Microsoft adds quantum-resistant encryption to Windows 11

Microsoft is rolling out quantum-resistant encryption algorithms in Windows 11 as part of its effort to prepare for the eventual arrival of quantum computers. The new cryptographic tools were announced at the BUILD 2025 conference and are now available in Insider Preview Build 27852 and higher.

These updates introduce post-quantum algorithms—ML-KEM and ML-DSA—into SymCrypt, Windows’ core cryptographic library.

The algorithms, formerly known as CRYSTALS-Kyber and CRYSTALS-Dilithium, were selected by the US National Institute of Standards and Technology (NIST) and are part of the agency’s recommended post-quantum cryptography (PQC) standards.

The algorithms have also been added to SymCrypt-OpenSSL, Microsoft’s open-source extension for integrating SymCrypt with OpenSSL. Developers can now access the algorithms via Microsoft’s Cryptography API: Next Generation (CNG), enabling early testing and migration.

Quantum computers, which are still in experimental stages, promise to outperform classical systems in solving problems like factoring large numbers, the difficulty of which is a cornerstone of traditional encryption methods like RSA and elliptic curve cryptography.

Experts warn that these legacy systems could be broken in the coming decades, potentially compromising the security of global communications, financial systems, and data infrastructure.

The new PQC algorithms are designed to resist quantum attacks, but they bring additional complexity. Their encryption keys are significantly larger than those used in current standards.

For now, NIST recommends using them alongside RSA or elliptic curve keys in hybrid configurations, to mitigate risks from undiscovered vulnerabilities.

The transition to quantum-safe encryption is expected to be one of the most complex in cybersecurity history. Developers will need to address compatibility issues, including ensuring software can handle longer key lengths without introducing system-breaking errors.

Microsoft’s early adoption is a step toward broader post-quantum readiness. Experts emphasize the importance of rigorous testing now, as the timeline for quantum threats remains uncertain.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

UK research body hit by 5 million cyber attacks

UK Research and Innovation (UKRI), the country’s national funding body for science and research, has reported a staggering 5.4 million cyber attacks this year — a sixfold increase compared to the previous year.

According to data obtained through freedom of information requests, the majority of these threats were phishing attempts, with 236,400 designed to trick employees into revealing sensitive data. A further 11,200 were malware-based attacks, while the rest were identified as spam or malicious emails.

The scale of these incidents highlights the growing threat faced by both public and private sector institutions. Experts believe the rise of AI has enabled cybercriminals to launch more frequent and sophisticated attacks.

Rick Boyce, chief for technology at AND Digital, warned that the emergence of AI has introduced threats ‘at a pace we’ve never seen before’, calling for a move beyond traditional defences to stay ahead of evolving risks.

UKRI, which is sponsored by the Department for Science, Innovation and Technology, manages an annual budget of £8 billion, much of it invested in cutting-edge research.

A budget like this makes it an attractive target for cybercriminals and state-sponsored actors alike, particularly those looking to steal intellectual property or sabotage infrastructure. Security experts suggest the scale and nature of the attacks point to involvement from hostile nation states, with Russia a likely culprit.

Though UKRI cautioned that differing reporting periods may affect the accuracy of year-on-year comparisons, there is little doubt about the severity of the threat.

The UK’s National Cyber Security Centre (NCSC) has previously warned of Russia’s Unit 29155 targeting British government bodies and infrastructure for espionage and disruption.

With other notorious groups such as Fancy Bear and Sandworm also active, the cybersecurity landscape is becoming increasingly fraught.


Ascension faces fresh data breach fallout

A major cybersecurity breach has struck Ascension, one of the largest nonprofit healthcare systems in the US, exposing the sensitive information of over 430,000 patients.

The incident began in December 2024, when Ascension discovered that patient data had been compromised through a former business partner’s software flaw.

The indirect breach allowed cybercriminals to siphon off a wide range of personal, medical and financial details — including Social Security numbers, diagnosis codes, hospital admission records and insurance data.

The breach adds to growing concerns over the healthcare industry’s vulnerability to cyberattacks. In 2024 alone, 1,160 healthcare-related data breaches were reported, affecting 305 million records — a sharp rise from the previous year.

Many institutions still treat cybersecurity as an afterthought instead of a core responsibility, despite handling highly valuable and sensitive data.

Ascension itself has been targeted multiple times, including a ransomware attack in May 2024 that disrupted services at dozens of hospitals and affected nearly 5.6 million individuals.

Ascension has since filed notices with regulators and is offering two years of identity monitoring to those impacted. However, critics argue this response is inadequate and reflects a broader pattern of negligence across the sector.

The company has not named the third-party vendor responsible, but experts believe the incident may be tied to a larger ransomware campaign that exploited flaws in widely used file-transfer software.

Rather than treating such incidents as isolated, experts warn that these breaches highlight systemic flaws in healthcare’s digital infrastructure. As criminals grow more sophisticated and vendors remain vulnerable, patients bear the consequences.

Until healthcare providers prioritise cybersecurity instead of cutting corners, breaches like this are likely to become even more common — and more damaging.


ENISA unveils cyber stress testing handbook to strengthen critical infrastructure resilience under NIS2

The European Union Agency for Cybersecurity (ENISA) has released a Handbook for Cyber Stress Testing to support national and sectoral authorities in assessing the cybersecurity and resilience of critical infrastructure, in line with the NIS2 Directive. The guidance is intended for use at the national, regional, and EU levels and complements regulatory frameworks such as the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience (CER) directive.

Cyber stress tests are defined as targeted assessments of an organisation’s capacity to maintain critical services during and after significant cybersecurity incidents. The handbook outlines five main steps for organising these tests:

  1. Defining scope and objectives – identifying relevant sectors, entities, risk scenarios, and test goals;
  2. Designing the test – developing methodologies, resilience metrics, and timelines;
  3. Executing the test – engaging participants and providing guidance;
  4. Conducting a gap analysis – identifying key findings and resilience gaps;
  5. Concluding and follow-up – compiling lessons learned and formulating recommendations.

The structured process enables authorities to evaluate both organizational preparedness and systemic sectoral risks. Practical recommendations are provided for each step, and an example from the health sector illustrates potential applications.

Authorities may use cyber stress tests to inform national risk assessments, prepare for cyber exercises, identify sector-wide vulnerabilities, and support supervisory planning. Tests can also serve as a basis for dialogue between regulators and operators.

While audits and certifications remain standard supervisory tools, stress tests offer an additional method tailored to specific risk scenarios. Depending on sector maturity and regulatory context, authorities may adopt either a voluntary or more prescriptive approach to testing. ENISA recommends clearly communicating the scope, purpose, and use of test results in advance.

Cyber stress tests can be conducted at national, regional, or EU-wide levels. National-level exercises are typically overseen by authorities responsible for specific critical sectors, either broadly assessing sector maturity or focusing on selected entities. Cooperation with sectoral regulators—such as those in finance or civil protection—can enhance the design and implementation of tests.

Regional and EU-wide stress tests, though more complex to coordinate, may be suited to sectors with cross-border dependencies. Recent examples include joint efforts in the energy and financial sectors, coordinated by the European Commission and the European Central Bank. EU funding through the Digital Europe Programme is available to support such initiatives, including development of common tools and methodologies.

In parallel, ENISA has launched the European Vulnerability Database (EUVD), mandated under NIS2. The EUVD is a centralised, authoritative source of publicly available vulnerability information, supporting coordination among national CSIRTs, vendors, and regulators.

The Handbook for Cyber Stress Testing contributes to broader efforts to strengthen risk-informed cybersecurity oversight across the EU and encourages the consistent integration of cyber stress testing into national and sectoral supervisory practices.


Lawmakers discuss reported temporary pause in US offensive cyber operations against Russia

During a recent House Armed Services cyber subcommittee hearing, Chair Rep. Don Bacon (R-Neb.) stated that the U.S. Department of Defense briefly paused offensive cyber operations against Russia following a directive from Defense Secretary Pete Hegseth in late February. Bacon noted that the pause lasted one day and described it as consistent with broader policy aims.

Rep. Eugene Vindman (D-Va.) referenced an anonymous DOD rapid response account statement that disputed the claim, calling it ‘at least misleading.’ Deputy Assistant Secretary of Defence for Cyber Policy Laurie Buckhout did not confirm or deny the reports but stated that multiple elements are involved in cyber operations targeting Russia.

The hearing also included bipartisan concerns regarding the recent dismissal of National Security Agency and US Cyber Command Director Timothy Haugh, particularly in light of cyber threats facing US critical infrastructure.


OpenAI, G42 plan world’s largest AI data facility

OpenAI is reportedly set to become the anchor tenant in a 5-gigawatt data centre project in Abu Dhabi, part of what could become one of the largest AI infrastructure builds globally, according to Bloomberg.

The facility, spanning approximately 10 square miles, is being developed by UAE-based tech firm G42 as part of OpenAI’s broader Stargate initiative, a joint venture announced with SoftBank and Oracle to establish high-capacity AI data centres worldwide.

While OpenAI’s first Stargate facility in Texas is projected to reach 1.2 gigawatts, the Abu Dhabi project would more than quadruple that. The planned scale would consume power equivalent to five nuclear reactors.

OpenAI and G42 have collaborated since 2023 to accelerate AI adoption in the Middle East. The partnership has sparked concerns among US officials, particularly around G42’s past ties to Chinese firms, including Huawei and BGI.

G42 has since pledged to divest from China and shift its focus. In early 2024, Microsoft invested $1.5 billion in G42, and company president Brad Smith joined its board, reinforcing US–UAE tech ties. An official statement from OpenAI on the project is still pending.


Uber is ready for driverless taxis in the UK

Uber says it is fully prepared to launch driverless taxis in the UK, but the government has pushed back its timeline for approving fully autonomous vehicles.

The previous 2026 target has been shifted to the second half of 2027, despite rapid developments in self-driving technology already being trialled on British roads.

Currently, limited self-driving systems are legal so long as a human remains behind the wheel and responsible for the car.

Uber, which already runs robotaxis in the US and parts of Asia, is working with 18 tech firms—including UK-based Wayve—to expand the service. Wayve’s AI-driven vehicles were recently tested in central London, managing traffic, pedestrians and roadworks with no driver intervention.

Uber’s Andrew Macdonald said the technology is ready now, but regulatory support is still catching up. The government insists legislation will come in 2027 and is exploring short-term trials in the meantime.

Macdonald acknowledged safety concerns, noting incidents abroad, but argued autonomous vehicles could eventually prove safer than human drivers, based on early US data.

Beyond technology, the shift raises big questions around insurance, liability and jobs. The government sees a £42 billion industry with tens of thousands of new roles, but unions warn of social impacts for professional drivers.

Still, Uber sees a future where fewer people even bother to learn how to drive, because AI will do it for them.


China launches first AI satellites in orbital supercomputer network

China has launched the first 12 satellites in a planned network of 2,800 that will function as an orbiting supercomputer, according to Space News.

Developed by ADA Space in partnership with Zhijiang Laboratory and Neijang High-Tech Zone, the satellites can process their own data instead of relying on Earth-based stations, thanks to onboard AI models.

Each satellite runs an 8-billion parameter AI model capable of 744 tera operations per second, with the group already achieving 5 peta operations per second in total. The long-term goal is a constellation that can reach 1,000 POPS.

The network uses high-speed laser links to communicate and shares 30 terabytes of data between satellites. The current batch also carries scientific tools, such as an X-ray detector for studying gamma-ray bursts, and can generate 3D digital twin data for uses like disaster response or virtual tourism.

The space-based computing approach is designed to overcome Earth-based limitations like bandwidth and ground station availability, which means less than 10% of satellite data typically reaches the surface.

Experts say space supercomputers could reduce energy use by relying on solar power and dissipating heat into space. The EU and the US may follow China’s lead, as interest in orbital data centres grows.


EU to propose new rules and app to protect children online

The European Commission is taking significant steps to create a safer online environment for children by introducing draft guidelines under the Digital Services Act. These guidelines aim to ensure that online platforms accessible to minors maintain a high level of privacy, safety, and security.

The draft guidelines propose several key measures to safeguard minors online. These include verifying users’ ages to restrict access where appropriate, improving content recommendation systems to reduce children’s exposure to harmful or inappropriate material, and setting children’s accounts to private by default.

Additionally, the guidelines recommend best practices for child-safe content moderation, as well as providing child-friendly reporting channels and user support. They also offer guidance on how platforms should govern themselves internally to maintain a child-safe environment.

These guidelines will apply to all online platforms that minors can access, except for very small enterprises, and will also cover very large platforms with over 45 million monthly users in the EU. The European Commission has involved a wide range of stakeholders in developing the guidelines, including Better Internet for Kids (BIK+) Youth ambassadors, children, parents, guardians, national authorities, online platform providers, and experts.

The inclusive consultation process helps ensure the guidelines are practical and comprehensive. The guidelines are open for feedback until June 10, 2025, with adoption expected by summer.

Meanwhile, the Commission is creating an open-source age-verification app to confirm users’ age without risking privacy, as a temporary measure before the EU Digital Identity Wallet launches in 2026.


Japan approves preemptive cyberdefence law

Japan’s parliament has passed a new law enabling active cyberdefence measures, allowing authorities to legally monitor communications data during peacetime and neutralise foreign servers if cyberattacks occur.

Instead of reacting only after incidents, this law lets the government take preventive steps to counter threats before they escalate.

Operators of vital infrastructure, such as electricity and railway companies, must now report cyber breaches directly to the government. The shift follows recent cyber incidents targeting banks and an airline, prompting Japan to put a full framework in place by 2027.

Although the law permits monitoring of IP addresses in communications crossing Japanese borders, it explicitly bans surveillance of domestic messages and their contents.

A new independent panel will authorise all monitoring and response actions beforehand, instead of leaving decisions solely to security agencies.

Police will handle initial countermeasures, while the Self-Defense Forces will act only when attacks are highly complex or planned. The law, revised to address opposition concerns, includes safeguards to ensure personal rights are protected and that government surveillance remains accountable.
