Critical infrastructure

EU tests cyber crisis response for rail and maritime networks

The European Commission has carried out Cyber Europe 2026, a large-scale cybersecurity exercise testing how Europe would respond to attacks on rail and maritime transport networks.

Organised by the EU Agency for Cybersecurity, the exercise took place on 10 and 11 June and involved around 5,000 experts from across the EU, industry and partner countries. Participants included cybersecurity specialists from the public and private sectors, policymakers, the EU institutions and representatives from the UK, Norway, Switzerland and Ukraine.

The scenario simulated cyberattacks on Europe’s rail and maritime networks, causing severe operational disruption and escalating into a wider cybersecurity crisis. The exercise was designed to test coordination between authorities, industry and institutions during a major cross-border incident affecting critical transport infrastructure.

Cyber Europe 2026 was also the first EU-wide test of the 2025 EU Cyber Blueprint, which clarifies roles and responsibilities during a cyber crisis. The exercise also tested the Cybersecurity Reserve, created under the Cyber Solidarity Act to provide support during significant cybersecurity incidents.

The Commission said lessons from the exercise will help consolidate the Cyber Blueprint and embed cyber crisis management more firmly into the EU’s wider emergency preparedness and response frameworks.

Why does it matter?

Transport networks are critical infrastructure, and cyber incidents affecting ports, railways or logistics systems can disrupt trade, supply chains, military mobility and emergency response across borders. Cyber Europe 2026 is important because it tests not only technical response, but also EU-level coordination, crisis decision-making and support mechanisms under newer cyber resilience tools such as the Cyber Blueprint and Cybersecurity Reserve.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

CISA updates vulnerability remediation rules

The US Cybersecurity and Infrastructure Security Agency has issued a binding directive requiring federal civilian agencies to prioritise vulnerability remediation based on risk.

Binding Operational Directive 26-04 directs agencies to align their vulnerability management policies around four criteria: whether an affected asset is exposed, whether a vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalogue, whether exploitation can be automated and the likely technical impact after exploitation.

CISA said the directive consolidates and updates earlier requirements for internet-accessible systems and known exploited vulnerabilities. The agency said the approach is intended to help federal civilian agencies focus remediation on the vulnerabilities most likely to cause serious harm.

The directive comes as threat actors continue to exploit unpatched vulnerabilities, with CISA warning that AI software services could help attackers identify and exploit weaknesses more quickly. The agency said AI-enabled exploitation may further reduce the time defenders have between a patch release and attempted compromise.

The directive also requires agencies to consider whether a system may already be compromised before applying a patch. CISA said applying a patch generally does not remove an attacker who already has access to a system, making compromise checks important for risk management.

CISA will monitor agency compliance and provide implementation support. Although the directive is binding only for federal civilian agencies, CISA encouraged other organisations to adopt similar risk-based vulnerability management practices.

Why does it matter?

The directive reflects a shift in federal cybersecurity from treating vulnerability remediation as a fixed checklist to prioritising flaws based on exploitation risk, exposure, and potential impact. That matters because attackers increasingly move quickly from disclosure to exploitation, and AI tools may further shorten that window. For governments and critical organisations, vulnerability management is becoming a continuous risk-management process rather than a periodic patching exercise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New NIST study reveals inherent weaknesses in AI defences 

A new study by a researcher at the US National Institute of Standards and Technology suggests that fixed AI guardrails cannot provide complete protection against adaptive adversarial prompts.

The paper, published in IEEE Security & Privacy by NIST senior scientist Apostol Vassilev, uses logic linked to Kurt Gödel’s incompleteness theorems to argue that a finite set of AI safety rules cannot be universally robust against every possible prompt-based attack.

According to NIST, the finding does not mean AI systems cannot be hardened. Instead, it supports moving away from a ‘one and done’ security model towards continuous monitoring, testing and updating.

The recommended approach includes ongoing red-team work to identify adversarial prompts before attackers exploit them, continuous updates to strengthen guardrails and operational resilience measures that limit the impact of successful attacks and enable quick recovery.

NIST said the goal is not to eliminate all vulnerabilities, but to make exploitation more difficult and costly. As AI systems are deployed more widely, organisations should treat AI security as a permanent operational process rather than a problem that can be solved through a fixed set of controls.

Why does it matter?

The study reinforces a central challenge in AI governance: security controls for AI systems cannot be treated as static compliance measures. As AI tools are integrated into business operations, public services and security-sensitive environments, organisations may need continuous red-teaming, guardrail updates, monitoring and incident response. The policy relevance lies in shifting AI risk management from one-time assurance towards ongoing operational resilience.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Anthropic launches Claude Fable 5 with advanced safety safeguards

Anthropic has launched Claude Fable 5, a new general-purpose AI model, alongside Claude Mythos 5, a more capable version reserved for selected cyber defence and infrastructure partners.

The company described Fable 5 as its most capable generally available model to date, with strong performance across software engineering, knowledge work, vision and scientific research. Anthropic said the model’s advanced capabilities pose misuse risks, particularly in cybersecurity and research biology.

To reduce those risks, Fable 5 includes additional safety classifiers designed to detect potential misuse, including attempts to bypass safeguards. When certain high-risk requests are detected, users may receive a response from Anthropic’s next-most-capable model, Claude Opus 4.8, rather than Fable 5.

Anthropic said the safeguards have been tuned conservatively and may sometimes block benign requests. According to the company, the fallback mechanism is triggered in less than 5% of sessions on average.

Claude Mythos 5 uses the same underlying model as Fable 5, but with some safeguards lifted in specific areas. Anthropic said it will initially deploy Mythos 5 through Project Glasswing, in collaboration with the US government, for a limited group of cyber defenders and critical software infrastructure providers.

The launch highlights a growing model governance approach in which access to frontier AI capabilities is tiered according to use case and risk. Anthropic said it plans to expand trusted access to Mythos 5 while continuing to refine safeguards for broader public use.

Why does it matter?

The release shows how frontier AI providers are increasingly linking capability deployment to access controls, model routing and domain-specific safeguards. As advanced systems become more useful for software engineering, cybersecurity and scientific research, companies face pressure to provide broad access while limiting misuse in dual-use areas. Anthropic’s split between Fable 5 and Mythos 5 reflects a wider governance question: who should receive access to the most capable AI systems, under what conditions, and with what oversight.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Study warns of self-replicating AI malware using real-time reasoning

Cybersecurity researchers have demonstrated an AI-powered computer worm capable of identifying vulnerabilities, generating attack strategies and spreading autonomously across networks. The study suggests that advances in AI agents could enable a new class of adaptive cyber threats capable of operating with minimal or no direct human intervention.

The research, conducted by teams from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow, describes malware that uses large language models to tailor its behaviour to each target. Unlike traditional worms, the system can adapt its attack methods in real time instead of relying solely on pre-programmed exploits.

Testing in a controlled virtual environment showed the system could successfully compromise multiple machines and replicate across a simulated network over several days. The worm also operated without relying on cloud infrastructure, running AI models locally on infected systems and using those resources to support its operations.

Researchers warned that such capabilities could signal a shift towards what they describe as ‘autonomous generative adversaries’ and stressed the need for stronger detection systems, evaluation frameworks and governance mechanisms. While details were limited to reduce misuse risks, the authors said the findings reflect how rapidly AI-enabled cyber capabilities are evolving.

Why does it matter? 

The research signals a shift in cyber risk from static, signature-based malware to autonomous systems capable of reasoning, adapting, and scaling attacks without human input.

As AI models become more capable and widely deployed, the line between tool and autonomous threat blurs, increasing pressure on cybersecurity systems, patching cycles, and regulation to keep up with real-time, evolving attacks.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Canada warns of cyber threats targeting FIFA World Cup 2026

Canada’s Cyber Centre has warned that the FIFA World Cup 2026 will almost certainly attract cyber threat activity from cybercriminals, non-state actors and state-sponsored actors.

The tournament will run from 11 June to 19 July 2026 across Canada, the US and Mexico, with 104 matches in 16 cities. The Cyber Centre said the event’s global visibility, complex supporting infrastructure and broad ecosystem of suppliers and services create a large attack surface.

According to the bulletin, cybercriminals are expected to exploit public interest in the tournament through phishing, social engineering, ticket scams, fraudulent travel offers, fake livestreaming services, malicious apps and other forms of online fraud. The Cyber Centre cited research identifying more than 4,300 likely fraudulent domain registrations linked to the tournament as of August 2025.

Organisations connected to the event, including travel, hospitality, ticketing, broadcasting, telecommunications, utilities and transport providers, could also face ransomware, distributed denial-of-service attacks and website defacement. The Cyber Centre said attackers may target entities in the wider tournament ecosystem to maximise publicity, even when their targets are not part of the core World Cup infrastructure.

The bulletin also warned that threat actors are very likely to use the event for disinformation and influence activity, including campaigns involving AI-generated articles, images, videos and deepfakes. It found that there is roughly an even chance of disruptive state-sponsored cyber activity, depending on geopolitical tensions involving host nations or participating countries.

Canadian authorities urged fans, attendees, athletes, government officials and organisations linked to the tournament to strengthen cybersecurity practices and prepare for scams, disruptive attacks and information manipulation during the event.

Why does it matter?

The bulletin treats the World Cup as more than a sports event. It frames major tournaments as digitally dependent public safety environments involving ticketing systems, broadcasters, transport networks, hotels, mobile communications, local authorities and critical infrastructure. Cyber incidents during such events can cause financial loss, service disruption, data exposure, emergency communication risks and information manipulation, making cybersecurity part of event resilience and public trust.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

WhatsApp seeks contempt order against NSO over spyware targeting

WhatsApp has asked a US court to hold NSO Group in contempt, alleging that the spyware company violated a permanent injunction barring it from targeting WhatsApp and its users.

The company said it disrupted spear-phishing attempts linked to NSO after investigating user reports. According to WhatsApp, the activity involved malicious links that sought to redirect users to external websites outside the messaging platform.

WhatsApp also said it identified and removed test accounts and groups created on its service as part of the suspected NSO-linked activity. The company is sharing threat indicators to help users and researchers check whether targeting attempts may have occurred across WhatsApp, text messages, email, or other channels.

The latest filing follows WhatsApp’s earlier legal victory against NSO. The company said a court found that NSO violated federal and state anti-hacking laws and issued a permanent injunction barring NSO from targeting WhatsApp and its users.

WhatsApp described commercial spyware as a national security threat, arguing that surveillance-for-hire firms target not only messaging services but also browsers, operating systems, and other applications.
The company said the targets reported for such tools include journalists, government officials, military personnel, and humanitarian organisations. It also warned against easing US restrictions on NSO, which remains on the US government’s Entity List.

WhatsApp said it is contributing to the Spyware Accountability Initiative, which supports organisations working on forensic research, user support, and advocacy against spyware.

Why does it matter?

The case shows how legal orders against spyware companies may still require active technical monitoring and enforcement. WhatsApp’s contempt request also keeps pressure on the commercial spyware industry, where surveillance tools can move across platforms, devices, browsers, and operating systems. The story matters for encrypted communications because it shows that protecting users depends not only on encryption, but also on legal accountability, threat intelligence, vulnerability research, and support for civil society targets.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

European Commission welcomes the new G7 cybersecurity declaration

The European Commission has welcomed a new G7 Cybersecurity Working Group Declaration aimed at strengthening international cooperation in response to growing cyber threats.

Adopted under France’s G7 Presidency, the declaration calls for coordinated action to address cybersecurity challenges associated with quantum computing, AI, telecommunications infrastructure, and the protection of small and medium-sized enterprises (SMEs).

One of the declaration’s central priorities is accelerating the transition to post-quantum cryptography. As quantum computing capabilities continue to advance, governments and industry are being urged to accelerate preparations for new encryption standards capable of resisting future quantum attacks. The declaration describes migration to quantum-resistant encryption as an urgent cybersecurity priority that organisations should begin addressing now.

AI is another major focus of the declaration. The G7 declaration recognises that AI can both strengthen and threaten cybersecurity. Concerns include AI-enabled cyberattacks, model manipulation, data breaches, and software vulnerabilities.

The European Commission noted that it is preparing an action plan on AI and cybersecurity to help Member States and businesses address emerging risks while strengthening Europe’s cyber resilience.

The declaration also emphasises the importance of resilient telecommunications infrastructure and stronger protection for SMEs. Building on initiatives such as the NIS2 Directive and the Cyber Resilience Act, the EU said it will continue working with international partners to strengthen cybersecurity standards, protect critical infrastructure and support organisations facing increasingly sophisticated cyber threats.

Why does it matter?

The declaration reflects growing international recognition that cybersecurity challenges are increasingly transnational and require coordinated responses. Emerging technologies such as AI and quantum computing are creating new opportunities for innovation, but also introducing new vulnerabilities that could affect governments, businesses and critical infrastructure.

The emphasis on post-quantum cryptography is particularly significant, as organisations worldwide face the long-term challenge of protecting sensitive data against future quantum-enabled attacks. The declaration also highlights the growing importance of international cooperation in building cyber resilience and securing digital ecosystems.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

UK Ofcom sets out AI safety and innovation strategy

Ofcom has outlined its approach to enabling safe and secure AI adoption across the UK communications sectors it regulates and within its own work.

The regulator said its approach is technology-neutral and outcomes-based, aligning AI oversight with its wider mission of making communications work for everyone while supporting innovation and growth.

Ofcom’s report uses case studies to show how AI is already shaping regulatory work and the sectors it oversees. Planned and recent initiatives include building a pilot data lake to make spectrum licensing and online safety data more accessible, engaging with innovators to identify regulatory uncertainty, and assessing public trust in AI chatbots.

The regulator is also examining the impact of AI on telecoms customer experience, exploring AI deployment in broadcasting, assessing AI use in cybersecurity for telecommunications networks, and considering how AI could support network management and optimisation.

Alongside innovation support, Ofcom said it is monitoring AI-related risks and emerging harms. Its work includes guidance on technology-led mitigation against deepfakes, research into chatbot-related harms, and action to address risks posed by AI systems to users.

Ofcom said it coordinated with the AI Security Institute and the National Cyber Security Centre to brief stakeholders on the frontier AI cybersecurity implications following Anthropic’s preview of Claude Mythos, which caused concern. It also said it launched a formal investigation into X’s Grok chatbot.

The regulator is also piloting responsible AI use internally, including tools to support policy development, research, consultation processes, tracking of technical standards, and operational efficiency. Ofcom said it will take a safety-first approach and roll out internal AI tools only once it is confident they are safe and secure.

Why does it matter?

Ofcom’s approach shows how AI governance is becoming operational inside sector regulators, not only debated at the government level. The strategy links innovation support with risk monitoring across online safety, telecoms, broadcasting, cybersecurity, spectrum management, and consumer protection. It also shows regulators experimenting with AI in their own workflows while trying to maintain safety, accountability, and public trust.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

European Commission unveils roadmap for AI and digitalisation in energy

The European Commission has published a Strategic Roadmap for Digitalisation and AI in the Energy Sector, outlining how digital technologies could support a more resilient, competitive and secure European energy system.

The roadmap outlines how digital tools and AI could help consumers and businesses reduce energy costs through greater efficiency, smarter energy consumption and improved management of electricity demand. It also highlights the role of digital technologies in supporting the integration of renewable energy into electricity grids.

The Commission has structured the roadmap around three main priorities. These priorities include integrating data centres into energy systems in a sustainable manner, accelerating the deployment of digital and AI-enabled technologies such as smart meters and intelligent grid solutions, and establishing a framework for secure cross-border energy data sharing.

The Commission said the plan will also focus on cybersecurity, AI trust, digital skills and international cooperation. As part of the next phase, the Commission plans to support industry cooperation initiatives and launch the AI.grids community, which will focus on developing AI models for energy network management across the EU.

Why does it matter?

The energy sector is becoming increasingly dependent on digital technologies to manage growing electricity demand, integrate renewable energy sources and maintain grid stability. AI and advanced data analytics could help improve efficiency, reduce costs and support more flexible energy systems.

At the same time, greater digitalisation introduces new challenges related to cybersecurity, data governance and infrastructure resilience. The roadmap signals the EU’s intention to ensure that digital transformation in the energy sector supports both sustainability goals and long-term energy security.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Diplo chatbot can make mistakes. Consider checking important information.