Cybersecurity

UK committee urges stronger online safety protections

The UK Parliament’s Science, Innovation and Technology Committee has urged the government to strengthen online safety protections for young people, following evidence on proposals to restrict social media access for under-16s.

Committee Chair Dame Chi Onwurah wrote to Science, Innovation and Technology Secretary Liz Kendall and AI and Online Safety Minister Kanishka Narayan after an evidence session on age-based restrictions.

The committee said there is strong and consistent evidence of significant individual harms linked to social media use, alongside a growing body of evidence showing wider negative impacts. It said there is a clear need to protect people, especially young users, from those harms.

The letter argues that responsibility for preventing harm should not rest solely on young people or parents. It says government inaction on online safety is not an option and calls for stronger enforcement of existing age restrictions

The committee also urged the government to revisit its July 2025 report on social media misinformation. Although the government accepted almost all of the report’s conclusions, the committee said it rejected almost all recommendations for change. It is now calling for action on misinformation, harmful algorithms, and online harms in the new parliamentary session.

Dame Chi Onwurah said: ‘The status quo, where social media companies are neither accountable nor responsible for preventing harms, isn’t acceptable. It’s clear social media can cause real harm and more must be done to protect people, especially young users. If any other consumer product caused these harms, it would’ve been recalled or changed. Shouldn’t the same be true for social media services and design features?’

She added: ‘The government must urgently address gaps in the regulation, legislation and enforcement of online safety. It should revisit and adopt my committee’s previous recommendations on tackling misinformation and harmful algorithms and bring forward legislation to effectively tackle online harms in the new parliamentary session.’

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

AI governance priorities outlined by EU at UN dialogue

The European Union has called for the UN Global Dialogue on AI Governance to focus on responsible innovation, human rights, capacity-building and stronger interoperability between AI governance frameworks.

In a statement delivered on behalf of the EU and its member states, the bloc said the dialogue should examine AI’s social, economic, ethical, cultural, linguistic, technical and environmental implications. It also argued that responsible AI innovation should be framed not only as a risk-management challenge, but also as an opportunity for public benefit in areas such as education and government.

The EU urged participants to address who controls the data, compute and value chains behind AI systems. It also highlighted linguistic and cultural diversity, warning that AI systems trained mainly on a limited number of languages can produce less accurate and more costly outputs for speakers of underrepresented languages.

Capacity-building was presented as a core condition for effective AI governance, particularly for developing countries. The EU said countries and institutions need the skills, systems and human capacity to evaluate, question and deploy AI responsibly, while treating AI infrastructure as a matter of public interest rather than only market access or proprietary control.

The statement also identified agentic AI as an emerging governance frontier, arguing that such systems raise new questions around accountability, oversight and control that existing frameworks do not yet adequately address.

On safe and trustworthy AI, the EU called for greater compatibility between governance approaches to prevent regulatory arbitrage and support responsible cross-border deployment. It said trust should not rely only on self-assessment or voluntary disclosure, but also on auditability, traceability, validation mechanisms, certification approaches and evaluation frameworks for high-risk systems.

The EU also urged a human-centric, human rights-based approach grounded in international law. It identified AI-facilitated gender-based violence, harmful AI-generated content affecting children and older persons, manipulative algorithmic systems, data exploitation and AI-enabled surveillance as areas requiring dedicated attention.

The statement called for the UN dialogue to build on existing initiatives, including those led by UNESCO, ITU, UNDP, OHCHR, GPAI, the Council of Europe, the Hiroshima Process and AI summit processes. The EU also supported more interactive thematic sessions, continuity between dialogue editions and a co-chairs’ summary reflecting both converging and diverging views.

Why does it matter?

The EU statement shows how global AI governance debates are moving beyond broad principles towards questions of implementation, institutional capacity and interoperability between frameworks. By linking AI infrastructure, human rights, auditability and agentic AI, the EU is signalling that future international coordination will need to address both today’s deployment risks and the governance challenges posed by more autonomous systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

ICO warns organisations about growing AI cyber threats

The UK Information Commissioner’s Office has warned that AI is enabling faster, more advanced and harder-to-detect cyberattacks, urging organisations to strengthen their defences against emerging threats.

In a blog post, the regulator highlighted risks such as AI-generated phishing emails, deepfake social engineering, automated vulnerability scanning, AI-powered malware, credential attacks, data poisoning and indirect prompt injection. The ICO said cybersecurity must be treated as a shared responsibility, with organisations expected to take proactive steps to protect the personal data they hold.

The ICO said strong foundational security measures remain essential, but should be reinforced with layered defences to counter AI-powered threats. It pointed to practical steps such as patching systems, restricting access through multi-factor authentication, applying least-privilege principles and managing supplier risks.

The recommendations also include monitoring systems for unusual activity, carrying out vulnerability scanning and penetration testing, and maintaining regularly tested incident response plans. The ICO said AI can also support cyber defence, but should operate within a clear framework of human oversight and accountability.

Organisations are further advised to minimise data collection, conduct regular data audits and train staff to recognise AI-powered social engineering attacks. The ICO said AI tools processing high-risk personal data should be supported by data protection impact assessments and appropriate safeguards.

Why does it matter?

The ICO’s warning links AI-powered cyber threats directly to data protection obligations. As attackers use AI to scale phishing, exploit vulnerabilities and impersonate trusted contacts, organisations are expected not only to improve technical security, but also to limit the personal data they hold, strengthen governance and prepare for faster-moving incidents.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

CMA opens Strategic Market Status investigation into Microsoft business software

The UK Competition and Markets Authority has opened a Strategic Market Status investigation into Microsoft’s business software ecosystem, marking another major step in the country’s digital competition regime.

The investigation will examine Microsoft’s position across workplace software products widely used throughout the UK economy, including productivity software, personal computer and server operating systems, database management systems, security software and its growing AI assistant ecosystem, including Copilot. The CMA said more than 15 million commercial users across the UK rely on Microsoft’s software ecosystem.

Regulators will assess whether Microsoft has Strategic Market Status in business software and whether its position may limit customer choice. The CMA said it will examine concerns linked to product bundling, interoperability limits and default settings that could make it harder for businesses and public-sector organisations to switch providers or combine Microsoft tools with competing products.

The authority will also examine how competing AI services can integrate with Microsoft’s business software as workplace tools increasingly incorporate AI and agentic AI functions. The CMA said customers should be able to access software and AI services from a range of suppliers rather than being locked into a single ecosystem.

Cloud competition concerns are also linked to the probe. An SMS designation would allow the CMA to consider targeted interventions related to Microsoft’s software licensing practices, which were previously identified as reducing competition in cloud services.

The CMA will gather evidence from Microsoft, customers, rivals, challenger technology firms and other stakeholders before deciding whether to designate Microsoft with Strategic Market Status. The regulator said the investigation does not assume wrongdoing and that any future interventions would depend on the evidence and relevant legal tests.

Why does it matter?

The investigation shows how digital competition oversight is moving deeper into enterprise software, cloud infrastructure and AI-enabled workplace tools. As products such as Copilot become embedded in systems used by businesses and public services, regulators are increasingly treating interoperability, bundling and switching costs as strategic competition issues rather than narrow technical questions.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UK NAO guide sets AI oversight questions for public bodies

The UK National Audit Office has published a good practice guide for public sector organisations using AI, setting out questions for audit and risk assurance committees overseeing the planning, deployment and scaling of the technology.

The guide draws on NAO findings, the UK government’s AI Playbook and lessons from digital transformation programmes. It advises committees to assess whether organisations are clear on why they are using AI, what risks they need to manage and how responsible adoption will be assured. The NAO says the guide will evolve as AI continues to develop.

AI is already being used across government for fraud and error detection, imaging, document processing, operational management, research and monitoring, text generation, virtual assistants and coding support. The NAO notes that several of these uses may involve personal data, making governance, assurance and data protection especially important.

The guide warns that productivity gains from AI should not be assumed. AI may speed up individual tasks, but those gains do not automatically translate into organisation-wide savings, particularly where work still depends on approvals, governance processes or human judgement.

The NAO also highlights external risks from AI use, including increased demand on public services, more low-quality or repeated submissions, higher fraud risks, cyberattacks and attempts to extract sensitive data. Audit committees are advised to ensure organisations can anticipate, monitor and mitigate such risks.

Key areas for oversight include innovation, AI strategy, leadership and skills, data, security, pilots, scaling, guardrails and workforce culture. The guide says strong digital and AI strategies should be business-led, aligned with organisational priorities, backed by leadership support and supported by clear governance, funding and measurable objectives.

Data quality, accessibility and governance are presented as foundational risks, with weak data affecting model performance, bias, explainability and reliability. The NAO also warns that AI can increase exposure to operational and security risks, including data breaches, model manipulation, supply-chain risk and resilience problems.

Recommended guardrails include acceptable use policies, data protection controls, bias testing, human oversight of automated decisions and clear accountability for AI outcomes. The guide also urges organisations to plan for workforce changes, including new skills needs, role redesign, AI literacy, risks to entry-level learning, overreliance on automation and loss of institutional knowledge.

Why does it matter?

The guide shows that public-sector AI adoption is becoming an audit, governance and accountability issue, not only a technology project. By focusing on oversight questions, the NAO is pushing public bodies to test whether AI projects have clear objectives, reliable data, measurable benefits, security controls and safeguards for staff and citizens before they are scaled.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Google outlines AI-driven measures against online scams and fraud

Google has outlined new and existing measures to tackle online scams and fraud ahead of the second EMEA Anti-Scams and Fraud Summit, hosted by the Google Safety Engineering Centre in Zurich.

The company said the summit brings together representatives from governments, technology companies, consumer groups and academia to discuss collective responses to increasingly sophisticated scams. Google said its approach combines AI-driven protections across its products with wider cooperation involving industry and public authorities.

Google highlighted the use of AI-powered systems in services including Gmail, Chrome, Search, Ads and Phone by Google. The company said Gmail blocks more than 99.9% of spam, phishing and malware, while Search filters out hundreds of millions of spam-related pages daily. It also said its systems caught more than 99% of policy-violating ads before they reached users in 2025.

User-facing tools are also part of the company’s anti-scam strategy. Google pointed to Security Checkup, Passkeys, 2-Step Verification, Circle to Search and Google Lens as tools that can help users strengthen account protection and verify suspicious messages or content.

The company also highlighted public awareness and education initiatives, including Be Scam Ready, a game-based programme that uses simulated scam scenarios to help users recognise common tactics. Google said a previous Google.org commitment of $5 million is supporting anti-scam initiatives in Europe and the Middle East, including work by the Internet Society and Oxford Information Labs.

Google also referred to cooperation through the Global Signal Exchange, a threat-intelligence sharing platform for scams and fraud. As a founding partner, Google said it both contributes to and draws from the platform, which now stores more than 1.2 billion signals used to identify and disrupt criminal activity.

The company said it also works with law enforcement agencies, including the UK’s National Crime Agency, and participates in the Industry Accord Against Online Scams and Fraud. Google also pointed to legal actions against scam operations and botnets, including cases involving Lighthouse and BadBox.

Why does it matter?

Online scams are increasingly industrialised, cross-platform and supported by AI-enabled tactics, making them difficult to address through product-level security alone. Google’s approach shows how major technology companies are combining automated detection, user education, threat-intelligence sharing and law enforcement cooperation to respond to fraud. The wider policy issue is how much responsibility large platforms should bear for detecting and disrupting scams before they reach users.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Microsoft MDASH agentic AI security system tops vulnerability discovery benchmarks

Microsoft has described a multi-model agentic AI security system, codenamed MDASH, designed to support vulnerability discovery and cybersecurity research across complex codebases.

According to Microsoft, the system helped researchers identify 16 vulnerabilities across Windows networking and authentication components, including issues in the Windows TCP/IP stack, IKEv2 services, DNS handling and Netlogon processes. Several of the vulnerabilities were reachable over networks without authentication, the company said.

MDASH was developed by Microsoft’s Autonomous Code Security team and combines more than 100 specialised AI agents with an ensemble of frontier and distilled AI models. The system is structured as a multi-stage pipeline covering code preparation, scanning, validation, deduplication and proof generation.

The publication says the system identified remote code execution flaws, denial-of-service issues, information disclosure vulnerabilities and security feature bypasses. Microsoft also described the use of specialised auditor, debater and prover agents designed to analyse vulnerabilities across multiple files and code paths.

Microsoft said MDASH uses plugins and domain-specific knowledge to support validation and proof-of-concept generation, allowing security experts to add context that foundation models may not capture on their own.

The company also reported benchmark results from internal and public tests. It said MDASH identified all 21 deliberately inserted vulnerabilities in a private test driver with zero false positives in that run, achieved 96% recall against five years of confirmed Microsoft Security Response Center cases in clfs.sys and 100% in tcpip.sys, and scored 88.45% on the public CyberGym benchmark.

Microsoft said the system is already being used by its security engineering teams and is being tested with a small group of customers through a limited private preview.

Why does it matter?

MDASH shows how agentic AI is moving into high-value cybersecurity tasks such as vulnerability discovery, validation and proof generation. If systems like this can reliably reduce false positives and help researchers find exploitable flaws earlier, they could improve defensive security at scale. The same development also raises governance questions around access, oversight and dual-use risk, since tools capable of finding and proving vulnerabilities may be valuable to both defenders and attackers.

The company also discussed broader implications for AI-assisted cybersecurity operations, including the use of agentic AI systems for vulnerability discovery, validation, and remediation workflows. Microsoft stated that the system is currently being tested internally and through a limited private preview involving selected customers.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Poland launches campaign to boost business cybersecurity awareness

Poland’s Ministry of Digital Affairs has launched a campaign to encourage entrepreneurs and management teams to take a more active role in protecting their companies from cyber threats.

The campaign, titled ‘Build your company’s digital security click by click’, is aimed at businesses and senior decision-makers. The ministry says its main goal is to encourage firms to address cybersecurity at both organisational and operational levels.

The campaign stresses that cybersecurity is no longer solely the responsibility of IT departments but is a key part of responsible business management. The ministry points to growing risks such as phishing and ransomware as digital technology becomes central to company operations.

According to the ministry, effective cybersecurity depends on three pillars: knowledge, processes and people. The campaign encourages firms to analyse risks, develop incident response procedures, train employees regularly and use official guidance available through cyber.gov.pl.

A separate focus is placed on medium-sized and large companies subject to requirements under Poland’s national cybersecurity system. The ministry says firms in key sectors should understand obligations related to risk management, incident reporting and the protection of information systems.

The campaign also calls on company leaders to integrate cybersecurity into business strategy, including through security policies, investment in skills and the development of a culture of responsibility across organisations.

Why does it matter?

The campaign reflects a broader shift in cybersecurity policy from technical protection towards organisational responsibility. By targeting business leaders, Poland is emphasising that cyber resilience depends not only on tools, but also on governance, staff training, incident response and compliance with national cybersecurity obligations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

OpenAI sued over alleged ChatGPT role in Florida State University shooting

The family of a victim killed in the April 2025 Florida State University shooting has filed a federal lawsuit in Florida against OpenAI, alleging that ChatGPT enabled the attack. The lawsuit was filed on Sunday by Vandana Joshi, the widow of Tiru Chabba, who was killed alongside university dining director Robert Morales.

The complaint states that the accused shooter, Phoenix Ikner, engaged in extensive conversations with ChatGPT months before leading up to the incident. According to the suit, those exchanges included images and discussions about firearms he had acquired, ideological material, ideological far-right beliefs, and possible outcomes of violent attacks.

The chatbot is further accused of providing contextual information about campus activity and commenting on factors that could increase public attention in violent incidents. This is indicated by the fact that at one point, ChatGPT said, ‘if children are involved, even 2-3 victims can draw more attention’. The filing also claims Ikner asked about legal consequences and planning considerations shortly before the attack.

The lawsuit contends that OpenAI failed to identify escalating risk indicators within the conversations and did not adequately prevent harmful guidance. It argues the system ‘failed to connect the dots’ despite Ikner’s repeated questions about suicide, terrorism and mass shootings.

OpenAI has rejected responsibility for the attack, claiming its platform is not to blame. Company spokesperson Drew Pusateri said ChatGPT generated factual responses that could be found broadly across publicly available information and did not encourage or promote illegal activity. He also stated that OpenAI continues to strengthen safeguards to identify harmful intent, reduce misuse and respond appropriately when safety risks arise.

Joshi’s complaint argues that the system reinforced the shooter’s beliefs and failed to interrupt conversations involving violent ideation. The filing alleges the ChatGPT inflamed, validated and endorsed delusional thinking and contributed to planning discussions while ‘convincing him that violent acts can be required to bring about change’.

The lawsuit forms part of a broader wave of litigation involving AI systems and alleged harm. OpenAI is already facing separate lawsuits linked to incidents involving violence and suicide, raising wider questions about safeguards and user protection

Florida’s Attorney General James Uthmeier announced a criminal investigation into OpenAI and ChatGPT following a review of chat logs connected to the case. Uthmeier said in a statement that ‘If ChatGPT is a person it would be facing charges for murder’.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

G7 working group advances cybersecurity approach for AI systems

The German Federal Office for Information Security published guidance developed by the G7 Cybersecurity Working Group outlining elements for a Software Bill of Materials for AI. The document aims to support both public and private sector stakeholders in improving transparency in AI systems.

The guidance builds on a shared G7 vision introduced in 2025 and focuses on strengthening cybersecurity throughout the AI supply chain. It sets out baseline components that should be included in an AI SBOM to better track and understand system dependencies.

The document outlines seven baseline building blocks that should form part of an AI Software Bill of Materials (SBOM for AI), designed to improve visibility into how AI systems are built and how their components interact across the supply chain.

At the foundation is a Metadata cluster, which records information about the SBOM itself, including who created it, which tools and formats were used, when it was generated, and how software dependencies relate to one another.

The framework then moves to System Level Properties, covering the AI system as a whole. This includes the system’s components, producers, data flows, intended application areas, and the processing of information between internal and external services.

A dedicated Models cluster focuses on the AI models embedded within the system, documenting details such as model identifiers, versions, architectures, training methods, limitations, licenses, and dependencies. The goal is to make the origins and characteristics of models easier to trace and assess.

The document also introduces a Dataset Properties cluster to improve transparency into the data used throughout the AI lifecycle. It captures dataset provenance, content, statistical properties, sensitivity levels, licensing, and the tools used to create or modify datasets.

Beyond software and data, the framework includes an Infrastructure cluster that maps the software and hardware dependencies required to run AI systems, including links to hardware bills of materials where relevant.

Cybersecurity considerations are grouped under Security Properties, which document implemented safeguards such as encryption, access controls, adversarial robustness measures, compliance frameworks, and vulnerability references.

Finally, the framework proposes a Key Performance Indicators cluster that includes metrics related to both security and operational performance, including robustness, uptime, latency, and incident response indicators.

According to the paper, the objective is to provide practical direction that organisations can adopt to enhance visibility and manage risks linked to AI technologies. The framework is intended to support more secure development and deployment practices.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Diplo chatbot can make mistakes. Consider checking important information.