An open letter: On transparent AI cyber protections

Executives and technical leaders from the US and its allies urge Commerce Secretary Lutnick and National Cyber Director Cairncross to lift export controls on Anthropic's Fable and Mythos AI models, arguing the restrictions harm defenders while adversaries advance. The letter claims the models are not uniquely capable for cyber offense and calls for transparent, science-based AI risk assessments.

Dear Secretary Lutnick and National Cyber Director Cairncross,

We, the undersigned executives and technical leaders from across the United States and its allies, write to you to ask you to lift the export control directives on Anthropic’s Fable and Mythos large language models and commit to an open, scientific and transparent process of handling AI risk assessments in the future.

First, we would like to state that we believe that:

- AI is having significant impacts on cybersecurity, including by greatly reducing the difficulty of finding flaws in software and writing exploits for those flaws.
- Anthropic’s Mythos-class models are quite good at finding flaws and weaponizing exploits.
- However, they are not uniquely good at these tasks, and many of the undersigned individuals regularly use other foundation and open-source models for security audits and red-teaming every day.
- Anthropic has built multiple protections https://www-cdn.anthropic.com/d00db56fa754a1b115b6dd7cb2e3c342ee809620.pdf into the Fable model to prevent its use for cyber offensive uses. These protections were so aggressive as to be the source of humor in the cyber community on launch day.
- It is essential to provide AI to coders and security teams so they can find and fix flaws in their own newly-written as well as decades of legacy code faster than our adversaries.
- The Chinese open-weight models are only months behind the best American models https://artificialanalysis.ai/ , and those are the models we know about. It seems likely that the PRC government has access to private capabilities beyond what has been published.
- To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous.

It is our understanding that underlying model capabilities in the original research that triggered this action:

- Were focused on determining whether a human-prompted section of code was insecure. This is a necessary capability in any model that is intended to write secure code and should not be considered an offensive capability.
- Can be replicated on GPT-5.5, Opus, Sonnet and even Chinese models like Kimi 2.7.

The justification for this unprecedented action was that Fable provides a unique “uplift” of capabilities beyond other AI models, but AI has been finding bugs and generating working exploits at superhuman levels since last year.

Anthropic is addressing the research. As security professionals, we recognize that our work does not lead to a simple end-state where a system is fully safe, and the purpose of research like this is to enable continuous improvement, not to ban the technology.

As a result, this action has taken the best models away from defenders, created market uncertainty, and risked America’s AI leadership without any real risk to justify it.

Not all of us agree that AI regulation is the right way forward. But if this Administration’s laudable goal of securing our nation’s critical infrastructure is going to include models being regulated, then the regulations should be:

- Grounded in scientific evaluations developed with input from industry and academia;
- Created through a democratic rule-making process;
- Enforced transparently and fairly with appropriate time given to remediate; and
- Used only to the minimal extent necessary to ensure the safety of the American public.

Thank you for your consideration and partnership in helping us maintain America’s lead in technology while protecting critical software and systems.

Signed,

Affiliations are included for reference only and do not indicate organizational endorsement.

- Alex Stamos https://www.linkedin.com/in/alexstamos/ Chief Product Officer, Corridor https://corridor.dev
- Derek Abdine https://www.linkedin.com/in/derekabdine/ CEO, Furl https://furl.ai
- Feross Aboukhadijeh https://www.linkedin.com/in/feross/ CEO, Socket https://socket.dev
- Ben Adida https://www.linkedin.com/in/benadida Executive Director, VotingWorks https://voting.works
- Iftach Ian Amit https://www.linkedin.com/in/iamit/ Former CSO, Founder and CEO at Gomboc.ai https://gomboc.ai
- Omkhar Arasaratnam https://www.linkedin.com/in/omkhar/
- Matthew Areno https://www.linkedin.com/in/matthew-areno-phd CTO
- Abhishek Arya https://www.linkedin.com/in/abhishek-arya-a565373 Principal Engineer, Google https://www.google.com and Founder, OSS-Fuzz https://github.com/google/oss-fuzz
- James Nicholas Ashworth https://www.linkedin.com/in/james-ashworth-5a49bb266/ AI Village https://aivillage.org
- Emily Austin https://www.linkedin.com/in/emilylaustin/ Principal Security Researcher
- Megan Baker https://www.linkedin.com/in/megan-gillikin-baker/ CISO, Georgian https://georgian.io
- Kevin Bankston https://www.linkedin.com/in/kevinbankston/ Senior AI Governance Advisor, Center for Democracy & Technology https://cdt.org
- Kurt Baumgartner https://www.linkedin.com/in/kurtbaumgartner/ Co-Founder, TLPBLACK https://tlpblack.net
- Andrew Becherer https://www.linkedin.com/in/andrewbecherer/ CISO, Socket https://socket.dev
- Brian Behlendorf https://www.linkedin.com/in/brianbehlendorf/ Open Source Pioneer
- Anthony Bettini https://www.linkedin.com/in/anthonybettini/ CEO, VulnCheck https://www.vulncheck.com
- Manish Bhatt https://www.linkedin.com/in/manishbhatt132123/ 0-day Connoisseur, OWASP https://owasp.org
- Matt Bishop https://www.linkedin.com/in/matt-bishop-427104/ Distinguished Professor, University of California Davis https://www.ucdavis.edu
- Christopher Bleckmann-Dreher https://de.linkedin.com/in/christopher-bleckmann-dreher-18a14220 Principal Offensive Security, Mercedes-Benz https://www.mercedes-benz.com
- JP Bourget https://www.linkedin.com/in/jpbourget/ CEO, Blue Cycle https://www.bluecycle.net
- Aaron Brown https://www.linkedin.com/in/aaronwaynebrown/ Head of Security, Mercor https://mercor.com
- Jack Cable https://www.linkedin.com/in/jackcable/ CEO & Co-founder, Corridor https://corridor.dev
- Jon Callas https://www.linkedin.com/in/joncallas/ Indiana University https://www.iu.edu
- Justin Calmus https://www.linkedin.com/in/jcalmus/ CISO
- Jeffrey Caruso https://www.linkedin.com/in/jeffreycaruso/ Author and Researcher
- Sven Cattell https://www.linkedin.com/in/sven-cattell-5748a311/ AI Village https://aivillage.org
- Jason Chan https://www.linkedin.com/in/jasonbchan Retired CISO
- Anupam Chander https://www.linkedin.com/in/anupam-chander-0a00562/ Professor of Law and Technology, Georgetown https://www.georgetown.edu
- Matthew Creager https://www.linkedin.com/in/matthewcreager Co-Founder, Keycard https://keycard.ai
- Andrew Cunje https://www.linkedin.com/in/andrc/ CISO, Appian https://www.appian.com
- Dino A. Dai Zovi https://www.linkedin.com/in/dinodaizovi
- J. Michael Daniel https://www.linkedin.com/in/j-michael-daniel-cta President & CEO, Cyber Threat Alliance https://www.cyberthreatalliance.org
- Sam Davison https://www.linkedin.com/in/samantha-davison-77903421/
- Drew Dennison https://www.linkedin.com/in/drewdennison/ CTO & Co-Founder
- Justin Dolly https://www.linkedin.com/in/justindolly/ Chief Security Officer, Ory Corp https://www.ory.sh
- Justin D'Souza https://www.linkedin.com/in/jqdsouza/ CEO, Asymptote Labs https://asymptotelabs.ai
- Donald E. Eastlake 3rd https://www.linkedin.com/in/eastlake/ Principal Engineer
- Moona Ederveen-Schneider https://www.linkedin.com/in/mederveen/ Founder, Resilia Connect
- Casey John Ellis https://www.linkedin.com/in/caseyjohnellis/ Founder, disclose.io https://disclose.io and Bugcrowd https://www.bugcrowd.com
- Gary Ellison https://www.linkedin.com/in/garyellison/ Former VP Trust and Product Security
- Chris Eng https://www.linkedin.com/in/realchriseng Cybersecurity Executive
- Maggie Engler https://www.linkedin.com/in/maggie-engler/
- Sergej Epp https://www.linkedin.com/in/sergejepp/ Multi-CISO
- Gadi Evron https://www.linkedin.com/in/gadievron/ Founder and CEO, Knostic https://www.knostic.ai
- Ed Felten https://www.cs.princeton.edu/~felten/ Co-founder and Chief Scientist, Offchain https://www.offchainlabs.com ; former Deputy U.S. CTO
- Jaime Figueres https://www.linkedin.com/in/jfigueres/ President, Fundación Costarricense de Inteligencia Artificial Responsable FAIR Costa Rica
- Joe FitzPatrick https://www.linkedin.com/in/securelyfitz/ Founder, SecuringHardware.com https://securinghardware.com
- Robert Fly https://www.linkedin.com/in/robertfly/ CEO/Co-Founder, detections.ai https://detections.ai
- Richard F. Forno https://rickf.org/ Teaching Professor, UMBC https://www.umbc.edu
- Erick Galinkin https://www.linkedin.com/in/erickgalinkin/ AI Security Research Scientist
- Harley Geiger https://www.linkedin.com/in/harleylorenzgeiger/
- Steve Gentry https://www.linkedin.com/in/scgentry/ CISO
- Daniel Gorecki https://www.linkedin.com/in/dangorecki/ CISO/Founder, NGC Risk https://ngcrisk.com
- Andy Grant https://www.linkedin.com/in/andywgrant/ Head of Security Assurance, Zoom https://zoom.us
- Yael Grauer https://www.linkedin.com/in/yaelgrauer/
- Matthew D. Green https://www.linkedin.com/in/matthew-green-47850018 Associate Professor, Johns Hopkins University https://www.jhu.edu
- Joseph Lorenzo Hall https://www.linkedin.com/in/josephhall Distinguished Technologist, Internet Society https://www.internetsociety.org
- Arabella Hallawell https://www.linkedin.com/in/arabella-hallawell-438243/ CMO, Sovera Security
- Andrew Hay https://www.linkedin.com/in/andrewhay/ COO, Damovo https://www.damovo.com
- Tyler Healy https://www.linkedin.com/in/tyler-healy-93528a18/ CISO, DigitalOcean https://www.digitalocean.com
- Ariel Herbert-Voss https://www.linkedin.com/in/adversariel/ CEO, RunSybil https://www.runsybil.com
- Michael Hicks https://www.linkedin.com/in/mike-hicks-a053311 Cecilia Fitler Moore Professor and Director of the Schlein Center for Cybersecurity, University of Pennsylvania https://www.upenn.edu
- Cyrus Hodes https://www.linkedin.com/in/hodes/ Co-founder, Stability AI https://stability.ai , Venture Partner Lionheart Ventures https://www.lionheart.vc
- Christofer Hoff https://www.linkedin.com/in/choff/ Cyber Security Executive
- Keith Hoodlet https://www.linkedin.com/in/securingdev/ Director, Security Research
- Rick Howard https://www.linkedin.com/in/rickhoward/ CEO, Cybersecurity Canon Project https://cybercanon.org
- Jared Hunter https://www.linkedin.com/in/rocketjared/ Rocket Software, Inc. https://www.rocketsoftware.com
- Mikko Hypponen https://www.linkedin.com/in/hypponen/ CRO, Sensofusion Finland https://sensofusion.com
- Vlad Ionescu https://www.linkedin.com/in/vladionescu0000000000/ CTO, RunSybil https://www.runsybil.com
- Dipendra Jain https://www.linkedin.com/in/dipendrajain Founder
- Jeevan Jutla https://www.linkedin.com/in/jeevan-jutla/ CEO, Gecko Security https://gecko.security
- Chad Kalmes https://www.linkedin.com/in/chadkalmes CISO, Benchling https://www.benchling.com
- Dhillon Kannabhiran https://www.linkedin.com/in/l33tdawg/ Founder, Hack In The Box https://www.hitb.org
- Eoin Keary https://www.linkedin.com/in/eoinkeary/ CEO & Founder, Edgescan https://www.edgescan.com
- Jake King https://www.linkedin.com/in/jakeking1/ Founder, Minimal Software Research
- Dr. Joseph Kiniry https://www.linkedin.com/in/kiniry/ CEO and Chief Scientist, Sigil Logic
- Jonathon Klobucar https://www.linkedin.com/in/klobucar/ Security Engineer
- Benjamin Knauss https://www.linkedin.com/in/racter/ CEO, Racter Holdings https://racterholdings.com
- Mitja Kolsek https://www.linkedin.com/in/mitjakolsek/ 0patch https://0patch.com co-founder
- Martin Koopman https://www.linkedin.com/in/martinkoopman/ Managing Director, Aditat AI
- Madeline Lawrence https://www.linkedin.com/in/madelinelawren/ Co-Founder, Aikido Security https://www.aikido.dev
- Nate Lee https://www.linkedin.com/in/natetrustmind/ CEO/Founder, TrustMind https://trustmind.com and CloudsecAI https://cloudsec.ai
- Joe Levy https://www.linkedin.com/in/j0313vy/ CEO, Sophos https://www.sophos.com
- Ian Livingstone https://www.linkedin.com/in/irlivingstone/ CEO
- Max Loeffler https://www.linkedin.com/in/maxsloef/ Researcher, Goodfire https://www.goodfire.ai
- Dan Lorenc https://www.linkedin.com/in/danlorenc/ CEO, Chainguard https://www.chainguard.dev
- Mark Loveless https://www.linkedin.com/in/markloveless/ Security Architect
- Myke Lyons https://www.linkedin.com/in/mykelyons CISO, Cribl https://cribl.io
- Greg Martin https://www.linkedin.com/in/gregcmartin/ CEO of Ghost Security https://ghost.security
- Ross Matican https://www.linkedin.com/in/ross-matican Investor, Halcyon Ventures https://halcyonfutures.org
- Jack McGivney https://www.linkedin.com/in/jackmcgivney/ CISO, Anaplan https://www.anaplan.com
- Jeff McJunkin https://www.linkedin.com/in/jeffmcjunkin/ SANS https://www.sans.org Instructor and Author
- Ross McKerchar https://www.linkedin.com/in/ross-mckerchar-42bb548 CISO, Sophos https://www.sophos.com
- Sandra McLeod https://www.linkedin.com/in/sandra-mcleod-7a6a61b/ CISO, Zoom Communications https://zoom.us
- Amanda Minnich https://www.linkedin.com/in/amandajeanminnich AI Security Researcher, Microsoft https://www.microsoft.com
- Rich Mogull https://www.linkedin.com/in/richmogull/ Analyst, Security Executive
- Joe Moles https://www.linkedin.com/in/josephmoles CTO, Furl https://furl.ai
- Christopher Monson, Ph.D. https://www.linkedin.com/in/chrismonson Founding Engineer, Abundant Security https://www.ssil.ai
- Katie Moussouris https://www.linkedin.com/in/kmoussouris/ CEO, Luta Security https://www.lutasecurity.com
- Vinh Nguyen https://www.linkedin.com/in/vxnguyen Former Chief Responsible AI Officer, National Security Agency https://www.nsa.gov
- T.C. Theodore Niedzialkowski https://www.linkedin.com/in/tc-niedzialkowski/ CISO, Head of Security & IT; former Opendoor https://www.opendoor.com , Nextdoor https://nextdoor.com , Federal Reserve https://www.federalreserve.gov National Incident Response Team
- Charles Nwatu https://www.linkedin.com/in/cnwatu/ Security Leader, GRC Engineering
- Dave Ockwell-Jenner https://www.linkedin.com/in/daveoj Head of Information Security, Narvar https://www.narvar.com
- Carey Parker https://www.linkedin.com/in/firewall-dragons/ Firewalls Don't Stop Dragons https://firewallsdontstopdragons.com
- Efrain Orsini Jr https://www.linkedin.com/in/eorsinijr/ Director of Security Operation & Deputy CISO, SilverSky https://silversky.com
- Bryan Payne https://www.linkedin.com/in/bdpayne/
- Vesko Pehlivanov https://www.linkedin.com/in/pehlivanov/
- Stephen D Pelletier https://www.linkedin.com/in/stephenpelletier/ CEO
- John Peterson https://www.linkedin.com/in/john-peterson-a7b82814/ CTO, Sophos https://www.sophos.com
- Riana Pfefferkorn https://www.linkedin.com/in/riana-pfefferkorn-2b93651/ Policy Fellow, Stanford HAI https://hai.stanford.edu
- Niels Provos https://www.linkedin.com/in/nielsprovos/ Security Blueprints LLC
- Nils Puhlmann https://www.linkedin.com/in/npuhlmann CISO
- Muralidharan Ramachandran https://www.linkedin.com/in/muralidharan-ramachandran-9239992/ Founder & Strategic Advisor
- Ashwin Ramaswami https://www.linkedin.com/in/ashwin-r CTO & Co-founder, Corridor https://corridor.dev
- Jason Rebholz https://www.linkedin.com/in/jrebholz/ CEO, Evoke Security https://www.evokesecurity.com
- Gavin Reid https://www.linkedin.com/in/gavinsreid/ CISO, Human Security https://www.humansecurity.com
- Jonathan Reiter https://www.linkedin.com/in/jonathan-reiter-sec670/
- Mark Risher https://www.linkedin.com/in/mrisher/ Fmr. Head of Google https://www.google.com Identity
- Esteban Rodriguez https://www.linkedin.com/in/estebanxrodriguez
- Marc Rogers https://www.linkedin.com/in/marcrogers CTO, NBHD.ai https://nbhd.ai
- Olivia Rose https://www.linkedin.com/in/oliviarosecybersecurity/ CISO
- Jason Ross https://www.linkedin.com/in/algorythm OWASP https://owasp.org GenAI Red Team co-lead
- Jim Routh https://www.linkedin.com/in/jmrouth Advisor
- Bob Rudis https://www.linkedin.com/in/hrbrmstr/ Distinguished Engineer, Applied AI
- Dragos Ruiu https://www.linkedin.com/in/dragosruiu CanSecWest https://cansecwest.com
- Mike Sample https://www.linkedin.com/in/mikesample/ CTO, Minimal.dev Software https://minimal.dev
- Chris Sandulow https://www.linkedin.com/in/csandulow/ CISO, Confluent https://www.confluent.io
- Joshua Saxe https://www.linkedin.com/in/joshsaxe/ Co-Founder, Abundant Security https://www.ssil.ai
- Ty Sbano https://www.linkedin.com/in/tysbano/ CISO, Webflow https://webflow.com
- Alex Schapiro https://www.linkedin.com/in/aschap/ Co-Founder, Strix https://usestrix.com
- Bruce Schneier https://www.schneier.com Harvard University https://www.harvard.edu and the University of Toronto https://www.utoronto.ca
- Cory Scott https://www.linkedin.com/in/coryscottlinkedin/ Center for Cybersecurity and Privacy Protection https://www.law.csuohio.edu/academics/centersandprograms/cybersecurity , CSU|LAW; Former CISO
- Joshua Scott https://www.linkedin.com/in/joshuascott/ CISO, Hydrolix https://hydrolix.io
- James Shank https://www.linkedin.com/in/jamesshank Director of Threat Operations, Expel https://expel.com
- Akram Sheriff https://www.linkedin.com/in/akram-sheriff-81749316/ Co-Founder/CTO Ex-Cisco Systems, Ex-Hippocratic.ai
- Ram Shankar Siva Kumar https://www.linkedin.com/in/rssk Affiliate, Berkman Klein Center for Internet and Society https://cyber.harvard.edu at Harvard University
- Matthew Southworth https://www.linkedin.com/in/matthew-southworth/ CSO, Priceline https://www.priceline.com
- Eugene H. Spafford https://www.linkedin.com/in/spafford Distinguished Professor, Purdue University https://www.purdue.edu
- John N Stewart https://www.linkedin.com/in/john-n-stewart/ President, Talons Ventures
- John Stringer https://www.linkedin.com/in/jastringer/ Divisional CTO, ImageNet Consulting https://www.imagenetconsulting.com
- Talha Tariq https://www.linkedin.com/in/talhatariq/ Chief Technology Officer Security, Vercel https://vercel.com
- Glenn Thorpe https://www.linkedin.com/in/glennthorpeiii Sr. Director – Applied AI, Intelligence
- Per Thorsheim https://www.linkedin.com/in/thorsheim/ Founder, PasswordsCon https://www.passwordscon.org
- Rachel Tobac https://www.linkedin.com/in/racheltobac/ CEO, SocialProof Security https://www.socialproofsecurity.com
- Emily Vandewater https://www.linkedin.com/in/emily-vandewater/ vCISO, Elteni Cybersecurity Consulting https://www.elteni.com
- John Villasenor https://johnvillasenor.com/ Professor of Electrical Engineering, Law, and Public Policy, UCLA https://www.ucla.edu
- Paul Vixie https://www.linkedin.com/in/paulvixie/ Internet Pioneer
- Jason Waits https://www.linkedin.com/in/jason-waits/ CISO, Inductive Automation https://inductiveautomation.com
- Nancy Wang https://www.linkedin.com/in/wangnancy/ Venture Partner, Felicis Ventures https://www.felicis.com
- Steven Weber https://www.linkedin.com/in/steven-weber-3a3156/ Professor of the Graduate School, UC Berkeley School of Information https://www.ischool.berkeley.edu
- Tarah Wheeler https://www.linkedin.com/in/tarah/ Chief Security Officer, TPO Group https://www.tpo.group
- Jeff Williams https://www.linkedin.com/in/jwill5333/ CISO, Sigma360 https://www.sigma360.com
- Royce D. Williams https://www.linkedin.com/in/roycewilliams/ public-interest technologist
- Dave Willner https://www.linkedin.com/in/davewillner/ Cofounder, Zentropi https://zentropi.ai
- Allen Wilson https://www.linkedin.com/in/allenmwilson/ 3x CISO
- Beau Woods https://www.linkedin.com/in/beauwoods Founder/CEO, Stratigos Security https://stratigossecurity.com
- Chris Wysopal https://www.linkedin.com/in/wysopal/ Co-founder, Veracode https://www.veracode.com
- Josh Yavor https://www.linkedin.com/in/joshyavor/ CEO, Credible Security https://credible.security
- Philip Zimmermann https://philzimmermann.com Associate Professor Emeritus of Cybersecurity, Delft University of Technology https://www.tudelft.nl