Cybersecurity

OpenAI previews GPT-5.6 Sol model with stronger safeguards

OpenAI has begun a limited preview of GPT-5.6 Sol, a new flagship model in its new GPT-5.6 family, which also includes Terra and Luna. The company said all three models are expected to become generally available in the coming weeks.

The company said the preview is initially limited to a small group of trusted partners. OpenAI said it shared its release plans and model capabilities with the US government before launch and is initially limiting access at the government’s request.

The company said it does not consider government pre-release access an appropriate long-term default. Instead, it described the limited preview as a temporary measure while working with the US administration on a repeatable release framework linked to a cybersecurity Executive Order.

OpenAI described GPT-5.6 Sol as its most capable model to date, highlighting improvements in agentic coding, biology and cybersecurity while saying a broader set of evaluation results will be published when the model becomes generally available.

For coding, OpenAI said GPT-5.6 Sol set a new state of the art on Terminal-Bench 2.1, which tests command-line workflows involving planning, iteration and tool coordination.

The company also reported improvements in biology workflows. On GeneBench v1, which evaluates long-horizon genomics and quantitative biology tasks, OpenAI said the model performed better than GPT-5.5 while using fewer tokens.

Cybersecurity is a major focus of the preview. OpenAI said GPT-5.6 Sol is its most capable model yet for cybersecurity tasks, including vulnerability research and exploitation-related workflows.

OpenAI said the model performs better at identifying and helping remediate vulnerabilities than at carrying out end-to-end offensive cyber operations. According to the company, GPT-5.6 Sol did not exceed the Cyber Critical threshold under its Preparedness Framework.

OpenAI said the GPT-5.6 release includes its most robust safeguards to date, with configurations tailored to each model’s capabilities. The company said these safeguards are intended to constrain prohibited offensive use while preserving access for legitimate work such as code review, vulnerability research, patch development, debugging, security education and defensive testing.

Safeguards include model-level protections, real-time generation checks, account-level monitoring, differentiated access controls, enforcement mechanisms and ongoing testing. OpenAI said some higher-risk requests may be delayed or blocked during the preview period.

The company said it devoted more than 700,000 A100-equivalent GPU hours to automated red-teaming, complemented by third-party expert testing, to evaluate the model’s resilience against jailbreak attempts.

During the preview, GPT-5.6 models will initially be available through the API and Codex to selected trusted partners and organisations. OpenAI said broader access for ChatGPT, Codex and API users is planned soon.

During the preview, GPT-5.6 models will be available through the API and Codex to selected partners. OpenAI said broader access across ChatGPT, Codex and the API is planned soon. It also announced pricing for the model family and said GPT-5.6 Sol will launch on Cerebras in July, initially for a limited group of customers.

Why does it matter?

GPT-5.6 Sol illustrates how frontier AI releases are becoming increasingly governed by phased deployment, targeted access and extensive safety testing rather than immediate public availability. OpenAI’s emphasis on cybersecurity evaluations, automated red-teaming and layered safeguards reflects growing efforts to manage the risks associated with increasingly capable foundation models.

The rollout also highlights the evolving relationship between AI companies and governments. By combining limited pre-release access, enterprise deployment and structured safety frameworks, OpenAI is helping shape emerging norms for how advanced AI systems are evaluated, governed and introduced into real-world use.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

IWF urges EU to restore legal basis for voluntary CSAM detection

The Internet Watch Foundation has urged the EU policymakers to adopt a permanent legal framework allowing technology companies to voluntarily detect, report and remove child sexual abuse material online.

The organisation said Europe cannot keep relying on children to protect themselves from online predators, warning that awareness campaigns and digital literacy measures cannot replace platform responsibility, technical safeguards and proactive detection tools.

The IWF said the EU’s failure to agree on a long-term Child Sexual Abuse Regulation has created legal uncertainty after the expiry of the temporary framework that previously allowed online services to use voluntary detection measures.

According to the organisation, child sexual abuse increasingly begins online through grooming, coercion, sextortion and blackmail. The IWF said that more than a quarter of the 500,000 unique child sexual abuse images and videos it identified in 2025 were self-generated after children were manipulated into creating explicit material.

The group argues that voluntary detection should become a minimum standard across the EU, supported by legal safeguards that protect privacy and prevent misuse.

The debate remains one of the EU’s most contested digital policy issues. Child-safety organisations warn that legal uncertainty could reduce the detection of abuse, while privacy advocates have raised concerns about surveillance, false positives and the scanning of private communications.

The IWF said policymakers should not treat child protection and privacy as a binary choice, but should create a framework that allows technology companies to detect abuse while maintaining appropriate safeguards.

Why does it matter?

The debate goes to the heart of EU online safety policy: how to protect children from grooming, sextortion and the circulation of abuse material while preserving privacy and communications rights. The IWF’s intervention highlights the child-protection argument for legal certainty around voluntary detection tools. At the same time, the controversy shows why any permanent framework will need strong safeguards, transparency and limits on how detection technologies are used.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Türkiye steps into quantum race with strategic roadmap

Türkiye has published an updated quantum technology roadmap, setting out 85 priority technology topics across quantum computing, quantum sensing and quantum communication.

The roadmap was developed through the Quantum Focus Technology Network (OTAĞ), coordinated by the Presidency of the Republic of Türkiye, Secretariat of Defence Industries. The process involved 305 experts from 123 institutions and organisations, including civilian and military stakeholders.

The roadmap classifies the 85 proposed technology topics into 34 near-term and 51 long-term priorities. Technologies were assessed using an analytical prioritisation method that considered Türkiye’s needs, existing capabilities, infrastructure, and end user requirements.

The strategy focuses on building domestic capability in quantum computing, sensing and communication by strengthening research infrastructure, developing skilled human capital and expanding cooperation between universities, industry, research centres and public institutions.

Priority steps include postgraduate programmes in quantum engineering and hardware technologies, researcher exchange and internship schemes, international research partnerships and critical infrastructure such as nanofabrication, cryogenic testing, precision measurement laboratories and sensor packaging.

The roadmap forms part of Türkiye’s wider effort to build a coordinated quantum ecosystem and improve its international competitiveness in a field with implications for cybersecurity, secure communications, advanced sensing and future computing.

Why does it matter?

Quantum technologies could reshape encryption, secure communications, sensing, navigation and high-performance computing. Türkiye’s roadmap is important because it turns quantum capability-building into a structured national programme with defence and strategic-technology relevance. By aligning universities, public institutions, industry and research centres around shared priorities, Türkiye is trying to reduce dependence on foreign technologies and position itself earlier in a field where global leadership is still being contested.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Microsoft and Europol disrupt Amadey and StealC malware infrastructure

Microsoft has disrupted more than 200 command-and-control servers linked to Amadey and StealC, two widely used cybercrime tools that support credential theft, fraud and ransomware attacks.

The company’s Digital Crimes Unit said the action targeted the shared infrastructure behind the two tools rather than treating them as separate threats. In the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers worldwide.

Amadey is often used to gain access to devices, while StealC is used to steal passwords and sensitive information. Microsoft said the tools form part of a wider cybercrime supply chain in which specialised malware services help attackers turn initial access into fraud, ransomware, espionage or other operations.

Microsoft said investigators used AI, including Copilot, to analyse malware and identify connections between the two tools more quickly. The company said the analysis helped its legal team treat both malware families as part of a single conspiracy under the US Racketeer Influenced and Corrupt Organizations Act.

The action was carried out with Europol and industry partners, including ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Europol’s European Cybercrime Centre also investigated StealC as part of Operation Endgame, alongside European law enforcement partners and cybersecurity companies, including IBM X-Force and Proofpoint.

Microsoft said it has identified more than 18,000 victim computers since the start of the operation and is working with telecommunications providers to help protect affected users.

The company said findings from the case will feed into its Statutory Automated Disruption programme, which accelerates the removal of malicious domains and infrastructure.

Why does it matter?

The operation reflects a shift in cybercrime disruption strategy. Instead of targeting one malware family or service at a time, Microsoft and its partners focused on the shared infrastructure that allows criminal tools to work together. That matters because modern cybercrime increasingly operates as a modular supply chain: one tool gains access, another steals credentials, and other actors monetise that access through fraud, ransomware or espionage. The use of AI to accelerate malware analysis also points to how defenders are trying to match the speed and scale of cybercriminal operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

UK’s Youth Justice Board highlights growing risks of online harms for children

The UK Youth Justice Board has published new evidence on how online harms affect children across England and Wales, warning that digital risks are increasingly linked to safeguarding, well-being and youth justice outcomes.

The Evidence and Insights Pack brings together research, data and practice examples to improve understanding of the risks children face online and how services can protect them more effectively.

The report says children face overlapping digital harms, including cyberbullying, sexual abuse, radicalisation, exploitation and the non-consensual sharing of intimate images. It also warns that harmful content and image-based abuse are becoming increasingly normalised among children, disproportionately affecting girls.

The YJB says many children who engage in problematic online behaviour have complex needs or have experienced abuse themselves. Weak platform design and limited digital literacy among adults can increase children’s vulnerability and make safeguarding more difficult.

The report calls for responses that go beyond criminal justice. It identifies promising approaches, including safety-by-design and teen-by-default platform measures, early intervention, harm-reduction responses, digital media and gaming literacy, healthy relationships education and gender-sensitive programmes.

The YJB also highlights strength-based interventions that promote belonging, critical thinking and positive identity building for children. It says such approaches can help reduce harm while avoiding unnecessary criminalisation.

The publication comes as the UK implements the Online Safety Act and prepares to ban social media for under-16s by spring 2027. The YJB said protecting children will require coordinated action across education, health, policing, local government, housing and social care.

Why does it matter?

The report strengthens the case for treating online harms as a safeguarding and public policy issue, not only a matter for platforms or the police. It shows that children can be victims, perpetrators and vulnerable participants in the same digital environments, especially where abuse, exploitation, misogyny or harmful content are normalised. The YJB’s focus on prevention and early support is important because punitive responses can deepen children’s contact with the justice system without addressing the underlying risks.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

NIST explores OT asset management to strengthen cybersecurity

NIST’s National Cybersecurity Center of Excellence (NCCoE) is seeking public feedback on a new project focused on operational technology (OT) asset management as the foundation for stronger OT cybersecurity.

The draft project description, Asset Management as a Foundation for OT Cybersecurity, outlines the project’s scope, challenges and technical approach. The NCCoE plans to demonstrate practical methods for OT asset discovery, inventory, configuration and change management.

The project will involve collaboration with asset owners, operators, and solution providers. The NCCoE plans to demonstrate real-world OT asset management and visibility solutions using commercially available products.

The proposal also includes a high-level reference architecture, desired technical capabilities and alignment with relevant standards, including outcomes from the NIST Cybersecurity Framework 2.0.

The NCCoE said AI is accelerating both the discovery and exploitation of vulnerabilities, making strong OT asset management increasingly important as organisations modernise industrial systems, adopt zero trust architectures and respond to AI-driven cyber threats.

Many organisations struggle to maintain a complete inventory of OT assets. Without effective asset management, activities such as risk assessment, network segmentation, vulnerability management, incident response and technology modernisation become significantly more difficult.

The NCCoE said the laboratory demonstration will support the development of source code, scripts, architectures, procedures, and guidelines. These resources are intended to help organisations gain the visibility needed to detect and respond to modern cyber threats in OT environments.

The centre is seeking input from asset owners, operators, technology providers, and cybersecurity practitioners. Feedback will help refine the project scope, use cases, reference architecture, and demonstration objectives.

Following the consultation, the NCCoE plans to recruit collaborators for project demonstrations and development activities. Public comments on the draft are open until 31 July 2026.

Why does it matter?

Operational technology underpins critical infrastructure, manufacturing and industrial operations, making accurate asset visibility a prerequisite for effective cybersecurity. As AI enables attackers to identify and exploit vulnerabilities more quickly, organisations need reliable inventories, configuration management and continuous monitoring to support risk assessments, zero trust strategies and incident response.

The project also reflects a broader shift towards practical cybersecurity guidance. By working with industry to develop reference architectures, tools and implementation guidance aligned with the NIST Cybersecurity Framework 2.0, the NCCoE aims to help organisations translate cybersecurity best practices into operational improvements across industrial environments.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

NCSC warns of growing cyber risks to critical infrastructure

Hostile state actors were linked to around three-quarters of cyber attacks affecting the UK’s critical national infrastructure over the past year, according to the head of the National Cyber Security Centre.

Speaking at the Royal United Services Institute’s Annual Security Lecture, NCSC CEO Dr Richard Horne said the agency managed more than 200 cyber incidents affecting critical national infrastructure and its supporting ecosystem in the year to May 2026.

Horne said around 75% of those incidents were believed to be linked to state actors. He warned that hostile states are increasingly targeting the systems that underpin essential services in the UK.

The NCSC chief said cybersecurity should not be treated only as a technical risk to be managed, but as an ongoing contest with capable adversaries. He urged executives and board members to improve resilience by understanding their exposure to threats, strengthening proven security fundamentals and ensuring organisations can continue operating and recover quickly after attacks.

Horne also warned that AI is likely to accelerate the threat. The NCSC assesses that by 2028, attackers will probably use AI-enabled cyber capabilities to exploit known vulnerabilities in legacy technology at scale across critical national infrastructure.

He said many serious incidents still occur because basic cybersecurity measures are not in place. The warning places legacy systems, board-level accountability and operational resilience at the centre of the UK’s critical infrastructure security debate.

Why does it matter?

The NCSC warning shows that cyber attacks on critical infrastructure are no longer just an operational IT risk. They are part of a wider geopolitical contest involving hostile states, essential services and national resilience. The AI warning makes the issue more urgent: if attackers can use AI to exploit known weaknesses in legacy systems at scale, organisations that have tolerated unresolved vulnerabilities may face attacks much faster and broader.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Google proposes a balanced approach to AI governance in the US

Google has published a policy paper proposing a two-track approach to AI governance in the United States, separating oversight of frontier AI models from rules for widely deployed AI applications.

The paper argues that AI policy should avoid what Google describes as a false choice between over-regulation and no regulation. Instead, the company calls for a pragmatic, evidence-based framework that treats the most advanced AI systems differently from everyday AI tools such as chatbots.

For frontier AI, Google proposes the creation of a Frontier AI Regulatory Organisation, or FARO. The industry-funded body would operate under federal oversight and develop standards for safety, security, incident reporting and transparency.

Google says FARO could set scientific benchmarks for frontier capabilities, particularly in areas such as cybersecurity and chemical, biological, radiological and nuclear risks. It could also oversee independent audits and require frontier AI companies to publish and follow safety frameworks before releasing highly capable models.

For widely deployed AI applications, Google argues that the federal government should rely mainly on existing legal frameworks, with targeted updates where needed. The paper says policy should focus on real-world harms and outputs rather than micromanaging AI development.

The company identifies several priority areas, including workforce preparedness, child safety, information integrity, copyright, privacy and energy infrastructure for data centres.

Google supports measures such as AI interaction guidelines for children, disclosures that chatbots are not sentient, rules for self-harm-related queries, watermarking and provenance standards for generative AI, privacy-enhancing technologies and workforce reskilling.

The paper presents the model as a way to address national security and consumer protection risks while preserving US leadership in AI development.

Why does it matter?

Google’s paper is a significant industry intervention in the US AI policy debate. Its two-track model reflects a broader governance trend: frontier AI is increasingly being treated as a national security and safety issue, while everyday AI applications are being handled through consumer protection, child safety, privacy, copyright and labour policy. The proposal could influence federal discussions, but it also reflects Google’s own regulatory preferences, including industry-funded oversight, confidential audit reports and reliance on existing law for many AI applications.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Canadian ministers to discuss Safe Social Media Act

Canadian Heritage will hold an in-person roundtable in Winnipeg on Bill C-34, the Safe Social Media Act, as the government continues public discussion on its proposed online safety framework.

The event will bring together Marc Miller, Minister of Canadian Identity and Culture and Minister responsible for Official Languages, and Adam van Koeverden, Secretary of State for Sport. Media representatives have been invited to attend the conclusion of the discussion, followed by an informal media availability.

The Safe Social Media Act was introduced on 10 June 2026 and would create new duties for social media services, AI chatbot services and other regulated online services. The government says the bill is intended to make platforms more responsible for addressing harmful content and creating safer online spaces, especially for children and young people.

The bill would enact the Digital Safety Act and establish the Digital Safety Commission of Canada. The proposed framework focuses on platform accountability, child protection, transparency and the prevention of online harms before they occur.

The legislation comes amid growing international debate over children’s access to social media, age restrictions, harmful content, platform design and the role of AI chatbots in online safety.

The Winnipeg roundtable signals continued government engagement with stakeholders as Bill C-34 moves through the parliamentary process.

Why does it matter?

Canada’s Safe Social Media Act is part of a wider global shift towards stronger online safety rules focused on children and young people. By covering social media services and AI chatbots, the bill reflects growing concern that harmful content, platform design and AI-driven interactions can affect child safety, mental health and exposure to exploitation. The proposed Digital Safety Commission would also create a new federal oversight structure for platform accountability.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU targets AWS and Azure under the DMA

The European Commission has informed Amazon and Microsoft of its preliminary view that their cloud computing services, Amazon Web Services and Microsoft Azure, should be designated as gatekeepers under the Digital Markets Act.

The move could extend the DMA’s reach into cloud infrastructure, a sector the Commission describes as critical to Europe’s digital economy and AI development.

The Commission opened market investigations into AWS and Azure in November 2025. It has now been provisionally concluded that both services act as important gateways between businesses and customers in the EU, despite not meeting the DMA’s standard quantitative thresholds.

According to the Commission, AWS and Azure benefit from large and established user bases, high switching costs, loyalty effects, broad cloud ecosystems and long-standing market positions. It also said their AI tool portfolios and partnerships are becoming increasingly important for cloud customers.

Amazon and Microsoft now have the opportunity to examine the investigation files and respond to the preliminary findings. If the Commission confirms its assessment, AWS and Azure would be designated as gatekeepers, and the companies would have six months to comply with DMA obligations.

The Commission said fair and competitive cloud markets are important for secure, sustainable and interoperable cloud services in Europe. It also linked the case to Europe’s wider technological sovereignty objectives, as cloud infrastructure underpins AI systems, enterprise software and public services.

Why does it matter?

The case shows how the EU competition policy is moving deeper into the infrastructure behind the AI economy. Cloud platforms are no longer just business services; they shape access to compute, data, AI tools, software ecosystems and switching options for companies and public institutions. If AWS and Azure are designated as DMA gatekeepers, the decision could affect cloud interoperability, customer lock-in and the balance of power between US hyperscalers and European cloud providers.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!