CrowdStrike disrupts Glassworm botnet targeting software developers worldwide

CrowdStrike has announced the coordinated disruption of the Glassworm botnet, a cyber operation targeting software developers through open-source software supply chains.

Working with Google and the Shadowserver Foundation, the cybersecurity company said it simultaneously disabled four command-and-control channels used by the malware infrastructure.

According to CrowdStrike, Glassworm targeted developers through trojanised VSCode extensions, malicious npm and Python packages, and compromised GitHub repositories containing poisoned code. The campaign affected Windows, macOS, and Linux systems and targeted the theft of developer credentials and the maintenance of persistent access to development environments.

CrowdStrike said the botnet had compromised hundreds of GitHub repositories using stolen developer credentials, posing risks to downstream software supply chains. The company warned that attackers are increasingly targeting developers because compromising a single workstation, repository, or package can spread malicious code across many organisations, services, and users.

The company also highlighted the growing resilience of cybercriminal infrastructure. It said Glassworm combined blockchain technology, peer-to-peer systems, legitimate online services, and traditional servers to make takedown attempts more difficult.

The disruption cuts off the botnet’s known command-and-control channels, but CrowdStrike said organisations should continue checking for compromised developer environments, malicious packages, and exposed credentials.

Why does it matter?

The Glassworm campaign shows how developer tools and open-source ecosystems have become critical attack surfaces. Rather than attacking only large enterprises directly, threat actors can compromise repositories, extensions, libraries, or credentials used by developers and then move through the software supply chain. Such attacks can create cascading risks for cloud services, enterprise software, financial systems, public services, and other organisations that rely on shared code and development infrastructure.

Spain approves draft law adapting the EU AI Act into national legislation

Spain’s Council of Ministers has approved a draft Organic Law aimed at adapting the EU AI Act into the country’s national legal framework.

Digital Transformation and Public Service Minister Óscar López said the draft law will now be sent to the Cortes for parliamentary consideration. The proposal establishes obligations for AI providers and introduces requirements for human oversight of AI systems.

The draft law incorporates the EU AI Act’s risk-based classification framework into Spanish legislation while establishing sanctions, governance structures, and supervisory authorities.

López said the law follows Spain’s approach to AI regulation, including human oversight, algorithmic transparency, protection of minors, and data privacy. López rejected the idea that regulation undermines competitiveness, pointing to Spain’s broader AI strategy and investment initiatives.

The minister said the EU AI Act includes prohibitions covering subliminal techniques, exploitation of vulnerabilities, biometric classification, social scoring, predictive surveillance, emotion recognition, facial scraping, and real-time identification. He added that, following a request from Spain, the EU agreed on 7 May to add prohibitions on AI-generated sexual deepfakes and AI-generated child sexual abuse material.

The draft law designates Spain’s Artificial Intelligence Supervisory Agency, based in A Coruña, as the central authority. Other market surveillance authorities will also have roles, including the Bank of Spain for financial systems, the Spanish Data Protection Agency for data-related matters, and the General Council of the Judiciary for justice-related issues.

The proposal promotes responsible AI use in the state public sector, including stronger requirements for AI models and transparency in public administration, as well as the creation of an AI officer role. The law also sets rules for AI regulatory sandboxes and measures intended to help AI providers comply with the legislation.

New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

New Zealand Privacy Commissioner Michael Webster has released the findings of Phase 1 of his inquiry into the December 2025 Manage My Health cyber incident, in which sensitive patient information was accessed, stolen, and offered for sale.

The first phase of the inquiry focused on the causes of the breach and accountability. The Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code by failing to ensure reasonable security safeguards for patient information.

The breach affected nearly 100,000 people and caused serious anxiety and distress for many of those impacted. Around 91% of affected patients were based in Northland, with the Commissioner noting that many were likely to be Māori.

The investigation found that the breach was not caused by a single failure but by a combination of security weaknesses. Manage My Health had gaps in its technical safeguards and lacked systems to detect large-scale access to information, and the inquiry raised concerns about the quality of its security design and risk management practices.

Health NZ was criticised for not doing enough to ensure that Northland hospital patients’ information would be kept safe before arranging to share it through the Manage My Health portal. The inquiry found that the project team lacked specialist privacy and security expertise, relied too heavily on information from Manage My Health, used poor-quality internal privacy risk assessments, and operated under a contract that was not fit for purpose.

The Commissioner said he intends to issue compliance notices requiring both organisations to complete the remaining necessary work and to demonstrate that their security controls are effective in preventing similar incidents. He also recommended that the Ministry of Health establish a process for verifying and ensuring that patient portals meet health-sector security standards.

A second phase of the inquiry will examine the broader impacts of the breach, including patient authorisation, information provided to patients, retention and deletion practices, breach communications, notification compliance, and whether the incident had a disproportionate impact on any group, particularly Northland Māori.

Why does it matter?

The findings show how privacy and cybersecurity failures in health portals can create large-scale risks when sensitive patient data is shared through third-party systems. The case also raises a wider governance issue for digital health: agencies cannot rely only on vendor assurances when transferring large volumes of health information. Independent security assessment, privacy-by-design, effective contracts, and ongoing monitoring are becoming essential safeguards for digital health infrastructure.

Swiss IGF to tackle AI and digital sovereignty

The Swiss Internet Governance Forum will hold its 2026 meeting in Bern on 16 June, with discussions covering AI governance, cybersecurity, digital sovereignty, digital public infrastructure, platform regulation, and other internet governance issues.

The eleventh Swiss IGF will take place at Welle 7 and online, with registration open until 9 June. The forum is now organised by the Swiss Internet & Digital Governance Association, which describes itself as a neutral multistakeholder platform for internet and digital governance in Switzerland.

The draft programme includes sessions on digital sovereignty, cybersecurity and resilience, AI governance and regulation, digital work and education, e-government and democracy, AI and sustainability, digital public infrastructure, and platform regulation and child protection.

The programme also includes a lightning talk on the road to the Geneva 2027 AI Summit, linking the national forum to broader discussions on global AI governance.

The Swiss IGF is part of the wider UN Internet Governance Forum process, while EuroDIG serves as the regional European forum within that ecosystem. The 2026 Swiss IGF will conclude with the presentation of ‘Messages from Berne’ and contributions from the Swiss Youth IGF.

The Swiss Youth IGF will take place in Bern on 13 June as a capacity-building activity linked to the year-round IGF process. It provides an open platform for young people in Switzerland to discuss internet governance and develop messages and projects. The youth forum will focus on digital literacy, safety, and well-being, including generative AI, social media, and influence culture.

Why does it matter?

The Swiss IGF agenda reflects how national internet governance discussions are increasingly centred on AI governance, digital sovereignty, cybersecurity, platform regulation, and digital public infrastructure. Its link to the Geneva 2027 AI Summit also positions the Swiss debate within broader global discussions on AI governance and the future of multistakeholder internet governance.

UK expert panel to shape online safety policy

The UK Department for Science, Innovation and Technology has published the terms of reference for the Growing Up in the Online World expert panel, an independent group that will advise the government on children’s digital experiences.

The panel will provide impartial, evidence-based advice to support government policy development on children’s online well-being. Its remit includes digital technology, social media, gaming, AI chatbots, and proposals under the Growing up in the online world consultation.

DSIT said the panel will help identify evidence gaps and priority research needs for 2026 to 2027 and beyond. It is also intended to provide independent assurance that policy options are considered in the context of the evolving evidence base.

The panel’s responsibilities include reviewing emerging data on children’s online experiences, online safety, and design interventions. It will also scrutinise DSIT’s presentation of consultation evidence, identify risks and dependencies, and provide recommendations to inform advice to ministers.

Members will serve in a personal capacity and must declare conflicts of interest. DSIT said it will publish the panel’s membership once it has been agreed, along with declarations of conflicts of interest.

The panel will bring together expertise in child development, psychology, education, digital harms, online safety, behavioural science, platform design, data infrastructure, algorithmic systems, ethics, safeguarding, equality, human rights, and lived experience.

DSIT expects the panel to meet monthly via Microsoft Teams for the initial 4-month period, with additional meetings around key milestones. The panel will not set government policy, publish independent reports, represent employers or sectors, or engage with media on behalf of DSIT.

Why does it matter?

The panel shows how the UK is trying to ground children’s online safety and well-being policy in a broader evidence base covering platform design, AI chatbots, gaming, behavioural science, safeguarding, and lived experience. Its creation also points to a more formal advisory process around future policy choices, even though the panel itself will not set policy.

Australia’s ASD outlines AI opportunities and risks in cyber defence

The Australian Signals Directorate (ASD) has published new guidance outlining how organisations can use AI to strengthen cyber defence while managing risks associated with AI adoption.

According to ASD, malicious actors are increasingly using AI to scale and accelerate cyber operations, including reconnaissance, vulnerability analysis, and the generation of tailored malicious content. The guidance warns that AI may lower technical barriers for less experienced threat actors and shorten the time between vulnerability discovery and exploitation.

ASD says AI can support cyber defence by improving threat detection, vulnerability analysis, incident response, and prioritisation of security risks. However, ASD stresses that AI should complement rather than replace existing cybersecurity practices and controls.

The guidance maps AI use in cyber defence to six Information Security Manual functions: Govern, Identify, Protect, Detect, Respond, and Recover. Suggested uses include analysing supply chain risks, improving asset discovery, prioritising hardening actions, scanning source code, detecting anomalous behaviour, supporting incident triage, and assisting restoration planning.

The guidance also addresses so-called ‘agentic AI’ systems capable of autonomous planning and decision-making. ASD warns that such systems require careful adoption, clear operational limits, tightly scoped permissions, sandboxing, and strong human oversight.

Organisations adopting AI for cybersecurity are advised to apply a strong baseline aligned with the Information Security Manual and Essential Eight. ASD recommends protecting AI systems from prompt injection, model evasion, and model extraction, while ensuring least-privilege access, auditability, secure integration, and validation of AI-assisted outputs.

ASD also recommends that organisations assess AI and cybersecurity vendors against criteria including explainability, human oversight, resilience, supply-chain dependencies, fallback mechanisms, and data protection practices.

ASD concludes that AI can strengthen cyber defence when deployed securely and responsibly, but warns that poorly governed systems may introduce new vulnerabilities and operational risks.

OECD warns on cybersecurity regulation fragmentation

The Organisation for Economic Co-operation and Development (OECD) has published a policy paper warning that growing fragmentation in cybersecurity regulation is increasing compliance burdens, weakening international cooperation, and potentially diverting resources away from core security work.

The paper, ‘Towards international coherence of cybersecurity regulations’, examines how diverging rules across jurisdictions and sectors are creating a complex regulatory landscape for governments and businesses. It says fragmentation can stem from differing national security priorities, sector-specific frameworks, legacy rules, protectionist measures, crisis-driven policymaking, overlapping mandates, and the absence of shared definitions.

According to the OECD, the consequences include higher compliance costs, duplicated reporting and documentation, weaker cross-border cooperation, distorted market incentives, and reduced trust in regulatory systems. Small and medium-sized enterprises may be especially affected because they often lack the financial and human resources to manage overlapping obligations.

The paper warns that fragmented rules can divert financial, human, and managerial resources from practical cybersecurity measures towards administrative adaptation and legal alignment. It says the growing complexity of cybersecurity regulation is itself becoming a challenge to stronger cybersecurity.

The OECD also highlights the rapid expansion of cybersecurity-related regulation in Europe. Its annex maps enacted and proposed EU legislation with cybersecurity provisions since 2020, covering areas such as incident reporting, security-by-design, critical infrastructure, data protection, digital services, and operational resilience.

The report also maps existing efforts to improve coherence at domestic, regional, bilateral, and multilateral levels. Examples include the US NIST Cybersecurity Framework, the EU initiatives linked to NIS2, bilateral cooperation, mutual recognition mechanisms, and international technical standards.

The OECD concludes that regulatory fragmentation is becoming a systemic challenge and says it is well placed to support dialogue, strengthen the evidence base, and help develop practical tools for more coherent cybersecurity regulation across jurisdictions.

Why does it matter?

The paper highlights a central tension in cybersecurity policy: more regulation can improve resilience, but poorly coordinated rules can also create duplication, raise costs, and divert resources away from practical risk reduction. For companies operating across borders, coherent reporting, shared definitions, and better regulatory alignment could become as important as the rules themselves.

EU adopts unified cyber incident reporting templates under NIS2

The NIS Cooperation Group has adopted common templates for cybersecurity incident reporting across the EU, marking a step towards more harmonised compliance requirements for companies subject to the NIS2 Directive.

The templates were adopted during the group’s 39th plenary meeting in Cyprus and are intended to provide a uniform format for reporting cyber incidents across member states. The NIS Cooperation Group brings together the EU member states, the European Commission, and the EU Agency for Cybersecurity (ENISA) as part of wider EU cybersecurity coordination efforts.

According to the Commission, the standardised templates are designed to reduce administrative burdens and simplify compliance for companies required to report cybersecurity incidents under NIS2. The move also aligns with broader EU efforts to create a single-entry point for incident reporting under the proposed Digital Omnibus initiative.

The Commission now plans to adopt the templates through an implementing act, which would make them mandatory for all member states. EU officials say harmonised reporting fields should reduce fragmentation, simplify reporting obligations, and help strengthen cybersecurity resilience across the bloc.

Why does it matter?

Cybersecurity reporting requirements across Europe have often created complexity for companies operating in multiple jurisdictions. Common templates could reduce duplication, make reporting procedures more predictable, and improve coordination between national authorities. The move also fits into the EU’s broader push to simplify digital compliance while strengthening cyber resilience under NIS2.

New OECD measure compares AI and job capabilities

The OECD has published a new framework designed to assess how closely current AI capabilities align with the requirements of different occupations.

The paper, ‘The OECD AI Exposure Measure’, maps OECD AI Capability Indicators to occupations and introduces an AI Capability Gap Index. According to the OECD, the framework is intended to support analysis of potential AI impacts on work, skills, education, and labour-market policy.

The framework compares AI capabilities with occupational requirements across nine domains: language; social interaction; problem-solving; creativity; metacognition and critical thinking; knowledge, learning and memory; vision; manipulation; and robotic intelligence. Occupations with smaller capability gaps are considered more exposed to current AI capabilities, while larger gaps indicate a greater distance between AI systems and occupational requirements.

The OECD emphasised that the measure is not intended as a prediction of automation or job loss. It measures potential exposure to current AI capabilities, while actual labour-market effects will also depend on adoption, costs, task structure, regulation, organisational uptake, and social choices.

The report found that occupations involving routine information processing and administrative tasks currently show the highest levels of AI exposure. Office and administrative support occupations record the lowest total gap index, followed by production, food preparation and serving, and sales-related occupations.

Occupations relying more heavily on judgement, social interaction, interpretation, and non-standardised physical activity showed larger capability gaps.

The paper also noted that different forms of AI may affect occupations differently depending on whether work relies more on reasoning, communication, robotics, or physical interaction.

The OECD said the framework could support future work extending the approach to task-level analysis, scenario modelling and applications, macroeconomic modelling, and country-specific assessments of AI-related labour-market change.

BEREC to present Digital Networks Act assessment

The Body of European Regulators for Electronic Communications (BEREC) will hold a public debriefing on 10 June 2026 in Brussels to present its final assessment of the Digital Networks Act proposal and the outcomes of its latest plenary meetings.

The event will take place at the IRG Secretariat and will be held in a hybrid format, allowing both in-person and online participation. BEREC Chair Marko Mismas of AKOS Slovenia will present the assessment with Working Group Co-Chairs and take questions from stakeholders.

The debriefing will also cover key outcomes from BEREC’s 67th plenary meetings, including updates on ongoing work and upcoming initiatives. The full agenda will be published on BEREC’s website after the plenary meetings.

BEREC experts will also introduce a newly launched public consultation on further draft guidance on 5G network slicing, prepared by the Open Internet Working Group.

The event is aimed at policymakers, industry stakeholders, and other interested parties following the evolving EU regulatory framework for electronic communications. Participants can submit questions in advance via the registration form, while online participants will be able to use a Q&A chat function during the livestream.

Why does it matter?

BEREC’s assessment will feed into the debate over the EU’s future telecoms framework, including how regulators approach network investment, competition, open internet rules, and emerging technical practices such as 5G network slicing. The debriefing also offers stakeholders an opportunity to engage directly with regulators before the Digital Networks Act debate advances further.