kind of big picture, lots of people worry about the big existential harms, but what's really hurting people is the much smaller scale individual harms that don't get the press coverage, that's the nudifier apps, it's the people who are falling in love with their chatbots, it's the AI psychosis and that's about either if not regulation, the creation of liability regimes that are much more appropriate for the AI era than the social media era of making sure that the companies that apply AI are doing so responsibly and that's much less about the core models and much more about how those models are used and retrained and such.

A lot of that stuff is actually using open weight models because they have way fewer safety protections built in and so regulating the foundation labs doesn't get you much. And from where I sit, those kinds of harms are actually much more real right now than a lot of the... I mean, there's significant cyber risks for sure. I just think those things are much harder to regulate. That's just something we have to take care of in our industry, in the cyber industry. We have to build defenses. We have to get ready for adversaries. When we talk about teenagers committing suicide because somebody built a chatbot that is intentionally addictive and then that chatbot suggests that they take their own life so that they can join the chatbot in the afterlife. That is something for which I think a regulatory response is totally appropriate.

Justin Hendrix:

Alex Stamos, thank you so much for joining me.

Alex Stamos:

Yeah, thanks Justin.


Authors

Justin Hendrix
Justin Hendrix is CEO and Editor of Tech Policy Press, a nonprofit media venture concerned with the intersection of technology and democracy. Previously, he was Executive Director of NYC Media Lab. He spent over a decade at The Economist in roles including Vice President of Business Development & In...
