Cyberconflict and warfare

US sets post-quantum cryptography deadlines for federal systems

US President Donald Trump has signed an executive order setting deadlines for federal agencies to migrate high-priority systems to post-quantum cryptography.

Executive Order 14409 says large-scale quantum computers could threaten widely used cryptographic systems and create risks for sensitive government data, critical infrastructure and the digital economy. It also highlights ‘harvest now, decrypt later’ attacks, where adversaries collect encrypted information today and decrypt it once quantum capabilities become available.

The order makes it US policy to transition federal information systems to National Institute of Standards and Technology-approved Federal Information Processing Standards for post-quantum cryptography. It also directs the federal government to assist critical infrastructure owners and operators with their own migration planning.

Within 30 days, each federal agency must name a post-quantum cryptography migration lead responsible for cryptographic inventories, migration planning and cross-agency coordination.

The Office of Management and Budget must issue guidance within 90 days requiring agencies to review inventories of high-value assets and high-impact systems (excluding National Security Systems) and submit migration plans.

Federal high-value assets and high-impact systems must transition to post-quantum cryptography for key establishment by 31 December 2030 and for digital signatures by 31 December 2031.

The order also directs CISA, in coordination with NIST, to publish public guidance within 270 days on minimum elements for a cryptographic bill of materials, supporting automated assessment of cryptographic assets in hardware and software.

Procurement rules are also expected to change. The Federal Acquisition Regulatory Council must propose requirements for covered contractors to comply with NIST cryptographic standards, including applicable post-quantum standards, by 31 December 2030.

Why does it matter?

The order gives the US post-quantum transition concrete deadlines and turns cryptographic migration into an operational, procurement and critical infrastructure issue. Quantum-capable attacks remain a future risk, but encrypted data can be stolen now and decrypted later. By requiring inventories, migration leads, contractor obligations and cryptographic bills of materials, the EO pushes agencies and suppliers to understand where vulnerable cryptography is used before quantum threats become practical.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

ChatGPT set to join Pentagon’s GenAI.mil platform

Mohammed Husain, OpenAI’s Strategic Delivery Lead for Cyber, said at the Defense One Tech Summit in Virginia that the company expects to launch ChatGPT on GenAI.mil, the US Department of Defense’s enterprise-wide generative AI platform, in early July. The deployment would extend ChatGPT access to more than 3 million defence, civilian, and military personnel.

According to Husain, the version of ChatGPT deployed on GenAI.mil will be certified to handle Controlled Unclassified Information (CUI) and operate at Impact Level 5 (IL5), a Defense Department cloud security classification for systems processing sensitive unclassified information. Husain said OpenAI continues to coordinate with the Pentagon’s Chief Digital and Artificial Intelligence Office (CDAO) on the rollout.

The Department of Defense launched GenAI.mil in December 2025, initially centred on Gemini for Government, before announcing plans to integrate models from OpenAI and xAI. Outside GenAI.mil, federal agencies have had access to ChatGPT since at least January 2025 through ChatGPT Gov.

In August 2025, OpenAI and the General Services Administration reached a OneGov agreement that reduced the price of ChatGPT access for federal agencies. Most recently, OpenAI’s GPT-5.4 model became available to federal government users on Amazon Bedrock and AWS GovCloud earlier this month.

Husain said that as the Department of Defense adopts more capable models, token consumption, the units used by AI systems to process and generate information, is likely to increase, particularly for higher-value tasks.

He pointed to Amazon’s early June announcement that OpenAI’s GPT-5.5, GPT-5.4, and Codex models are now available on Amazon Bedrock as an example of broader access to more capable, token-intensive models.

Husain said token efficiency, measured by the cost of completing tasks rather than raw processing speed, is expected to become an increasingly important consideration in government AI deployments as model capabilities advance.

Why does this matter?

The planned rollout highlights how frontier AI models are moving from experimental deployments into core government and defence infrastructure. Rather than relying on a single provider, the Pentagon is building an ecosystem that includes models from OpenAI, Google and xAI, reflecting a broader strategy of integrating commercial AI capabilities into operational environments.

The development also illustrates the growing institutionalisation of relationships between leading AI companies and national security organisations. As advanced AI systems become embedded in government workflows, questions around security, procurement, oversight, interoperability, and strategic dependence on private-sector AI providers are likely to become increasingly important.

The deployment of ChatGPT on GenAI.mil, therefore, represents not only a technology upgrade but also a step in the evolving governance of AI within national security institutions.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU extends Cybersecurity Reserve support to Ukraine

Ukraine can now activate emergency EU cyber support during significant or large-scale cybersecurity incidents after the Council of the European Union approved its inclusion in the EU Cybersecurity Reserve.

The Reserve, managed by the European Union Agency for Cybersecurity, provides incident response services from trusted private-sector providers to help contain and mitigate major cyber incidents.

The European Commission said the decision reflects closer EU-Ukraine cooperation and forms part of wider efforts to strengthen preparedness, rapid response and shared expertise against evolving cyber threats.

The move also aligns with the EU’s strategic digital partnership agenda and follows Moldova’s inclusion in the Cybersecurity Reserve in 2024 under the Cyber Solidarity Act.

European Commission Executive Vice-President Henna Virkkunen said Ukraine’s inclusion strengthens collective cyber defences and reaffirms European solidarity at a time of persistent cyber threats.

Why does it matter?

Ukraine’s inclusion in the Cybersecurity Reserve extends EU cyber crisis support to a country facing sustained cyber pressure linked to geopolitical conflict. The decision shows how the EU is using the Cyber Solidarity Act and related mechanisms not only for internal resilience, but also for strategic partnerships. It also strengthens the role of ENISA-coordinated incident response services and trusted private providers in Europe’s wider cyber crisis management framework.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Study warns of self-replicating AI malware using real-time reasoning

Cybersecurity researchers have demonstrated an AI-powered computer worm capable of identifying vulnerabilities, generating attack strategies and spreading autonomously across networks. The study suggests that advances in AI agents could enable a new class of adaptive cyber threats capable of operating with minimal or no direct human intervention.

The research, conducted by teams from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow, describes malware that uses large language models to tailor its behaviour to each target. Unlike traditional worms, the system can adapt its attack methods in real time instead of relying solely on pre-programmed exploits.

Testing in a controlled virtual environment showed the system could successfully compromise multiple machines and replicate across a simulated network over several days. The worm also operated without relying on cloud infrastructure, running AI models locally on infected systems and using those resources to support its operations.

Researchers warned that such capabilities could signal a shift towards what they describe as ‘autonomous generative adversaries’ and stressed the need for stronger detection systems, evaluation frameworks and governance mechanisms. While details were limited to reduce misuse risks, the authors said the findings reflect how rapidly AI-enabled cyber capabilities are evolving.

Why does it matter? 

The research signals a shift in cyber risk from static, signature-based malware to autonomous systems capable of reasoning, adapting, and scaling attacks without human input.

As AI models become more capable and widely deployed, the line between tool and autonomous threat blurs, increasing pressure on cybersecurity systems, patching cycles, and regulation to keep up with real-time, evolving attacks.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

New Washington initiative targets legal frameworks for collective cyber defence

A new policy coalition has been launched in Washington to develop frameworks governing collaboration between government agencies and private companies on cyber operations, amid growing concerns that unresolved legal questions are limiting deeper cooperation.

Venable’s Center for Cybersecurity Policy and Law established the Cyber Operations Policy Coalition this week. The coalition aims to bring together industry representatives, government officials, legal experts, academics and civil society organisations to develop policy frameworks for collective cyber defence.

Corporate members include Microsoft, Lumen, Halcyon, Autonomous Cyber, and Voreas Labs. Non-corporate members span think tanks and academic institutions, including the Foundation for Defense of Democracies, the Cyber Threat Alliance, the Institute for Security and Technology, McCrary Institute for Cyber and Critical Infrastructure Security, and American University’s Tech, Law, and Security Program. The International Committee of the Red Cross and the Stimson Center participate as observers.

The coalition is coordinated by Stacy O’Mara and advised by a panel that includes former NSA Cybersecurity Director Rob Joyce, former CISA official Bryan Ware, and former Representative Jim Langevin.

During the launch event, current and former officials identified legal authorities, liability arrangements and operational rules as key areas requiring clarification before public-private cyber collaboration can expand at scale. Katie Sutton, assistant secretary of defence for cyber policy, noted that legal expertise would be central to closer integration, pointing to existing authority frameworks on both the government and industry sides.

Tonya Ugoretz, head of PwC’s Cyber & Risk Innovation Institute, highlighted the need for clearer liability frameworks to enable cyber operations without requiring case-by-case authorisation.

The initiative reflects the structure of the cyber domain, where much of the internet and critical infrastructure is privately owned, making companies both potential targets of cyberattacks and key partners in cyber defence efforts.

Several parallel developments add context to the coalition’s launch. The Joint Cyber Defense Collaborative, the CISA-led body for public-private cyber coordination, is mapping both defensive and potential offensive options for use in geopolitical crisis scenarios involving major infrastructure providers, according to JCDC deputy assistant director Matt Springer.

The US military has also more openly discussed offensive cyber operations in recent months, while Congress is considering a proposal for a dedicated cyber service branch.

The emergence of increasingly capable AI systems with cybersecurity applications has further expanded the range of technical, operational and legal questions facing policymakers.

Why does it matter?

Cybersecurity increasingly depends on cooperation between governments and private companies because much of the infrastructure targeted by cyberattacks is privately owned and operated. However, legal questions surrounding authority, liability and operational responsibilities remain unresolved in many jurisdictions.

The coalition reflects growing recognition that existing frameworks may not be fully suited to large-scale cyber defence efforts, particularly as geopolitical tensions, critical infrastructure threats and AI-enabled cyber capabilities increase. Its work could help shape future approaches to collective cyber defence and public-private cybersecurity cooperation.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

GCHQ outlines AI-driven cyber defence programme for protecting critical infrastructure

The UK’s signals intelligence agency GCHQ has announced plans to develop an AI-powered national cyber defence capability that would use autonomous software agents to identify and respond to cyber threats at machine speed. Speaking publicly, GCHQ director Anne Keast-Butler described the initiative as a ‘blueprint for a new national cyber defence capability’ to be operational within five years.

The programme would apply agentic AI to monitor and protect critical sectors including energy, water, healthcare, transport, and financial services. According to Keast-Butler, advances in AI are accelerating the discovery of software vulnerabilities, increasing pressure on defenders to identify and mitigate risks more quickly.

UK Security Minister Dan Jarvis had previously outlined the national cyber shield concept in April, noting that protecting critical infrastructure in an AI-enabled environment would require approaches beyond standard commercial security products. The Cabinet Office has since approached AI companies to contribute to the development of these capabilities.

GCHQ is separately integrating AI into its intelligence analysis workflows, including language translation and large-scale data processing.

Alongside the cyber defence announcement, Keast-Butler addressed two further technical priorities. On quantum computing, she noted that post-quantum encryption is now an active planning requirement rather than a future consideration, pointing to National Cyber Security Centre guidance on transitioning to quantum-resistant algorithms. On space, she observed that the volume of orbital infrastructure has grown substantially — over 10,000 new objects launched in three years — with GCHQ working to secure space-based systems that underpin data transmission globally.

GCHQ’s Mathematics directorate is developing new cryptographic methods suited to the post-quantum environment, building on the agency’s role in pioneering public-key cryptography in the 1970s.

Taken together, the announcements sketch a broader shift in how GCHQ positions its role. The announcements suggest a broader role for GCHQ, combining intelligence, cybersecurity, cryptography and infrastructure protection as part of the UK’s wider digital resilience strategy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

ENISA to host 2026 telecom and digital infrastructure security forum

The European Union Agency for Cybersecurity (ENISA) has announced its Telecom and Digital Infrastructure Security Forum 2026, bringing together telecom experts, policymakers and national authorities to address emerging cybersecurity risks.

The forum will focus on challenges, including cyberattacks on telecom networks, resilience issues such as power dependencies, and the security implications of new technologies. It aims to support strategic and technical dialogue across the sector.

Organised with the Cyprus Presidency of the Council of the EU, the event provides a private setting for collaboration among industry specialists, regulators and the wider cybersecurity community, without public broadcasting.

Discussions will contribute to ongoing efforts to strengthen coordinated telecom security measures and policy development across the EU, with the event taking place in Nicosia, Cyprus.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Peacebuilding and AI in focus at UNSSC webinar series

The United Nations System Staff College has highlighted growing interest across the UN and the wider peacebuilding community in how artificial intelligence is shaping conflict prevention, arguing that the technology can support peace efforts but cannot replace human judgement, diplomacy, and oversight.

The reflection draws on a three-part webinar series launched by UNSSC to examine AI governance, field use, and ethical risks in peacebuilding. According to the text, one message ran across all three discussions: AI may offer real value for conflict prevention, but its role should remain supportive rather than substitutive.

The piece argues that AI is already being used across the UN peace and security pillar and should be introduced only where it improves effectiveness, such as by handling repetitive tasks and allowing staff to focus on analysis, leadership, and political judgement. It also stresses that principles long associated with peacebuilding, including trust and ‘do no harm’, should apply across the full AI stack, from data and infrastructure to model design and deployment.

Examples cited from the webinar series include the use of augmented intelligence in early warning systems, where machine learning is combined with human contextual knowledge, and an AI-enabled WhatsApp chatbot used in Yemen to broaden participation in mediation, particularly among women and young people. The text presents these cases as evidence that AI can extend the reach of peacebuilding tools without replacing practitioners.

The final part of the reflection focuses on governance and ethics. It argues that while ethical AI principles are widely discussed, they need to be translated into practical, context-specific safeguards, especially in conflict settings. It also notes that risks differ across use cases such as early warning, social media monitoring, and mediation support, and says meaningful governance requires input from diplomats, researchers, mediators, and the private sector.

UNSSC says the webinar series drew between 300 and 500 registrants per session, which it presents as evidence of strong demand for more targeted learning on AI and peacebuilding. The college argues that its role should extend beyond convening discussion to turning those debates into practical knowledge for UN practitioners working at the intersection of AI and conflict prevention.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

US military expands AI deployment across classified networks

The US Department of Defence has announced agreements with leading technology firms to deploy advanced AI capabilities across classified military networks. The initiative forms part of a broader effort to position the United States as a more AI-enabled military power.

Companies including OpenAI, Google, Microsoft, Amazon Web Services, NVIDIA, and SpaceX are reported to be involved in supporting deployment within high-security Impact Level 6 and 7 environments. The integration is intended to improve data synthesis, situational awareness, and operational decision-making across defence systems.

The department’s internal platform, GenAI.mil, is also being presented as a central part of this push, with senior officials describing it as a way to put advanced AI tools into the hands of personnel across the department and across different classification levels.

Officials have emphasised that maintaining access to a range of AI providers is important to avoid vendor lock-in and preserve long-term flexibility. In that sense, the move reflects a wider attempt to strengthen national security through advanced technology while keeping the military AI stack diversified rather than dependent on a single company or model family. However, this is an inference based on the reported Pentagon framing of the agreements.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Swisscom says AI and geopolitics are reshaping the cyber threat landscape

Swisscom has published its 2026 Cybersecurity Threat Radar, warning that cyber threats have grown more complex over the past year as geopolitical tensions and disruptive technologies put added pressure on digital systems. The report presents AI, supply chain exposure, digital sovereignty, and operational technology security as four strategic risk areas for organisations.

The report highlights state-linked cyber activity, hybrid influence operations such as disinformation, and supply chain attacks as key drivers of the current threat environment. It argues that digital transformation has increased dependence on cloud services, third-party software, AI systems, and networked industrial infrastructure, making organisations more exposed to cascading failures and external dependencies.

On AI, Swisscom describes insecure AI use as a risk multiplier. While AI can improve productivity, the report warns that poor governance, weak visibility into models, and uncontrolled use of AI tools in operational environments can expand attack surfaces, affect data quality, and create new compliance challenges.

Software supply chains are also identified as a persistent vulnerability. Swisscom says a single compromised component or manipulated update process can have far-reaching consequences across interconnected systems, making software integrity, origin verification, and traceability increasingly important as mitigation measures.

The convergence of information technology and operational technology is presented as another growing area of concern. In sectors such as energy, healthcare, manufacturing, and building automation, incidents can have consequences that go well beyond financial loss, affecting critical infrastructure, production, and even human safety.

The report also places greater emphasis on digital sovereignty, arguing that organisations need clearer visibility over where data is processed, which legal regimes apply, and how dependent they are on cloud and technology providers. In that sense, Swisscom frames cybersecurity less as a narrow IT function and more as a strategic governance issue tied to resilience, control, and trust.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.