The crypto wars lasted forty-five years and taught one lesson: access restriction constrains defenders more than attackers. AI offensive capability is the next chapter — and the answer is the same.
In January 2026, a seventeen-year-old remote code execution vulnerability sat undiscovered in FreeBSD’s NFS implementation. CVE-2026-4747 required chaining six sequential RPC requests through a stack buffer overflow in the RPCSEC_GSS authentication protocol. It had survived every human security review for nearly two decades. An AI model found it in a single run, for under fifty dollars.
That was one vulnerability in one target. Across roughly a thousand open-source repositories from the OSS-Fuzz corpus, Anthropic’s Claude Mythos Preview found exploitable zero-day vulnerabilities in every major operating system and every major web browser. Against Firefox 147 alone, it produced 181 working exploits where its predecessor managed two. Against ten separate, fully patched targets, it achieved complete control flow hijack — the most severe outcome in vulnerability research. It found a TCP SACK flaw in OpenBSD that had been present for twenty-seven years (Anthropic, red.anthropic.com, April 2026; Cloud Security Alliance, April 2026).
The capability question is settled. The question nobody has answered well enough is the one that comes after: when someone uses this capability, can they prove what they did with it?
Anthropic’s response was access restriction. Project Glasswing, announced April 6, 2026, limits Mythos Preview access to a consortium of major technology companies — Amazon, Apple, Cisco, CrowdStrike, Google, Microsoft, among others — backed by a hundred million dollars in usage credits and ninety-day reporting commitments (Fortune, April 7, 2026).
This is responsible. It may also be historically doomed.
The CSA’s own analysis contains the finding that should keep Glasswing’s architects up at night: Mythos’s offensive capabilities “emerged as a downstream consequence of general improvements in coding ability, planning, and autonomous tool use” — not from targeted security training. Every laboratory improving general coding benchmarks is inadvertently building offensive capability. You cannot gate a capability that arises spontaneously from making code assistants better at writing code.
And the asymmetry cuts the wrong way. Offensive use requires access and intent. Defensive use requires organizational readiness, patching infrastructure, and the ability to act on findings at speed. Enterprise patching operates on weekly or monthly cycles. AI-discovered vulnerabilities become exploitable in hours. Restricting the scanning tool to a handful of companies leaves roughly ten million other organizations with internet-facing infrastructure using weaker alternatives — while attackers use whatever they can access.
We have seen this exact pattern before. We watched it play out for forty-five years.
In 1954, the United States classified encryption as a munition under the U.S. Munitions List — subject to State Department export control, same legal category as bombs and tanks. The logic was identical to Glasswing’s: a dual-use technology too dangerous for unrestricted distribution, best confined to vetted hands.
For four decades, the policy held. Then three things broke it.
First, commercial demand. The Data Encryption Standard, proposed by NBS in 1975, created legitimate enterprise needs that the export-control regime could not accommodate without what officials acknowledged were “serious problems.” Second, individual defiance. In 1991, Phil Zimmermann distributed Pretty Good Privacy — strong encryption — for free on the internet, the first major individual-level challenge to export controls. He was investigated for three years. No charges were filed.
Third — and this is the part most accounts of the crypto wars skip — the restrictions backfired. Netscape Navigator shipped in two versions: a domestic edition with 1024-bit RSA and 128-bit symmetric encryption, and an international edition with 512-bit RSA and 40-bit symmetric encryption that, as the documentation acknowledged, “can currently be broken in a matter of days.” Most American users ended up with the international edition, because obtaining the domestic version required navigating an export-control bureaucracy that few individuals or small organizations could manage.
Access restriction did not just fail to contain strong encryption. It actively weakened the encryption that defenders used.
The courts finished the job. In Bernstein v. United States and Junger v. Daley, federal courts ruled that cryptographic source code was protected speech under the First Amendment. Combined with the widespread availability of encryption software outside U.S. jurisdiction, the restrictions were unenforceable. Between 1996 and 2000, the Clinton administration dismantled most commercial encryption export controls.
The crypto wars are sometimes told as a story about freedom winning. They are more accurately a story about access restriction’s specific failure mode: it constrains defenders more than attackers. Attackers are willing to break rules. Defenders need legal, auditable, compliant tools. When you restrict the tool, you create a world where attackers use it freely and defenders cannot.
The resolution was not unrestricted capability. It was trust architecture.
Today, the entire internet runs on encryption that would have sent Phil Zimmermann to prison in 1991. Every HTTPS connection, every SSH session, every encrypted message uses the strong cryptographic tools that the U.S. government once classified alongside cruise missiles. The dual-use problem was real — encryption does protect criminals and intelligence services alongside ordinary citizens. But it was solved.
Not by restricting cryptographic capability. By building infrastructure around it.
Public key infrastructure. Certificate authorities. Key management systems. Revocation lists. Audit trails. The conceptual shift was from “who has the capability?” to “can you prove how the capability was used?” A certificate authority does not prevent malicious encryption. It makes the encrypted connections that people depend on daily verifiable, traceable, and auditable. Malicious use stands out precisely because legitimate use can prove itself.
The equivalent infrastructure for AI offensive tools does not yet exist. NIST recognized the gap formally when its Center for AI Standards and Innovation launched the AI Agent Standards Initiative in February 2026. They proposed an accountability framework spanning four dimensions: identification, authorization, auditing, and non-repudiation. Their assessment was direct: existing SP 800-53 security control families contain no controls designed for distinguishing an AI agent from a human operator, scoping agent permissions to a defined task, or linking agent actions to a non-human principal for forensic attribution.
MITRE arrived at the same conclusion from the adversary’s direction. The February 2026 ATLAS v5.4.0 update added techniques specifically targeting the agentic tool ecosystem — “Publish Poisoned AI Agent Tool” and “Escape to Host” — cataloging how agent systems with code execution capabilities break out of their intended operational context.
The frameworks exist. The accountability dimensions are named. What is missing is the infrastructure that ties them together — the equivalent of what PKI did for encryption.
Before Mythos existed, the dual-use problem had already manifested with weaker models.
In 2025, Anthropic’s threat intelligence team documented a state-sponsored espionage campaign targeting roughly thirty organizations across technology, finance, chemicals, and government sectors. Eighty to ninety percent of operations were conducted autonomously by jailbroken AI coding tools. Four organizations were successfully breached. Detection occurred weeks into the campaign; the accounts were banned after a ten-day investigation (Anthropic, “Detecting and Countering Malicious Uses of Claude,” 2025; CSA Research Note, April 2026).
The detail that reframes the problem: despite that autonomous success rate, the campaign included “hallucinated credentials and incorrect assertions about exfiltrated materials.” The AI was simultaneously effective enough to breach four organizations and unreliable enough to fabricate credentials for systems it had already compromised.
The dual-use problem is not about perfect tools in the wrong hands. It is about cheap, scalable, imperfect-but-effective tools deployed at volume. Access restriction optimizes against the wrong threat model. It imagines a world where a small number of sophisticated actors gain access to a restricted capability. The reality is a world where capability sufficient for real damage is available for the cost of an API key and a jailbreak — deployed before the restricted model even exists.
Mozilla — the organization whose browser was the target of 181 working exploits — responded not with alarm but with something unexpected.
“Defenders finally have a chance to win, decisively,” their security engineering team wrote in April 2026. “The defects are finite, and we are entering a world where we can finally find them all.” Their independent validation backed the claim: using Mythos Preview against Firefox 150, they identified 271 vulnerabilities, and assessed that the model was “every bit as capable as the world’s best security researchers” across all vulnerability categories and complexity levels.
Their argument is structural. Cybersecurity has been offensively dominant because attackers need only one weakness while defenders must protect everything. AI changes the calculus. If defenders can audit codebases comprehensively — finding not some bugs but all of them — the advantage flips permanently.
But the argument carries a condition. Defense at this scale requires powerful scanning tools deployed widely, not restricted narrowly. Mozilla is not arguing for locking up Mythos. They are arguing that the capability itself, deployed defensively with accountability, makes systems safer. They can make this claim because their use is accountable: a public bug tracker, a coordinated disclosure process, Firefox releases documenting every fix. An attacker using the same tool produces no such trail.
The differentiator is not the tool. It is the infrastructure of accountability around the tool.
Markets are already pricing the gap between capability and accountability.
Fitch reported in April 2026 that AI use in cybersecurity could expose short-term coverage holes in cyber insurance. Carriers are introducing explicit AI exclusions — not because they object to the technology, but because they cannot price what they cannot observe. Most existing cyber policy language was written for a world where humans made decisions and the question was whether they made them negligently. Autonomous agents making thousands of decisions per second do not fit that framework.
The trajectory is visible. Today, AI security riders require “documented evidence” of adversarial testing — PDF reports and self-attestations. Tomorrow, they will require verifiable evidence: cryptographic proof that specific actions occurred within a specific scope under specific authorization. Insurers do not care who has the tool. They care whether use of the tool is provable and auditable.
The economics are straightforward. A scanning run that discovers a critical zero-day costs under fifty dollars. The liability exposure from an unaccountable security engagement — where the agent exceeded scope and the firm cannot demonstrate otherwise — dwarfs that figure by orders of magnitude.
The crypto wars analogy is imperfect, and the imperfections matter.
First, the capability gap is narrower than it looks. Forty-bit encryption was meaningfully weaker than 128-bit, but a model that produces 181 exploits is not meaningfully less dangerous than one producing 200. The distance between the restricted and unrestricted versions of AI offensive capability may be smaller than the distance between weak and strong encryption — which means access restriction buys less time than it did for cryptography.
Second, the timeline is compressed. The crypto wars played out over forty-five years. The gap between two Firefox exploits and 181 represents a single generation of model improvement. The infrastructure has to be built in months, not decades.
Third, encryption was designed. AI offensive capability emerged accidentally, as a side effect of improving code assistants. The crypto wars had identifiable chokepoints: specific algorithms, specific software packages. The AI equivalent would require restricting general-purpose reasoning improvement — a category that encompasses nearly all frontier research.
And the crypto wars were a largely American story. The trust architecture that succeeded — PKI, certificate authorities, the Wassenaar Arrangement for international coordination — was built within Western institutional frameworks. AI capability is emerging globally, from laboratories operating under different regulatory environments and disclosure norms. The trust infrastructure this time will require broader coordination, and the crypto wars offer both a model (Wassenaar worked for a generation) and a warning (its subsequent fragility under geopolitical pressure).
Each imperfection makes the case for trust architecture more urgent, not less. If restriction buys less time, the infrastructure must be built sooner. If the timeline is compressed, waiting is costlier. If there are no chokepoints to control, the only remaining lever is on the accountability layer — proving what happened, not preventing what might.
CVE-2026-4747 exists because an AI spent fifty dollars’ worth of compute finding a vulnerability that human security researchers missed for seventeen years. That capability will not be un-invented. The next generation of offensive AI tools will be more capable, cheaper, and more widely available.
The dual-use problem is not a capability problem. That question was settled when the price dropped to fifty dollars. It is not a distribution problem. Open-source models have already made the capability global. It is not an access-restriction problem. Forty-five years of the crypto wars answered that: you cannot contain a commodity capability with a licensing regime.
It is a trust-architecture problem. The durable question is not who has the tool. It is: can you prove what happened when you used it?
The crypto wars taught us that the answer to a fifty-dollar capability is not a hundred-million-dollar gate. It is the infrastructure that makes the surgeon’s work distinguishable from the wound.
Sources: Anthropic, “Claude Mythos Preview,” red.anthropic.com (April 2026). Cloud Security Alliance, “CSA Research Note: Claude Mythos and the Autonomous Offensive Threshold” (April 2026). Mozilla, “The Zero-Days Are Numbered,” blog.mozilla.org (April 2026). Fortune, “Anthropic Is Giving Some Firms Early Access to Claude Mythos” (April 7, 2026). NIST CAISI, “AI Agent Standards Initiative” (February 2026). MITRE, ATLAS v5.4.0 (February 2026). Anthropic, “Detecting and Countering Malicious Uses of Claude” (2025). Insurance Journal, “AI Use in Cybersecurity Could Show Holes in Short Term, Says Fitch” (April 16, 2026). Wikipedia, “Export of cryptography from the United States.”
The infrastructure that makes the surgeon distinguishable from the wound already exists.
The essay’s argument reduces to one question: when your agent uses a powerful capability, can you prove what happened? Chain of Consciousness answers it. CoC creates a cryptographic, tamper-evident, hash-linked provenance chain for every action an agent takes — identity verified, scope documented, outcomes anchored to Bitcoin for non-repudiation. It is the accountability layer the essay argues is missing: not restricting who holds the tool, but proving how it was used. When the insurer asks, when the regulator audits, when the post-hoc review comes — the record is there.
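The hash-linked, tamper-evident record described above can be sketched in a few lines of Python, which is also one shape the insurers' "verifiable evidence" of scope and authorization could take. This is an added example, not code from the essay and not the chain-of-consciousness package's API; the record fields, scope list, agent name and key are assumptions, and the HMAC tag stands in for the asymmetric signature and external anchoring that real non-repudiation needs.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "prev" value of the first record

def record_digest(body):
    # Canonical JSON so identical records always hash identically.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def record_tag(key, digest):
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def append(chain, key, agent, scope, action, target):
    """Log one agent action, flagged against the authorized scope."""
    body = {"seq": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS,
            "agent": agent, "scope": sorted(scope), "action": action,
            "target": target, "in_scope": target in scope}
    digest = record_digest(body)
    chain.append(dict(body, hash=digest, tag=record_tag(key, digest)))

def verify(chain, key):
    """Return (seq, problem) findings; an empty list means a clean record."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("hash", "tag")}
        if rec["seq"] != i or rec["prev"] != prev:
            findings.append((i, "broken link"))
        if record_digest(body) != rec["hash"]:
            findings.append((i, "content altered"))
        if not hmac.compare_digest(record_tag(key, rec["hash"]), rec["tag"]):
            findings.append((i, "bad tag"))
        if not (body["in_scope"] and body["target"] in body["scope"]):
            findings.append((i, "out-of-scope action"))
        prev = rec["hash"]
    return findings

def demo():
    key = b"constructed-demo-key"          # assumption: key held by the operator
    scope = ["10.0.5.10", "10.0.5.11"]     # constructed engagement scope
    chain = []
    append(chain, key, "agent-7", scope, "port_scan", "10.0.5.10")
    append(chain, key, "agent-7", scope, "port_scan", "10.0.9.99")  # excursion
    append(chain, key, "agent-7", scope, "report", "10.0.5.11")
    before = verify(chain, key)
    chain[1].update(target="10.0.5.11", in_scope=True)  # edit to hide excursion
    return before, verify(chain, key)
```

`demo()` returns the findings before and after the log is edited: the honest chain reports the out-of-scope action, and the edited chain reports altered content at the same record instead of passing clean.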
pip install chain-of-consciousness
npm install chain-of-consciousness