CISA updates vulnerability remediation rules

The US Cybersecurity and Infrastructure Security Agency has issued a binding directive requiring federal civilian agencies to prioritise vulnerability remediation based on risk.

Binding Operational Directive 26-04 directs agencies to align their vulnerability management policies around four criteria: whether an affected asset is exposed, whether a vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalogue, whether exploitation can be automated and the likely technical impact after exploitation.

CISA said the directive consolidates and updates earlier requirements for internet-accessible systems and known exploited vulnerabilities. The agency said the approach is intended to help federal civilian agencies focus remediation on the vulnerabilities most likely to cause serious harm.

The directive comes as threat actors continue to exploit unpatched vulnerabilities, with CISA warning that AI software services could help attackers identify and exploit weaknesses more quickly. The agency said AI-enabled exploitation may further reduce the time defenders have between a patch release and attempted compromise.

The directive also requires agencies to consider whether a system may already be compromised before applying a patch. CISA said applying a patch generally does not remove an attacker who already has access to a system, making compromise checks important for risk management.

CISA will monitor agency compliance and provide implementation support. Although the directive is binding only for federal civilian agencies, CISA encouraged other organisations to adopt similar risk-based vulnerability management practices.

Why does it matter?

The directive reflects a shift in federal cybersecurity from treating vulnerability remediation as a fixed checklist to prioritising flaws based on exploitation risk, exposure, and potential impact. That matters because attackers increasingly move quickly from disclosure to exploitation, and AI tools may further shorten that window. For governments and critical organisations, vulnerability management is becoming a continuous risk-management process rather than a periodic patching exercise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New NIST study reveals inherent weaknesses in AI defences 

A new study by a researcher at the US National Institute of Standards and Technology suggests that fixed AI guardrails cannot provide complete protection against adaptive adversarial prompts.

The paper, published in IEEE Security & Privacy by NIST senior scientist Apostol Vassilev, uses logic linked to Kurt Gödel’s incompleteness theorems to argue that a finite set of AI safety rules cannot be universally robust against every possible prompt-based attack.

According to NIST, the finding does not mean AI systems cannot be hardened. Instead, it supports moving away from a ‘one and done’ security model towards continuous monitoring, testing and updating.

The recommended approach includes ongoing red-team work to identify adversarial prompts before attackers exploit them, continuous updates to strengthen guardrails and operational resilience measures that limit the impact of successful attacks and enable quick recovery.

NIST said the goal is not to eliminate all vulnerabilities, but to make exploitation more difficult and costly. As AI systems are deployed more widely, organisations should treat AI security as a permanent operational process rather than a problem that can be solved through a fixed set of controls.

Why does it matter?

The study reinforces a central challenge in AI governance: security controls for AI systems cannot be treated as static compliance measures. As AI tools are integrated into business operations, public services and security-sensitive environments, organisations may need continuous red-teaming, guardrail updates, monitoring and incident response. The policy relevance lies in shifting AI risk management from one-time assurance towards ongoing operational resilience.


Ofcom confirms platform crisis protocols under UK Online Safety Act

UK communications regulator Ofcom has set out new crisis response measures aimed at helping online platforms respond when illegal content and content harmful to children spreads rapidly during emergencies.

The measures will be added to Ofcom’s Illegal Content Codes of Practice and Protection of Children Codes of Practice under the UK’s Online Safety Act. However, they must still complete the parliamentary process before taking effect.

Ofcom said ordinary content moderation systems may not be sufficient during exceptional events, such as public disorder, terrorist attacks, or other crises that lead to a sudden increase in harmful or illegal online activity. The regulator pointed to the violent riots that followed the 2024 Southport murders and the risk of terrorist attacks being livestreamed as examples of crises where online content can threaten public safety.

Under the measures, service providers should prepare and apply crisis protocols to manage significant increases in relevant illegal content or content harmful to children. Ofcom expects providers to deploy temporary response teams as soon as possible during a crisis, record key decisions and conduct post-crisis reviews to assess whether their response was effective.

Large platforms should also maintain dedicated communication channels for law enforcement agencies to share crisis-related information. Ofcom said the measures are intended to support faster and more coordinated public safety efforts during exceptional events.

The regulator consulted on crisis response protocols in 2025 and said further decisions on additional online safety measures are expected in autumn 2026.

Why does it matter?

The measures show how online safety regulation is moving from general content moderation duties towards operational crisis governance. In emergencies, platforms may face sudden spikes in illegal content, livestreamed harm or coordinated activity that ordinary moderation systems cannot manage quickly enough. Ofcom’s approach also formalises closer crisis-time coordination between large platforms and law enforcement, raising important questions about public safety, platform accountability, due process and safeguards under the UK Online Safety Act.


Study warns of self-replicating AI malware using real-time reasoning

Cybersecurity researchers have demonstrated an AI-powered computer worm capable of identifying vulnerabilities, generating attack strategies and spreading autonomously across networks. The study suggests that advances in AI agents could enable a new class of adaptive cyber threats capable of operating with minimal or no direct human intervention.

The research, conducted by teams from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow, describes malware that uses large language models to tailor its behaviour to each target. Unlike traditional worms, the system can adapt its attack methods in real time instead of relying solely on pre-programmed exploits.

Testing in a controlled virtual environment showed the system could successfully compromise multiple machines and replicate across a simulated network over several days. The worm also operated without relying on cloud infrastructure, running AI models locally on infected systems and using those resources to support its operations.

Researchers warned that such capabilities could signal a shift towards what they describe as ‘autonomous generative adversaries’ and stressed the need for stronger detection systems, evaluation frameworks and governance mechanisms. While details were limited to reduce misuse risks, the authors said the findings reflect how rapidly AI-enabled cyber capabilities are evolving.

Why does it matter? 

The research signals a shift in cyber risk from static, signature-based malware to autonomous systems capable of reasoning, adapting, and scaling attacks without human input.

As AI models become more capable and widely deployed, the line between tool and autonomous threat blurs, increasing pressure on cybersecurity systems, patching cycles, and regulation to keep up with real-time, evolving attacks.


Canada warns of cyber threats targeting FIFA World Cup 2026

Canada’s Cyber Centre has warned that the FIFA World Cup 2026 will almost certainly attract cyber threat activity from cybercriminals, non-state actors and state-sponsored actors.

The tournament will run from 11 June to 19 July 2026 across Canada, the US and Mexico, with 104 matches in 16 cities. The Cyber Centre said the event’s global visibility, complex supporting infrastructure and broad ecosystem of suppliers and services create a large attack surface.

According to the bulletin, cybercriminals are expected to exploit public interest in the tournament through phishing, social engineering, ticket scams, fraudulent travel offers, fake livestreaming services, malicious apps and other forms of online fraud. The Cyber Centre cited research identifying more than 4,300 likely fraudulent domain registrations linked to the tournament as of August 2025.

Organisations connected to the event, including travel, hospitality, ticketing, broadcasting, telecommunications, utilities and transport providers, could also face ransomware, distributed denial-of-service attacks and website defacement. The Cyber Centre said attackers may target entities in the wider tournament ecosystem to maximise publicity, even when their targets are not part of the core World Cup infrastructure.

The bulletin also warned that threat actors are very likely to use the event for disinformation and influence activity, including campaigns involving AI-generated articles, images, videos and deepfakes. It found that there is roughly an even chance of disruptive state-sponsored cyber activity, depending on geopolitical tensions involving host nations or participating countries.

Canadian authorities urged fans, attendees, athletes, government officials and organisations linked to the tournament to strengthen cybersecurity practices and prepare for scams, disruptive attacks and information manipulation during the event.

Why does it matter?

The bulletin treats the World Cup as more than a sports event. It frames major tournaments as digitally dependent public safety environments involving ticketing systems, broadcasters, transport networks, hotels, mobile communications, local authorities and critical infrastructure. Cyber incidents during such events can cause financial loss, service disruption, data exposure, emergency communication risks and information manipulation, making cybersecurity part of event resilience and public trust.


Ofcom warns platforms over online abuse ahead of FIFA World Cup 2026

Ofcom has urged online platforms to strengthen protections against illegal hate speech, abuse, threats and harassment ahead of the FIFA World Cup 2026. The UK regulator reminded technology companies that they have legal responsibilities under the Online Safety Act to reduce the risk of users encountering criminal content on their services.

The intervention follows concerns about abuse directed at players, coaches, officials and commentators during previous international tournaments. According to Ofcom, online attacks have frequently targeted individuals based on race, ethnicity, perceived sexual orientation and disability, causing significant personal and professional harm.

Under the UK’s Online Safety Act, platforms are required to operate effective reporting systems, maintain adequately resourced moderation teams and remove illegal content without undue delay. Ofcom stated that evidence of failures to meet these obligations during the tournament could be considered as part of its ongoing compliance assessments.

The regulator also highlighted a partnership established earlier this year with the UK Football Policing Unit, the Football Association, the Premier League, the English Football League, the Women’s Super League, the Professional Footballers’ Association and anti-discrimination organisation Kick It Out.

The initiative aims to strengthen information sharing and support preventative measures against online abuse targeting individuals across the football ecosystem.

Why does it matter?

Major sporting events often lead to spikes in online abuse, particularly against athletes, officials and other high-profile figures. The scale and visibility of these events can amplify harmful behaviour and place additional pressure on platforms to enforce their content moderation policies effectively.

Ofcom’s intervention highlights how online safety regulation is increasingly being tested during major public events. The regulator’s warning also signals that compliance with the Online Safety Act will be assessed not only through policies on paper but through how platforms respond to real-world surges in harmful content.


UK’s IWF backs on-device nudity detection to protect children online

The Internet Watch Foundation (IWF) has welcomed a UK government proposal that would require technology companies to introduce on-device nudity detection and blocking features for internet-connected devices used by children. The charity argues that preventing explicit images from being created or shared could significantly reduce the circulation of child sexual abuse material online.

The proposal follows growing concern over the increasing volume of so-called ‘self-generated’ child sexual abuse material, in which children are manipulated or coerced into creating explicit content.

According to IWF data, 311,610 reports containing child sexual abuse material were actioned during 2025, the highest number recorded by the organisation. Of those reports, 266,397 contained at least one self-generated image or video, underscoring the scale of the issue.

According to the IWF, children are frequently groomed, manipulated or coerced into producing sexual images that are subsequently distributed online. During 2025, analysts assessed more than 111,000 criminal images and almost 29,000 videos involving self-generated abuse material. More than 25,000 of those files were classified as Category A, the most severe category under UK law.

While supporting device-level protections, the organisation emphasised that no single intervention can address the problem on its own. It argues that effective child protection requires a combination of device safeguards, platform responsibility, law enforcement action and broader online safety policies.

Why does it matter?

The proposal reflects a growing shift towards preventative online safety measures that seek to stop harmful content from being created and shared, rather than relying solely on detection and removal after distribution.

The debate also highlights increasing concern about self-generated child sexual abuse material, which has become one of the fastest-growing categories of online abuse. If implemented effectively, device-level safeguards could become an important component of broader child protection strategies that also include platform responsibility, education initiatives and law enforcement action.


Spain calls for United Nations action on children’s digital rights

Spain has proposed the creation of a permanent multilateral working group within the UN to strengthen the regulation of digital environments and improve protections for children online.

The proposal was presented by Minister of Youth and Childhood, Sira Rego, during a ministerial roundtable at the Global Alliance of Pioneer Countries to End Violence Against Children in Turin.

According to Rego, stronger international cooperation is needed to regulate digital environments and protect children’s rights in response to abuses by major technology platforms. She said protecting children online requires regulations, rules, and control mechanisms that safeguard their rights and freedoms.

The proposal builds on earlier Ibero-American ministerial discussions on youth and childhood, during which countries agreed to establish an Ibero-American Observatory for the Well-being of Children, with a focus on protecting minors in digital environments. Spain is now proposing a similar approach within the UN framework.

A central element of Spain’s position is algorithmic transparency. Rego said algorithms are not neutral systems and can affect children’s ability to exercise their rights. She argued that such systems should be auditable and subject to democratic oversight by public authorities.

Alongside regulatory measures, Spain is advancing a National Strategy for Digital Environments to improve digital literacy among children, adolescents, and families. The strategy will combine education, pedagogical tools, and content creation to help protect children’s rights in digital spaces.

Why does it matter?

Spain’s proposal reflects growing pressure for international coordination on children’s digital rights. National rules alone often struggle to address platforms that operate across borders and use algorithmic systems that shape what children see, how they interact, and how their data is used. A UN-level working group could provide child online safety with a more permanent multilateral forum, especially on platform accountability and algorithmic transparency.


Australia’s regulator warns of growing AI-powered sextortion threat

Australia’s eSafety Commissioner has launched a public awareness campaign warning that criminals are increasingly using AI and other digital tools in sextortion scams.

The initiative, titled ‘If sextortionists were honest’, uses generative AI to expose deceptive tactics used by online criminals targeting victims through dating apps and social media platforms.

According to eSafety, more than 3,300 reports of sexual extortion were received through its image-based abuse scheme in 2025. Eighty-six percent of reports came from males of all ages, while 42% of all sextortion reports involved males aged 18 to 24.

eSafety Commissioner Julie Inman Grant said offenders are already weaponising face-swapping and voice-cloning technologies, while using generative AI to create fake but convincing online characters and improve scam scripts that previously contained warning signs such as poor grammar or inconsistent messaging.

Reports made to eSafety show that first contact frequently occurs on platforms such as Tinder, Instagram, and Grindr, before conversations are moved to WhatsApp, Telegram, or other messaging apps. Offenders may then search victims’ social media accounts to identify family members and friends they can threaten to contact.

The regulator said overseas offenders often try to appear local and legitimate, including by spoofing Australian phone numbers, using intimate images taken from other victims, or using bank accounts belonging to previous victims to receive and move payments.

eSafety said the safest response is to stop contact, report the account to the platform, block the offender, preserve evidence where possible, and seek support rather than paying. The regulator also called on platforms to take proactive Safety by Design steps, including better language analysis, classifier-based detection, accessible reporting and blocking tools, swift removal pathways for image-based abuse, and cross-platform signal sharing.

Why does it matter?

The campaign shows how generative AI is making online coercion and scams harder to detect. Sextortion is no longer only a problem of fake accounts and blackmail messages: offenders can now use AI-generated personas, improved scripts, voice cloning, and deepfake-style techniques to build trust and pressure victims more effectively. That raises the importance of platform-level detection, user reporting tools, digital literacy, and victim support.


European Central Bank warns banks to strengthen resilience as AI reshapes cyber threats

Europe’s banking sector must strengthen its operational resilience as AI transforms the cyber threat landscape and increases systemic risks, according to the European Central Bank (ECB). Speaking at a financial conference, Executive Board member Frank Elderson warned that technological disruption and geopolitical fragmentation are increasing pressure on financial infrastructure.

The ECB said Europe’s reliance on external providers for technology, energy and financial services creates vulnerabilities that could expose critical functions to operational disruptions. While banks remain financially stable, their ability to maintain critical services during cyberattacks or system failures has become key to long-term competitiveness and stability.

According to the ECB, AI is accelerating cyber risks by lowering barriers to sophisticated attacks, enabling faster identification of vulnerabilities and expanding the range of actors capable of conducting cyber operations. While supervisors have strengthened oversight through measures such as stress testing and the implementation of the Digital Operational Resilience Act (DORA), the ECB warned that cyber and operational risks continue to evolve rapidly.

Authorities are now urging banks to invest more heavily in systems, governance, and third-party risk management to ensure continuity of services under stress. The ECB emphasised that operational resilience should be viewed not only as a technical challenge but as a strategic priority for maintaining trust in financial services and supporting Europe’s wider economic transformation.

Why does it matter?

Financial stability increasingly depends not only on the financial health of banks but also on their ability to maintain critical services during cyber incidents, technology failures and operational disruptions.

As AI enables more sophisticated cyberattacks and financial institutions become more dependent on complex digital infrastructure and third-party providers, regulators are placing greater emphasis on operational resilience as a core component of financial stability, economic competitiveness and public trust.
