Anthropic's AI model, Mythos, will be made available to the European Union's Agency for Cybersecurity (ENISA) through a collaboration known as Project Glasswing. This initiative stems from close cooperation between the European Commission and Anthropic.
The Pentagon is actively promoting the use of Artificial Intelligence in military operations, viewing it as a significant advantage. However, some military leaders are expressing a need for caution regarding its implementation.
A significant portion of CISOs admit their organizations are not adequately protecting data or are unprepared for cyberattacks, indicating critical security gaps. The article outlines six key areas CISOs must address, including a perception gap where security is still viewed primarily as an IT problem rather than a business resilience issue.
Russia has significantly expanded its SORM surveillance requirements, imposing stricter data retention and access mandates on telecommunications and internet service providers. This move is part of an ongoing effort to increase state control over online communications and data within the country.
Russian intelligence agencies are actively targeting Western technology by creating shell companies, enlisting intermediaries, and utilizing cyber espionage and hacking operations. This effort aims to acquire sensitive information potentially for use against critical infrastructure as the nation faces economic sanctions.
California's AB 1856 proposes to exempt open-source operating systems from the age-gating requirements of AB 1043, but it also expands these requirements to web browsers and websites. The Electronic Frontier Foundation (EFF) opposes the bill, arguing that the expanded age-gating harms users' speech, privacy, and anonymity, and continues to disproportionately burden open-source developers.
U.S. Immigration and Customs Enforcement (ICE) has awarded a $25 million contract for a biometric scanner system that will collect iris and facial scans. The system, developed by Idemia Identity & Security, is intended to improve border security and identify individuals entering the country.
CISA has added CVE-2026-0257, a Palo Alto Networks PAN-OS authentication bypass vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog. This inclusion is due to evidence of active exploitation, posing significant risks to federal networks. CISA urges all organizations to prioritize the remediation of these cataloged vulnerabilities as part of their security practices.
The California Attorney General has filed a lawsuit against 23andMe, alleging the company failed to adequately protect user data following a significant data breach in 2023. The lawsuit was filed against Chrome Holding Co., the entity 23andMe rebranded under after its bankruptcy filing.
Public companies are now required by the SEC to include a section in their annual 10-K filings detailing their cybersecurity risk management, strategy, governance, and incidents. This article analyzes these filings, focusing on the top 200 S&P companies, to understand how senior executives are reporting on their cybersecurity posture and to identify trends. The research specifically examines the role of the Chief Information Security Officer (CISO) and their reporting structure.
Big tech companies are challenging GDPR fines, a trend that experts see as a precursor to future pushback against AI regulations. While these challenges may not be inherently concerning, the increasing integration of AI presents a greater data protection challenge. The GDPR's influence on data protection law globally, particularly its 72-hour breach notification standard, is highlighted, though enforcement issues remain.
The article argues that online age verification schemes, despite good intentions, create significant privacy and security risks by forcing users to submit sensitive personal information. Centralized data from these schemes becomes a prime target for leaks and hacks, with past incidents already demonstrating these dangers.
Microsoft is advocating for Coordinated Vulnerability Disclosure (CVD) and urging researchers to share their findings with vendors before public disclosure. This stance follows an incident where a researcher, Chaotic Eclipse, disclosed details of multiple zero-day vulnerabilities.
India's cybersecurity agency, CERT-In, has issued new guidance urging organizations to address exploited internet-facing vulnerabilities within 12 hours, citing the acceleration of attacks due to AI. The advisory also includes tiered remediation timelines for critical internal and high-severity vulnerabilities.
This article discusses how the cyber insurance industry is compelling organizations to quantify their security risks. It explores what cyber insurance policies typically cover and highlights how this focus on risk assessment can ultimately improve overall cybersecurity posture.
New EU rules for accessing documents, intended to increase transparency, could paradoxically reduce it by creating loopholes that allow public bodies to refuse requests. This is particularly concerning for large tech companies, who may exploit these new provisions to shield their internal operations and data from public scrutiny.
India's cyber agency, CERT-In, has issued a directive mandating that internet-facing or critical systems be patched, mitigated, or disconnected within 12 hours of exploited vulnerabilities being identified. This accelerated response time is driven by the increasing speed and sophistication of cyberattacks, exacerbated by advancements in AI.
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. These vulnerabilities, affecting Daemon Tools Lite, TanStack, and Nx Console, are flagged as frequent attack vectors posing significant risks. The KEV Catalog is part of a directive requiring federal agencies to remediate these vulnerabilities, and CISA urges all organizations to prioritize their patching.
State cybersecurity leaders are urging Congress to increase funding and support for critical infrastructure protection. They highlighted the negative impact of federal cutbacks on cyber grants and information-sharing initiatives, especially in light of recent damaging attacks.
CISA has added CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin, to its Known Exploited Vulnerabilities (KEV) Catalog. This addition is based on evidence of active exploitation, highlighting it as a significant risk to the federal enterprise.
CERT-In has mandated a 12-hour patching window for internet-facing vulnerabilities, emphasizing the need for rapid response due to AI-assisted attacks. This measure aims to protect systems from threats amplified by the misuse of AI and LLMs by malicious actors.
The article argues that traditional AI governance models, where compliance is treated as a post-development review, are failing. Instead, AI governance should be integrated as 'release infrastructure' directly into the development pipeline, similar to practices observed in China.
Dutch authorities have arrested two individuals who allegedly operated IT infrastructure used by Russia for cyberattacks, influence operations, and disinformation campaigns targeting the EU. The arrests targeted the co-owners of two hosting companies that had taken over the infrastructure of a previously sanctioned Internet service provider linked to Russian intelligence.
The Texas Attorney General has filed a lawsuit against Meta, alleging that WhatsApp does not provide true end-to-end encryption. Critics, including a US Senate candidate, have pointed out a lack of factual support for the claims made in the lawsuit.
European authorities, with assistance from Europol and Eurojust, have dismantled First VPN, a service used by cybercriminals to conceal their activities during ransomware attacks and other offenses. The crackdown raises broader concerns about government attempts to restrict VPN usage, with various countries considering legislation that could impact internet access and privacy.
CISA has added CVE-2026-9082, a Drupal Core SQL Injection Vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. This inclusion is part of Binding Operational Directive 22-01, which mandates remediation for federal agencies and urges all organizations to prioritize these vulnerabilities.
Democrats have criticized former President Trump's budget allocations, highlighting a perceived discrepancy between spending on cybersecurity initiatives and expenditures on other areas. Rep. Delia Ramirez emphasized that budgets reflect moral priorities, suggesting a disconnect in the Trump administration's fiscal decisions.
CISA has added two new vulnerabilities, CVE-2025-34291 and CVE-2026-34926, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. These vulnerabilities, affecting Langflow and Trend Micro Apex One respectively, are considered significant risks, particularly for federal agencies.
Politicians in Australia are reportedly considering ditching the encrypted messaging app Signal for domestically developed applications. This move is driven by concerns over foreign ownership and potential data access by foreign governments. The shift aims to bolster national security and data sovereignty.
EPIC, along with over 40 civil society groups, is urging the U.S. House Committee on Transportation and Infrastructure to ban the use of automatic license plate readers (ALPRs) except for tolling purposes. This push is in response to the increasing prevalence of ALPR surveillance technology and is part of an amendment to the Highway Bill.
An analysis of cybersecurity incidents revealed that process and cultural issues, rather than technical vulnerabilities, are the primary drivers of data breaches. Government leaders noted that despite existing state laws aimed at improving cyber hygiene, persistent problems and a lack of visibility continue to hinder effective security.
EPIC has submitted comments to CalPrivacy, urging the agency to ensure privacy policies are accessible and free from dark patterns. The organization advocates for policies that clearly link to actionable steps for Californians to exercise their privacy rights under state law.
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating evidence of active exploitation. These vulnerabilities, including buffer overflows and denial-of-service flaws in Microsoft and Adobe products, pose significant risks, especially to the federal enterprise. CISA urges all organizations to prioritize their remediation.
Interpol's 'Operation Ramz' successfully concluded with a crackdown on cybercrime, involving 13 countries across the Middle East and North Africa (MENA) region. This operation marks the largest law enforcement collaboration to date in the region, aiming to enhance cross-border cooperation against cyber threats.
This article discusses the increasing prevalence of AI failures in cybersecurity and explores the legal implications and liability associated with them. It will examine legislation addressing AI-provoked incidents on both sides of the Atlantic, focusing on prevention, risk mitigation, and personal liability for executives.
The article posits that cyber resilience should be the new standard for business continuity planning. Organizations should focus on aligning security, continuity, and risk management to protect their most critical assets.
Laurie Anderson quotes Bruce Schneier's statement, "If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems," in her new album and interviews when discussing AI.
The article discusses the concept of AI Bills of Materials (BOMs) and their growing importance in managing the risks associated with artificial intelligence. It explores how these detailed inventories of AI components are essential for transparency and security within AI systems.
The Polish government has instructed its officials to stop using the Signal messaging app due to concerns about potential social engineering attacks targeting high-ranking individuals. Officials are directed to switch to a domestically developed secure communication alternative.
Mozilla is warning the UK government against plans to mandate that VPN providers block access to age-verified adult content. The company argues that VPNs are essential security tools for protecting user privacy and anonymity online, not tools for circumventing age verification. Mozilla suggests that breaking VPN functionality would undermine fundamental internet security for all users.
South Korea is testing new regulations aimed at curbing the spread of deepfakes, particularly during its upcoming local elections. The effectiveness of these laws in combating deceptive AI-generated content will be observed.
This article summarizes several cybersecurity-related news items, including Big Tech's opposition to Canada's encryption bill, Cisco's offering of a free AI security specification, and vulnerabilities found in Audi's app. It also briefly mentions other stories like an Nvidia cloud gaming data breach and Android 17 security upgrades.
Privacy International has submitted a report to the UN High Commissioner for Human Rights concerning the protection of human rights defenders in the digital age. The submission highlights the increasing digital threats faced by these individuals and calls for stronger measures to safeguard their privacy and security online.
This article analyzes a new U.S. counterterrorism strategy, highlighting how its implementation could potentially increase risks for individuals. The White House document outlines the government's approach to domestic counterterrorism efforts.
The EU's Cyber Resilience Act (CRA) shifts focus from processes to product safety for IT products, including software and firmware. It mandates vulnerability and incident reporting within strict timelines, requiring organizations to have these processes in place by September 11th. Many organizations are unprepared for these obligations, particularly regarding automated SBOM generation and rapid reporting.
A UK parliamentary committee has expressed concerns that the current online safety regime is inadequately protecting children on social media platforms. The committee is urging ministers to treat social media companies with greater scrutiny, comparing them to the regulation of unsafe children's toys.
Colorado's legislature has amended its landmark AI law for the second time, significantly weakening its original requirements. The latest changes further postpone the law's effective date.
The article provides a list of upcoming speaking engagements for the author. These engagements include virtual and in-person talks on topics such as the security of trust in the age of AI and national cybersecurity.
The G7 countries have released guidance on AI Software Bill of Materials (SBOM) to improve transparency in AI systems and their supply chains. The guidance outlines minimum elements intended to help organizations achieve this transparency.
This article discusses the ongoing debate and conflict surrounding AI regulation. It highlights the intense disagreements among various stakeholders regarding how artificial intelligence should be governed, indicating a significant challenge in establishing a clear regulatory path forward.