ChatGPT down as users report login and conversation issues

OpenAI reported two resolved incidents affecting ChatGPT on 29 May, following user reports of issues with conversations, logins, and account creation.

The first incident affected users trying to log in or create an account. OpenAI classified the issue as degraded performance affecting ChatGPT and APIs. The company began investigating at 03:12 a.m., applied a mitigation at 03:28 a.m., and marked the incident resolved at 04:57 a.m.

A second incident affected ChatGPT conversations. OpenAI began investigating the issue at 03:18 a.m., applied a mitigation at 03:29 a.m., and marked the incident resolved at 04:58 a.m. The company said all impacted services had fully recovered.

OpenAI’s official status page listed both incidents as degraded performance rather than a full outage. The company did not provide further details on the cause of either disruption in the incident updates.

The brief disruption highlights the growing reliance on AI services for daily work, communication, and software development, as even short periods of degraded performance can affect users and organisations that depend on cloud-based AI tools.

Why does it matter?

The incidents show how widely used AI services are becoming part of everyday digital infrastructure. Even brief login or conversation failures can disrupt work for individuals, developers, businesses, and teams that rely on ChatGPT and related API services.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UK and Poland deepen cyber and defence cooperation under new treaty

The United Kingdom and Poland have agreed a broad package of defence, cybersecurity and security initiatives under a new Security and Defence Partnership Treaty. The agreement strengthens cooperation on defence, sanctions, border security, technology and energy resilience.

Defence cooperation is a central element of the treaty, with both countries planning joint work on missile systems, expanded ammunition production and closer defence-industrial cooperation.

Large-scale military exercises focused on counter-drone operations, electronic warfare and missile defence are also expected to strengthen interoperability between British and Polish forces on NATO’s eastern flank.

Cybersecurity and hybrid threat response feature heavily in the agreement. Britain and Poland plan to coordinate cybersecurity efforts, sanctions enforcement and responses to foreign information manipulation and interference.

A new counter-hybrid working group will support efforts to disrupt hostile state activity, while dedicated cooperation on disinformation aims to strengthen democratic resilience and expose coordinated influence campaigns.

Additional projects include cooperation on irregular migration, maritime security, science and technology, healthcare resilience and clean energy transition. The agreement also includes cooperation on quantum technologies, digital innovation, space security and hydrogen development to strengthen economic and security resilience.

Why does it matter? 

The treaty reflects a broader trend in European security policy, where cybersecurity, technology resilience, energy security and defence are increasingly treated as interconnected challenges.

As concerns grow over hybrid threats, disinformation campaigns and critical infrastructure vulnerabilities, governments are seeking closer cooperation across both military and civilian domains.

Cooperation on missile production, sanctions enforcement, disinformation response and emerging technologies signals a long-term effort to strengthen Europe’s eastern flank while reducing dependence on fragmented supply chains and external strategic vulnerabilities.

Singapore warns of cybersecurity risks from autonomous AI agents

Singapore’s Cyber Security Agency (CSA) has issued an advisory warning that autonomous AI agents, including OpenClaw, can pose serious cybersecurity risks if deployed without appropriate safeguards.

The advisory refers to an Infocomm Media Development Authority (IMDA) case study on the responsible deployment of OpenClaw and highlights risks associated with AI agents that can understand context, plan tasks, use external tools, and act on behalf of users.

CSA said such agents can offer productivity benefits but may expose users and organisations to risks, including unpatched vulnerabilities, weak access controls, sensitive data exposure, malicious third-party skills, and memory poisoning.

The agency warned that unresolved risks could lead to agent hijacking, unauthorised actions through tool or API abuse, and unauthorised access to systems or data. It cited the IMDA case study’s warning that ‘accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked’.

For individuals, CSA recommends avoiding OpenClaw’s open-source form on devices containing sensitive data, running it under least-privileged accounts, installing skills only from trusted sources, keeping sensitive data out of reach, requiring human approval for high-risk actions, and promptly applying updates.

For organisations, the advisory calls for stronger safeguards, including Zero Trust principles, narrowly scoped agents, dedicated and regularly rotated credentials, policy-enforcing proxies, persistent logging, human approval for irreversible actions, negative testing before deployment, and recovery from a known-good baseline after compromise.

CSA also noted that variants, including NanoClaw and Nvidia’s NemoClaw, have emerged since OpenClaw’s launch. It said organisations requiring agentic AI capabilities should evaluate whether such variants meet their performance and security requirements, as safeguards for agentic AI are still maturing.

Why does it matter?

Agentic AI systems are increasingly being deployed to automate tasks that involve access to data, software tools, and online services. Singapore’s advisory highlights growing concerns that autonomous agents can create new attack surfaces if security controls, oversight mechanisms, and access restrictions are not built into deployments from the start.

The guidance also reflects broader efforts by governments and regulators to develop security practices for rapidly evolving AI systems.

EuroDIG 2026 debate strengthens Council of Europe digital governance push

The Council of Europe participated in EuroDIG 2026 in Brussels, contributing to discussions on digital governance, democracy, trustworthy AI, platform accountability, and the digital public sphere.

The European Dialogue on Internet Governance took place on 26 and 27 May, bringing together governments, businesses, civil society, academia, the technical community, and other stakeholders to exchange views on internet governance.

The Council of Europe participated under its New Democratic Pact for Europe, a year-long consultation focused on democratic backsliding and digital governance. The consultation covers issues including AI, data protection, media and information society, cybercrime, online discrimination and gender-based violence, digitalisation of justice, legal education, internet governance, and youth participation.

At the opening session, Claudia Luciani, Director of the Congress of Local and Regional Authorities, said democratic safeguards are critical for the integrity and functioning of Europe’s digital public sphere. She highlighted risks linked to disinformation, information bubbles, and foreign interference and manipulation campaigns.

The Council of Europe also co-organised a debate on trustworthy AI in public services, focusing on transparency, accountability, explainability, and crisis-resilient communication when automated decision-making and AI systems are used in public administration.

Another session co-organised by the Council of Europe addressed platform accountability and the need to strengthen the digital public sphere. Participants discussed how engagement-driven platform design, generative AI, and synthetic media can contribute to disinformation, hate speech, and other harms, and how governance frameworks could empower users as active citizens.

The Council of Europe’s European Commission for the Efficiency of Justice and its HELP programme also organised a session on how the use of AI in justice systems is changing legal professionals’ training needs.

EuroDIG 2026 was hosted by EURid, the .eu domain name registry, and supported by the European Commission.

The event was held under the theme ‘European voices for the future of the internet – celebrating 20 years of .eu and the beginning of a new internet governance era’.

Why does it matter?

The Council of Europe’s participation in EuroDIG shows how digital governance is being folded into broader debates on democratic resilience. Its focus on trustworthy AI in public services, platform accountability, synthetic media, online discrimination, and AI in justice systems reflects a broader policy shift: digital governance is increasingly treated as part of Europe’s democracy, human rights, and rule-of-law agenda, rather than solely as a technology issue.

Child safety online debate at EuroDIG 2026 shifts focus from bans to platform design

Participants at EuroDIG 2026 debated whether social media age bans are an effective way to protect minors online, with speakers warning that blanket restrictions may oversimplify a far more complex issue involving platform design, digital literacy, privacy, and children’s rights.

The session, titled ‘Youth Online Safety – Are Social Media Age Bans a Solution?’, focused on age verification, platform accountability, recommendation systems, and the broader European regulatory response to online harms affecting children and young people.

Speakers broadly agreed on the objective of improving child safety online, but many questioned whether blanket bans or rigid age restrictions would, in practice, effectively reduce harm.

Diya Aravinthan argued that protecting children online requires approaches that are proportionate, effective, and aligned with how young people actually use digital platforms. She warned that broad social media bans risk pushing children towards workarounds such as VPNs, shared accounts, or alternative services, potentially making online risks harder to monitor rather than reducing them.

Aravinthan also stressed that social media platforms cannot be understood only as sources of harm. She said young people often rely on online spaces for communication, friendships, creativity, civic participation, learning, and access to information.

Referring to Australian research conducted after the country’s under-16 social media restrictions, she said many young people increasingly consume news and current affairs through social media rather than traditional media channels.

Several speakers, therefore, argued that policymakers should focus more on safer platform design and stronger platform accountability rather than treating online safety primarily as an access-control problem.

Aravinthan called for layered protections based on age-appropriate design rather than a binary ‘access or no access’ model. She highlighted stronger privacy defaults, limits on profiling and targeted advertising, and safer platform features for minors as examples of more proportionate safeguards.

She also argued that recommendation systems and algorithmic feeds represent a central challenge because they actively guide minors toward attention-maximising and potentially harmful content.

Lennart Wetzel of Snapchat similarly argued that platforms carry major responsibility for protecting younger users. He said services should invest continuously in safety-by-design features, moderation systems, parental tools, and age-appropriate safeguards. Wetzel also warned that restrictions targeting only selected platforms may simply push young people towards other, potentially less safe or less regulated services.

He cited Australia’s social media restrictions as an example, noting that Snapchat had disabled or locked more than 415,000 accounts in response to the law while also observing migration to alternative services.

The debate also focused heavily on age verification and age assurance technologies.

Several speakers warned that current age-verification systems remain technically imperfect and raise significant privacy, proportionality, and inclusion concerns.

Aravinthan said platforms should not need to know users’ exact identities or precise ages to provide stronger protections for minors. She supported approaches based on data minimisation and privacy-preserving verification.

Wetzel added that even small error rates in age-assurance systems can produce large-scale consequences when applied across millions of users, potentially excluding legitimate users while failing to prevent circumvention.

Carmela Troncoso provided the strongest technical critique of age-verification systems. She argued that making age restrictions difficult to bypass often requires more intrusive forms of surveillance and data collection.

Troncoso warned that some systems rely on biometrics or behavioural analysis, creating additional privacy risks for children and young people. She also said stronger anti-circumvention measures may push minors towards unsafe tools or services that themselves collect and monetise user data.

According to Troncoso, current technologies risk creating substantial privacy and exclusion harms while offering only limited practical effectiveness.

The discussion also explored the wider European regulatory context.

Andrea Tognoni of the European Commission argued that debates about social media bans should not be separated from existing EU frameworks, including the Digital Services Act (DSA), the AI Act, the Audiovisual Media Services Directive, and the Better Internet for Kids strategy.

Tognoni said several member states are already advancing national measures on child protection and age restrictions, creating growing pressure for greater European harmonisation.

Speakers repeatedly warned that fragmented national rules could create inconsistent standards across Europe and undermine the coherence of the digital single market.

Wetzel argued that a risk-based European approach under frameworks such as the DSA offers a more sustainable path than isolated national bans.

The session also highlighted concerns that youth voices remain underrepresented in debates surrounding online safety regulation.

Stefanie Quintao of TikTok said many youth-led and child-rights organisations oppose blanket bans and believe they may unintentionally push children into less protected online spaces.

Both Quintao and Aravinthan stressed that young people use digital platforms for far more than entertainment, and that policy discussions often fail to reflect the lived realities of younger users.

Several audience interventions pushed the discussion further towards the broader political economy of social media platforms.

Some participants argued that the core issue lies not primarily in children accessing technology, but in platform business models built around surveillance, engagement maximisation, and algorithmic amplification.

Others stressed that digital literacy, parental support, and education remain essential complements to regulation.

One participant compared online safety to teaching children how to cross a road: legal rules and infrastructure matter, but children also require guidance, gradual learning, and the development of judgement.

The session concluded with broad agreement that protecting minors online requires a multi-layered and rights-based approach rather than a single regulatory instrument.

Participants broadly agreed that age bans alone are unlikely to solve underlying problems linked to harmful platform design, recommendation systems, and digital business models.

The closing synthesis stressed that effective child protection requires balancing privacy, proportionality, platform accountability, harmonised regulation, digital literacy, and meaningful youth participation.

EuroDIG 2026 took place on 26 and 27 May at the Charlemagne Building of the European Commission in Brussels under the theme ‘European Voices for the Future of the Internet – Celebrating 20 Years of .eu and the Beginning of a New Internet Governance Era’.

Digital Watch Observatory followed EuroDIG 2026 through a dedicated event page, featuring session information and reporting from Brussels.

UK cyber guidance targets legacy trust in network access

The UK’s National Cyber Security Centre has issued new guidance on Zero Trust Network Access, warning that many deployments still rely on outdated assumptions about trust.

ZTNA is often introduced to modernise access to applications. However, the NCSC said many implementations still treat network location as a primary indicator of trust, meaning new tools can continue to rely on broad, network-based access rather than more granular and context-driven decisions.

The guidance explains how organisations can design and implement ZTNA to better align with zero-trust principles and modern network environments. It sets out the organisational and technical foundations required before deployment, describes key design requirements, and provides a reference architecture for accessing private applications and Software-as-a-Service.

A key focus is identifying common anti-patterns that undermine ZTNA security outcomes. The NCSC said many deployments fail not because of missing technology features, but because legacy trust assumptions are carried forward into new designs.

The guidance is aimed primarily at architects, security practitioners, and technical decision-makers responsible for designing or evolving access architectures. It is intended to support organisations exploring ZTNA as part of a broader zero trust strategy, replacing or reducing reliance on legacy ‘walled garden’ architectures, or reviewing existing deployments.

The NCSC said the guidance does not redefine zero trust, prescribe a single technical solution, or serve as a compliance checklist. Instead, ZTNA should be treated as part of a wider zero trust architecture shaped by an organisation’s users, systems, threats, and operational constraints.

Why does it matter?

The guidance highlights a common problem in cybersecurity modernisation: organisations can adopt new access technologies while still preserving older trust models. Poorly designed ZTNA deployments may leave broad access paths in place, weakening zero-trust goals and limiting resilience. NCSC’s message is that effective access control depends not only on deploying new tools, but on redesigning trust decisions around context, users, systems, risks, and operational needs.

Australia warns of serious frontier AI cyber risks

The Australian Government has issued a policy advisory urging Commonwealth entities to strengthen cybersecurity readiness for the frontier AI era.

Issued under the Protective Security Policy Framework, the advisory warns that frontier AI creates a dual-use challenge because advanced AI models can strengthen cyber defence while also being used by malicious actors to conduct cyber activities faster, cheaper, and at greater scale.

The Department of Home Affairs said frontier AI increases the risks posed by known vulnerabilities, legacy systems, and weak cyber hygiene, creating what it calls a ‘vulnerability storm’ for government entities.

The document says Australian Government entities do not need access to the most advanced frontier AI models to stay protected. Instead, effective readiness depends on applying existing cybersecurity mitigations and practices, including guidance from the Australian Signals Directorate and requirements under the Protective Security Policy Framework.

Commonwealth entities are told to prioritise compliance with the PSPF, Information Security Manual, and Essential Eight, confirm executive accountability for cybersecurity risk management, engage with ASD and Home Affairs guidance, and identify and remediate material gaps that AI-enabled threat actors could exploit.

The advisory also highlights requirements covering internet-facing systems, secure procurement and supply chains, attack surface reduction, patching, legacy technologies, zero-trust principles, gateway security, ASD’s Cyber Security Partnership Program, and the application of the Information Security Manual.

An annex from ASD says frontier AI is collapsing exploit timelines from days to hours and urges organisations to ‘lock down the fundamentals now’. It outlines actions to secure systems, reduce vulnerabilities, replace or isolate legacy IT, prepare for incidents, adopt AI for cyber defence, and modernise systems using secure-by-design and secure-by-default principles.

The advisory is aimed at accountable authorities, chief security officers, chief information security officers, procurement officers, and entity personnel.

Why does it matter?

The advisory frames frontier AI as an accelerant for existing cybersecurity weaknesses rather than a wholly new category of risk. Australia’s message to government entities is that AI-enabled threats make basic cyber hygiene more urgent: patching, reducing attack surfaces, managing legacy systems, securing supply chains, and preparing incident response plans. It also shows how governments are beginning to translate frontier AI risk into operational security requirements for public-sector organisations.

CrowdStrike disrupts Glassworm botnet targeting software developers worldwide

CrowdStrike has announced the coordinated disruption of the Glassworm botnet, a cyber operation targeting software developers through open-source software supply chains.

Working with Google and the Shadowserver Foundation, the cybersecurity company said it simultaneously disabled four command-and-control channels used by the malware infrastructure.

According to CrowdStrike, Glassworm targeted developers through trojanised VSCode extensions, malicious npm and Python packages, and compromised GitHub repositories containing poisoned code. The campaign affected Windows, macOS, and Linux systems and targeted the theft of developer credentials and the maintenance of persistent access to development environments.

CrowdStrike said the botnet had compromised hundreds of GitHub repositories using stolen developer credentials, posing risks to downstream software supply chains. The company warned that attackers are increasingly targeting developers because compromising a single workstation, repository, or package can spread malicious code across many organisations, services, and users.

The company also highlighted the growing resilience of cybercriminal infrastructure. It said Glassworm combined blockchain technology, peer-to-peer systems, legitimate online services, and traditional servers to make takedown attempts more difficult.

The disruption cuts off the botnet’s known command-and-control channels, but CrowdStrike said organisations should continue checking for compromised developer environments, malicious packages, and exposed credentials.

Why does it matter?

The Glassworm campaign shows how developer tools and open-source ecosystems have become critical attack surfaces. Rather than attacking only large enterprises directly, threat actors can compromise repositories, extensions, libraries, or credentials used by developers and then move through the software supply chain. Such attacks can create cascading risks for cloud services, enterprise software, financial systems, public services, and other organisations that rely on shared code and development infrastructure.

Spain approves draft law adapting the EU AI Act into national legislation

Spain’s Council of Ministers has approved a draft Organic Law aimed at adapting the EU AI Act into the country’s national legal framework.

Digital Transformation and Public Service Minister Óscar López said the draft law will now be sent to the Cortes for parliamentary consideration. The proposal establishes obligations for AI providers and introduces requirements for human oversight of AI systems.

The draft law incorporates the EU AI Act’s risk-based classification framework into Spanish legislation while establishing sanctions, governance structures, and supervisory authorities.

López said the law follows Spain’s approach to AI regulation, including human oversight, algorithmic transparency, protection of minors, and data privacy. López rejected the idea that regulation undermines competitiveness, pointing to Spain’s broader AI strategy and investment initiatives.

The minister said the EU AI Act includes prohibitions covering subliminal techniques, exploitation of vulnerabilities, biometric classification, social scoring, predictive surveillance, emotion recognition, facial scraping, and real-time identification. He added that, following a request from Spain, the EU agreed on 7 May to add prohibitions on AI-generated sexual deepfakes and AI-generated child sexual abuse material.

The draft law designates Spain’s Artificial Intelligence Supervisory Agency, based in A Coruña, as the central authority. Other market surveillance authorities will also have roles, including the Bank of Spain for financial systems, the Spanish Data Protection Agency for data-related matters, and the General Council of the Judiciary for justice-related issues.

The proposal promotes responsible AI use in the state public sector, including stronger requirements for AI models and transparency in public administration, as well as the creation of an AI officer role. The law also sets rules for AI regulatory sandboxes and measures intended to help AI providers comply with the legislation.

New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

New Zealand Privacy Commissioner Michael Webster has released the findings of Phase 1 of his inquiry into the December 2025 Manage My Health cyber incident, in which sensitive patient information was accessed, stolen, and offered for sale.

The first phase of the inquiry focused on the causes of the breach and accountability. The Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code by failing to ensure reasonable security safeguards for patient information.

The breach affected nearly 100,000 people and caused serious anxiety and distress for many of those impacted. Around 91% of affected patients were based in Northland, with the Commissioner noting that many were likely to be Māori.

The investigation found that the breach was caused not by a single failure but by a combination of security weaknesses. Manage My Health had gaps in technical safeguards and lacked systems to detect large-scale access to information, and there were concerns about the quality of its security design and risk management practices.

Health NZ was criticised for not doing enough to ensure that Northland hospital patients’ information would be kept safe before arranging to share it through the Manage My Health portal. The inquiry found that the project team lacked specialist privacy and security expertise, relied too heavily on information from Manage My Health, used poor-quality internal privacy risk assessments, and operated under a contract that was not fit for purpose.

The Commissioner said he intends to issue compliance notices requiring both organisations to complete the remaining necessary work and to demonstrate that their security controls are effective in preventing similar incidents. He also recommended that the Ministry of Health establish a process for verifying and ensuring that patient portals meet health-sector security standards.

A second phase of the inquiry will examine the broader impacts of the breach, including patient authorisation, information provided to patients, retention and deletion practices, breach communications, notification compliance, and whether the incident had a disproportionate impact on any group, particularly Northland Māori.

Why does it matter?

The findings show how privacy and cybersecurity failures in health portals can create large-scale risks when sensitive patient data is shared through third-party systems. The case also raises a wider governance issue for digital health: agencies cannot rely only on vendor assurances when transferring large volumes of health information. Independent security assessment, privacy-by-design, effective contracts, and ongoing monitoring are becoming essential safeguards for digital health infrastructure.
