Apple loses appeal against German regulators

Apple has lost its appeal against a regulatory decision that could impose stricter controls on the company in Germany.

The Federal Court of Justice upheld a 2023 ruling by the country’s competition authority, which classified Apple as a company of ‘paramount cross-market significance for competition,’ placing it under closer scrutiny.

A decision like this means Apple will face potential regulatory measures similar to those imposed on tech giants such as Google’s parent company, Alphabet, and Facebook’s owner, Meta.

The ruling follows a judge’s earlier indication in January that the court would side with the regulator. Apple had attempted to involve the European Court of Justice in Luxembourg, but the request was denied.

In Europe, Apple’s App Store has come under increasing scrutiny, with regulators expressing concerns over how the company collects and utilises vast amounts of user data. This latest setback adds to Apple’s ongoing legal and regulatory challenges in the region.

For more information on these topics, visit diplomacy.edu.

Security Checkup arrives on TikTok to boost user account safety

TikTok has launched a new Security Checkup tool, offering users a simplified way to manage their account safety.

The dashboard provides an easy-to-navigate hub where users can review and update security settings such as login methods, two-step verification, and device access.

Designed to be user-friendly, it aims to encourage proactive security habits without overwhelming people with technical details.

The security portal functions similarly to tools offered by major tech companies like Google and Meta, reinforcing the importance of digital safety.

Features include passkey authentication for password-free logins, alerts for suspicious activity, and the ability to check which devices are logged into an account.

TikTok hopes the tool will make it easier for users to secure their profiles and prevent unauthorised access.

While the Security Checkup is a practical addition, it also arrives amid TikTok’s ongoing struggles in the US, where concerns over data privacy persist.

The company’s head of global security, Kim Albarella, describes the feature as a ‘powerful new tool’ that allows users to ‘take control’ of their account safety with confidence.

Accessing the tool is straightforward: users can find it within the app’s ‘Settings and privacy’ menu under ‘Security & permissions.’

UK watchdog launches enforcement on file-sharing services

The UK’s internet watchdog, Ofcom, has launched a new enforcement programme under the Online Safety Act (OSA), targeting storage and file-sharing services due to concerns over the sharing of child sexual abuse material (CSAM).

The regulator has identified these services as particularly vulnerable to misuse for distributing CSAM and will assess the safety measures in place to prevent such activities.

As part of the enforcement programme, Ofcom has contacted a number of file-storage and sharing services, warning them that formal information requests will be issued soon.

These requests will require the services to submit details on the measures they have implemented or plan to introduce to combat CSAM, along with risk assessments related to illegal content.

Failure to comply with the requirements of the OSA could result in substantial penalties for these companies, with fines reaching up to 10% of their global annual turnover.

Ofcom’s crackdown highlights the growing responsibility for online services to prevent illegal content from being shared on their platforms.

Infosys resolves cybersecurity lawsuits in the US

Indian IT services giant Infosys has settled lawsuits filed against its US subsidiary, Infosys McCamish Systems, for $17.5 million. The lawsuits stem from a cyber incident that occurred in November 2023, which resulted in the compromise of personal data. The company has agreed to pay the settlement into a fund that will resolve all claims related to the breach.

The breach, which involved unauthorised access and data exfiltration, affected up to 6.5 million individuals. Following the incident, Infosys McCamish in the US, in coordination with a third-party vendor, took steps to address the issue and limit the damage caused by the cyberattack.

This settlement marks a significant step for Infosys in resolving the ongoing legal issues stemming from the 2023 incident. The Indian company has worked to resolve the situation while continuing to bolster its cybersecurity measures to prevent future breaches.

Indian police arrest Garantex administrator wanted by US

Indian authorities have arrested Aleksej Besciokov, an administrator of the Russian cryptocurrency exchange Garantex, at the request of the US.

Besciokov, a Russian resident and Lithuanian national, was taken into custody in Kerala on charges of money laundering and violating sanctions. The Central Bureau of Investigation (CBI) said he was planning to flee India, and Washington is expected to seek his extradition.

The arrest follows a joint operation by the US, Germany, and Finland to dismantle Garantex’s online infrastructure.

The exchange, under US sanctions since 2022, has processed at least $96 billion in cryptocurrency transactions since 2019. The US Justice Department recently charged two administrators, including Besciokov, with operating an unlicensed money-transmitting business.

Experts warn that sanctioned exchanges often attempt to bypass restrictions by setting up new entities. Blockchain research firm TRM Labs called the Garantex takedown a significant step in combating illicit finance but emphasised the need for continued vigilance against evasion tactics.

UK NCSC evaluates best practices for open source software and supply chain risk management

The UK government, through the Department for Science, Innovation and Technology (DSIT), has commissioned research to evaluate best practices for managing risks associated with open-source software (OSS). The study assesses existing guidance on OSS security and resilience, examines its effectiveness across sectors, and provides recommendations for strengthening software supply chain security. The research is part of the government’s wider work to improve the UK’s cyber defences and protect and grow the economy.

The report outlines key recommendations for organisations using OSS, including:

  • Establishing an internal OSS policy to manage the adoption of OSS components.
  • Creating a Software Bill of Materials (SBOM) to track OSS components and their dependencies.
  • Continuously monitoring the software supply chain with software composition analysis (SCA) tools to identify vulnerabilities and licensing issues.
  • Actively engaging with the OSS community to attract talent, foster innovation, enhance reputation, and ensure a sustainable ecosystem.
  • Using automation tools to streamline OSS management processes, particularly for smaller organisations, as a cost-effective alternative to manual practices.

The report also highlights the need for further research and policy development in areas such as scale-appropriate best practice guidance, industry-specific OSS management frameworks, standardised metrics for evaluating OSS component maturity, and the impact of community engagement on OSS quality and security.

OpenSSF launches security baseline to strengthen open source software protection

The Open Source Security Foundation (OpenSSF) has introduced the Open Source Project Security Baseline (OSPS Baseline), a structured framework of security requirements designed to align with international cybersecurity regulations and best practices.

The OSPS Baseline provides a tiered approach that evolves with project maturity, integrating guidance from OpenSSF and industry experts to help open-source projects enhance their security posture. Following the Baseline enables developers to align with global cybersecurity regulations, including the EU Cyber Resilience Act (CRA) and the US National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

Several projects, including GUAC, OpenVEX, bomctl, and OpenTelemetry, participated in the pilot rollout. OpenSSF encourages developers and maintainers to adopt the framework and contribute to its ongoing refinement.

HQC announced as safeguard against future quantum attacks

The National Institute of Standards and Technology (NIST) has introduced HQC, a backup encryption algorithm designed to protect sensitive data from potential threats posed by future quantum computers.

As part of its ongoing efforts to strengthen cybersecurity, the agency selected HQC to complement the existing post-quantum cryptography (PQC) standard, ML-KEM, in case quantum advancements compromise current encryption methods.

HQC relies on error-correcting codes, a mathematical approach used in data protection for decades, including in NASA missions.

The algorithm is larger than ML-KEM and requires more computing power, but experts determined it to be a secure and reliable alternative. A draft standard for HQC is expected within a year, with final approval anticipated by 2027.

NIST has been working to prepare for the so-called ‘Q day,’ when quantum computers could break conventional encryption. Three PQC algorithms were finalised in 2024, including ML-KEM and two digital signature standards.

In addition to announcing HQC, NIST is preparing to release a draft standard for the FALCON algorithm, further strengthening protections against future cyber threats.

Tech giants join forces to promote global standards for data provenance and AI transparency

OASIS Open, a global open-source and standards organisation, and the Data & Trust Alliance, a consortium focused on responsible data and AI practices, have announced the formation of the OASIS Data Provenance Standards Technical Committee (DPS TC).

The committee will build upon version 1.0.0 of the Data Provenance Standards developed by the Data & Trust Alliance’s cross-industry Working Group, expanding industry participation to establish formal technical standards for data transparency, accountability, and trust. Founding sponsors include Cisco, IBM, Intel, Microsoft, and Red Hat.

As AI adoption accelerates, organisations face increasing challenges in verifying data sources, ensuring compliance, and maintaining data integrity. The DPS TC aims to create a standardised metadata framework that tracks data lineage, transformations, and compliance across various platforms. This initiative will help organisations improve governance practices, mitigate risks related to data privacy and intellectual property, and enhance transparency in AI-driven applications.

The committee’s work will focus on:

  • Standardised data lineage tracking: Establishing clear and consistent methods for documenting data origins and transformations.
  • Compliance and risk management: Supporting organisations in meeting regulatory and ethical standards for data use.
  • Interoperability across platforms: Ensuring metadata models can be applied consistently across different databases, tables, and data pipelines.
  • Transparency for data users: Providing businesses and individuals with visibility into how data is sourced and managed.

IBM has already tested an early version of the standards, integrating them into its governance framework. According to Christina Montgomery, Chief Privacy and Trust Officer at IBM, this resulted in measurable improvements in data diligence and management processes.

The DPS TC will hold its first meeting on 8 April 2025, with participation open to organisations, industry leaders, and experts through OASIS membership. The committee aims to refine existing standards and develop implementation tools, with a goal of introducing broadly applicable metadata quality metrics within the next 12 to 18 months.

Spain approves bill to regulate AI-generated content

Spain’s government has approved a bill imposing heavy fines on companies that fail to label AI-generated content, aiming to combat the spread of deepfakes.

The legislation, which aligns with the European Union’s AI Act, classifies non-compliance as a serious offence, with penalties reaching up to €35 million or 7% of a company’s global revenue.

Digital Transformation Minister Oscar Lopez stressed that AI can be a force for good but also a tool for misinformation and threats to democracy.

The bill also bans manipulative AI techniques, such as subliminal messaging targeting vulnerable groups, and restricts the use of AI-driven biometric profiling, except in cases of national security.

Spain is one of the first EU nations to implement these strict AI regulations, going beyond the looser US approach, which relies on voluntary compliance.

A newly established AI supervisory agency, AESIA, will oversee enforcement, alongside sector-specific regulators handling privacy, financial markets, and law enforcement concerns.
