UK cyber guidance targets legacy trust in network access

The UK’s National Cyber Security Centre has issued new guidance on Zero Trust Network Access, warning that many deployments still rely on outdated assumptions about trust.

ZTNA is often introduced to modernise access to applications. However, the NCSC said many implementations still treat network location as a primary indicator of trust, meaning new tools can continue to rely on broad, network-based access rather than more granular and context-driven decisions.

The guidance explains how organisations can design and implement ZTNA to better align with zero-trust principles and modern network environments. It sets out the organisational and technical foundations required before deployment, describes key design requirements, and provides a reference architecture for accessing private applications and Software-as-a-Service.

A key focus is identifying common anti-patterns that undermine ZTNA security outcomes. The NCSC said many deployments fail not because of missing technology features, but because legacy trust assumptions are carried forward into new designs.
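As an added illustration, not code from the NCSC guidance, of the anti-pattern it describes: a legacy decision that trusts the source network, next to a per-request, per-application decision built from identity, authentication strength, device posture and entitlement. The corporate address range, group names and application names are constructed for the example.

```python
"""Legacy network-location trust versus a context-driven ZTNA decision.

Constructed illustration; the network range, groups and applications are
hypothetical and are not taken from the NCSC guidance.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Hypothetical corporate range that a legacy design treats as "trusted".
CORP_NET = ip_network("10.0.0.0/8")
# Hypothetical per-application entitlements: app -> groups allowed to reach it.
APP_ENTITLEMENTS = {
    "payroll": frozenset({"finance"}),
    "wiki": frozenset({"finance", "engineering"}),
    "ci": frozenset({"engineering"}),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa: bool             # strong authentication completed for this session
    device_managed: bool  # device posture attested by the organisation's tooling
    src_ip: str
    app: str


def legacy_decision(req: AccessRequest) -> bool:
    """Anti-pattern: the source network is the trust signal.

    Anything on the corporate range reaches every application, so an
    unmanaged or compromised device on the LAN inherits broad access.
    """
    return ip_address(req.src_ip) in CORP_NET


def ztna_decision(req: AccessRequest) -> tuple:
    """Per-request, per-application decision. Source network is not a signal."""
    if not req.mfa:
        return False, "mfa_required"
    if not req.device_managed:
        return False, "device_not_managed"
    if not (req.groups & APP_ENTITLEMENTS.get(req.app, frozenset())):
        return False, "no_entitlement"
    return True, "allow"


def reachable_apps(req: AccessRequest) -> dict:
    """Applications each policy lets this request reach: the broad
    network-based grant next to the granular per-application grant."""
    legacy = set(APP_ENTITLEMENTS) if legacy_decision(req) else set()
    ztna = {app for app in APP_ENTITLEMENTS
            if ztna_decision(replace(req, app=app))[0]}
    return {"legacy": legacy, "ztna": ztna}


if __name__ == "__main__":
    # Constructed scenarios: an unmanaged device on the LAN, a managed
    # finance user off the LAN.
    on_lan_unmanaged = AccessRequest("contractor", frozenset(), False, False,
                                     "10.1.2.3", "payroll")
    remote_finance = AccessRequest("alice", frozenset({"finance"}), True, True,
                                   "203.0.113.5", "payroll")
    print(reachable_apps(on_lan_unmanaged))  # legacy: all apps, ztna: none
    print(reachable_apps(remote_finance))    # legacy: none, ztna: payroll, wiki
```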

The guidance is aimed primarily at architects, security practitioners, and technical decision-makers responsible for designing or evolving access architectures. It is intended to support organisations exploring ZTNA as part of a broader zero trust strategy, replacing or reducing reliance on legacy ‘walled garden’ architectures, or reviewing existing deployments.

The NCSC said the guidance does not redefine zero trust, prescribe a single technical solution, or serve as a compliance checklist. Instead, ZTNA should be treated as part of a wider zero trust architecture shaped by an organisation’s users, systems, threats, and operational constraints.

Why does it matter?

The guidance highlights a common problem in cybersecurity modernisation: organisations can adopt new access technologies while still preserving older trust models. Poorly designed ZTNA deployments may leave broad access paths in place, weakening zero-trust goals and limiting resilience. NCSC’s message is that effective access control depends not only on deploying new tools, but on redesigning trust decisions around context, users, systems, risks, and operational needs.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Australia warns of serious frontier AI cyber risks

The Australian Government has issued a policy advisory urging Commonwealth entities to strengthen cybersecurity readiness for the frontier AI era.

Issued under the Protective Security Policy Framework, the advisory warns that frontier AI creates a dual-use challenge because advanced AI models can strengthen cyber defence while also being used by malicious actors to conduct cyber activities faster, cheaper, and at greater scale.

The Department of Home Affairs said frontier AI increases the risks posed by known vulnerabilities, legacy systems, and weak cyber hygiene, creating what it calls a ‘vulnerability storm’ for government entities.

The document says Australian Government entities do not need access to the most advanced frontier AI models to stay protected. Instead, effective readiness depends on applying existing cybersecurity mitigations and practices, including guidance from the Australian Signals Directorate and requirements under the Protective Security Policy Framework.

Commonwealth entities are told to prioritise compliance with the PSPF, Information Security Manual, and Essential Eight, confirm executive accountability for cybersecurity risk management, engage with ASD and Home Affairs guidance, and identify and remediate material gaps that AI-enabled threat actors could exploit.

The advisory also highlights requirements covering internet-facing systems, secure procurement and supply chains, attack surface reduction, patching, legacy technologies, zero-trust principles, gateway security, ASD’s Cyber Security Partnership Program, and the application of the Information Security Manual.

An annex from ASD says frontier AI is collapsing exploit timelines from days to hours and urges organisations to ‘lock down the fundamentals now’. It outlines actions to secure systems, reduce vulnerabilities, replace or isolate legacy IT, prepare for incidents, adopt AI for cyber defence, and modernise systems using secure-by-design and secure-by-default principles.

The advisory is aimed at accountable authorities, chief security officers, chief information security officers, procurement officers, and entity personnel.

Why does it matter?

The advisory frames frontier AI as an accelerant for existing cybersecurity weaknesses rather than a wholly new category of risk. Australia’s message to government entities is that AI-enabled threats make basic cyber hygiene more urgent: patching, reducing attack surfaces, managing legacy systems, securing supply chains, and preparing incident response plans. It also shows how governments are beginning to translate frontier AI risk into operational security requirements for public-sector organisations.


CrowdStrike disrupts Glassworm botnet targeting software developers worldwide

CrowdStrike has announced the coordinated disruption of the Glassworm botnet, a cyber operation targeting software developers through open-source software supply chains.

Working with Google and the Shadowserver Foundation, the cybersecurity company said it simultaneously disabled four command-and-control channels used by the malware infrastructure.

According to CrowdStrike, Glassworm targeted developers through trojanised VSCode extensions, malicious npm and Python packages, and compromised GitHub repositories containing poisoned code. The campaign affected Windows, macOS, and Linux systems and targeted the theft of developer credentials and the maintenance of persistent access to development environments.

CrowdStrike said the botnet had compromised hundreds of GitHub repositories using stolen developer credentials, posing risks to downstream software supply chains. The company warned that attackers are increasingly targeting developers because compromising a single workstation, repository, or package can spread malicious code across many organisations, services, and users.

The company also highlighted the growing resilience of cybercriminal infrastructure. It said Glassworm combined blockchain technology, peer-to-peer systems, legitimate online services, and traditional servers to make takedown attempts more difficult.

The disruption cuts off the botnet’s known command-and-control channels, but CrowdStrike said organisations should continue checking for compromised developer environments, malicious packages, and exposed credentials.

Why does it matter?

The Glassworm campaign shows how developer tools and open-source ecosystems have become critical attack surfaces. Rather than attacking only large enterprises directly, threat actors can compromise repositories, extensions, libraries, or credentials used by developers and then move through the software supply chain. Such attacks can create cascading risks for cloud services, enterprise software, financial systems, public services, and other organisations that rely on shared code and development infrastructure.


Spain approves draft law adapting the EU AI Act into national legislation

Spain’s Council of Ministers has approved a draft Organic Law aimed at adapting the EU AI Act into the country’s national legal framework.

Digital Transformation and Public Service Minister Óscar López said the draft law will now be sent to the Cortes for parliamentary consideration. The proposal establishes obligations for AI providers and introduces requirements for human oversight of AI systems.

The draft law incorporates the EU AI Act’s risk-based classification framework into Spanish legislation while establishing sanctions, governance structures, and supervisory authorities.

López said the law follows Spain’s approach to AI regulation, including human oversight, algorithmic transparency, protection of minors, and data privacy. López rejected the idea that regulation undermines competitiveness, pointing to Spain’s broader AI strategy and investment initiatives.

The minister said the EU AI Act includes prohibitions covering subliminal techniques, exploitation of vulnerabilities, biometric classification, social scoring, predictive surveillance, emotion recognition, facial scraping, and real-time identification. He added that, following a request from Spain, the EU agreed on 7 May to add prohibitions on AI-generated sexual deepfakes and AI-generated child sexual abuse material.

The draft law designates Spain’s Artificial Intelligence Supervisory Agency, based in A Coruña, as the central authority. Other market surveillance authorities will also have roles, including the Bank of Spain for financial systems, the Spanish Data Protection Agency for data-related matters, and the General Council of the Judiciary for justice-related issues.

The proposal promotes responsible AI use in the state public sector, including stronger requirements for AI models and transparency in public administration, as well as the creation of an AI officer role. The law also sets rules for AI regulatory sandboxes and measures intended to help AI providers comply with the legislation.


New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

New Zealand Privacy Commissioner Michael Webster has released the findings of Phase 1 of his inquiry into the December 2025 Manage My Health cyber incident, in which sensitive patient information was accessed, stolen, and offered for sale.

The first phase of the inquiry focused on the causes of the breach and accountability. The Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code by failing to ensure reasonable security safeguards for patient information.

The breach affected nearly 100,000 people and caused serious anxiety and distress for many of those impacted. Around 91% of affected patients were based in Northland, with the Commissioner noting that many were likely to be Māori.

The investigation found that the breach was caused not by a single failure but by a combination of security weaknesses. Manage My Health had gaps in its technical safeguards and lacked systems to detect large-scale access to information, and the inquiry raised concerns about the quality of its security design and risk management practices.

Health NZ was criticised for not doing enough to ensure that Northland hospital patients’ information would be kept safe before arranging to share it through the Manage My Health portal. The inquiry found that the project team lacked specialist privacy and security expertise, relied too heavily on information from Manage My Health, used poor-quality internal privacy risk assessments, and operated under a contract that was not fit for purpose.

The Commissioner said he intends to issue compliance notices requiring both organisations to complete the remaining necessary work and to demonstrate that their security controls are effective in preventing similar incidents. He also recommended that the Ministry of Health establish a process for verifying and ensuring that patient portals meet health-sector security standards.

A second phase of the inquiry will examine the broader impacts of the breach, including patient authorisation, information provided to patients, retention and deletion practices, breach communications, notification compliance, and whether the incident had a disproportionate impact on any group, particularly Northland Māori.

Why does it matter?

The findings show how privacy and cybersecurity failures in health portals can create large-scale risks when sensitive patient data is shared through third-party systems. The case also raises a wider governance issue for digital health: agencies cannot rely only on vendor assurances when transferring large volumes of health information. Independent security assessment, privacy-by-design, effective contracts, and ongoing monitoring are becoming essential safeguards for digital health infrastructure.


Swiss IGF to tackle AI and digital sovereignty

The Swiss Internet Governance Forum will hold its 2026 meeting in Bern on 16 June, with discussions covering AI governance, cybersecurity, digital sovereignty, digital public infrastructure, platform regulation, and other internet governance issues.

The eleventh Swiss IGF will take place at Welle 7 and online, with registration open until 9 June. The forum is now organised by the Swiss Internet & Digital Governance Association, which describes itself as a neutral multistakeholder platform for internet and digital governance in Switzerland.

The draft programme includes sessions on digital sovereignty, cybersecurity and resilience, AI governance and regulation, digital work and education, e-government and democracy, AI and sustainability, digital public infrastructure, and platform regulation and child protection.

The programme also includes a lightning talk on the road to the Geneva 2027 AI Summit, linking the national forum to broader discussions on global AI governance.

The Swiss IGF is part of the wider UN Internet Governance Forum process, while EuroDIG serves as the regional European forum within that ecosystem. The 2026 Swiss IGF will conclude with the presentation of ‘Messages from Berne’ and contributions from the Swiss Youth IGF.

The Swiss Youth IGF will take place in Bern on 13 June as a capacity-building activity linked to the year-round IGF process. It provides an open platform for young people in Switzerland to discuss internet governance and develop messages and projects. The youth forum will focus on digital literacy, safety, and well-being, including generative AI, social media, and influence culture.

Why does it matter?

The Swiss IGF agenda reflects how national internet governance discussions are increasingly centred on AI governance, digital sovereignty, cybersecurity, platform regulation, and digital public infrastructure. Its link to the Geneva 2027 AI Summit also positions the Swiss debate within broader global discussions on AI governance and the future of multistakeholder internet governance.


UK expert panel to shape online safety policy

The UK Department for Science, Innovation and Technology has published the terms of reference for the Growing Up in the Online World expert panel, an independent group that will advise the government on children’s digital experiences.

The panel will provide impartial, evidence-based advice to support government policy development on children’s online well-being. Its remit includes digital technology, social media, gaming, AI chatbots, and proposals under the Growing up in the online world consultation.

DSIT said the panel will help identify evidence gaps and priority research needs for 2026 to 2027 and beyond. It is also intended to provide independent assurance that policy options are considered in the context of the evolving evidence base.

The panel’s responsibilities include reviewing emerging data on children’s online experiences, online safety, and design interventions. It will also scrutinise DSIT’s presentation of consultation evidence, identify risks and dependencies, and provide recommendations to inform advice to ministers.

Members will serve in a personal capacity and must declare conflicts of interest. DSIT said it will publish the panel’s membership once it has been agreed, along with declarations of conflicts of interest.

The panel will bring together expertise in child development, psychology, education, digital harms, online safety, behavioural science, platform design, data infrastructure, algorithmic systems, ethics, safeguarding, equality, human rights, and lived experience.

DSIT expects the panel to meet monthly via Microsoft Teams for the initial 4-month period, with additional meetings around key milestones. The panel will not set government policy, publish independent reports, represent employers or sectors, or engage with media on behalf of DSIT.

Why does it matter?

The panel shows how the UK is trying to ground children’s online safety and well-being policy in a broader evidence base covering platform design, AI chatbots, gaming, behavioural science, safeguarding, and lived experience. Its creation also points to a more formal advisory process around future policy choices, even though the panel itself will not set policy.


Australia’s ASD outlines AI opportunities and risks in cyber defence

The Australian Signals Directorate (ASD) has published new guidance outlining how organisations can use AI to strengthen cyber defence while managing risks associated with AI adoption.

According to ASD, malicious actors are increasingly using AI to scale and accelerate cyber operations, including reconnaissance, vulnerability analysis, and the generation of tailored malicious content. The guidance warns that AI may lower technical barriers for less experienced threat actors and shorten the time between vulnerability discovery and exploitation.

ASD says AI can support cyber defence by improving threat detection, vulnerability analysis, incident response, and prioritisation of security risks. However, ASD stresses that AI should complement rather than replace existing cybersecurity practices and controls.

The guidance maps AI use in cyber defence to six Information Security Manual functions: Govern, Identify, Protect, Detect, Respond, and Recover. Suggested uses include analysing supply chain risks, improving asset discovery, prioritising hardening actions, scanning source code, detecting anomalous behaviour, supporting incident triage, and assisting restoration planning.

The guidance also addresses so-called ‘agentic AI’ systems capable of autonomous planning and decision-making. ASD warns that such systems require careful adoption, clear operational limits and permissions, sandboxing, and strong human oversight.

Organisations adopting AI for cybersecurity are advised to apply a strong baseline aligned with the Information Security Manual and Essential Eight. ASD recommends protecting AI systems from prompt injection, model evasion, and model extraction, while ensuring least-privilege access, auditability, secure integration, and validation of AI-assisted outputs.

ASD also recommends that organisations assess AI and cybersecurity vendors against criteria including explainability, human oversight, resilience, supply-chain dependencies, fallback mechanisms, and data protection practices.

ASD concludes that AI can strengthen cyber defence when deployed securely and responsibly, but warns that poorly governed systems may introduce new vulnerabilities and operational risks.


OECD warns on cybersecurity regulation fragmentation

The Organisation for Economic Co-operation and Development (OECD) has published a policy paper warning that growing fragmentation in cybersecurity regulation is increasing compliance burdens, weakening international cooperation, and potentially diverting resources away from core security work.

The paper, ‘Towards international coherence of cybersecurity regulations’, examines how diverging rules across jurisdictions and sectors are creating a complex regulatory landscape for governments and businesses. It says fragmentation can stem from differing national security priorities, sector-specific frameworks, legacy rules, protectionist measures, crisis-driven policymaking, overlapping mandates, and the absence of shared definitions.

According to the OECD, the consequences include higher compliance costs, duplicated reporting and documentation, weaker cross-border cooperation, distorted market incentives, and reduced trust in regulatory systems. Small and medium-sized enterprises may be especially affected because they often lack the financial and human resources to manage overlapping obligations.

The paper warns that fragmented rules can divert financial, human, and managerial resources from practical cybersecurity measures towards administrative adaptation and legal alignment. It says the growing complexity of cybersecurity regulation is itself becoming a challenge to stronger cybersecurity.

The OECD also highlights the rapid expansion of cybersecurity-related regulation in Europe. Its annex maps enacted and proposed EU legislation with cybersecurity provisions since 2020, covering areas such as incident reporting, security-by-design, critical infrastructure, data protection, digital services, and operational resilience.

The report also maps existing efforts to improve coherence at domestic, regional, bilateral, and multilateral levels. Examples include the US NIST Cybersecurity Framework, the EU initiatives linked to NIS2, bilateral cooperation, mutual recognition mechanisms, and international technical standards.

The OECD concludes that regulatory fragmentation is becoming a systemic challenge and says it is well placed to support dialogue, strengthen the evidence base, and help develop practical tools for more coherent cybersecurity regulation across jurisdictions.

Why does it matter?

The paper highlights a central tension in cybersecurity policy: more regulation can improve resilience, but poorly coordinated rules can also create duplication, raise costs, and divert resources away from practical risk reduction. For companies operating across borders, coherent reporting, shared definitions, and better regulatory alignment could become as important as the rules themselves.


EU adopts unified cyber incident reporting templates under NIS2

The NIS Cooperation Group has adopted common templates for cybersecurity incident reporting across the EU, marking a step towards more harmonised compliance requirements for companies subject to the NIS2 Directive.

The templates were adopted during the group’s 39th plenary meeting in Cyprus and are intended to provide a uniform format for reporting cyber incidents across member states. The NIS Cooperation Group brings together the EU member states, the European Commission, and the EU Agency for Cybersecurity (ENISA) as part of wider EU cybersecurity coordination efforts.

According to the Commission, the standardised templates are designed to reduce administrative burdens and simplify compliance for companies required to report cybersecurity incidents under NIS2. The move also aligns with broader EU efforts to create a single-entry point for incident reporting under the proposed Digital Omnibus initiative.

The Commission now plans to adopt the templates through an implementing act, which would make them mandatory for all member states. EU officials say harmonised reporting fields should reduce fragmentation, simplify reporting obligations, and help strengthen cybersecurity resilience across the bloc.

Why does it matter?

Cybersecurity reporting requirements across Europe have often created complexity for companies operating in multiple jurisdictions. Common templates could reduce duplication, make reporting procedures more predictable, and improve coordination between national authorities. The move also fits into the EU’s broader push to simplify digital compliance while strengthening cyber resilience under NIS2.
