cybersecurity

Japan to develop new cybersecurity strategy and measures

The Japanese government is preparing to develop a new cybersecurity strategy within the year, aiming to address growing digital threats targeting both public institutions and private enterprises. As part of the forthcoming strategy, the government plans to transition its internal communications systems from public-key cryptography to post-quantum cryptography, which is considered more resilient against potential cyberattacks enabled by quantum computing technologies.

In a recent development, Defence Minister Gen Nakatani met with Lithuanian Defence Minister Dovile Šakalienė in Tokyo, where both sides agreed to strengthen bilateral cooperation on cybersecurity. A Japanese Ministry of Defence expert will be sent to Lithuania in June to engage with local specialists, who are recognised for their expertise in managing persistent cyber threats, particularly those attributed to Russian state-linked actors.

The agreement follows an earlier announcement that Japan intends to expand its pool of specialist cybersecurity personnel from the current 24,000 to at least 50,000 by 2030. The target was introduced in response to a Ministry of Economy, Trade and Industry (METI) panel recommendation that the country needs approximately 110,000 skilled cybersecurity professionals to meet growing demand.

Under new regulatory measures due to take effect in 2026, the government will also begin inspecting the cybersecurity practices of private companies. Firms failing to meet the established standards may risk losing access to state subsidies.

Earlier this year, the parliament passed a new law enabling active cyberdefence measures, allowing authorities to legally monitor communications data during peacetime and neutralise foreign servers if cyberattacks occur.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EU extends cybersecurity deadline for wireless devices

The European Commission has extended the deadline for mandatory cybersecurity requirements targeting wireless and connected devices sold within the EU.

Under the Delegated Act (2022/30) of the Radio Equipment Directive, manufacturers must embed robust security features to guard against risks such as unauthorised access and data breaches. The rules will now take effect from 1 August 2025.

A broad range of products will be affected, including mobile phones, tablets, cameras, and telecommunications devices using radio signals.

Internet of Things (IoT) items—such as baby monitors, smartwatches, fitness trackers, and connected industrial machinery—also fall within the scope. Any device capable of transmitting or receiving data wirelessly may be subject to the new requirements.

The deadline extension aims to give manufacturers additional time to adopt harmonised standards and integrate cybersecurity into product design. The Commission emphasised the importance of early action to avoid compliance issues when the rules become binding.

Despite the grace period, businesses are urged to act now by reviewing development cycles and addressing potential vulnerabilities well ahead of the implementation date.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Tech coalition to push for faster US foreign cybersecurity aid

A coalition of leading technology and cybersecurity firms, including Carahsoft, Dell Technologies, Forescout, Google Cloud, Trellix, and Velos, has launched the Strategic Cybersecurity Coalition (SCC). The group is dedicated to advocating for a more efficient and streamlined US approach to foreign cybersecurity assistance.

Their goal is to accelerate the deployment of sustainable, interoperable cybersecurity solutions that can effectively respond to the growing global cyber threat landscape. The US government continues to face significant bureaucratic and legal barriers that slow the delivery of timely cybersecurity support to its allies.

Despite the Biden administration’s introduction of a rapid-response fund, the broader foreign aid framework remains outdated and ill-equipped to keep pace with fast-evolving cyber incidents. Progress was further stalled by a pause in foreign assistance during the previous administration.

Moreover, existing military aid programs focus largely on traditional weaponry, which often requires years-long procurement processes, an impractical timeline for urgently needed cybersecurity tools and training. Restrictive regulations also hinder US companies from providing cybersecurity services abroad, limiting critical threat intelligence sharing vital to national security.

Strengthening allied cybersecurity is crucial for US security, as threats often target both partners and the US. The SCC calls for faster, streamlined cyber aid through military programs by easing contracting rules and funding limits, aiming to reduce procurement from years to months.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

FCC to enhance security on foreign communications equipment

The Federal Communications Commission (FCC) has implemented new policies aimed at strengthening the security of the United States’ communications infrastructure against foreign threats. These policies expand the FCC’s authority to prohibit the authorisation of communications equipment from companies identified as national security risks, including Huawei, ZTE, Hytera, Hikvision, and Dahua.

Additionally, the FCC now has the power to revoke previously granted equipment authorisations if a company is later added to the ‘covered list.’ The scope of these regulations has also broadened to cover not only core network infrastructure but also a wide range of devices such as routers, switches, and consumer electronics, thereby reducing vulnerabilities and protecting against foreign interference.

US telecom companies must comply by replacing equipment from covered vendors, which may involve significant costs. While this transition poses challenges, the FCC stresses minimal short-term impact on consumers and highlights the long-term security benefits.

The agency also has enforcement powers, including fines, to ensure compliance. Going forward, the FCC will keep monitoring threats and update its policies as needed.

It will also work with government and international partners to strengthen cybersecurity efforts, showing its commitment to protecting critical communications infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

The United Nations calls for urgent regulation of military AI

The UN and global experts have emphasised the urgent need for comprehensive regulation of AI in military applications. UN Secretary has called for ‘global guardrails’ to govern the use of autonomous weapons, warning that rapid technological development has outpaced current policies.

Recently, 96 countries met at the UN to discuss AI-powered weapons, expanding the conversation to include human rights, criminal law, and ethics, with a push for legally binding agreements by 2026. Unregulated military AI poses serious risks like cybersecurity attacks and worsening geopolitical divides, as some countries fear losing a strategic advantage to rivals.

However, if properly regulated, AI could reduce violence by enabling less-lethal actions and helping leaders choose non-violent solutions, potentially lowering the human cost of conflict. To address ethical challenges, institutions like Texas A&M University are creating nonprofits that work with academia, industry, and defence sectors to develop responsible AI frameworks.

These efforts aim to promote AI applications that prioritise peace and minimise harm, shifting the focus from offensive weapons toward peaceful conflict resolution. Finally, UN Secretary warned against a future divided into AI ‘haves’ and ‘have-nots.’

He stressed the importance of using AI to bridge global development gaps and promote sustainable progress rather than deepen inequalities, emphasising international cooperation to guide AI toward inclusive growth and peace.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Meta and PayPal users targeted in new phishing scam

Cybersecurity experts are warning of a rapid and highly advanced phishing campaign that targets Meta and PayPal users with instant account takeovers. The attack exploits Google’s AppSheet platform to send emails from a legitimate domain, bypassing standard security checks.

Victims are tricked into entering login details and two-factor authentication codes, which are then harvested in real time. Emails used in the campaign pose as urgent security alerts from Meta or PayPal, urging recipients to click a fake appeal link.

A double-prompt technique falsely claims an initial login attempt failed, increasing the likelihood of accurate information being submitted. KnowBe4 reports that 98% of detected threats impersonated Meta, with the remaining targeting PayPal.

Google confirmed it has taken steps to reduce the campaign’s impact by improving AppSheet security and deploying advanced Gmail protections. The company advised users to stay alert and consult their guide to spotting scams. Meta and PayPal have not yet commented on the situation.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ascension faces fresh data breach fallout

A major cybersecurity breach has struck Ascension, one of the largest nonprofit healthcare systems in the US, exposing the sensitive information of over 430,000 patients.

The incident began in December 2024, when Ascension discovered that patient data had been compromised through a former business partner’s software flaw.

The indirect breach allowed cybercriminals to siphon off a wide range of personal, medical and financial details — including Social Security numbers, diagnosis codes, hospital admission records and insurance data.

The breach adds to growing concerns over the healthcare industry’s vulnerability to cyberattacks. In 2024 alone, 1,160 healthcare-related data breaches were reported, affecting 305 million records — a sharp rise from the previous year.

Many institutions still treat cybersecurity as an afterthought instead of a core responsibility, despite handling highly valuable and sensitive data.

Ascension itself has been targeted multiple times, including a ransomware attack in May 2024 that disrupted services at dozens of hospitals and affected nearly 5.6 million individuals.

Ascension has since filed notices with regulators and is offering two years of identity monitoring to those impacted. However, critics argue this response is inadequate and reflects a broader pattern of negligence across the sector.

The company has not named the third-party vendor responsible, but experts believe the incident may be tied to a larger ransomware campaign that exploited flaws in widely used file-transfer software.

Rather than treating such incidents as isolated, experts warn that these breaches highlight systemic flaws in healthcare’s digital infrastructure. As criminals grow more sophisticated and vendors remain vulnerable, patients bear the consequences.

Until healthcare providers prioritise cybersecurity instead of cutting corners, breaches like this are likely to become even more common — and more damaging.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Legal aid data breach affects UK applicants

The UK Ministry of Justice has confirmed a serious cyber-attack on its Legal Aid Agency, first detected on 23 April and revealed to be more extensive on 16 May. Investigators found that a wide range of personal details belonging to applicants dating back to 2010 were accessed.

The breach has prompted urgent security reviews and cooperation with the National Cyber Security Centre. Stolen information may include names, addresses, dates of birth, national ID numbers, criminal histories, employment records and financial data such as debts and contributions.

While the total number of affected individuals remains unconfirmed, publicly available figures suggest hundreds of thousands of applications across the last year alone. Victims have been urged to monitor for suspicious communications and to change passwords promptly.

UK Legal aid services have been taken offline as contingency measures are put in place to maintain support for vulnerable users. Jane Harbottle, CEO of the Legal Aid Agency, expressed regret over the incident and reassured applicants that efforts are underway to restore secure access.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

ENISA unveils cyber stress testing handbook to strengthen critical infrastructure resilience under NIS2

The European Union Agency for Cybersecurity (ENISA) has released a Handbook for Cyber Stress Testing to support national and sectoral authorities in assessing the cybersecurity and resilience of critical infrastructure, in line with the NIS2 Directive. The guidance is intended for use at the national, regional, and EU levels and complements regulatory frameworks such as the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience (CER) directive.

Cyber stress tests are defined as targeted assessments of an organisation’s capacity to maintain critical services during and after significant cybersecurity incidents. The handbook outlines five main steps for organising these tests:

  1. Defining scope and objectives – identifying relevant sectors, entities, risk scenarios, and test goals;
  2. Designing the test – developing methodologies, resilience metrics, and timelines;
  3. Executing the test – engaging participants and providing guidance;
  4. Conducting a gap analysis – identifying key findings and resilience gaps;
  5. Concluding and follow-up – compiling lessons learned and formulating recommendations.

The structured process enables authorities to evaluate both organizational preparedness and systemic sectoral risks. Practical recommendations are provided for each step, and an example from the health sector illustrates potential applications.

Authorities may use cyber stress tests to inform national risk assessments, prepare for cyber exercises, identify sector-wide vulnerabilities, and support supervisory planning. Tests can also serve as a basis for dialogue between regulators and operators.

While audits and certifications remain standard supervisory tools, stress tests offer an additional method tailored to specific risk scenarios. Depending on sector maturity and regulatory context, authorities may adopt either a voluntary or more prescriptive approach to testing. ENISA recommends clearly communicating the scope, purpose, and use of test results in advance.

Cyber stress tests can be conducted at national, regional, or EU-wide levels. National-level exercises are typically overseen by authorities responsible for specific critical sectors, either broadly assessing sector maturity or focusing on selected entities. Cooperation with sectoral regulators—such as those in finance or civil protection—can enhance the design and implementation of tests.

Regional and EU-wide stress tests, though more complex to coordinate, may be suited to sectors with cross-border dependencies. Recent examples include joint efforts in the energy and financial sectors, coordinated by the European Commission and the European Central Bank. EU funding through the Digital Europe Programme is available to support such initiatives, including development of common tools and methodologies.

In parallel, ENISA has launched the European Vulnerability Database (EUVD), mandated under NIS2. The EUVD is a centralised, authoritative source of publicly available vulnerability information, supporting coordination among national CSIRTs, vendors, and regulators.

The Handbook for Cyber Stress Testing contributes to broader efforts to strengthen risk-informed cybersecurity oversight across the EU and encourages the consistent integration of cyber stress testing into national and sectoral supervisory practices.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Netherlands expands espionage laws to include cyber activities

The Dutch government has adopted new legislation expanding the scope of its espionage laws to include digital espionage and other activities carried out on behalf of foreign states that may harm Dutch national interests. The updated law complements existing provisions that criminalise the disclosure of state secrets by adding penalties for leaking sensitive, but not classified, information and for conducting harmful activities linked to foreign entities.

Under the revised legal framework, penalties for computer-related offenses associated with espionage have been increased. Individuals found guilty of such offenses could face up to eight years in prison, or up to twelve years in particularly severe cases.

Netherlands Justice and Security Minister David van Weel stated that the measures aim to enhance national resilience against foreign threats.

In parallel, the government is moving forward with plans to implement vetting procedures for researchers and students seeking access to sensitive technologies at Dutch academic institutions. This follows growing concern over foreign interest in strategic research, particularly from China, as noted by Dutch intelligence services.

In recent assessments, Dutch authorities have reported both Chinese cyber activities targeting intellectual property and Russian state-linked attempts to disrupt national infrastructure. Incidents include reported efforts to infiltrate institutions based in The Hague, such as the International Criminal Court and the Organisation for the Prohibition of Chemical Weapons.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!