Logo
FrontierNews.ai

The Export Control Reversal That's Reshaping U.S.-China AI Competition

The U.S. Department of Commerce has lifted export restrictions on Anthropic's Claude Mythos 5 and Claude Fable 5 models after the company agreed to work closely with the government on security protocols and malicious activity detection. The reversal marks a significant shift in how Washington is managing AI export controls, but it's also triggering an urgent strategic response from Beijing, which is building its own AI-powered vulnerability hunting tools to avoid dependence on American systems.

What Changed in the Export Control Decision?

On June 30, 2026, the Commerce Department sent a letter to Anthropic's Chief Compute Officer Tom Brown withdrawing the export controls that had been imposed just weeks earlier. The letter outlined the conditions that led to the reversal: Anthropic agreed to proactively detect and address security risks, work with the U.S. government on protocols and standards for future model releases, and inform authorities of any malicious activity detected in the systems.

The decision is notable because it shows the government is willing to negotiate with AI companies rather than impose blanket bans. However, the letter also included a critical caveat: the Commerce Department reserves the right to reimpose licensing requirements if Anthropic fails to meet its commitments or if circumstances change.

This conditional approach reflects a broader tension in U.S. AI policy. Companies building on frontier models now face an existential risk: government restrictions can interrupt their operations without legal notice, right to appeal, or compensation. Some developers are responding by shifting to open-source models they can control themselves, viewing dependence on commercial AI systems as too risky for mission-critical applications.

How Is China Responding to U.S. AI Dominance?

While the Commerce Department was negotiating with Anthropic, China's cybersecurity giant Qihoo 360 unveiled two new AI-powered tools designed to counter American advantages in AI-driven security research. On June 28, 2026, at the ISC.AI 2026 conference in Beijing, company founder Zhou Hongyi introduced Tulongfeng (a vulnerability hunting system) and Yitianzhen (an automated defensive operations tool) as a strategic response to Claude Mythos.

Qihoo 360 is operating under significant constraints. The U.S. Commerce Department placed the company on its Entity List in May 2020, and the Defense Department designated it as a Chinese military company in October 2022. This means the company cannot access American technology or compete directly on computing power. Instead, Zhou's team built around the limitation by creating a multi-agent system that substitutes domain expertise and proprietary threat intelligence for raw model capability.

"If the American approach is about cultivating a genius hacker, the 360 approach is about organizing a professional attack-and-defence team," said Zhou Hongyi, founder of Qihoo 360.

Zhou Hongyi, Founder, Qihoo 360

Tulongfeng has identified 3,432 vulnerabilities since deployment, with 105 confirmed by Chinese government authorities, according to Zhou. The system works by breaking vulnerability research into discrete phases: one cluster of AI agents models threat landscapes, another tracks data flows through code, and a third constructs sandbox environments to test exploits. Only vulnerabilities that survive this end-to-end confirmation process are reported.

The Intelligence Pipeline Problem Behind China's Approach

Zhou framed Tulongfeng as a form of cybersecurity deterrence, drawing a Cold War analogy: just as nuclear weapons prevented superpower conflict through mutual capability, China needs AI-powered vulnerability detection to balance American advantages. However, this comparison obscures a critical structural difference in how the two systems operate.

Under Chinese law, every vulnerability Tulongfeng discovers must be reported to the Ministry of Industry and Information Technology within 48 hours. This legal requirement, established through China's Data Security Law (2021) and associated cybersecurity regulations, means that zero-day discoveries are automatically funneled to the Chinese government before vendors are notified or patches are developed.

Three laws establish this framework:

  • National Intelligence Law (2017): Requires all organizations and citizens to support and cooperate with national intelligence efforts in accordance with law.
  • Cybersecurity Law (2017): Mandates that network operators provide technical support to public security and national security organs, including access to stored data.
  • Data Security Law (2021): Establishes the 48-hour vulnerability disclosure requirement to the government before public disclosure or vendor notification.

Eugenio Benincasa, a senior researcher at the ETH Zurich Center for Security Studies, explained the practical consequence: "China's vulnerability disclosure requirement effectively channels zero-day discoveries to state intelligence, and the Chinese government's wide-reaching domestic authority may give its AI capabilities greater operational impact, not because Tulongfeng is more powerful than Mythos, but because the institutional pipeline it feeds into has no independent check on how its findings are used".

"China's vulnerability disclosure requirement effectively channels zero-day discoveries to state intelligence, and the Chinese government's wide-reaching domestic authority may give its AI capabilities greater operational impact," noted Eugenio Benincasa, senior researcher at the ETH Zurich Center for Security Studies.

Eugenio Benincasa, Senior Researcher, ETH Zurich Center for Security Studies

This is not a theoretical concern. The institutional pipeline means that every Windows kernel flaw, Office vulnerability, or unpatched bug in widely-deployed software discovered by Tulongfeng becomes a Chinese government asset within two days. The government then controls whether the vulnerability is disclosed to the vendor, retained for intelligence purposes, or exploited offensively.

What This Means for the Future of AI Export Controls

The Commerce Department's decision to lift controls on Claude Mythos and Fable reflects a pragmatic recognition that outright bans may be less effective than negotiated agreements with clear commitments. However, the parallel development of Chinese AI vulnerability tools shows that export controls alone cannot prevent other nations from building competing capabilities.

The broader implication is that AI export policy is shifting from a binary approach (allow or ban) to a conditional one (allow with oversight commitments). This creates new risks for companies that depend on frontier models, since government restrictions can be reimposed if commitments are not met. At the same time, it demonstrates that countries cut off from American AI systems are investing heavily in alternative approaches, whether through open-source models, specialized multi-agent systems, or leveraging existing domain expertise.

The race between American and Chinese AI capabilities is no longer just about model power. It's increasingly about how each country's legal and institutional frameworks shape what happens when AI systems discover critical security vulnerabilities. The Commerce Department's conditional approval of Claude exports suggests Washington believes transparency and government coordination can manage the risks. China's legal requirement to report all zero-day discoveries to the state suggests Beijing is building a different kind of advantage: one rooted in institutional control over the intelligence pipeline itself.