Critical infrastructure

Dutch central bank tells public to prepare for outages

Dutch citizens have been advised to keep emergency cash at home due to growing concerns over cyber threats and geopolitical instability.

The Netherlands’ central bank (DNB) recommends holding €70 per adult and €30 per child to cover essential needs for up to three days.

This guidance follows recent disruptions to payment systems in southern Europe. The advisory comes in response to fears that cyberattacks or power failures could make digital payments temporarily unavailable.

Cash would enable people to buy food, water, medicine, or transport even during system outages. The DNB also encouraged the use of contactless payments via phones or smartwatches as backups. Such steps are seen as vital amid increasing risks across the continent.

The warning follows a major blackout that affected Spain and Portugal in April, during which electronic transactions were disrupted. The European Commission has similarly urged households to be prepared for at least 72 hours with cash and basic supplies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

M&S website still offline after cyberattack

Marks & Spencer’s website remains offline as the retailer continues recovering from a damaging cyberattack that struck over the Easter weekend.

The company confirmed the incident was caused by human error and may cost up to £300 million. Chief executive Stuart Machin warned the disruption could last until July.

Customers visiting the site are currently met with a message stating it is undergoing updates. While some have speculated the downtime is due to routine maintenance, the ongoing issues follow a major breach that saw hackers steal personal data such as names, email addresses and birthdates.

The firm has paused online orders, and store shelves were reportedly left empty in the aftermath.

Despite the disruption, M&S posted a strong financial performance this week, reporting a better-than-expected £875.5 million adjusted pre-tax profit for the year to March—an increase of over 22 per cent. The company has yet to comment further on the website outage.

Experts say the prolonged recovery likely reflects the scale of the damage to M&S’s core infrastructure.

Technology director Robert Cottrill described the company’s cautious approach as essential, noting that rushing to restore systems without full security checks could risk a second compromise. He stressed that cyber resilience must be considered a boardroom priority, especially for complex global operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

West Lothian schools hit by ransomware attack

West Lothian Council has confirmed that personal and sensitive information was stolen following a ransomware cyberattack which struck the region’s education system on Tuesday, 6 May. Police Scotland has launched an investigation, and the matter remains an active criminal case.

Only a small fraction of the data held on the education network was accessed by the attackers. However, some of it included sensitive personal information. Parents and carers across West Lothian’s schools have been notified, and staff have also been advised to take extra precautions.

The cyberattack disrupted IT systems serving 13 secondary schools, 69 primary schools and 61 nurseries. Although the education network remains isolated from the rest of the council’s systems, contingency plans have been effective in minimising disruption, including during the ongoing SQA exams.

West Lothian Council has apologised to anyone potentially affected. It is continuing to work closely with Police Scotland and the Scottish Government. Officials have promised further updates as more information becomes available.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft adds quantum-resistant encryption to Windows 11

Microsoft is rolling out quantum-resistant encryption algorithms in Windows 11 as part of its effort to prepare for the eventual arrival of quantum computers. The new cryptographic tools were announced at the BUILD 2025 conference and are now available in Insider Preview Build 27852 and higher.

These updates introduce post-quantum algorithms—ML-KEM and ML-DSA—into SymCrypt, Windows’ core cryptographic library.

The algorithms, formerly known as CRYSTALS-Kyber and CRYSTALS-Dilithium, were selected by the US National Institute of Standards and Technology (NIST) and are part of the agency’s recommended post-quantum cryptography (PQC) standards.

The algorithms have also been added to SymCrypt-OpenSSL, Microsoft’s open-source extension for integrating SymCrypt with OpenSSL. Developers can now access the algorithms via Microsoft’s Cryptography API: Next Generation (CNG), enabling early testing and migration.

Quantum computers, which are still in experimental stages, promise to outperform classical systems in solving problems like factoring large numbers—a cornerstone of traditional encryption methods like RSA and elliptic curve cryptography.

Experts warn that these legacy systems could be broken in the coming decades, potentially compromising the security of global communications, financial systems, and data infrastructure.

The new PQC algorithms are designed to resist quantum attacks, but they bring additional complexity. Their encryption keys are significantly larger than those used in current standards.

For now, NIST recommends using them alongside RSA or elliptic curve keys in hybrid configurations, to mitigate risks from undiscovered vulnerabilities.

The transition to quantum-safe encryption is expected to be one of the most complex in cybersecurity history. Developers will need to address compatibility issues, including ensuring software can handle longer key lengths without introducing system-breaking errors.

Microsoft’s early adoption is a step toward broader post-quantum readiness. Experts emphasize the importance of rigorous testing now, as the timeline for quantum threats remains uncertain.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

UK research body hit by 5 million cyber attacks

UK Research and Innovation (UKRI), the country’s national funding body for science and research, has reported a staggering 5.4 million cyber attacks this year — a sixfold increase compared to the previous year.

According to data obtained through freedom of information requests, the majority of these threats were phishing attempts, with 236,400 designed to trick employees into revealing sensitive data. A further 11,200 were malware-based attacks, while the rest were identified as spam or malicious emails.

The scale of these incidents highlights the growing threat faced by both public and private sector institutions. Experts believe the rise of AI has enabled cybercriminals to launch more frequent and sophisticated attacks.

Rick Boyce, chief for technology at AND Digital, warned that the emergence of AI has introduced threats ‘at a pace we’ve never seen before’, calling for a move beyond traditional defences to stay ahead of evolving risks.

UKRI, which is sponsored by the Department for Science, Innovation and Technology, manages an annual budget of £8 billion, much of it invested in cutting-edge research.

A budget like this makes it an attractive target for cybercriminals and state-sponsored actors alike, particularly those looking to steal intellectual property or sabotage infrastructure. Security experts suggest the scale and nature of the attacks point to involvement from hostile nation states, with Russia a likely culprit.

Though UKRI cautioned that differing reporting periods may affect the accuracy of year-on-year comparisons, there is little doubt about the severity of the threat.

The UK’s National Cyber Security Centre (NCSC) has previously warned of Russia’s Unit 29155 targeting British government bodies and infrastructure for espionage and disruption.

With other notorious groups such as Fancy Bear and Sandworm also active, the cybersecurity landscape is becoming increasingly fraught.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ascension faces fresh data breach fallout

A major cybersecurity breach has struck Ascension, one of the largest nonprofit healthcare systems in the US, exposing the sensitive information of over 430,000 patients.

The incident began in December 2024, when Ascension discovered that patient data had been compromised through a former business partner’s software flaw.

The indirect breach allowed cybercriminals to siphon off a wide range of personal, medical and financial details — including Social Security numbers, diagnosis codes, hospital admission records and insurance data.

The breach adds to growing concerns over the healthcare industry’s vulnerability to cyberattacks. In 2024 alone, 1,160 healthcare-related data breaches were reported, affecting 305 million records — a sharp rise from the previous year.

Many institutions still treat cybersecurity as an afterthought instead of a core responsibility, despite handling highly valuable and sensitive data.

Ascension itself has been targeted multiple times, including a ransomware attack in May 2024 that disrupted services at dozens of hospitals and affected nearly 5.6 million individuals.

Ascension has since filed notices with regulators and is offering two years of identity monitoring to those impacted. However, critics argue this response is inadequate and reflects a broader pattern of negligence across the sector.

The company has not named the third-party vendor responsible, but experts believe the incident may be tied to a larger ransomware campaign that exploited flaws in widely used file-transfer software.

Rather than treating such incidents as isolated, experts warn that these breaches highlight systemic flaws in healthcare’s digital infrastructure. As criminals grow more sophisticated and vendors remain vulnerable, patients bear the consequences.

Until healthcare providers prioritise cybersecurity instead of cutting corners, breaches like this are likely to become even more common — and more damaging.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

ENISA unveils cyber stress testing handbook to strengthen critical infrastructure resilience under NIS2

The European Union Agency for Cybersecurity (ENISA) has released a Handbook for Cyber Stress Testing to support national and sectoral authorities in assessing the cybersecurity and resilience of critical infrastructure, in line with the NIS2 Directive. The guidance is intended for use at the national, regional, and EU levels and complements regulatory frameworks such as the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience (CER) directive.

Cyber stress tests are defined as targeted assessments of an organisation’s capacity to maintain critical services during and after significant cybersecurity incidents. The handbook outlines five main steps for organising these tests:

  1. Defining scope and objectives – identifying relevant sectors, entities, risk scenarios, and test goals;
  2. Designing the test – developing methodologies, resilience metrics, and timelines;
  3. Executing the test – engaging participants and providing guidance;
  4. Conducting a gap analysis – identifying key findings and resilience gaps;
  5. Concluding and follow-up – compiling lessons learned and formulating recommendations.

The structured process enables authorities to evaluate both organizational preparedness and systemic sectoral risks. Practical recommendations are provided for each step, and an example from the health sector illustrates potential applications.

Authorities may use cyber stress tests to inform national risk assessments, prepare for cyber exercises, identify sector-wide vulnerabilities, and support supervisory planning. Tests can also serve as a basis for dialogue between regulators and operators.

While audits and certifications remain standard supervisory tools, stress tests offer an additional method tailored to specific risk scenarios. Depending on sector maturity and regulatory context, authorities may adopt either a voluntary or more prescriptive approach to testing. ENISA recommends clearly communicating the scope, purpose, and use of test results in advance.

Cyber stress tests can be conducted at national, regional, or EU-wide levels. National-level exercises are typically overseen by authorities responsible for specific critical sectors, either broadly assessing sector maturity or focusing on selected entities. Cooperation with sectoral regulators—such as those in finance or civil protection—can enhance the design and implementation of tests.

Regional and EU-wide stress tests, though more complex to coordinate, may be suited to sectors with cross-border dependencies. Recent examples include joint efforts in the energy and financial sectors, coordinated by the European Commission and the European Central Bank. EU funding through the Digital Europe Programme is available to support such initiatives, including development of common tools and methodologies.

In parallel, ENISA has launched the European Vulnerability Database (EUVD), mandated under NIS2. The EUVD is a centralised, authoritative source of publicly available vulnerability information, supporting coordination among national CSIRTs, vendors, and regulators.

The Handbook for Cyber Stress Testing contributes to broader efforts to strengthen risk-informed cybersecurity oversight across the EU and encourages the consistent integration of cyber stress testing into national and sectoral supervisory practices.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Lawmakers discuss reported temporary pause in US offensive cyber operations against Russia

During a recent House Armed Services cyber subcommittee hearing, Chair Rep. Don Bacon (R-Neb.) stated that the U.S. Department of Defense briefly paused offensive cyber operations against Russia following a directive from Defense Secretary Pete Hegseth in late February. Bacon noted that the pause lasted one day and described it as consistent with broader policy aims.

Rep. Eugene Vindman (D-Va.) referenced an anonymous DOD rapid response account statement that disputed the claim, calling it ‘at least misleading.’ Deputy Assistant Secretary of Defence for Cyber Policy Laurie Buckhout did not confirm or deny the reports but stated that multiple elements are involved in cyber operations targeting Russia.

The hearing also included bipartisan concerns regarding the recent dismissal of National Security Agency and US Cyber Command Director Timothy Haugh, particularly in light of cyber threats facing US critical infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

OpenAI, G42 plan world’s largest AI data facility

OpenAI is reportedly set to become the anchor tenant in a 5-gigawatt data centre project in Abu Dhabi, part of what could become one of the largest AI infrastructure builds globally, according to Bloomberg.

The facility, spanning approximately 10 square miles, is being developed by UAE-based tech firm G42 as part of OpenAI’s broader Stargate initiative, a joint venture announced with SoftBank and Oracle to establish high-capacity AI data centres worldwide.

While OpenAI’s first Stargate facility in Texas is projected to reach 1.2 gigawatts, the Abu Dhabi project would more than quadruple that. The planned scale would consume power equivalent to five nuclear reactors.

OpenAI and G42 have collaborated since 2023 to accelerate AI adoption in the Middle East. The partnership has sparked concerns among US officials, particularly around G42’s past ties to Chinese firms, including Huawei and BGI.

G42 has since pledged to divest from China and shift its focus. In early 2024, Microsoft invested $1.5 billion in G42, and company president Brad Smith joined its board, reinforcing US–UAE tech ties. An official statement from OpenAI on the project is still pending.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Uber is ready for driverless taxis in the UK

Uber says it is fully prepared to launch driverless taxis in the UK, but the government has pushed back its timeline for approving fully autonomous vehicles.

The previous 2026 target has been shifted to the second half of 2027, despite rapid developments in self-driving technology already being trialled on British roads.

Currently, limited self-driving systems are legal so long as a human remains behind the wheel and responsible for the car.

Uber, which already runs robotaxis in the US and parts of Asia, is working with 18 tech firms—including UK-based Wayve—to expand the service. Wayve’s AI-driven vehicles were recently tested in central London, managing traffic, pedestrians and roadworks with no driver intervention.

Uber’s Andrew Macdonald said the technology is ready now, but regulatory support is still catching up. The government insists legislation will come in 2027 and is exploring short-term trials in the meantime.

Macdonald acknowledged safety concerns, noting incidents abroad, but argued autonomous vehicles could eventually prove safer than human drivers, based on early US data.

Beyond technology, the shift raises big questions around insurance, liability and jobs. The government sees a £42 billion industry with tens of thousands of new roles, but unions warn of social impacts for professional drivers.

Still, Uber sees a future where fewer people even bother to learn how to drive, because AI will do it for them.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!