Spain calls for United Nations action on children’s digital rights

Spain has proposed the creation of a permanent multilateral working group within the UN to strengthen the regulation of digital environments and improve protections for children online.

The proposal was presented by Minister of Youth and Childhood, Sira Rego, during a ministerial roundtable at the Global Alliance of Pioneer Countries to End Violence Against Children in Turin.

According to Rego, stronger international cooperation is needed to regulate digital environments and protect children’s rights in response to abuses by major technology platforms. She said protecting children online requires regulations, rules, and control mechanisms that safeguard their rights and freedoms.

The proposal builds on earlier Ibero-American ministerial discussions on youth and childhood, during which countries agreed to establish an Ibero-American Observatory for the Well-being of Children, with a focus on protecting minors in digital environments. Spain is now proposing a similar approach within the UN framework.

A central element of Spain’s position is algorithmic transparency. Rego said algorithms are not neutral systems and can affect children’s ability to exercise their rights. She argued that such systems should be auditable and subject to democratic oversight by public authorities.

Alongside regulatory measures, Spain is advancing a National Strategy for Digital Environments to improve digital literacy among children, adolescents, and families. The strategy will combine education, pedagogical tools, and content creation to help protect children’s rights in digital spaces.

Why does it matter?

Spain’s proposal reflects growing pressure for international coordination on children’s digital rights. National rules alone often struggle to address platforms that operate across borders and use algorithmic systems that shape what children see, how they interact, and how their data is used. A UN-level working group could give child online safety a more permanent multilateral forum, especially on platform accountability and algorithmic transparency.


Australia’s regulator warns of growing AI-powered sextortion threat

Australia’s eSafety Commissioner has launched a public awareness campaign warning that criminals are increasingly using AI and other digital tools in sextortion scams.

The initiative, titled ‘If sextortionists were honest’, uses generative AI to expose deceptive tactics used by online criminals targeting victims through dating apps and social media platforms.

According to eSafety, more than 3,300 reports of sexual extortion were received through its image-based abuse scheme in 2025. Eighty-six percent of reports came from males of all ages, while 42% of all sextortion reports involved males aged 18 to 24.

eSafety Commissioner Julie Inman Grant said offenders are already weaponising face-swapping and voice-cloning technologies, while using generative AI to create fake but convincing online characters and improve scam scripts that previously contained warning signs such as poor grammar or inconsistent messaging.

Reports made to eSafety show that first contact frequently occurs on platforms such as Tinder, Instagram, and Grindr, before conversations are moved to WhatsApp, Telegram, or other messaging apps. Offenders may then search victims’ social media accounts to identify family members and friends they can threaten to contact.

The regulator said overseas offenders often try to appear local and legitimate, including by spoofing Australian phone numbers, using intimate images taken from other victims, or using bank accounts belonging to previous victims to receive and move payments.

eSafety said the safest response is to stop contact, report the account to the platform, block the offender, preserve evidence where possible, and seek support rather than paying. The regulator also called on platforms to take proactive Safety by Design steps, including better language analysis, classifier-based detection, accessible reporting and blocking tools, swift removal pathways for image-based abuse, and cross-platform signal sharing.

Why does it matter?

The campaign shows how generative AI is making online coercion and scams harder to detect. Sextortion is no longer only a problem of fake accounts and blackmail messages: offenders can now use AI-generated personas, improved scripts, voice cloning, and deepfake-style techniques to build trust and pressure victims more effectively. That raises the importance of platform-level detection, user reporting tools, digital literacy, and victim support.


European Central Bank warns banks to strengthen resilience as AI reshapes cyber threats

Europe’s banking sector must strengthen its operational resilience as AI transforms the cyber threat landscape and increases systemic risks, according to the European Central Bank (ECB). Speaking at a financial conference, Executive Board member Frank Elderson warned that technological disruption and geopolitical fragmentation are increasing pressure on financial infrastructure.

The ECB said Europe’s reliance on external providers for technology, energy and financial services creates vulnerabilities that could expose critical functions to operational disruptions. While banks remain financially stable, their ability to maintain critical services during cyberattacks or system failures has become key to long-term competitiveness and stability.

According to the ECB, AI is accelerating cyber risks by lowering barriers to sophisticated attacks, enabling faster identification of vulnerabilities and expanding the range of actors capable of conducting cyber operations. While supervisors have strengthened oversight through measures such as stress testing and the implementation of the Digital Operational Resilience Act (DORA), the ECB warned that cyber and operational risks continue to evolve rapidly.

Authorities are now urging banks to invest more heavily in systems, governance, and third-party risk management to ensure continuity of services under stress. The ECB emphasised that operational resilience should be viewed not only as a technical challenge but as a strategic priority for maintaining trust in financial services and supporting Europe’s wider economic transformation.

Why does it matter?

Financial stability increasingly depends not only on the financial health of banks but also on their ability to maintain critical services during cyber incidents, technology failures and operational disruptions.

As AI enables more sophisticated cyberattacks and financial institutions become more dependent on complex digital infrastructure and third-party providers, regulators are placing greater emphasis on operational resilience as a core component of financial stability, economic competitiveness and public trust.


Tech firms and law enforcement disrupt Southeast Asia scam networks

A major international operation involving Meta, Microsoft, Coinbase, Starlink, and law enforcement agencies from several countries has disrupted large-scale criminal scam networks operating across Southeast Asia.

The coordinated effort combined digital intelligence, financial investigations, platform enforcement, and real-world law enforcement action to target organised groups responsible for online fraud, investment scams, and other cyber-enabled crimes.

According to Meta, the operation removed more than 1.4 million fraudulent accounts, pages, and groups across Facebook and Instagram. Microsoft suspended around 20,000 malicious accounts linked to scam activity, while Coinbase froze more than $3 million in cryptocurrency assets associated with criminal operations.

Starlink also shut down thousands of internet terminals allegedly used by fraud operations, while law enforcement authorities arrested 63 individuals linked to scam centres.

The initiative brought together the US Department of Justice, the FBI, the US Secret Service, the Royal Thai Police, and law enforcement agencies from the UK, Australia, Canada and New Zealand.

Meta said intelligence sharing between technology companies and law enforcement helped identify additional scam locations and uncover previously unknown criminal networks operating across multiple jurisdictions.

Why does it matter?

The operation shows how online scam networks now rely on a full digital stack: social media accounts, messaging, cryptocurrency payments, connectivity infrastructure, and cross-border money movement. Disrupting these networks increasingly requires coordination between platforms, financial services, internet providers, and law enforcement. The case also highlights the link between digital fraud and physical scam compounds in Southeast Asia, where cybercrime operations often operate across multiple jurisdictions.


New Zealand’s NCSC warns frontier AI could amplify cybersecurity risks

New Zealand’s National Cyber Security Centre (NCSC) has issued guidance to help government agencies prepare for the cybersecurity implications of frontier AI systems. The advisory notes that frontier AI models may enable more advanced automation, reasoning and decision-making capabilities than previous generations of AI systems.

The guidance describes frontier AI as a dual-use technology, noting that the same capabilities that enhance cyber defence could also enable malicious actors to conduct cyber operations more quickly, at lower cost and on a larger scale. The NCSC warns that frontier AI could amplify risks associated with known vulnerabilities, legacy systems and poor cyber hygiene, creating what it describes as a ‘vulnerability storm’ for organisations.

According to the NCSC, organisations do not need access to the most advanced frontier AI models to strengthen their cyber resilience. Instead, it says effective readiness depends on existing cybersecurity mitigations and practices, including the New Zealand Information Security Manual, the NCSC Cyber Security Framework, Minimum Cyber Security Standards, and Protective Security Requirements.

The advisory urges government entities to treat several actions as immediate priorities, including reviewing compliance with existing standards, confirming executive accountability for frontier AI cyber risk, reviewing NCSC guidance, and identifying material gaps that AI-enabled threat actors could exploit.

The guidance also restates the NCSC Cyber Security Framework’s five functions: guide and govern, identify and understand, prevent and protect, detect and contain, and respond and recover. The advisory highlights a range of baseline cybersecurity measures, including risk management, security awareness, secure configuration, patch management, multi-factor authentication, least-privilege access controls, anomaly detection, data recovery and incident response planning.

Why does it matter?

Frontier AI is expected to increase the speed, scale and sophistication of cyber operations, potentially allowing attackers to identify vulnerabilities, automate exploitation and conduct campaigns more efficiently than before.

Rather than relying solely on new AI-specific defences, New Zealand’s guidance emphasises that strong cybersecurity fundamentals, including patching, access controls, monitoring and incident response, remain the most effective way to reduce risk. The advisory reflects a growing international view that AI is amplifying existing cyber challenges rather than replacing them with entirely new ones.


Anthropic offers ENISA access to advanced AI security model

Anthropic has invited the European Commission to facilitate access for ENISA, the EU agency for cybersecurity, to its cybersecurity-focused AI model Mythos, according to Bloomberg. The invitation followed a meeting between Anthropic and the Commission in San Francisco on 29 May. The EU must now establish a mechanism with appropriate security safeguards before access can be implemented; an ENISA official confirmed the agency does not currently have active access.

Anthropic unveiled Mythos in April, describing it as a model capable of identifying and exploiting cybersecurity vulnerabilities at a level that surpasses most human experts. Bloomberg reported on 2 June that ENISA was set to receive access to the model.

European Commission spokesperson Thomas Regnier welcomed the development, saying that access could help authorities build a clearer understanding of potential risks as increasingly capable AI models enter the market. The invitation follows calls from European policymakers and cybersecurity officials for greater access to advanced AI systems and for the development of comparable European capabilities.

Why does it matter?

The emergence of AI models capable of identifying software vulnerabilities at scale is reshaping cybersecurity risk assessments for governments, regulators and critical infrastructure operators. Access to such systems can help authorities better understand their capabilities, evaluate potential threats and develop appropriate safeguards.

For the EU, granting ENISA access to Mythos could support evidence-based policymaking and strengthen preparedness as increasingly powerful cybersecurity-focused AI models become available. The move also highlights a broader challenge: ensuring that public institutions can keep pace with rapidly advancing AI capabilities.


Supply chain attack compromises Red Hat software packages on npm

Security researchers at Aikido and JFrog identified malicious code in more than 30 software packages published through a verified Red Hat Cloud Services account on npm, the widely used software package repository for developers. The packages are used across cloud application development and are installed by developers and automated systems worldwide.

According to the researchers, the attackers did not initially target individual developers. Instead, evidence suggests they gained access to the automated pipeline that publishes Red Hat Cloud Services packages to npm, allowing them to distribute modified packages through an officially trusted channel. Developers and organisations following the standard security practice of installing software only from verified, trusted sources would have had no reason to suspect these packages.

Systems that installed the affected packages from 1 June onward may have executed hidden malicious code capable of harvesting credentials and transmitting them to the attackers. That code collected a wide range of credentials from the affected machine: access keys for Amazon, Google, and Microsoft cloud services; tokens used in automated software pipelines; passwords stored in cloud-based vaults; and credentials for a range of developer tools. The collected data was then transmitted to the attackers.

Researchers said the malware attempted to disguise its outbound communications by mimicking requests to an Anthropic-related service address, potentially making malicious traffic less conspicuous in network logs. The specific path used does not correspond to any real Anthropic endpoint, but its appearance in network logs would be inconspicuous at organisations using Anthropic products. Network defenders should treat any automated process contacting that address as a potential indicator of compromise.

The malware also installs persistent background processes that survive system restarts, and embeds hooks into several widely used AI coding assistants and developer tools. Researchers also warned that the malware may delete files if compromised credentials are revoked before the malicious software is fully removed from the affected system. Organisations investigating this incident should remove all traces of the malware before revoking any compromised credentials.

Aikido and JFrog have published a list of affected package versions and recommend treating any system that installed them on or after 1 June 2026 as potentially compromised until investigated.
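As an added illustration (not code from Aikido, JFrog or Red Hat), the check below matches the exact versions recorded in an npm `package-lock.json` against an affected-versions list, covering both the flat `packages` layout and the older nested `dependencies` layout. The package names, versions and sample lockfile are constructed placeholders; the real list must come from the researchers' publications.

```javascript
// Added example. AFFECTED holds constructed placeholder names and versions,
// NOT the real affected list published by the researchers.
const AFFECTED = {
  "@example-scope/placeholder-client": ["1.4.2", "1.4.3"],
  "placeholder-utils": ["0.9.1"],
};

// Derive the package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Return every locked copy whose name and exact version are on the list.
// lockText is the content of package-lock.json (read it with fs in practice).
function findAffected(lockText, affected = AFFECTED) {
  const lock = JSON.parse(lockText);
  const hits = [];
  const check = (name, version, where) => {
    const listed = Object.prototype.hasOwnProperty.call(affected, name);
    if (listed && affected[name].includes(version)) {
      hits.push({ name, version, where });
    }
  };

  // lockfileVersion 2 and 3: flat map keyed by install path. An explicit
  // "name" field (present for aliased installs) wins over the path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (name && meta.version) check(name, meta.version, path);
  }

  // lockfileVersion 1: nested "dependencies" tree. Skipped when the flat map
  // exists, so the same copy is not reported twice.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}>${name}`;
      if (meta.version) check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "root");

  return hits;
}

// Constructed sample lockfile (v3 layout): one direct hit, one nested hit,
// and a non-listed version of a listed package that must not be flagged.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/placeholder-utils": { version: "0.9.0" },
    "node_modules/@example-scope/placeholder-client": { version: "1.4.3" },
    "node_modules/left/node_modules/placeholder-utils": { version: "0.9.1" },
    "node_modules/left": { version: "2.0.0" },
  },
});

console.log(findAffected(SAMPLE_LOCK));
```

A lockfile records what was resolved, not when it was installed, so a match only identifies hosts and build runners to investigate against the 1 June cut-off.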

Why does it matter?

Software supply chain attacks are particularly difficult to defend against because they exploit trusted distribution channels rather than relying on phishing, malware downloads or other forms of user error. In this case, developers and organisations installing software from a verified source could have unknowingly introduced malicious code into their environments.

The incident also highlights growing concerns around the security of software publishing infrastructure. As organisations increasingly depend on open-source components and automated development pipelines, compromises affecting trusted repositories can have far-reaching consequences across cloud environments, development systems and critical digital services.


Hong Kong launches AI-focused cybersecurity initiatives for 2026

Hong Kong’s Digital Policy Office has announced a series of AI-related cybersecurity initiatives for the second half of 2026, following a briefing on cyber resilience and emerging technology risks. The office said it would focus on improving AI security awareness and digital literacy among both organisations and the public.

Planned initiatives include a Secure AI@Work Enablement Campaign, organised with the Hong Kong Internet Registration Corporation, to help enterprises develop secure and compliant AI ecosystems. The Digital Policy Office will also collaborate with industry on an AI x Cybersecurity Challenge focused on AI-powered threat detection, cyber resilience and cybersecurity skills development.

The office said it would continue enterprise support and practical drills, including an enhanced Cybersec One+, the Cybersecurity Service Providers Connect Programme and the third Hong Kong Cybersecurity Attack and Defence Drill. Hong Kong will also consolidate the Cyber Security Summit Hong Kong and the Cybersecurity Symposium into a single Cybersecurity Symposium and Summit in December.

The Cyber Security and Technology Crime Bureau said the volume of cyber threat intelligence related to threats targeting Hong Kong continues to increase. Its Cyber Security Centre analysed more than 330,000 threat intelligence records during the first quarter of 2026, identifying phishing as the most prevalent threat category.

The bureau said it would deepen international law enforcement cooperation, strengthen intelligence sharing with sectors including critical infrastructure, and use AI and big data to improve cyber threat detection, early warning analysis, and incident response. The Hong Kong Police Force and Cyberport have also established the Smart Policing Joint AI Lab to develop technologies for detecting deepfakes and strengthening network defence capabilities.

Why does it matter?

The initiatives reflect growing efforts by governments to address the cybersecurity implications of wider AI adoption. As organisations increasingly integrate AI into business operations, concerns around secure deployment, cyber resilience and workforce readiness are becoming key policy priorities.

The programme also highlights how AI is being used both as a potential source of cyber risk and as a tool for improving threat detection, incident response and cyber defence capabilities.


Anthropic expands AI cybersecurity programme for critical infrastructure

AI company Anthropic has announced a major expansion of Project Glasswing, an initiative aimed at strengthening the security of critical software through AI-assisted vulnerability detection.

After initially providing access to around 50 organisations, the programme will expand to approximately 150 additional partners across more than 15 countries.

Project Glasswing provides selected organisations with access to Claude Mythos Preview, Anthropic’s cybersecurity-focused AI model. According to Anthropic, participating organisations have identified more than 10,000 high- and critical-severity software vulnerabilities through the programme.

The newly added participants include operators and vendors across critical infrastructure sectors such as power, water, healthcare, communications and hardware manufacturing.

Anthropic argues that increasingly capable AI systems could significantly reshape cybersecurity, creating both new defensive opportunities and new risks. The company says future AI models may enable defenders to identify, analyse and remediate vulnerabilities at greater scale, while also potentially enhancing the capabilities available to malicious actors.

Project Glasswing is intended to help critical organisations adapt before such capabilities become widely accessible.

Alongside the expansion, Anthropic said it plans to provide additional cybersecurity tools, support vulnerability remediation efforts and work with industry, governments and open-source software maintainers to strengthen cyber resilience.

Why does it matter?

The expansion of Project Glasswing highlights the growing role of AI in cybersecurity, particularly in vulnerability discovery and software security testing. As critical infrastructure operators face increasingly sophisticated cyber threats, AI-assisted tools may help identify and address security weaknesses more quickly.

At the same time, the initiative reflects broader concerns that advances in AI could benefit both defenders and attackers, increasing the importance of responsible deployment, coordinated security research and resilience planning across critical sectors.
