Margin of Safety #51: Mythos, International Traffic in Arms Regulations (ITAR), and the Limits of Glasswing
Jimmy Park, Kathryn Shih
April 14, 2026
Anthropic’s Mythos model may carry ITAR implications, and Project Glasswing’s hardening effort appears too narrowly focused on enterprise IT vs critical infrastructure targets that actually matter
Forgepoint makes no secret of its military ties, so it was no surprise when one of our MDs (the very pragmatic Ernie Bio) watched Anthropic’s Mythos/Glasswing announcement – including the part about how Mythos broke out of its own sandbox — and immediately said “This has ITAR written all over it.” We’ll assume everyone is familiar with Glasswing (if not, go here), but for readers less immersed in national defense: ITAR, or the International Traffic in Arms Regulations, is a set of US regulations governing the development and export of military and defense-related capabilities. For example, they require that some technologies only be shared with US persons and require special license and review prior to export. Ernie isn’t the type to make casual proclamations, so we think it’s worth sitting with his response. Mythos falling under ITAR would have huge implications for Anthropic, so what could they do to avoid it and is Glasswing sufficient?
As a caveat, we’re taking Anthropic’s messaging with a grain of salt. We believe code models pose real security threats and that industry faces a legitimate wave of vulnerabilities. But at the same time, we’ve seen enough Anthropic marketing to conclude that they lean toward maximalist framing. Plus, AISLE, an AI security startup operating in the same space, has published evidence suggesting that existing small models can recover many of the same vulnerabilities when pointed directly at the relevant code.[1] This suggests that the capabilities may be more in line with continual improvement and less of a step function than Anthropic’s blog might suggest. This makes us want to look beyond the press release to evaluate the national security risk of Mythos.
Before that, we think a key question is whether it’s possible to de-risk this type of highly capable model with guardrails alone. We expect not for two reasons. First, Anthropic’s own behavior with Glasswing says no. Second, and more importantly given their marketing tactics, Anthropic asserts these capabilities emerged as a side effect of increases in core code reasoning capabilities. This implies that it’s hard to tease apart the skills, which we believe. After all, at the end of the day, what does it take to find vulnerabilities in old code bases? Primarily the ability to successfully read, reason about, and contextualize the code — the same capabilities you need to patch, update, or otherwise interact with it.
Given that, we think distillation [2] is a very real threat. Extensive guardrails would be able to provide some security [3] if we believed that Anthropic could exclusively control the underlying capability. But if offensive security capability is inherently coupled to code competency, then anyone who successfully distills the coding capabilities of a Mythos-class model likely acquires some portion of its offensive security capabilities. Chinese entities have successfully distilled western models including Claude in the past [4], and we believe they will continue to enjoy some degree of distillation success with any broadly available model. As a result, we must assume that a Mythos-backed Claude Code would open the door to adversarial capability acquisition.
If guardrails can’t safely contain a model with these properties, what can? We think the only safe release path is pre-launch degradation of the value of the offensive capabilities. This means aggressively hardening potential high-value targets so that the model can’t exploit them. This is what Project Glasswing claims to be doing: use Mythos to patch what it can break before adversaries are able to distill the model or bypass guardrails. The critical question is whether the scope of “harden” is consistent with Mythos’s claimed capabilities.
Glasswing’s launch partners are largely companies that own kernels, compute clouds, and core networking infrastructure. That’s perfect for hardening the commercial software stack, but not against nation-state offensive cyber operations. For nation-states, high-value targets include power grid SCADA systems, telecommunications infrastructure, transportation systems, and hospital networks. These sectors run on older, less-maintained codebases and often have fewer security resources than the Glasswing partner list. But the infrastructure they power is of critical importance.
We can’t be sure who’s a Glasswing partner, since Anthropic says they’ve extended access to over 40 additional unnamed organizations that build or maintain critical software infrastructure, in addition to their listed public partners. But we can estimate how this count compares to the actual scale of the attack surface.
CISA lists 16 distinct critical infrastructure sectors, most with a wide variety of subsectors. [5] Drilling in on a few areas that seem particularly software-heavy – defense industrial, smart grid, aviation & rail, financial clearing systems, payment rails, and healthcare – we can easily find 5-6 major software and embedded system vendors per category. While some multi-nationals like Honeywell, Thales, GE and Siemens are present across a wide variety of categories, it’s mostly segment-specific players. Think entities like Epic Systems, Medtronic, DTCC, Boeing, Raytheon, Hitachi Rail, Schneider Electric, and others. Looking at industrial control systems alone can get us close to 40 vendors, and that omits software-heavy brand names (and critical providers) like Epic Systems.
Unfortunately, all of these vendors are notably absent from the named partner list. Broadcom is probably the nearest, but Broadcom’s footprint is more the underlying network than industrial control systems. Instead, all named partners skew heavily toward enterprise IT and cloud. If the unlisted 40 are similar, it means critical infrastructure outside IT is left behind. As a result, Anthropic will continue to possess a model that has military-grade impact and could potentially trigger relevant regulatory scrutiny.
To be fair, Anthropic may be working with these sectors but intentionally being vague. Many of them are infamous for having decade-old software and slow patch cycles. It could be deeply responsible to extend longer confidentiality windows in exchange for good-faith efforts to patch critical vulnerabilities. But it could also be a sign that, while the announcement is heavily marketed, the capabilities are not being genuinely assessed as a universal threat to all software infrastructure. In this world, neither Anthropic nor Ernie has to worry about ITAR because Mythos hasn’t met the bar to produce a uniquely weapons-grade model.
But the ultimate authority here is DDTC.[6] The business implications of an ITAR classification would be significant for Anthropic. It could restrict Mythos-class models to US persons only, complicate API delivery to foreign nationals even for defensive use cases, and require Anthropic to restrict foreign national employees’ access to the model and its development. For a company whose commercial ambitions almost certainly include foreign government and allied-nation customers, that’s a serious limitation.
As a result, we’ll be watching this space. We believe Anthropic is largely comprised of highly capable, intelligent people. So, the more Mythos fully delivers on its advertised capabilities, the more we’re expecting to learn they’ve been quietly working with key vendors across a broader set of critical infrastructure. If the quiet-partner list is mostly more enterprise software vendors and cloud providers, the hardening effort is optimized for commercial relationships and press rather than the national-security attack surface. In that case, the broader threat from code models will remain real, but Mythos might not be a singular tipping point. Anthropic’s 90-day reporting commitment gives us a natural checkpoint. We’ll be reading that report for sector breadth, not just vulnerability count.
If you’re building something in this space, feel free to reach out to jpark@forgepointcap.com and kshih@forgepointcap.com.
This blog is also published on Margin of Safety, Jimmy and Kathryn’s Substack, as they research the practical sides of security + AI so you don’t have to.
[1] https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier
[2] Distillation is when knowledge or capabilities from a more advanced “teacher” model are transferred to a “learner” or “student” model. There are various strategies for distillation, some requiring deeper model access, but basic distillation can be achieved by harvesting prompt/response combinations from any available model.
[3] Note that we do not believe guardrails could fully secure this capability; the line between legitimate and necessary bug reproduction and assisting in exploit creation is, at times, vanishingly thin.
[4] https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks
[5] https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/commercial-facilities-sector
[6] The Directorate of Defense Trade Controls, aka the department within the US Dept. of State which is ultimately responsible for deciding which technologies are in scope for ITAR.