<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description>ComputerWeekly’s best articles of the day</description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Mon, 27 Apr 2026 07:44:49 GMT</lastBuildDate>
        <link>https://www.computerweekly.com</link>
        <managingEditor>editor@computerweekly.com</managingEditor>
        <item>
            <body>&lt;p&gt;Security leaders should be turning &lt;a href="https://www.computerweekly.com/opinion/Confidence-in-AI-powered-cyber-must-be-earned-not-assumed" target="_blank" rel="noopener"&gt;offensive artificial intelligence (AI) cyber tools&lt;/a&gt; on their own systems before threat actors do, exploiting the innate defenders’ advantage to attain the high ground and increase their chances of withstanding a cyber attack.&lt;/p&gt; 
&lt;p&gt;So says Yinon Costica, co-founder of &lt;a href="https://www.wiz.io/" target="_blank" rel="noopener"&gt;Google-owned Wiz&lt;/a&gt;, who, speaking at &lt;a href="https://cloud.google.com/blog/topics/google-cloud-next/welcome-to-google-cloud-next26" target="_blank" rel="noopener"&gt;Google Cloud Next in Las Vegas&lt;/a&gt;, argued that defenders can win against attackers by using AI to exploit an advantage that may not appear obvious at first glance, that of context.&lt;/p&gt; 
&lt;p&gt;“The same AI model can obviously produce very different results based on the context that we feed into it,” he said. “Now, attackers hopefully have much less context about us, while as defenders we do have a lot of context about our environments that we can share with the model.&lt;/p&gt; 
&lt;p&gt;“If, as defenders, we take the first movers’ advantage and we use the AI against ourselves, with the context we have, we actually stand a chance to win … But we need to act fast,” said Costica.&lt;/p&gt; 
&lt;p&gt;“We need to start using AI against ourselves as much as possible, whether it’s to scan attack surfaces, scan code, scan anything, in order to be the first one to see the results and not to wait for the bad guys to do it before us.”&lt;/p&gt; 
&lt;p&gt;As speed becomes ever more of the essence in cyber security, Costica conceded that this would be a challenge for defenders – but noted that the tools to do this are rapidly becoming available. To try to help, Wiz unveiled three new &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-agents" target="_blank" rel="noopener"&gt;AI agents&lt;/a&gt; at Google Cloud Next – red, green and blue – which are named for the human cyber teams they are designed to help.&lt;/p&gt; 
&lt;p&gt;“What agents allow us to do is really get to the next level of acceleration [and] automation of security work,” said Costica.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more from Google Cloud Next&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;Attendees at Google Cloud Next in Las Vegas are backing AI all the way to the bank. But as AI turns up in everything, everywhere, all at once, we’re going to need to get a lot stricter &lt;a href="https://www.computerweekly.com/opinion/Google-Cloud-Next-Its-time-to-create-value-not-slop-from-the-AI-boom" target="_blank" rel="noopener"&gt;about what we use it for&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;With more AI agents moving to production, Google Cloud is targeting governance, multi-cloud data architecture and purpose-built silicon to help enterprises &lt;a href="https://www.computerweekly.com/news/366641999/Google-launches-Gemini-Agent-Platform-eighth-generation-TPUs" target="_blank" rel="noopener"&gt;orchestrate agentic workflows&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;Blue chips will expand use of Gemini Enterprise AI agents on a revamped platform, but how far its appeal will extend beyond the Google Cloud user base &lt;a href="https://www.techtarget.com/searchitoperations/news/366642097/Merck-Home-Depot-tap-Gemini-Enterprise-for-AI-agent-development" target="_blank" rel="noopener"&gt;remains to be seen&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;p&gt;The red agent is designed to assist red team penetration testing work by probing deep into its owners’ IT estate, identifying potential exposures, such as &lt;a href="https://www.computerweekly.com/news/366618596/DeepSeek-API-chat-log-exposure-a-rookie-cyber-error" target="_blank" rel="noopener"&gt;application programming interfaces&lt;/a&gt;, end-of-life &lt;a href="https://www.computerweekly.com/news/366641403/Russian-cyber-spies-targeting-consumer-Soho-routers" target="_blank" rel="noopener"&gt;edge networking kit&lt;/a&gt; or operational technology (OT) assets, and running penetration tests on them. The green agent follows on by automating the triage process, something that can take ages for humans. Finally, the blue agent acts as a detective, doing the investigative work that can also be a lengthy process for human teams.&lt;/p&gt; 
&lt;p&gt;“These three agents together form a layer that is autonomous and automated,” said Costica. “It’s not revolutionary in that it aligns closely to how security teams have been working for many years, but now it allows each team to automate their workflows.&lt;/p&gt; 
&lt;p&gt;“It’s like living in the future in the eyes of security teams because it means that from the moment they find a risk, they can automate the process to find who owns it and deliver the code fix to complete and redeploy to production.”&lt;/p&gt; 
&lt;p&gt;A little over a month on from the closure of the $32bn acquisition of Wiz – Google’s largest purchase to date – the two organisations reaffirmed their commitment to providing a unified security platform, retaining Wiz’s brand, that will enhance the speed with which customers detect, prevent and respond to threats, especially emerging ones created using AI.&lt;/p&gt; 
&lt;p&gt;The duo also claim their combined capability will accelerate adoption of multi-cloud security and spur more confidence in innovation around cloud and AI. Wiz’s products are also to continue to be made available across other platforms, including Amazon Web Services (AWS), Microsoft Azure and Oracle Cloud. It also announced support for Databricks and agent studios such as AWS Agentcore, Microsoft Azure Copilot Studio and Salesforce Agentforce, as well as the Gemini Enterprise Agent Platform, and continues to support security ecosystems with integrations to the outer layer of the cloud, including Google Cloud Apigee, Cloudflare AI Security for Apps, and the Vercel platform.&lt;/p&gt; 
&lt;p&gt;Behind the scenes, Wiz has also updated how it integrates security detections from Wiz Defend with Google Security Operations and Mandiant Threat Defence to make life easier for human analysts.&lt;/p&gt; 
&lt;p&gt;And it announced new capabilities to secure the AI-native deployment cycle. These include scanning vibe coded applications for issues; AI-generated code scanning and vulnerability remediation; agent-based remediation allowing teams to automate remediation workflows; and an AI bill of materials to keep on top of the use of shadow AI for coding.&lt;/p&gt;</body>
            <description>At Google Cloud Next, Wiz co-founder Yinon Costica called on security defenders to use AI to steal a march on threat actors, and launched agentic capabilities for cyber teams</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Robot-AI-books-learning-Adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366642436/Wiz-founder-Hack-yourself-with-AI-before-the-bad-guys-do</link>
            <pubDate>Fri, 24 Apr 2026 15:15:00 GMT</pubDate>
            <title>Wiz founder: Hack yourself with AI, before the bad guys do</title>
        </item>
        <item>
            <body>&lt;p&gt;BT and mobile provider EE have now blocked over a billion clicks to malicious websites using intelligence supplied by the UK’s &lt;a href="https://www.computerweekly.com/news/366642156/NCSC-heralds-end-of-passwords-for-consumers-and-pushes-secure-passkeys"&gt;National Cyber Security Centre&lt;/a&gt; (NCSC), according to figures disclosed today.&lt;/p&gt; 
&lt;p&gt;The NCSC’s Share and Defend programme, launched last year, protects 46 million mobile phone users and 12 million fixed line internet subscribers from websites that could deliver malicious code, malware or phishing attacks, the NCSC said.&lt;/p&gt; 
&lt;p&gt;It has allowed BT to head off “early stage cyber attacks” and attempts by its customers to access scam websites.&lt;/p&gt; 
&lt;p&gt;The programme provides telecoms companies with streams of alerts about malicious websites, giving telcos and internet companies the option to block access to the most severe risks to their customers.&lt;/p&gt; 
&lt;p&gt;Claimed to be the most extensive in the world, Share and Defend provides alerts to BT, EE and VodafoneThree.&lt;/p&gt; 
&lt;p&gt;Other partners include broadband company PXC, which provides wholesale broadband and network services.&lt;/p&gt; 
&lt;p&gt;The NCSC said it is “engaging” with other companies to achieve wider coverage and looking to bring new partners into the scheme.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Threat feeds"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Threat feeds&lt;/h2&gt;
 &lt;p&gt;Share and Defend provides telcos with alerts from threat feeds, some of which are private to the NCSC, with others provided by businesses, and the Cyber Defence Alliance, a group for the finance sector.&lt;/p&gt;
 &lt;p&gt;Other alerts are generated by take-down notices issued to remove malicious content from the internet, and from websites identified as being linked to phishing sites reported by the public.&lt;/p&gt;
 &lt;p&gt;Organisations signed up to the programme are able to protect their customers from accessing malicious content, but can choose which sites to block based on their own risk analysis.&lt;/p&gt;
 &lt;p&gt;The programme provides threat data from the NCSC-developed Protective Domain Name Service, run by Cloudflare and Accenture. The service is capable of preventing access to malicious web domains when they are looked up on the Domain Name System used to navigate the internet.&lt;/p&gt;
 &lt;p&gt;It also takes feeds from the NCSC’s takedown service – run in conjunction with cyber security company Netcraft – which blocks and removes websites linked to spam and phishing attacks that could damage the reputation of government services.&lt;/p&gt;
 &lt;p&gt;The Share and Defend service is also used by Jisc, a not-for-profit organisation that builds and maintains the Janet network, used by education and research organisations.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more from CyberUK 2026&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641875/CYBERUK-26-UK-lagging-on-legal-protections-for-cyber-pros"&gt;CyberUK 2026 – UK lagging on legal protections for cyber pros&lt;/a&gt;: Ahead of this year’s CyberUK conference, the CyberUp Campaign for reform of the UK’s hacking laws proposes a four-pillar framework that would protect cyber professionals from prosecution.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief"&gt;Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief&lt;/a&gt;: The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, warns at the CyberUK conference.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats"&gt;UK to build ‘national cyber shield’ to protect against AI cyber threats&lt;/a&gt;: Security minister Dan Jarvis calls for artificial intelligence companies to work with government to develop AI-driven cyber defences.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366642156/NCSC-heralds-end-of-passwords-for-consumers-and-pushes-secure-passkeys"&gt;NCSC heralds end of passwords for consumers and pushes secure passkeys&lt;/a&gt;: UK National Cyber Security Centre is urging consumers to replace passwords and two-factor authentication with passkeys, following a technical study that shows they are more secure and easier to use.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641986/Chinese-hackers-using-compromised-networks-to-spy-on-Western-companies-says-Five-Eyes"&gt;Chinese hackers using compromised networks to spy on Western companies, says Five Eyes&lt;/a&gt; - Companies urged to take countermeasures as Chinese hacking groups use networks of infected home and office devices ‘at scale’ to evade security monitoring systems.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>NCSC’s Share and Defend scheme has seen BT block over a billion clicks through to malicious websites</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/cyber-security-attack-virus-malware-Skorzewiak-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366642433/BT-has-now-blocked-over-a-billion-clicks-to-malicious-websites-says-NCSC</link>
            <pubDate>Fri, 24 Apr 2026 11:30:00 GMT</pubDate>
            <title>BT has now blocked over a billion clicks to malicious websites, says NCSC</title>
        </item>
        <item>
            <body>&lt;p data-end="5614" data-start="5350"&gt;Organizations use digital signatures when an agreement needs more than convenience. They use them when a workflow requires &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/E-signature-vs-digital-signature-Whats-the-difference"&gt;stronger signer verification&lt;/a&gt;, tamper evidence and a better evidentiary trail than a basic electronic signature provides.&lt;/p&gt; 
&lt;p data-end="5871" data-start="5616"&gt;That distinction matters because not every document needs the same level of trust. Routine approvals may only need a simple e-signature, while regulated, high-value or dispute-sensitive transactions often benefit from certificate-based digital signatures.&lt;/p&gt; 
&lt;p data-end="6126" data-start="5873"&gt;In practice, the goal is to match the signing method to the risk. The right question is not whether a business can sign electronically. It is whether the transaction needs stronger identity assurance, document integrity controls and compliance support.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Digital signatures vs. e-signatures"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Digital signatures vs. e-signatures&lt;/h2&gt;
 &lt;p&gt;Organizations must understand the &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/E-signature-vs-digital-signature-Whats-the-difference"&gt;difference between digital signatures and e-signatures&lt;/a&gt; so they can implement a level of security that meets their needs.&lt;/p&gt;
 &lt;p&gt;An e-signature is a broad term that includes any signature a user sends electronically. Some e-signatures, such as those retail stores use for small transactions, don't require identity verification. However, other types, such as digital signatures, involve a strict authentication process.&lt;/p&gt;
 &lt;p&gt;In the U.S., the E-SIGN Act gives &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/Are-electronic-signatures-legally-binding"&gt;electronic signatures legal standing&lt;/a&gt; when key conditions are met, but organizations still use digital signatures when they need stronger identity assurance and tamper evidence. In the EU, trust-service frameworks make those assurance levels even more explicit.&lt;/p&gt;
 &lt;p&gt;Digital signatures rely on &lt;a href="https://www.techtarget.com/searchsecurity/definition/public-key"&gt;public key cryptography&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/public-key-certificate"&gt;digital certificates&lt;/a&gt; to verify authenticity and detect tampering. In a typical workflow, the system creates a hash of the document and signs that hash with the sender's private key. The recipient then uses the corresponding public key and certificate to verify the signature and confirm that the document has not been altered since it was signed.&lt;/p&gt;
 &lt;p&gt;To create a digital signature, organizations typically use an &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/Top-e-signature-software-providers"&gt;e-signature system&lt;/a&gt;. E-signature systems offer digital signature capabilities, but they can also streamline workflows. For example, they can send reminder notifications to late signatories and assign roles to specific individuals.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;When to use a digital signature instead of a basic e-signature&lt;/h3&gt; 
   &lt;p&gt;Use a basic e-signature when speed and convenience are the priority and the workflow does not require higher assurance. Use a digital signature when the organization needs certificate-backed signer verification, tamper evidence and a stronger audit trail. In practice, the choice depends on transaction risk, compliance requirements and the evidentiary burden if the agreement is challenged later.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="What are digital signatures used for?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are digital signatures used for?&lt;/h2&gt;
 &lt;p&gt;Organizations can use digital signatures anywhere a signature is required, but they usually reserve them for transactions where stronger trust, signer verification and document integrity matter most. Common examples include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Real estate purchase and sale agreements&lt;/li&gt; 
  &lt;li&gt;Sales contracts&lt;/li&gt; 
  &lt;li&gt;Insurance agreements&lt;/li&gt; 
  &lt;li&gt;Tax documents and forms&lt;/li&gt; 
  &lt;li&gt;Construction change orders&lt;/li&gt; 
  &lt;li&gt;Clinical trials&lt;/li&gt; 
  &lt;li&gt;Loans&lt;/li&gt; 
  &lt;li&gt;Mortgages&lt;/li&gt; 
  &lt;li&gt;Leases&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="How digital signatures work"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How digital signatures work&lt;/h2&gt;
 &lt;p&gt;Digital signatures rely on digital certificates that trust service providers issue to signers. These providers are legal entities that use processes and tools in accordance with a national authority, such as the U.S. government or EU, to verify e-signatures' authenticity.&lt;/p&gt;
 &lt;p&gt;"The trust service provider verifies the identity of the signer prior to the issuance of the digital certificate using various mechanisms, [such as] near-field communication, automated video-based identity documents and biometric verification," Manaila said.&lt;/p&gt;
 &lt;p&gt;After the trust service provider verifies the signer's identity, it issues the digital certificate in the cloud. It stores the required cryptographic keys on a hardware security module (&lt;a href="https://www.techtarget.com/searchsecurity/definition/hardware-security-module-HSM"&gt;HSM&lt;/a&gt;) and protects them with two-factor authentication (2FA). These security measures let people sign documents and get digital certificates from any type of platform, device or smartphone, Manaila said.&lt;/p&gt;
 &lt;p&gt;Some countries issue electronic identification cards that store the owner's biometric data, such as their fingerprint or facial structure, on a chip. Citizens and organizations can use these cards to prove their identity online and quickly obtain a digital certificate.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.computerweekly.com/rms/onlineimages/how_digital_signatures_work-f.png"&gt;
  &lt;img data-src="https://www.computerweekly.com/rms/onlineimages/how_digital_signatures_work-f_mobile.png" class="lazy" data-srcset="https://www.computerweekly.com/rms/onlineimages/how_digital_signatures_work-f_mobile.png 960w,https://www.computerweekly.com/rms/onlineimages/how_digital_signatures_work-f.png 1280w" alt="Diagram showing the digital-signature workflow from document hashing and certificate-backed signing to signature verification and downstream processing." height="260" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The digital-signature process uses certificates, private/public keys and document hashes to verify signer identity, detect tampering and support downstream workflows.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How cloud affected the digital signature landscape"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How cloud affected the digital signature landscape&lt;/h2&gt;
 &lt;p&gt;Before the proliferation of cloud services, organizations relied on physical devices, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-token"&gt;security tokens&lt;/a&gt; or smart cards, to protect their digital certificates with an HSM. This traditional approach posed implementation challenges. For example, the approach isn't user-friendly because it requires users to carry a physical device, Manaila said.&lt;/p&gt;
 &lt;p&gt;Cloud tools, on the other hand, store the cryptographic keys on the cloud provider's HSM so organizations don't need to track physical tokens or replace them over time. Cloud products are also more scalable and require no physical maintenance costs.&lt;/p&gt;
 &lt;p&gt;The digital signature landscape changed after the Cloud Signature Consortium (CSC) standardized remote, cloud-based digital signatures with its open source API. This technology offers the following benefits:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Generates remote digital signatures across desktop, web and mobile devices.&lt;/li&gt; 
  &lt;li&gt;Protects legally binding signatures with 2FA.&lt;/li&gt; 
  &lt;li&gt;Integrates with various &lt;a href="https://www.techtarget.com/searcherp/definition/ERP-enterprise-resource-planning"&gt;ERP&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchcontentmanagement/feature/How-to-choose-the-right-document-management-system"&gt;digital transaction management systems&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Reduces IT governance costs.&lt;/li&gt; 
  &lt;li&gt;Ensures compliance with e-signature laws in the U.S. and EU, such as the &lt;a href="https://ico.org.uk/for-organisations/guide-to-eidas/what-is-the-eidas-regulation" target="_blank" rel="noopener"&gt;Electronic Identification, Authentication and Trust Services Regulation&lt;/a&gt;.
  &lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Security benefits of digital signatures"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Security benefits of digital signatures&lt;/h2&gt;
 &lt;p&gt;Digital signature technology can help organizations prevent bad actors from tampering with important transactions. Security benefits include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Links signer's identity to the signature.&lt;/li&gt; 
  &lt;li&gt;Makes the signer legally responsible for their actions.&lt;/li&gt; 
  &lt;li&gt;Securely stores the digital certificate's cryptographic keys on a certified HSM and protects them with 2FA.&lt;/li&gt; 
  &lt;li&gt;Offers &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;access control&lt;/a&gt; to strengthen security.&lt;/li&gt; 
  &lt;li&gt;Can prove a signature's authenticity in court.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Digital signatures add assurance, but they also add process and training overhead. That is why organizations should treat them as a fit-for-purpose control: use them where the business needs higher trust, stronger evidence or stricter compliance, and use simpler e-signatures where speed and convenience matter more.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;Editor's note:&lt;/strong&gt; &lt;em&gt;This article was originally published in 2023 and was updated in 2026 to reflect current digital-signature workflows, legal context and enterprise use cases. &lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Digital signatures help organizations verify signer identity and detect tampering, but teams should choose them only when a transaction needs stronger trust, evidence and compliance controls</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/check_g530502390.jpg</image>
            <link>https://www.techtarget.com/searchcontentmanagement/tip/How-do-digital-signatures-work</link>
            <pubDate>Fri, 24 Apr 2026 10:13:00 GMT</pubDate>
            <title>How do digital signatures work?</title>
        </item>
        <item>
            <body>&lt;p&gt;Medical data belonging to half a million British citizens has been offered for sale on a Chinese website following a security breach at health information database UK Biobank.&lt;/p&gt; 
&lt;p&gt;Technology minister Ian Murray said that data obtained from UK Biobank had been advertised for sale by several sellers on Alibaba e-commerce platforms in China, in what he called an “unacceptable abuse”.&lt;/p&gt; 
&lt;p&gt;UK Biobank, a non-profit charity, collects medical data provided by volunteers and shares it with researchers around the world to further medical research in cancer, heart disease and ways of predicting dementia.&lt;/p&gt; 
&lt;p&gt;The charity informed the UK government on Monday that it had identified anonymised data from its volunteers for sale by three sellers on Alibaba, including at least one listing that appeared to offer anonymised data from its 500,000 volunteers.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Unacceptable abuse of data"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Unacceptable abuse of data&lt;/h2&gt;
 &lt;p&gt;“This has been an unacceptable abuse of the UK Biobank charity’s data and an abuse of the trust that participants rightly expect when sharing their data for research purposes,” Murray said in a &lt;a href="https://www.gov.uk/government/speeches/minister-of-state-statement-to-the-house-of-commons-23-april-2026"&gt;statement to Parliament&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;UK Biobank has assured its volunteers that the data contained no participants’ names, addresses, contact details, or telephone numbers. The charity does not believe that any of the data was sold.&lt;/p&gt;
 &lt;p&gt;UK Biobank said it had now revoked access to research institutions identified as the source of the breach of its UK data cloud.&lt;/p&gt;
 &lt;p&gt;Murray said the UK government had worked quickly with Biobank, the Chinese government and Alibaba to take down the listings offering the data.&lt;/p&gt;
 &lt;p&gt;“We have asked the Biobank charity to pause further access to its data until they have put in place a technical solution to prevent data from its current platform from being downloaded in this way again,” he said.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Biobank will improve security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Biobank will improve security&lt;/h2&gt;
 &lt;p&gt;Rory Collins, chief executive of Biobank, told volunteers in a &lt;a href="https://www.ukbiobank.ac.uk/news/a-message-to-our-participants-uk-biobank-data-security-update/"&gt;statement&lt;/a&gt; that personally identifiable information (PII) was safe and that it would put additional security measures in place to prevent the incident from happening again.&lt;/p&gt;
 &lt;p&gt;He said that researchers go through a rigorous access review process and institutions sign a contract committing to keeping data secure before they are given access to Biobank.&lt;/p&gt;
 &lt;p&gt;“This is a clear breach of the contract signed by these academic institutions, and they, along with the individuals involved, have had their access suspended,” he added.&lt;/p&gt;
 &lt;p&gt;Biobank has temporarily suspended all access to its UK cloud-based research platform, and plans to introduce a limit on the size of files that can be taken off the platform. It will also monitor files exported from the platform for suspicious behaviour.&lt;/p&gt;
 &lt;p&gt;The charity said it was developing an automated checking system to prevent de-identified data from being taken off its research platform, while still allowing scientists to conduct research. The system will be in place by the end of the year.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="UK government to issue guidance"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;UK government to issue guidance&lt;/h2&gt;
 &lt;p&gt;Murray said the government would soon be issuing guidance on controlling data from research studies, and urged businesses and charities to ensure their systems and data-sharing processes are as secure as possible.&lt;/p&gt;
 &lt;p&gt;The charity has reported the incident to the Information Commissioner’s Office (ICO).&lt;/p&gt;
 &lt;p&gt;An ICO spokesperson said: “People’s medical data is highly sensitive information. Not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. UK Biobank has made us aware of an incident, and we are making enquiries.”&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;What companies should do&lt;/h3&gt; 
   &lt;p&gt;All organisations should map and “baseline” their edge device traffic, especially VPN and remote access connections. They should adopt dynamic threat feed filtering that includes known covert network indicators.&lt;/p&gt; 
   &lt;p&gt;Potential victims of Chinese infiltration should implement two-factor authentication for remote access and, where possible, apply zero-trust controls, IP allow lists and machine certificate verification.&lt;/p&gt; 
   &lt;p&gt;Larger or high-risk entities should consider active hunting of suspicious traffic from home office devices or traffic from the internet of things, geographic profiling, and machine learning-based anomaly detection.&lt;/p&gt; 
   &lt;p style="text-align: right;"&gt;&lt;em&gt;Source NCSC&lt;/em&gt;&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>Biobank operator is taking steps to improve security after biological, health and lifestyle information from its database was offered for sale on a Chinese website</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/healthcare-medical-statistics-stethoscope-adobe.jpeg</image>
            <link>https://www.computerweekly.com/news/366642041/Medical-data-about-half-a-million-Britains-on-sale-in-China-after-Biobank-breach</link>
            <pubDate>Thu, 23 Apr 2026 10:59:00 GMT</pubDate>
            <title>Medical data of half a million Britons on sale in China after Biobank breach</title>
        </item>
        <item>
            <body>&lt;p&gt;China-linked hackers are using networks of vulnerable &lt;a href="https://www.techtarget.com/iotagenda/Ultimate-IoT-implementation-guide-for-businesses"&gt;internet-connected devices&lt;/a&gt;, including home routers, printers and smart devices, as cover to mount espionage and hacking operations.&lt;/p&gt; 
&lt;p&gt;The technique is now used by the majority of China-linked hackers as a way to obscure hacking and espionage attacks launched against organisations in the West.&lt;/p&gt; 
&lt;p&gt;The UK’s National Cyber Security Centre (NCSC) and national agencies in nine other countries have warned today that Chinese-linked groups are now leveraging networks of infected devices “at scale” to target critical sectors globally and steal sensitive data.&lt;/p&gt; 
&lt;p&gt;According to an advisory issued by the Five Eyes intelligence-sharing alliance – comprising the UK, the US, Canada, Australia and New Zealand –&amp;nbsp;and 10 other countries, Chinese groups are exploiting security vulnerabilities in unpatched internet devices to create networks to use as a staging post to launch further attacks.&lt;/p&gt; 
&lt;p&gt;“We know that China’s intelligence and military agencies now display an eye-watering level of sophistication in their cyber operations,” said &lt;a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief"&gt;NCSC chief Richard Horne&lt;/a&gt; in a speech at its &lt;a href="https://www.cyberuk.uk/"&gt;CyberUK conference in Glasgow&lt;/a&gt;.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Covert networks hide ‘indicators of compromise’"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Covert networks hide ‘indicators of compromise’&lt;/h2&gt;
 &lt;p&gt;The agencies warn that the Chinese tactics are making it difficult for organisations to detect and attribute malicious attacks on their computer networks using traditional “indicators of compromise”.&lt;/p&gt;
 &lt;p&gt;Chinese groups, for example, could use a UK-based infected device as a staging post to hack into a UK-based company, meaning that blocking non-UK IP addresses no longer provides a defence for overseas attacks.&lt;/p&gt;
 &lt;p&gt;They advise companies to adopt “adaptive, intelligence-driven measures” to better mitigate the risks, including monitoring traffic from internet-connected devices, virtual private networks (VPNs) and remote access devices to identify suspicious traffic.&lt;/p&gt;
 &lt;p&gt;Chinese-linked groups are able to evade detection by exploiting low-cost networks of infected devices that can rapidly be reconfigured so that traditional static IP block lists are no longer effective.&lt;/p&gt;
 &lt;p&gt;The networks are used for each phase of a cyber attack, from reconnaissance and malware delivery, to command and control and data exfiltration against targets of espionage and offensive cyber operations, according to the advisory.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Covert networks behind major hacking operations"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Covert networks behind major hacking operations&lt;/h2&gt;
 &lt;p&gt;Covert networks of compromised devices have been used by the Chinese state-sponsored group Volt Typhoon to pre-position for future attacks on &lt;a href="https://www.computerweekly.com/news/366626193/Long-range-drones-to-fly-across-UKs-critical-national-infrastructure"&gt;critical national infrastructure (CNI)&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;The group has &lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a?utm_source=UK_NCSC&amp;amp;utm_medium=press_release&amp;amp;utm_campaign=VT_020724"&gt;targeted communications, energy, transport and water services in the US&lt;/a&gt;, and has been able to maintain covert access to critical IT systems for five years or more.&lt;/p&gt;
 &lt;p&gt;It used a network of vulnerable Cisco and NetGear routers, which were no longer supported by the manufacturers and were no longer receiving updates or security patches.&lt;/p&gt;
 &lt;p&gt;Another Chinese group, &lt;a href="https://www.computerweekly.com/news/366611295/NCSC-exposes-Chinese-company-running-malicious-Mirai-botnet"&gt;Flax Typhoon&lt;/a&gt;, has used a covert network of 260,000 compromised devices, including routers, firewalls, webcams and CCTV cameras, to conduct cyber espionage against targets in multiple countries.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Hacking as a service"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Hacking as a service&lt;/h2&gt;
 &lt;p&gt;Chinese hacking groups have a choice of covert networks, each with potentially hundreds of thousands of endpoints that change frequently, making it more difficult for targeted companies to block attacks, according to the advisory.&lt;/p&gt;
 &lt;p&gt;Chinese information security companies have maintained networks of infected devices, available as a service for Chinese-linked hacking groups.&lt;/p&gt;
 &lt;p&gt;Chinese company Integrity Technology Group controlled a network known as &lt;a href="https://www.techtarget.com/searchsecurity/news/366611357/FBI-disrupts-another-Chinese-state-sponsored-botnet"&gt;Raptor Train&lt;/a&gt;, which infected more than 200,000 devices worldwide in 2024.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Companies advised to take countermeasures"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Companies advised to take countermeasures&lt;/h2&gt;
 &lt;p&gt;The NCSC advises companies to map internet-connected devices in their organisation and corporate VPNs, so they can understand which traffic is legitimate.&lt;/p&gt;
 &lt;p&gt;They should also introduce &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;multifactor authentication (MFA)&lt;/a&gt; when employees use remote connections to dial into business networks.&lt;/p&gt;
 &lt;p&gt;Larger organisations can profile incoming connections based on operating systems, time zones, and the organisation’s systems configurations to identify legitimate traffic.&lt;/p&gt;
 &lt;p&gt;The Five Eyes and the NCSC advise the most at-risk organisations to actively track &lt;a href="https://www.computerweekly.com/news/366583712/Chinese-APT-suspected-of-Ministry-of-Defence-hack"&gt;Chinese advanced persistent threats (APTs)&lt;/a&gt;, using threat reports supplied by the NCSC to create dynamic block lists and rules to detect incoming threats.&lt;/p&gt;
 &lt;p&gt;“In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability,” said Paul Chichester, NCSC director of operations. “We call on organisations to act now to better defend their critical assets.”&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more from CyberUK 2026&lt;/h3&gt; 
   &lt;ul type="square" class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641875/CYBERUK-26-UK-lagging-on-legal-protections-for-cyber-pros"&gt;CyberUK 2026 – UK lagging on legal protections for cyber pros&lt;/a&gt;: Ahead of this year’s CyberUK conference, the CyberUp Campaign for reform of the UK’s hacking laws proposes a four-pillar framework that would protect cyber professionals from prosecution.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief"&gt;Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief&lt;/a&gt;: The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, warns at the CyberUK conference.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats"&gt;UK to build ‘national cyber shield’ to protect against AI cyber threats&lt;/a&gt;: Security minister Dan Jarvis calls for artificial intelligence companies to work with government to develop AI-driven cyber defences.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366642156/NCSC-heralds-end-of-passwords-for-consumers-and-pushes-secure-passkeys"&gt;NCSC heralds end of passwords for consumers and pushes secure passkeys&lt;/a&gt;: UK National Cyber Security Centre is urging consumers to replace passwords and two-factor authentication with passkeys, following a technical study that shows they are more secure and easier to use.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
 &lt;ul type="square" class="default-list"&gt;&lt;/ul&gt;
&lt;/section&gt;</body>
            <description>Companies urged to take countermeasures as Chinese hacking groups use networks of infected home and office devices ‘at scale’ to evade security monitoring systems</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/china-flag-fotolia.jpg</image>
            <link>https://www.computerweekly.com/news/366641986/Chinese-hackers-using-compromised-networks-to-spy-on-Western-companies-says-Five-Eyes</link>
            <pubDate>Thu, 23 Apr 2026 07:15:00 GMT</pubDate>
            <title>Chinese hackers using compromised networks to spy on Western companies, says Five Eyes</title>
        </item>
        <item>
            <body>&lt;p&gt;Consumers are being urged to replace passwords with passkeys as a simpler, more secure method of accessing online services.&lt;/p&gt; 
&lt;p&gt;The National Cyber Security Centre (NCSC), part of the signals intelligence agency GCHQ, said today that it would no longer recommend that individuals use passwords for logging on where passkeys are available as an alternative.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/whatis/feature/Passkey-vs-password-What-is-the-difference"&gt;Passkeys&lt;/a&gt;, which are securely stored on people’s phones, computers, or in third-party credential managers, are quicker and easier to use than passwords and offer stronger security.&lt;/p&gt; 
&lt;p&gt;The NCSC’s recommendation follows a technical study that shows passkeys are at least as secure as – and generally more secure than – a password combined with two-factor authentication, such as an authorisation code sent by SMS.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Resilience against phishing"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Resilience against phishing&lt;/h2&gt;
 &lt;p&gt;The agency claims that a move to passkeys would boost the UK’s resilience to phishing attacks and other hacking attempts, the majority of which rely on criminals stealing or compromising login details.&lt;/p&gt;
 &lt;p&gt;The UK government &lt;a href="https://www.computerweekly.com/news/366623776/UK-government-websites-to-replace-passwords-with-secure-passkeys"&gt;announced last year&lt;/a&gt; that it would roll out passkey technology for digital services as an alternative to current SMS-based verification systems, which incur additional costs for sending SMS messages.&lt;/p&gt;
 &lt;p&gt;The NHS became one of the first government organisations in the world to use passkeys to give patients secure access to hospital and pharmacy websites.&lt;/p&gt;
 &lt;p&gt;Online service providers, including Google, eBay and PayPal, also support passkeys. According to Google, over 50% of active Google users in the UK have a registered passkey – the highest uptake. Microsoft is also introducing passkeys for Hotmail.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more from CyberUK 2026&lt;/h3&gt; 
   &lt;ul type="square" class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641875/CYBERUK-26-UK-lagging-on-legal-protections-for-cyber-pros"&gt;CyberUK ’26: UK lagging on legal protections for cyber pros&lt;/a&gt;: Ahead of next week's CyberUK conference, the CyberUp Campaign for reform of the UK's hacking laws proposes a four-pillar framework that would protect cyber professionals from prosecution&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief"&gt;Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief&lt;/a&gt;: The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, will warn at the CyberUK conference.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats"&gt;UK to build ‘national cyber shield’ to protect against AI cyber threats&lt;/a&gt;: Security minister Dan Jarvis calls for artificial intelligence companies to work with government to develop AI-driven cyber defences&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Better security than 2FA"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Better security than 2FA&lt;/h2&gt;
 &lt;p&gt;Passkeys offer a greater level of security than passwords and SMS two-factor authentication (2FA), both of which can be compromised by hackers.&lt;/p&gt;
 &lt;p&gt;They allow people to log into websites securely, using their own mobile phones, tablets or laptops to verify their identity by entering a PIN or using facial recognition.&lt;/p&gt;
 &lt;p&gt;Passwords used with SMS-based two-factor authentication can be vulnerable to “SIM swapping” attacks, where criminals allocate a victim’s phone number to a phone SIM card to intercept authentication keys.&lt;/p&gt;
 &lt;p&gt;The NCSC said that it stopped short of endorsing passkeys last year because there were still key implementation challenges.&lt;/p&gt;
 &lt;p&gt;However, it said that progress with the technology over the past year, including the ability to move passkeys between Android and Apple phones, has now made the technology viable.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Passkeys not yet recommended for business"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Passkeys not yet recommended for business&lt;/h2&gt;
 &lt;p&gt;The centre said it can now recommend passkey technology to the public as a more secure and user-friendly login method, and to businesses as the default authentication option for consumers.&lt;/p&gt;
 &lt;p&gt;The NCSC is not yet recommending &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-roll-out-an-enterprise-passkey-deployment"&gt;passkeys for business applications&lt;/a&gt;, which will take longer to phase in. Many organisations rely on old IT systems that do not support passkeys or two-factor authentication.&lt;/p&gt;
 &lt;p&gt;The NCSC said that where services do not support passkeys, it advises consumers to create strong passwords and use two-factor authentication.&lt;/p&gt;
 &lt;p&gt;Jonathon Ellison, director for national resilience at the NCSC, said moving to passkeys would accelerate the UK’s resilience against cyber attacks.&lt;/p&gt;
 &lt;p&gt;“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in, where users migrate to passkeys – they are a user-friendly alternative, which provides stronger overall resilience,” he said.&lt;/p&gt;
 &lt;p&gt;Phasing out passwords will be gradual, with the first step being for people to become comfortable with using passkeys. Big banks are expected to phase in the technology over the next three to five years.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;How passkeys work&lt;/h3&gt; 
   &lt;p&gt;When people sign up for accounts using passkeys, their device creates a private key, which remains on the device, and a public key, which is stored by the service they wish to access.&lt;/p&gt; 
   &lt;p&gt;The device will prove to the website that it has the correct private key when the owner signs into a service, without disclosing the private key to the service provider.&lt;/p&gt; 
   &lt;p&gt;Passkeys are designed to synchronise across different devices, so a passkey stored on an iPhone would be automatically shared with the owner’s iPad.&lt;/p&gt; 
   &lt;p&gt;If a person loses a device and does not have a copy of the passkey on a second device, they will be able to recover it by going through an account recovery process.&lt;/p&gt; 
   &lt;p&gt;Unlike passwords, passkeys are cryptographically generated and do not need to be changed regularly to remain secure.&lt;/p&gt; 
   &lt;p&gt;They are stored in a “secure enclave” on phones and computers, which means they cannot be accessed if the device is compromised or lost.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>UK National Cyber Security Centre is urging consumers to replace passwords and two-factor authentication with passkeys, following a technical study that shows they are more secure and easier to use</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/easy-password-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366642156/NCSC-heralds-end-of-passwords-for-consumers-and-pushes-secure-passkeys</link>
            <pubDate>Wed, 22 Apr 2026 19:01:00 GMT</pubDate>
            <title>NCSC heralds end of passwords for consumers and pushes secure passkeys</title>
        </item>
        <item>
            <body>&lt;p&gt;Critical local infrastructure that supports council services, social care services and local transport in the UK is falling through the gaps in government and business planning for cyber resilience, claims &lt;a href="https://www.linkedin.com/in/jonathannicholaslee/"&gt;Jonathan Lee&lt;/a&gt;, director of cyber strategy at cyber security company TrendAI.&lt;/p&gt; 
&lt;p&gt;In an interview with Computer Weekly, Lee says that municipal areas, such as London or Greater Manchester, could be at risk from multiple cyber attacks that could damage local infrastructure, causing escalating problems for residents that could add up to severe disruption.&lt;/p&gt; 
&lt;p&gt;“We need to be thinking about what would happen if multiple attacks happened at the same time across the city region – and the human impact of not being able to do your job properly, not being able to travel around and not being able to deliver public services,” he says.&lt;/p&gt; 
&lt;p&gt;The &lt;a href="https://www.computerweekly.com/news/366634283/IT-services-companies-and-datacentres-face-regulation-as-cyber-security-bill-reaches-Parliament"&gt;Cyber Security and Resilience Bill (CSRB)&lt;/a&gt;, which is currently going through Parliament, aims to ensure that critical national services, such as healthcare, water, transport and energy, are protected against cyber attacks that cost the economy billions of pounds a year. But local infrastructure has been relatively neglected, claims Lee.&lt;/p&gt; 
&lt;p&gt;The National Cyber Security Centre’s (NCSC) &lt;a href="https://www.computerweekly.com/news/366628426/NCSC-updates-CNI-Cyber-Assessment-Framework"&gt;Cyber Assessment Framework&lt;/a&gt;, for example, aims to help operators of critical national infrastructure (CNI) demonstrate a base level of cyber security preparedness – but it is not mandatory, and not every organisation that should implement it is doing so.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Whole of society risk"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Whole of society risk&lt;/h2&gt;
 &lt;p&gt;“We need to be more stringent in making sure that people are taking this seriously and are looking not just at their own organisation, but are looking at the whole of society risk,” says Lee.&lt;/p&gt;
 &lt;p&gt;Attacks on public services, such as council-run social care, can have a catastrophic, knock-on effect on the NHS and patient care, he adds.&lt;/p&gt;
 &lt;p&gt;There is a need for more “top-down” advice for regional infrastructure providers, from organisations such as the NCSC, which is not as well known as it could be among the companies and public sector bodies that provide local infrastructure.&lt;/p&gt;
 &lt;p&gt;“The message has got to be diffused down into local levels to ensure that a consistent message is spread out, and that can also be through industry partners. That is something I feel quite strongly about,” says Lee.&lt;/p&gt;
 &lt;p&gt;The &lt;a href="https://www.computerweekly.com/news/366641782/Cyber-Essentials-closes-the-MFA-loophole-but-leaves-some-organisations-adrift"&gt;Cyber Essentials programme&lt;/a&gt;, which has been updated to include new requirements for organisations to use multifactor authentication (MFA), and requirements for cloud providers to patch vulnerabilities within 14 days, has helped build resilience, but only for organisations that choose to adhere to it.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Keeping the resilience score"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Keeping the resilience score&lt;/h2&gt;
 &lt;p&gt;The UK government is also intending to publish a &lt;a href="https://www.computerweekly.com/news/366638753/UK-government-must-get-its-hands-dirty-on-security-report-says"&gt;Cyber Action Plan&lt;/a&gt; in the coming months, which will guide organisations to get basic security right and improve their cyber security over time.&lt;/p&gt;
 &lt;p&gt;Although there is no shortage of initiatives and action plans, there is a danger that many of these plans will be left on a shelf.&lt;/p&gt;
 &lt;p&gt;One approach is for organisations to rate themselves on a scorecard for cyber resilience, on a scale of, say, 1 to 100, and to report their progress back to board-level directors.&lt;/p&gt;
 &lt;p&gt;“We need a mechanism to measure how impactful these interventions are, whether it be things like the Cyber Assessment Framework, Cyber Essentials or legislation,” says Lee.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about cyber resilience&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="For%20business%20leaders,%20if%20your%20security%20strategy%20for%202026%20still%20revolves%20around%20keeping%20attackers%20out,%20you%20might%20already%20be%20behind."&gt;Cyber resilience will define winners and losers in 2026&lt;/a&gt;: For business leaders, if your security strategy for 2026 still revolves around keeping attackers out, you might already be behind.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/opinion/Are-we-mistaking-regulation-for-resilience"&gt;Are we mistaking regulation for resilience&lt;/a&gt;? We have a growing number of cyber compliance regulations, yet our country’s cyber resilience remains fragile. What is going wrong?&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/opinion/How-CISOs-can-build-a-truly-unified-and-resilient-security-platform"&gt;How CISOs can build a truly unified and resilient security platform&lt;/a&gt;: The Security Think Tank looks at platformisation, considering questions such as how CISOs can distinguish between a truly integrated platform and integration theatre, and how to protect unified platforms.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>Jonathan Lee, director of cyber strategy at Trend AI, argues for more focus on local and municipal cyber resilience</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Hero-Danger-by-InfiniteFlow-Adobe-10.jpg</image>
            <link>https://www.computerweekly.com/news/366641946/Interview-Critical-local-infrastructure-is-missing-link-in-cyber-resilience</link>
            <pubDate>Wed, 22 Apr 2026 11:02:00 GMT</pubDate>
            <title>Interview: Critical local infrastructure is missing link in UK cyber resilience</title>
        </item>
        <item>
            <body>&lt;p&gt;The UK aims to build “national scale” cyber defence capabilities to respond to growing threats from hostile states and artificial intelligence (AI)-powered attacks.&lt;/p&gt; 
&lt;p&gt;Security minister Dan Jarvis said today that defending against “&lt;a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide"&gt;frontier AI&lt;/a&gt;” will require a national effort from government and businesses.&lt;/p&gt; 
&lt;p&gt;He said the government was “laying the groundwork” for a national capability, which has been dubbed the “national cyber shield”, to protect the UK against cyber threats, and&amp;nbsp;called for AI companies to work directly with the government to develop AI to defend against automated cyber attacks.&lt;/p&gt; 
&lt;p&gt;The government’s vision is to develop defensive AI technology that has the capability to identify and repair security vulnerabilities in software at machine speed. “Make no mistake, this is a generational endeavour, and it will test the absolute limits of our engineering and innovation,” Jarvis said in a speech in Glasgow.&lt;/p&gt; 
&lt;p&gt;He was speaking following Anthropic’s decision to delay its Claude Mythos AI model from public release &lt;a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide"&gt;after the technology uncovered thousands of previously known security vulnerabilities&lt;/a&gt; across commonly used software applications.&lt;/p&gt; 
&lt;p&gt;Mythos had uncovered “critical flaws that had gone unnoticed by human experts and automatic tools for over two decades”, said Jarvis.&lt;/p&gt; 
&lt;p&gt;He said that protecting Critical National Infrastructure will require a “fundamentally different approach” in the age of AI. “We will not secure the central pillars of the UK state simply by purchasing off-the-shelf vendor solutions,” said Jarvis.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Cyber attacks more sophisticated"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyber attacks more sophisticated&lt;/h2&gt;
 &lt;p&gt;Jarvis said the nature of warfare had changed, and that attacks on British systems were increasing in “volume, sophistication and in ambition”.&lt;/p&gt;
 &lt;p&gt;Hostile states have “worked out that the most effective way is not to confront us directly, but to quietly hollow us out”, he said.&lt;/p&gt;
 &lt;p&gt;The National Cyber Security Centre (NCSC), part of GCHQ, handled over 200 nationally significant incidents last year, double that of the year before. &lt;a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief"&gt;The majority are attacks from hostile nation states&lt;/a&gt;, including Russia, Iran and China.&lt;/p&gt;
 &lt;p&gt;“That number tells me the frontline isn’t coming – it’s here,” said Jarvis. “The cyber security of British business is a matter of national security.”&lt;/p&gt;
 &lt;p&gt;Hostile states were attacking logistics systems used to move goods, and were compromising high street business – a reference to the &lt;a href="https://www.computerweekly.com/feature/One-year-on-from-the-MS-cyber-attack-What-did-we-learn"&gt;debilitating cyber attacks against Marks &amp;amp; Spencer and Co-op&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;The &lt;a href="https://www.computerweekly.com/news/366634441/Jaguar-Land-Rover-cyber-attack-costs-firm-485m-in-its-quarter"&gt;cyber attack against Jaguar Land Rover&lt;/a&gt;, had it been caused by an old-school physical attack, “would have been the equivalent of hundreds of masked criminals turning up to dealerships across the country breaking glass, smashing up computers and driving cars right off the forecourt”.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Business needs to step up"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Business needs to step up&lt;/h2&gt;
 &lt;p&gt;Companies are most at risk from cyber attacks, not because attackers exploit vulnerabilities, but because companies have failed to keep their systems up to date, or to deploy baseline security measures such as multifactor authentication.&lt;/p&gt;
 &lt;p&gt;Jarvis said that while government can set standards, share intelligence and provide guidance, it was no substitute for businesses ensuring basic cyber security hygiene.&lt;/p&gt;
 &lt;p&gt;“Basic cyber hygiene is no longer optional, but the baseline – the absolute minimum we should expect of any serious organisation operating in the modern economy,” he said.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Cyber Resilience Pledge"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyber Resilience Pledge&lt;/h2&gt;
 &lt;p&gt;Jarvis said the government would be inviting organisations to sign a Cyber Resilience Pledge.&lt;/p&gt;
 &lt;p&gt;Businesses will be invited to make a “public commitment” to investors, their customers and supply chains to make cyber security a board-level responsibility.&lt;/p&gt;
 &lt;p&gt;They will also be urged to commit to meeting basic security standards through the NCSC’s Cyber Essentials programme.&lt;/p&gt;
 &lt;p&gt;The pledge will accompany the government’s National Cyber Action Plan – a national strategy for cyber security – to be published in the summer.&lt;/p&gt;
 &lt;p&gt;“The plan will demonstrate how we will tackle the growing threat, how we will strengthen our collective resilience, and how we will harness the opportunity for our world-leading cyber sector to secure the UK’s economic growth for years to come,” said Jarvis.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="More funding for small business"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;More funding for small business&lt;/h2&gt;
 &lt;p&gt;The security minister said the government was making £90m of investment to strengthen cyber resilience, to provide “practical targeted support” to small and medium-sized businesses.&lt;/p&gt;
 &lt;p&gt;It will be distributed over the next three years through existing schemes run by the Department for Science, Innovation and Technology and the National Cyber Security Centre.&lt;/p&gt;
 &lt;p&gt;Cyber security minister Baroness Lloyd said the government had written to the CEOs and chairs of over 180 of the UK’s leading businesses to encourage as many as possible to sign up to the pledge ahead of a formal launch later this year.&lt;/p&gt;
 &lt;p&gt;“The cyber threat facing UK businesses is serious, growing and evolving fast,” she said. “AI is giving attackers capabilities that would have seemed extraordinary just a year ago, and no organisation can afford to be complacent.”&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more from CyberUK 2026&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641875/CYBERUK-26-UK-lagging-on-legal-protections-for-cyber-pros"&gt;CyberUK ’26: UK lagging on legal protections for cyber pros&lt;/a&gt;: Ahead of next week's CyberUK conference, the CyberUp Campaign for reform of the UK's hacking laws proposes a four-pillar framework that would protect cyber professionals from prosecution&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief"&gt;Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief&lt;/a&gt;: The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, will warn at the CyberUK conference.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>Security minister Dan Jarvis calls for artificial intelligence companies to work with government to develop AI-driven cyber defences</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/IT-security-cyber-defence-fotolia.jpg</image>
            <link>https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats</link>
            <pubDate>Wed, 22 Apr 2026 10:45:00 GMT</pubDate>
            <title>UK to build ‘national cyber shield’ to protect against AI cyber threats</title>
        </item>
        <item>
            <body>&lt;p&gt;Microsoft’s regular monthly round of vulnerability fixes dropped &lt;a href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server" target="_blank" rel="noopener"&gt;as scheduled on Tuesday 14 April&lt;/a&gt;, containing a handful of zero-days and critical updates for security teams to pore over. So far, so normal.&lt;/p&gt; 
&lt;p&gt;But this month’s Patch Tuesday was rather more notable than many other recent updates because it was, by some margin, the second-largest update in history by volume, comprising over 160 distinct flaws – &lt;a href="https://www.computerweekly.com/news/366632872/Patch-Tuesday-Windows-10-end-of-life-pain-for-IT-departments" target="_blank" rel="noopener"&gt;October 2025 saw 175&lt;/a&gt; – and rising to nearly 250 once third-party and Chromium updates were taken into account.&lt;/p&gt; 
&lt;p&gt;Almost immediately, commentators rushed to invoke the unavoidable spectre of artificial intelligence (AI). Vulnerability expert and regular Patch Tuesday commentator Dustin Childs, of TrendAI’s Zero Day Initiative, was among them.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.zerodayinitiative.com/blog/2026/4/14/the-april-2026-security-update-review" target="_blank" rel="noopener"&gt;In his regular write-up&lt;/a&gt;, he described the update as “monstrous” in size, and went on to suggest that growth in the use of AI tools to uncover software vulnerabilities at scale may be behind the sudden jump.&lt;/p&gt; 
&lt;p&gt;And this may well be a big part of what is going on, agrees Chris Goettl, vice-president of product management for software products at &lt;a href="https://www.ivanti.com/" target="_blank" rel="noopener"&gt;Ivanti&lt;/a&gt;, which has just made significant enhancements to its Neurons patch management platform.&lt;/p&gt; 
&lt;p&gt;Setting the scene, Goettl explains: “The lead up to Patch Tuesday has been interesting. We had a Google Chrome zero-day, &lt;a href="http://nvd.nist.gov/vuln/detail/CVE-2026-5281" target="_blank" rel="noopener"&gt;CVE-2026-5281&lt;/a&gt;, that was patched on 1 April, an Adobe Acrobat Reader zero-day, &lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" target="_blank" rel="noopener"&gt;CVE-2026-34621&lt;/a&gt;, late in the day on Friday 10 April, and several older CVEs that were added to the Cisa Kev list yesterday [13 April]. All of this amidst a lot of industry buzz about Anthropic Mythos and &lt;a href="https://www.anthropic.com/glasswing"&gt;Project Glasswing&lt;/a&gt;.”&lt;/p&gt; 
&lt;p&gt;Launched amid much fanfare earlier in April, Project Glasswing is a new Anthropic initiative built around an in-development frontier AI model, Claude Mythos Preview, which its progenitors say can both discover zero-day flaws and develop exploits for them.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Critical vulnerabilities"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Critical vulnerabilities&lt;/h2&gt;
 &lt;p&gt;Such is Mythos’s power – Anthropic claims to have discovered “thousands” of critical vulnerabilities, some of which have been hiding in plain sight for years – that a wraparound Project Glasswing has been created to limit access to the potentially dangerous model to a select group of tech companies, or at least to give them a head start on fixing the flaws before Mythos becomes more widely available.&lt;/p&gt;
 &lt;p&gt;These include Amazon Web Services (AWS), Apple, Broadcom, Cisco, CrowdStrike, Google, Microsoft, Nvidia and Palo Alto Networks.&lt;/p&gt;
 &lt;p&gt;Mythos and Project Glasswing were only made public earlier this month – far too recently to have had much impact on the Patch Tuesday update. And according to analysis of recently disclosed vulnerabilities &lt;a href="https://www.vulncheck.com/blog/anthropic-glasswing-cves" target="_blank" rel="noopener"&gt;conducted by VulnCheck&lt;/a&gt;, only 75 mention Anthropic and only one is directly attributable to Glasswing.&lt;/p&gt;
 &lt;p&gt;Therefore, it’s reasonable and accurate to say the correlation between its release and the spike in Patch Tuesday disclosures is a hypothetical one for now.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Fast-moving timeline"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Fast-moving timeline&lt;/h2&gt;
 &lt;p&gt;However, things are moving fast, and given the timeline is advancing at pace, the conversation needs to happen today. &lt;a href="https://www.computerweekly.com/news/366641649/UK-businesses-must-face-up-to-AI-threat-says-government" target="_blank" rel="noopener"&gt;Indeed, in an open letter published on 15 April&lt;/a&gt;, business secretary Liz Kendall urged UK business leaders to “plan accordingly” as frontier models become more adept.&lt;/p&gt;
 &lt;p&gt;“The scenarios that Mythos enables aren’t routine,” says Doc McConnell, head of policy at &lt;a href="https://finitestate.io/" target="_blank" rel="noopener"&gt;Finite State&lt;/a&gt; and a former Cybersecurity and Infrastructure Security Agency (Cisa) branch chief and White House advisor. “AI is a ratchet wrench for cyber security – it only goes in one direction: faster. It enables security teams to respond to incidents more quickly, but it also increases the volume and severity of those incidents.&lt;/p&gt;
 &lt;p&gt;“Sure, the basics still apply – building security into the product lifecycle, accelerating the patch cycle, making sure that cyber security is central to your company’s risk management and long-term strategy. What’s changed is that the traditional advice to ‘do the basics, but faster’ is no longer sufficient … Regardless of how skilled your technical team, humans simply can’t go fast enough to keep up with AI.”&lt;/p&gt;
 &lt;p&gt;While McConnell applauds Anthropic and its Project Glasswing squad for their approach, he says it would be wise to assume that if Anthropic is being noisy and responsible about this, someone else is being quiet, and irresponsible.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How will Mythos be used?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How will Mythos be used?&lt;/h2&gt;
 &lt;p&gt;Goettl at Ivanti says: “Most of the discussions around Mythos have been focused on where it will be used and the ramifications, [and] finding exploitable flaws in code can be a powerful tool for good when used by the vendor writing the code before it is released.&lt;/p&gt;
 &lt;p&gt;“However, it will also be used by researchers and threat actors to find flaws in code that is already released, and that is where my speculation is directed,” he says.&lt;/p&gt;
 &lt;p&gt;Goettl invites us to consider the knock-on effects of a frontier model like Mythos and what it means for software companies.&lt;/p&gt;
 &lt;p&gt;In the immediate future, he says, large tech firms will use it to release more secure code. But at the same time, both legit security researchers and threat actors will be adopting more robust AI models to identify exploitable flaws.&lt;/p&gt;
 &lt;p&gt;“This will result in more coordinated disclosures – good – zero-day exploits – bad – and n-day exploits – bad,” says Goettl. “All of this will result in more frequent, and more importantly, urgent software updates.&lt;/p&gt;
 &lt;p&gt;“Many organisations currently struggle to keep up with priority updates resolving exploited vulnerabilities when they occur outside of their normal monthly maintenance. [For example], I suspect most organisations were not aware of the Adobe Acrobat zero-day exploit &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" target="_blank" rel="noopener"&gt;until the Cisa Kev update&lt;/a&gt;&amp;nbsp;… This means that threat actors had another two to three days of free rein to exploit CVE-2026-34621 before most organisations became aware,” says Goettl.&lt;/p&gt;
 &lt;p&gt;Given browser security updates are weekly occurrences these days, and many other business applications in regular use release updates on a continuous cadence and not a set monthly date, it isn’t hard to see that a good number of exploits are going to, a) make a mockery out of organisations’ maintenance schedules and, b) do it a lot. Of course, it’s not possible to say if this will be a doubling, trebling or quadrupling of vulnerabilities, but it probably is safe to say that the increase will be noticeable and will likely exacerbate the challenges security leaders already see around patch management.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Next steps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Next steps&lt;/h2&gt;
 &lt;p&gt;What’s the solution? Goettl believes security leaders need to make a step change in mindset, and maturity, defining their risk appetite and risk posture, which if done effectively, can make remediation activities much more clear cut.&lt;/p&gt;
 &lt;p&gt;This, he argues, should go alongside a technical evolution in which traditional vulnerability assessment and intelligence services become better integrated into a broader ecosystem where they marry up with asset visibility or systems of record. This hybrid approach can help refine the process of determining if things need to be addressed right away, or if they can wait for regular maintenance activities. This stack should be integrated with an autonomous endpoint management (AEM) platform, adds Goettl, to speed remediation.&lt;/p&gt;
 &lt;p&gt;Meanwhile, Finite State’s McConnell lays out three steps the industry itself should be considering.&lt;/p&gt;
 &lt;p&gt;“Security has to move to the very beginning of the product lifecycle,” he says. “If you’re waiting until a CVE drops to find out whether your product is affected, you’re already behind. Binary analysis and software composition analysis need to happen continuously from the very first stages of design and development – not as a ‘final check’ when the features are final and the release is scheduled.&lt;/p&gt;
 &lt;p&gt;“Second, security needs to keep pace with product development, even as companies accelerate development with AI. That means a real-time SBOM, with automated reachability analysis for new vulnerabilities so that they can confidently prioritise the fixes that matter most.&lt;/p&gt;
 &lt;p&gt;“Finally, companies need to understand that even in a capable security environment, incidents will still happen,” says McConnell. “When they do, defenders need to match attacker speed. That means an automated vulnerability and incident response capability that can triage, communicate and coordinate remediation across a product portfolio without relying on manual investigation at each step.&lt;/p&gt;
 &lt;p&gt;“Companies need to act on this immediately: make it the top topic at your next board meeting. If you don’t have this capability today, partner with a company that does.”&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Could frontier models be good for cyber?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Could frontier models be good for cyber?&lt;/h2&gt;
 &lt;p&gt;Could this leap forward in the bug-hunting capabilities of frontier models like Mythos ultimately prove to be beneficial for cyber security? Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), certainly seems to think so.&lt;/p&gt;
 &lt;p&gt;In an article first published &lt;a href="https://www.ft.com/content/9469b567-0f86-4c6f-9ce3-a2a28e4f7cad" target="_blank" rel="noopener"&gt;as a letter to &lt;em&gt;The Financial Times&lt;/em&gt;&lt;/a&gt;, Horne says there is a path towards the industry using AI appropriately to find and fix flaws, but the road ahead is paved with risks.&lt;/p&gt;
 &lt;p&gt;“In the immediate term, we will increasingly see AI exposing those organisations that have not taken appropriate steps to safeguard their cyber security,” says Horne.&lt;/p&gt;
 &lt;p&gt;“AI will make it easier, faster and cheaper to discover and exploit weaknesses that previously required more time, skill or resource for attackers to identify. And the pressure on organisations to patch systems quickly will only grow more acute.&lt;/p&gt;
 &lt;p&gt;“That’s why it is more essential than ever that organisations ensure they are following established good practices, set out by the NCSC, to raise their security baseline.”&lt;/p&gt;
 &lt;p&gt;For Horne, this includes reducing “unnecessary” exposure to attacks, rapid application of updates, and monitoring for and responding to malicious activity. These technical actions, he says, will have to be championed by all leaders and board-level executives at organisations if they are to have a positive impact.&lt;/p&gt;
 &lt;p&gt;This includes reducing unnecessary exposure to attack, applying security updates rapidly, as well as monitoring for, and quickly responding to, malicious activity detected.&lt;/p&gt;
 &lt;p&gt;These are technical actions, but they must be championed by all leaders and board members at organisations to have a positive impact. Cyber risk is business risk.&lt;/p&gt;
 &lt;p&gt;“As our society navigates these fast-evolving capabilities, the NCSC will stay focused on its mission to protect the UK from cyber threats, working alongside industry and wider government, and we will continue advising on the risks and opportunities,” says Horne.&lt;/p&gt;
 &lt;p&gt;“By getting the fundamentals right and carefully adopting frontier AI models for good, network defenders can retain an advantage and help keep the UK safe online.”&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about Anthropic Mythos&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;Technology secretary Liz Kendall urges Britain’s business community to sit up and pay attention to emerging AI threats, following the debut of&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366641563/UK-financial-regulators-rush-to-assess-risks-of-Anthropic-AI-model"&gt;Anthropic’s new frontier model, Mythos&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Banks called in by regulators as latest artificial intelligence model identifies&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366641563/UK-financial-regulators-rush-to-assess-risks-of-Anthropic-AI-model"&gt;thousands of software vulnerabilities&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;In a new report from the Cloud Security Alliance, experts warn of an AI vulnerability storm triggered by &lt;a rel="noopener" target="_blank" href="https://www.darkreading.com/cloud-security/csa-cisos-prepare-post-mythos-exploit-storm"&gt;the introduction of Anthropic’s Claude Mythos&lt;/a&gt; (Dark Reading).&lt;/li&gt; 
    &lt;li&gt;Letting probabilistic AI models autonomously operate inside production networks creates real safety and auditability issues, and that core security validation still needs deterministic guardrails. &lt;a href="https://www.computerweekly.com/opinion/Anthropics-Mythos-raises-the-stakes-for-security-validation" target="_blank" rel="noopener"&gt;And Anthropic just raised the stakes&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>Microsoft’s April Patch Tuesday drop was the second-largest in history, falling just shy of an October 2025 record. What is behind the spike in vulnerability disclosures, and is there a connection to Anthropic’s bug-hunting Claude Mythos AI model?</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/cloud-service-outage-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide</link>
            <pubDate>Wed, 22 Apr 2026 06:15:00 GMT</pubDate>
            <title>A tsunami of flaws: When frontier AI and Patch Tuesday collide</title>
        </item>
        <item>
            <body>&lt;p&gt;The UK is facing a “perfect storm” in cyber security as attacks driven by hostile states, combined with advances in artificial intelligence (AI), create new risks to UK infrastructure, the head of the UK’s National Cyber Security Centre (NCSC) will warn on Tuesday.&lt;/p&gt; 
&lt;p&gt;Hostile nation states are now directly or indirectly responsible for the majority of &lt;a href="https://www.computerweekly.com/news/366632664/NCSC-calls-for-action-after-rise-in-nationally-significant-cyber-incidents"&gt;“nationally significant” cyber security attacks&lt;/a&gt; against the UK which run at an average of four per week, &lt;a href="https://www.computerweekly.com/news/366616635/NCSC-boss-calls-for-sustained-vigilance-in-an-aggressive-world"&gt;Richard Horne, CEO of the NCSC&lt;/a&gt;, is expected to say.&lt;/p&gt; 
&lt;p&gt;A combination of technological change and rising geopolitical tension is creating “tumultuous uncertainty”, as well as opportunities in cyber security, he is expected to say at the &lt;a href="https://www.cyberuk.uk/"&gt;NCSC’s CyberUK conference in Glasgow&lt;/a&gt;.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Lessons from the battlefield"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Lessons from the battlefield&lt;/h2&gt;
 &lt;p&gt;Russia is taking cyber lessons learned during the war in Ukraine and is deploying “tactics and techniques honed in conflict” against western states, including the UK, Horne will tell conference attendees.&lt;/p&gt;
 &lt;p&gt;That has led to sustained “hybrid” attacks, which incorporate physical and cyber disruption, targeting the UK and Europe.&lt;/p&gt;
 &lt;p&gt;China’s intelligence and military agencies are capable of an “eye-watering level of sophistication” in offensive cyber operations.&lt;/p&gt;
 &lt;p&gt;The Chinese hacking group Volt Typhoon has targeted multiple operators of critical national infrastructure (CNI) in Asia and across the US, as it pre-positions for future attacks, which &lt;a href="https://www.computerweekly.com/news/366640484/UK-Cyber-Monitoring-Centre-plans-expansion-in-US-amid-risk-of-Category-5-attack"&gt;could rank among the most severe&lt;/a&gt; experienced to date, Computer Weekly has previously reported.&lt;/p&gt;
 &lt;p&gt;And Iran is “almost certainly” using cyber activity to support the repression of people in Britain who are seen as threats to the Iranian regime.&lt;/p&gt;
 &lt;p&gt;Iranian state-linked hackers were also identified as being &lt;a href="https://www.computerweekly.com/news/366640448/Cisa-tells-US-organisations-to-harden-endpoint-management-after-Stryker-attack"&gt;behind the cyber attack on the US medical technology firm, Stryker&lt;/a&gt;, in March.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Cyber is an integral part of conflict"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyber is an integral part of conflict&lt;/h2&gt;
 &lt;p&gt;Horne is expected to warn that cyber attacks are now an integral part of conflict, and as much a part of modern warfare as drones and missiles.&lt;/p&gt;
 &lt;p&gt;Groups linked to Russian military and intelligence services were behind a series of &lt;a href="https://www.computerweekly.com/news/366638859/Russias-cyber-attacks-on-Polish-utilities-draws-NCSC-alert"&gt;cyber attacks on Poland’s energy infrastructure&lt;/a&gt; in December 2025, for example.&lt;/p&gt;
 &lt;p&gt;They targeted two combined heat and &lt;a href="https://www.gov.pl/web/primeminister/poland-stops-cyberattacks-on-energy-infrastructure"&gt;power plants and an energy management system&lt;/a&gt; for renewable energy.&lt;/p&gt;
 &lt;p&gt;“Russia is taking the cyber lessons it has learnt in a theatre of war and is moving them beyond the battlefield,” he will say.&lt;/p&gt;
 &lt;p&gt;Cyber security has become “integral to conflict” and will become a new “home front.”&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Ransomware without the ransom"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Ransomware without the ransom&lt;/h2&gt;
 &lt;p&gt;In the event of conflict, or near conflict, the UK would likely face cyber attacks “at scale” that would cause similar disruption to ransomware attacks, but without the possibility of recovering data by paying a ransom.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.computerweekly.com/news/366634441/Jaguar-Land-Rover-cyber-attack-costs-firm-485m-in-its-quarter"&gt;Ransomware attacks on Jaguar Land Rover&lt;/a&gt; cost the UK an estimated £1.9bn, while &lt;a href="https://www.computerweekly.com/news/366626336/MS-Co-op-attacks-a-Category-2-cyber-hurricane-say-UK-experts"&gt;attacks on Marks &amp;amp; Spencer and the Co-op&lt;/a&gt; had estimated costs of between £270m and £440m, according to the &lt;a href="https://www.computerweekly.com/news/366640484/UK-Cyber-Monitoring-Centre-plans-expansion-in-US-amid-risk-of-Category-5-attack"&gt;UK Cyber Monitoring Centre&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Horne will say that defending against such attacks will require every organisation to make cyber security part of their corporate mission and to “build defence in-depth” so that they can remain operational following a successful attack.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Risks from Mythos and frontier AI"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Risks from Mythos and frontier AI&lt;/h2&gt;
 &lt;p&gt;Anthropic’s AI model, &lt;a href="https://www.computerweekly.com/news/366641763/Bank-cyber-teams-on-red-alert-as-Anthropic-promises-them-Mythos-next-week"&gt;Mythos&lt;/a&gt;, has exposed widespread security vulnerabilities in legacy software that could be exploited by malicious attackers if they became known.&lt;/p&gt;
 &lt;p&gt;Horne will warn that such “frontier AI” will quickly show where the fundamentals of cyber security need to be addressed.&lt;/p&gt;
 &lt;p&gt;It will expose poor quality code shipped by software suppliers with significant vulnerabilities, organisations that are not patching their IT systems quickly or widely enough, and those that &lt;a href="https://www.computerweekly.com/news/366638959/CIOs-discuss-friction-between-legacy-IT-and-innovation"&gt;fail to replace outdated legacy computer systems&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;But Horne is expected to argue that there is an opportunity for AI to be a net positive for cyber defence.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Cyber security in space"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyber security in space&lt;/h2&gt;
 &lt;p&gt;In the near future, organisations will need to expand cyber security to protect energy systems, production lines, robotics, space-based communications and autonomous AI agents.&lt;/p&gt;
 &lt;p&gt;Technology that is physically integrated into the human body, including medical devices, will also need to be protected.&lt;/p&gt;
 &lt;p&gt;Defending against cyber attacks requires a “cultural shift”, and for cyber security and resilience to be seen as a strategic investment, rather than a cost.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about nation-state attacks&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366639713/NCSC-No-increase-in-cyber-threat-from-Iran-but-be-prepared"&gt;NCSC: No increase in cyber threat from Iran, but be prepared&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641058/NCSC-warns-high-risk-individuals-of-Signal-and-WhatsApp-social-engineering-attacks"&gt;NCSC warns high-risk individuals of Signal and WhatsApp social engineering attacks&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366632664/NCSC-calls-for-action-after-rise-in-nationally-significant-cyber-incidents"&gt;NCSC calls for action after rise in ‘nationally significant’ cyber incidents&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366632649/China-responsible-for-rising-cyber-attacks-says-NCSC"&gt;NCSC: China responsible for rising cyber attacks&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>The UK is facing four nationally significant cyber attacks a week, the majority from hostile states, NCSC chief, Richard Horne, will warn at the CyberUK conference</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/War-Missiles-Weapons-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366642032/Nation-states-responsible-for-nationally-significant-cyber-attacks-against-UK-says-NCSC-chief</link>
            <pubDate>Tue, 21 Apr 2026 17:30:00 GMT</pubDate>
            <title>Nation states responsible for ‘nationally significant’ cyber attacks against UK, says NCSC chief</title>
        </item>
        <item>
            <body>&lt;p&gt;A security team recently walked me through a scenario that illustrates exactly why the industry's current obsession with autonomous AI is so risky. They had used an agentic tool to uncover a complex attack path that started with a small foothold and ended in a critical exposure. It was a clear win for discovery. They remediated the gaps and restricted access, expecting the issue to be closed.&lt;/p&gt; 
&lt;p&gt;The trouble started when they went back to prove the fix. Because the tool was driven by a &lt;a href="https://www.geeksforgeeks.org/artificial-intelligence/ai-for-geeks-week2/" target="_blank" rel="noopener"&gt;probabilistic model&lt;/a&gt; designed to explore and pivot like a human, it didn't take the same path twice. When the original path didn't show up, the team couldn't tell if the hole was plugged or if the system had simply chosen a different route. That kind of unnecessary doubt is the hidden tax of the push toward total autonomy.&lt;/p&gt; 
&lt;p&gt;That doubt, in a single environment, is the manageable version of the problem. Earlier in April Anthropic demonstrated what it looks like when the attacker is an AI. &lt;a href="https://www.computerweekly.com/news/366641763/Bank-cyber-teams-on-red-alert-as-Anthropic-promises-them-Mythos-next-week" target="_blank" rel="noopener"&gt;Claude Mythos&lt;/a&gt; autonomously discovered and chained zero-day vulnerabilities across major operating systems, producing working exploits in hours. That would have taken elite researchers weeks. Anthropic withheld public release for good reason, but the implication is already here: disclosure now equals weaponisation.&lt;/p&gt; 
&lt;p&gt;That puts a sharper point on a question security teams were already wrestling with: namely, how do you validate your defences when the threat keeps changing? How do you know your security controls work and remediate whatever falls short, before these gaps are exploited?&lt;/p&gt; 
&lt;p&gt;Security validation has always depended on predictability. If you know how attackers operate, you can test your defenses against those methods and know where you stand – that's the difference between knowing your defenses work and hoping they do. Historically, attacker behavior followed well-documented patterns and techniques, which is what made that testing reliable. AI is beginning to change that predictability, giving attackers the ability to reason about novel paths at machine speed. But even before novel attacks become routine, AI already offers attackers a more immediate advantage: the ability to execute known techniques at a scale no human team can match, covering more of the attack surface faster than the environment changes.&lt;/p&gt; 
&lt;p&gt;Defenders are responding in kind and agentic security tools are gaining traction. The most meaningful risks today rarely come from an unpatched server. They come from the connective tissue of the enterprise, where lateral paths are created by service accounts, trust relationships or a set of permissions that made sense once but no longer do. Systems that can piece these together get us closer to how real attacks happen.&lt;/p&gt; 
&lt;p&gt;But this shift introduces a fundamental conflict between exploration and validation. Agentic systems are designed to explore, not to repeat. In cyber security, that is what makes them effective for discovery, but it is also what makes them a liability for remediation. They can tell you what could happen, but not whether something has actually been fixed.&lt;/p&gt; 
&lt;p&gt;Answering that requires deterministic execution. It means executing the same techniques, with the same conditions, in a strictly repeatable way. It is not about a variation or a similar route. It is about the exact same sequence so the outcome can be compared directly. Without that, you are operating on assumption, not confidence.&lt;/p&gt; 
&lt;p&gt;The real challenge is meeting user expectations for safety and accountability. People now want systems that behave like agents working on their behalf, but they also expect the vendors building those systems to take responsibility for the outcomes. If a probabilistic model makes a mistake in a live production environment, the customer holds the vendor accountable, not the model provider.&lt;/p&gt; 
&lt;p&gt;What is emerging is a two-engine architecture where agentic techniques and deterministic execution work together. Agentic layers handle discovery, surfacing compound exposures that emerge from how systems interact over time rather than from any single misconfiguration. Deterministic engines then take those findings and execute them in a controlled, repeatable way so security teams can verify a fix is real and not just unobserved. Neither layer is sufficient on its own. Discovery without verification leaves you with exactly the doubt problem I opened with. Verification without discovery leaves you testing what you already know, which is not where the real risk lives.&lt;/p&gt; 
&lt;p&gt;The industry will keep moving toward more autonomous systems. Mythos confirmed that the trajectory is right, and that the pace just accelerated. But for security leaders, the core requirement has not changed. You need to know a threat has been neutralised, not just that it has not shown up recently. Teams running continuous validation are already ahead. But ahead just got redefined. When an adversary can reason about novel attack paths and produce working exploits at machine speed, confidence comes from verification – not from the absence of a finding.&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Amitai Ratzon is CEO at &lt;a href="https://pentera.io/" target="_blank" rel="noopener"&gt;Pentera&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;</body>
            <description>Letting probabilistic AI models autonomously operate inside production networks creates real safety and auditability issues, and core security validation still needs deterministic guardrails. And Anthropic just raised the stakes.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/chess-strategy-game-intelligence-1-adobe.jpeg</image>
            <link>https://www.computerweekly.com/opinion/Anthropics-Mythos-raises-the-stakes-for-security-validation</link>
            <pubDate>Tue, 21 Apr 2026 13:59:00 GMT</pubDate>
            <title>Anthropic's Mythos raises the stakes for security validation</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;a href="https://www.sans.org/" target="_blank" rel="noopener"&gt;The Sans Institute&lt;/a&gt;, one of the world’s pre-eminent cyber security certification and training bodies, is to play a key role in the annual &lt;a href="https://ccdcoe.org/" target="_blank" rel="noopener"&gt;Nato Cooperative Cyber Defence Centre of Excellence&lt;/a&gt; (CCDCOE) Locked Shields exercise, held in Tallinn, Estonia, through the provision of a fully functional power generation system that participating teams will attempt to defend during the game.&lt;/p&gt; 
&lt;p&gt;This year marks the 16th running of the Locked Shields live fire security defence exercise, which unites &lt;a href="https://www.techtarget.com/searchsecurity/tip/Red-team-vs-blue-team-vs-purple-team-Whats-the-difference" target="_blank" rel="noopener"&gt;blue teams&lt;/a&gt; from across Nato’s 32 member states, as well as other allies and observers.&lt;/p&gt; 
&lt;p&gt;This year, however, Sans has been entrusted with the task of building a genuine, operational cyber range, as opposed to creating a simulation. It is using real &lt;a href="https://www.techtarget.com/whatis/definition/industrial-control-system-ICS" target="_blank" rel="noopener"&gt;industrial control systems&lt;/a&gt; (ICSs) and physical equipment that 16 teams of defenders will have to protect while under live cyber attack, with the decisions they make having an immediate physical impact on a national-scale power grid.&lt;/p&gt; 
&lt;p&gt;Nato and Sans said the aim of the game is to close the gap between sandboxed, classroom-based cyber security training and real-world operational readiness, which, amid the cyber dimension to the energy crisis precipitated by the &lt;a href="https://www.computerweekly.com/news/366639901/Iran-war-a-melting-pot-for-other-cyber-threats" target="_blank" rel="noopener"&gt;war in Iran&lt;/a&gt;&amp;nbsp;and &lt;a href="https://www.computerweekly.com/news/366638859/Russias-cyber-attacks-on-Polish-utilities-draws-NCSC-alert" target="_blank" rel="noopener"&gt;spillover from the ongoing war in Ukraine&lt;/a&gt;, has never been more important.&lt;/p&gt; 
&lt;p&gt;“We are putting teams in an environment where cyber decisions directly impact physical operations,” said Felix Schallock, who leads the initiative at the Sans Institute. “If you lose visibility, if you lose control, the power generation can be affected. That’s the reality operators face every day. That’s what we’re training for.”&lt;/p&gt; 
&lt;p&gt;Nato CCDCOE director Tõnis Saar added: “Locked Shields is a technically advanced exercise that challenges participants to defend the critical infrastructure systems modern societies depend on. As much of this critical infrastructure is owned and operated by the private sector, strong public-private collaboration is essential. Industry partners such as Sans Institute play a vital role in making the exercise as realistic and impactful as possible.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Hybrid architecture"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Hybrid architecture&lt;/h2&gt;
 &lt;p&gt;The Sans Institute’s cyber range comprises close to 70 physical ICS devices, with programmable logic controllers (PLCs), human-machine interfaces (HMIs), operator and engineering workstations, 100 virtual machines (VMs) and interconnected systems within the wider CCDCOE environment, all supported by live network infrastructure, the whole forming a &lt;a href="https://www.computerweekly.com/news/366623862/New-security-paradigm-needed-for-IT-OT-convergence" target="_blank" rel="noopener"&gt;hybrid information and operational technology&lt;/a&gt; (IT/OT) architecture.&lt;/p&gt;
 &lt;p&gt;During the exercise, blue teamers will be set the task of defending the “energy provider” while coming under sustained attack from opposing red teams.&lt;/p&gt;
 &lt;p&gt;The goal is to effectively demonstrate how maintaining a reliable generation system isn’t some metric on a scorecard, but rather the core mission, so success will entail more than just spotting and arresting threats – it will also demand operational discipline, maintaining uninterrupted power generation, preserving comms between IT and OT networks, guaranteeing visibility and control of ICS technology, and avoiding any destabilising disruptions.&lt;/p&gt;
 &lt;p&gt;Actions will be visible, rippling through the systems in real time, so participants won’t just see alerts, they will see turbines being throttled, breakers being opened or closed, and generation capacity being affected. As such, failure will be immediate and visible – missteps will degrade system performance, disrupt or halt power generation, or simulate national-level consequences.&lt;/p&gt;
 &lt;p&gt;Tim Conway, Sans Institute fellow and ICS curriculum lead, explained: “We’re showing teams how to defend infrastructure that can’t simply be rebooted or patched on the fly. You have to think like an operator, not just a defender. That mindset shift is what makes this environment so powerful.”&lt;/p&gt;
 &lt;p&gt;Sans Institute CEO James Lyne expressed great pride in what the Sans team has built for Locked Shields this year. “The scenarios these critical initiatives prepare for are playing out in the world – national espionage, cyber integrated to kinetic attacks and warfare, and retaliation attacks,” he said.&lt;/p&gt;
 &lt;p&gt;“Throw in AI or machine speed attackers and the need for defenders to adapt, and you have the most disruptive period in cyber security in 20 years. We are privileged to help our allies be ready and continuously improving to secure the future. The people defending our critical infrastructure deserve training that takes the threat as seriously as they do,” he added.&lt;/p&gt;
 &lt;p&gt;Schallock said the exercise was about preparing teams for protecting the systems that matter most. “Cyber security training must reflect the environment defenders are protecting. We’re not just teaching cyber security, we’re showing how to defend a nation’s infrastructure when it counts.”&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Cyber training body the Sans Institute is preparing live power generation IT and OT systems for Nato’s annual Locked Shields blue team exercise, which this year appears more relevant than ever</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/energy-power-electricity-pylons-bizioti-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366642012/Sans-Institute-preps-live-systems-for-Nato-cyber-exercise</link>
            <pubDate>Tue, 21 Apr 2026 10:30:00 GMT</pubDate>
            <title>Sans Institute preps live systems for Nato cyber exercise</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;a href="https://www.computerweekly.com/news/366622847/Cyber-attack-downs-systems-at-Marks-Spencer" target="_blank" rel="noopener"&gt;The cyber attack on M&amp;amp;S last year&lt;/a&gt; marked a turning point for resilience in the retail sector. One year on, knowing how to avoid the next incident is no longer the priority and being ready for when it happens is key.&lt;/p&gt; 
&lt;p&gt;Retail continues to be targeted at pace, and for good reason. The sector holds vast volumes of high-value customer data, operates across complex and often opaque supply chains, and has a near-zero tolerance for downtime. In an industry where customer experience is everything, cyber incidents are no longer just technical disruptions – but material business events that can define customer and stakeholder trust.&lt;/p&gt; 
&lt;p&gt;The new digital reality for retailers is no longer whether they are attacked, but how prepared they are to respond and return to business-as-usual operations as quickly as possible; to survive and thrive.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Third-party risk is now the frontline"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Third-party risk is now the frontline&lt;/h2&gt;
 &lt;p&gt;From logistics providers to payment platforms and SaaS vendors, modern retail depends on a web of third-party relationships. Retailers are interconnected ecosystems, and that interconnectedness has become a critical vulnerability.&lt;/p&gt;
 &lt;p&gt;A single compromised supplier can provide attackers with the foothold they need further up the supply chain. In many cases, it’s not the retailer’s own defences that fail, but those of a partner enjoying data sharing access but with less mature cyber controls. &lt;a href="https://www.bbc.co.uk/news/articles/c93x16zkl9do" target="_blank" rel="noopener"&gt;The fallout of the M&amp;amp;S attack hit sales and profits heavily&lt;/a&gt;, which stands as a stark reminder for any sector that security posture is only as strong as your weakest link.&lt;/p&gt;
 &lt;p&gt;This is where many organisations still fall short. Supplier assurance is often treated as a compliance exercise, focused on periodic questionnaires and tick-box reviews, rather than a continuous, risk-based process. But attackers don’t operate on annual cycles. They exploit gaps in real time.&lt;/p&gt;
 &lt;p&gt;Retailers must move towards ongoing visibility across their supply chain, understanding not just who their partners are, but how they access systems, what data they handle, and where the real points of exposure lie.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="The extended risk to customers"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The extended risk to customers&lt;/h2&gt;
 &lt;p&gt;One of the most persistent misconceptions following a cyber incident is that the risk ends when the breach is contained. In reality, the problems have only just begun. The long road to recovery for retail can cost millions.&lt;/p&gt;
 &lt;p&gt;Attackers rarely stop at initial access: they reuse stolen data, sell it on the dark web, and leverage it to launch highly targeted phishing and social engineering campaigns. Even seemingly low-risk information, such as names, email addresses and phone numbers, can be enough to target customers with convincing scams.&lt;/p&gt;
 &lt;p&gt;This shifts the responsibility for retailers – it is no longer sufficient to simply advise customers to “stay vigilant.” Post-breach, organisations have an extended duty of care. This includes monitoring for downstream threats, communicating clearly and proactively helping customers identify and avoid scams that may arise from the incident. In an environment where trust is fragile, how a retailer supports its customers after a breach can matter just as much as how it prevents one.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="From awareness to secure by design"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;From awareness to secure by design&lt;/h2&gt;
 &lt;p&gt;If the past year has shown anything, it’s that awareness alone is not enough. The industry has spent years talking about cyber risk, now it must &lt;a href="https://www.techtarget.com/whatis/definition/security-by-design" target="_blank" rel="noopener"&gt;embed security into the fabric&lt;/a&gt; of how retail businesses are designed and operated.&lt;/p&gt;
 &lt;p&gt;That starts with the fundamentals that are most often exploited: identity security, access controls, phishing resistance, help desk processes, and full visibility across both cloud and on-premises environments. These are not new challenges, but they’re still a consistent target for a reason - because they are often inconsistently implemented. The introduction of AI to streamline operational processes has opened up new attack vectors that need to be understood and mitigated.&lt;/p&gt;
 &lt;p&gt;Beyond that, organisations need a clear understanding of their most critical data and services. Where is sensitive information stored? Who can access it? What would the operational and customer impact be if it were exposed or unavailable?&lt;/p&gt;
 &lt;p&gt;Crucially, resilience must be built over time and in depth. Every incident, near miss, or attempted intrusion should strengthen defences by feeding into better detection, faster response and more effective prevention. Security is not a fixed state; it is a continuous process of learning and adaptation.&lt;/p&gt;
 &lt;p&gt;And preparation cannot be theoretical; retailers must simulate incidents, test response plans, run exercises, and verify that backups actually work, to build the essential muscle memory within teams. Being ready for how you respond is often the difference between weeks and months of recovery time.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="A cultural shift at the top"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A cultural shift at the top&lt;/h2&gt;
 &lt;p&gt;Technology alone will not solve this challenge; real progress requires a shift in accountability and culture.&lt;/p&gt;
 &lt;p&gt;Training employees to recognise phishing attempts and follow best practices is essential, but it is not sufficient. Cyber readiness must be owned at the highest levels of the organisation.&lt;/p&gt;
 &lt;p&gt;If cyber risk is business risk, then it should be treated with the same rigour as financial performance. Boards should be measured not just on growth and profitability, but on their preparedness to withstand and respond to cyber incidents. Regulators are increasingly placing the responsibility for cyber incidents on CEOs and boardrooms. This means leaders need to ask more challenging questions, demand clearer visibility and ensure that cyber resilience is embedded into strategic decision-making.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Redesigning retail for disruption"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Redesigning retail for disruption&lt;/h2&gt;
 &lt;p&gt;One year on from the&amp;nbsp;M&amp;amp;S&amp;nbsp;cyber attack, the lesson is to rethink how retail organisations operate in an environment where disruption is inevitable. The future of cyber security lies in anticipation, where businesses are building secure-by-design operations that assume compromise, minimise impact, and recover quickly without losing customer trust.&lt;/p&gt;
 &lt;p&gt;The retailers that succeed will be those that can take a hit and keep trading, keep communicating, and keep protecting their customers without missing a beat.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Chris Brown is senior vice president and UK and Ireland market leader at &lt;a href="https://www.nccgroup.com/" target="_blank" rel="noopener"&gt;NCC Group.&lt;/a&gt;&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The cyber attack on M&amp;S last year marked a turning point for resilience in the retail sector. One year on, knowing how to avoid the next incident is no longer the priority and being ready for when it happens is key.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/retail-supermarket-vegetables-IrinaSokolovskaya-adobe.jpg</image>
            <link>https://www.computerweekly.com/opinion/MS-one-year-on-turning-anticipation-into-secure-by-design</link>
            <pubDate>Tue, 21 Apr 2026 10:15:00 GMT</pubDate>
            <title>M&amp;S one year on: turning anticipation into secure by design</title>
        </item>
        <item>
            <body>&lt;p&gt;Privacy is not a modern invention; it is part of the human condition of trust, dissent, and intimacy. Every society has developed ways to communicate beyond the reach of power: whispered conversations, sealed letters, coded language.&lt;/p&gt; 
&lt;p&gt;The need to keep secrets is equally important among the powerful – governments, more so than individuals, have jealously guarded their own secrets, even as they seek to uncover the secrets of others. What is new is neither the need nor desire for private communication but the current power of the observer.&lt;/p&gt; 
&lt;p&gt;We now live in what some have termed a “golden age of &lt;a href="https://www.computerweekly.com/news/366636284/Top-10-surveillance-journalism-and-encryption-stories-of-2025"&gt;surveillance&lt;/a&gt;,” in which governments, &lt;a href="https://www.computerweekly.com/feature/Facebooks-privacy-U-turn-how-Zuckerberg-backtracked-on-promises-to-protect-personal-data"&gt;corporations&lt;/a&gt;, and &lt;a href="https://www.computerweekly.com/news/366637759/Saudi-Arabia-ordered-to-pay-3m-to-UK-dissident-targeted-with-Pegasus-spyware"&gt;adversaries&lt;/a&gt; possess the technical capability to monitor human interaction at unprecedented scale. In this era of pervasive digital connectivity, most digital interactions leave a permanent, searchable trace, and the need to protect sensitive information has become critical.&lt;/p&gt; 
&lt;p&gt;End-to-end encryption (E2EE) is therefore not a technical abstraction or ideological indulgence; it is the most effective defence against unauthorized access to private communications in a fully networked world. As digital communication continues to evolve, the risks of interception scale with it.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why E2EE matters"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why E2EE matters&lt;/h2&gt;
 &lt;p&gt;E2EE preserves data confidentiality by masking data from unauthorised users and ensuring that only the intended recipients, with a decryption key, can access the data. Using cryptography, E2EE transforms readable plaintext into unreadable ciphertext on the sender’s device, keeps it encrypted during transmission, and decrypts it back into its original form only when it reaches its destination and is decoded with the correct key. It is widely used by governments and corporations and is becoming increasingly common among individual users, reflecting its status as the prevailing standard for data security and privacy.&lt;/p&gt;
 &lt;p&gt;The most common use of E2EE is for secure communications on mobile and &lt;a href="https://www.computerweekly.com/news/366633894/European-governments-opt-for-open-source-alternatives-to-Big-Tech-encrypted-communications"&gt;online messaging services&lt;/a&gt;. It is also widely used by &lt;a href="https://www.techtarget.com/searchsecurity/tip/Are-password-managers-safe-for-enterprise-use"&gt;password managers&lt;/a&gt; to protect users’ passwords; for data storage purposes to ensure that data is protected when it is stored and when it is transmitted between devices or to the cloud; and for &lt;a href="https://www.techtarget.com/searchsecurity/tip/8-secure-file-transfer-services-for-the-enterprise"&gt;file-sharing&lt;/a&gt; purposes, including peer-to-peer file sharing, &lt;a href="https://www.techtarget.com/searchstorage/tip/Ways-to-ensure-regulatory-compliance-in-cloud-storage"&gt;encrypted cloud storage&lt;/a&gt;, and specialised file transfer services.&lt;/p&gt;
 &lt;p&gt;Using E2EE means that no one else, including the service provider facilitating the communications, has access to the unencrypted data without consent. If it were to be intercepted, the data would appear to third parties as random, unintelligible characters.&lt;/p&gt;
 &lt;p&gt;As the service provider facilitating the communications does not have access to the unencrypted data due to E2EE, it is unable to provide it to any third party. That includes governments and &lt;a href="https://www.computerweekly.com/news/366618230/Europol-seeks-evidence-of-encryption-on-crime-enforcement-as-it-steps-up-pressure-on-Big-Tech"&gt;law enforcement agencies that criticize E2EE as an obstacle to investigations&lt;/a&gt; while at the same time relying on and demanding the strongest available encryption to protect their own systems. Thus, the debate over E2EE is not about balancing privacy and security. It is about whether governments can demand systemic insecurity while insisting on absolute security for themselves.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="The risks of 'exceptional access'"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The risks of 'exceptional access'&lt;/h2&gt;
 &lt;p&gt;“&lt;a href="https://www.computerweekly.com/news/366640462/Technology-accelerating-crime-boosts-case-for-national-police-service-says-NCA-chief"&gt;Exceptional access&lt;/a&gt;” is the term used to describe the mechanism for enabling government access to encrypted communications. Different governments take different approaches to the methods they use to seek exceptional access. While the intentions behind exceptional access may be noble, facilitating such mechanisms in E2EE communications can create more problems than it seeks to solve.&lt;/p&gt;
 &lt;p&gt;The creation of government-mandated security vulnerabilities, commonly known as &lt;a href="https://www.computerweekly.com/news/366632159/Home-Office-issues-new-back-door-order-over-Apple-encryption"&gt;backdoors&lt;/a&gt;, into E2EE services jeopardizes the security and privacy of global communications. Once a backdoor is built, no one can guarantee that only the authorised third party will have access to it. &lt;a href="https://www.computerweekly.com/news/366619614/Apple-withdraws-encrypted-iCloud-storage-from-UK-after-government-demands-back-door-access"&gt;Malicious actors will try to use such backdoors&lt;/a&gt; to enter and decrypt communications that are intended to be secure on the endpoints and only accessible to the sender and recipients. It is for this reason that the &lt;a href="https://www.computerweekly.com/news/366619614/Apple-withdraws-encrypted-iCloud-storage-from-UK-after-government-demands-back-door-access"&gt;world’s leading providers have avowed publicly never to do so&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Third-party exceptional access mechanisms in which a copy of a user’s decryption keys is held by a “trusted” third party for potential future use by the government are at present fraught with insurmountable technological and security issues. Industry, backed by the vast majority of relevant experts, is saying that it’s simply not possible to have E2EE where a third party holds a key. It defeats E2EE’s central premise and is a deliberate breach of the security guarantee that E2EE provides.&lt;/p&gt;
 &lt;p&gt;Any kind of repository where providers are forced to store the keys would become a treasure trove of a target for attackers – especially so for sophisticated state actors who, as we have repeatedly seen, are adept at breaking into worldwide telecommunications networks and critical infrastructure.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Why encryption is not an existential threat to law enforcement"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why encryption is not an existential threat to law enforcement&lt;/h2&gt;
 &lt;p&gt;In any event, governments have for decades warned of the existential threat posed by encryption and of the grim possibility of “going dark.” But they have not gone dark, and there exist other means by which governments can get valuable data. Metadata remains available. Enhanced investigative means and other investigative tools are ever evolving and becoming more sophisticated.&lt;/p&gt;
 &lt;p&gt;Governments should be careful about what they wish for. In seeking to fetter E2EE, they may drive the very actors whose data they most need away from mainstream providers, most of whom have long-standing collaborative relationships with law enforcement. In doing so, they will lose the ability to gain the data they can still obtain notwithstanding the use of E2EE – or, worse, they will undermine the very technology on which they also rely.&lt;/p&gt;
 &lt;p&gt;At this stage of technological development, there exists no meaningful way to grant governments “exceptional access” to encrypted communications without deliberately engineering systemic vulnerability into the digital infrastructure on which billions of people, institutions, and governments themselves depend.&lt;/p&gt;
 &lt;p&gt;Once such vulnerabilities exist, they cannot be confined to the well-intentioned or the lawful; they become available to hostile states, criminal actors, and anyone capable of exploiting them. The consensus among technologists and security experts is unequivocal: E2EE either works for everyone, or it is broken for everyone. Governments may continue to warn of impending darkness, but the greater danger lies in demanding insecurity by design – an outcome that would fundamentally undermine trust, resilience, and the security of the global communications ecosystem.&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Governments may continue to look for ways to restrict end-to-end encryption, but the greater danger lies in demanding insecurity by design that would undermine trust, resilience, and the security of the global communications ecosystem.</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Security-data-protection.jpg</image>
            <link>https://www.computerweekly.com/opinion/Privacy-power-and-encryption-Why-end-to-end-security-matters</link>
            <pubDate>Mon, 20 Apr 2026 05:50:00 GMT</pubDate>
            <title>Privacy, power, and encryption: why end-to-end security matters</title>
        </item>
        <item>
            <body>&lt;p&gt;A recent Computer Weekly article posed a question that has hung over UK government technology for decades: &lt;a href="https://www.computerweekly.com/news/366640072/The-UK-governments-digital-identity-scheme-Dystopian-nightmare-or-modernised-public-services"&gt;is digital identity a dystopian nightmare&lt;/a&gt; or the route to modernised public services?&lt;/p&gt; 
&lt;p&gt;The article invoked the Rashomon Effect - the idea that we're all watching the same policy from different angles and nobody can agree on what's actually happening.&lt;/p&gt; 
&lt;p&gt;It was right. But there's a way to stop arguing about the ending and start writing it with evidence. Trial digital identity somewhere first, applying the government’s mantra of “&lt;a href="https://www.computerweekly.com/news/366617000/Government-launches-100m-innovation-fund-for-public-service-reform"&gt;test and learn&lt;/a&gt;”.&lt;/p&gt; 
&lt;p&gt;Not in a Whitehall sandbox. Not in a PowerPoint simulation. In a real place, with real people, where you can measure what happens and, crucially, what doesn't.&lt;/p&gt; 
&lt;p&gt;The Isle of Wight is that place.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="The problem with national rollout"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The problem with national rollout&lt;/h2&gt;
 &lt;p&gt;When Darren Jones, the &lt;a href="https://www.computerweekly.com/news/366633478/Cabinet-Office-pinches-digital-ID-responsibility-from-GDS"&gt;Cabinet Office minister in charge of digital identity policy&lt;/a&gt;, launched the government's &lt;a href="https://www.computerweekly.com/news/366639956/Whitehall-launches-digital-ID-consultation"&gt;digital ID consultation&lt;/a&gt; on 10 March, he promised the public could interact with government services as easily as streaming on Netflix.&lt;/p&gt;
 &lt;p&gt;It's a fine ambition. But the consultation also revealed a familiar pattern - policy designed in Westminster, debated in the abstract, and destined to be rolled out nationally before anyone knows whether it works.&lt;/p&gt;
 &lt;p&gt;We've been here before. &lt;a href="https://www.computerweekly.com/news/252498143/Government-bids-final-goodbye-to-Govuk-Verify"&gt;Gov.uk Verify&lt;/a&gt; launched in 2013 as the answer to digital identity. It was buried a few years later having consumed £220m and &lt;a href="https://www.computerweekly.com/blog/Computer-Weekly-Editors-Blog/Zombified-Govuk-Verify-is-officially-dead-so-whats-next"&gt;delivered precious little&lt;/a&gt;. The political scars from that failure, and from Tony Blair's ID card debacle before it, are exactly why three million people signed a petition against the current proposals before the consultation even opened.&lt;/p&gt;
 &lt;p&gt;The government says it has learned. The app will be built in-house by the Government Digital Service. There will be no central database. The National Cyber Security Centre will be involved from the start. The legislation will enshrine its voluntary nature. These are sensible commitments. But they're still promises, not proof.&lt;/p&gt;
 &lt;p&gt;What if there were a way to turn those promises into evidence?&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="A controlled environment for a contested policy"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A controlled environment for a contested policy&lt;/h2&gt;
 &lt;p&gt;The Isle of Wight provides an ideal controlled environment. It functions as a naturally closed system. It is surrounded by water, connected to the mainland by three ferry gateways where every person, vehicle, and item of freight can be tracked. It has one local authority, a defined NHS footprint, and a population of 140,000 - large enough to be statistically meaningful, small enough to manage.&lt;/p&gt;
 &lt;p&gt;For a policy as sensitive as digital identity, this matters enormously.&lt;/p&gt;
 &lt;p&gt;The critics worry about function creep, about a surveillance infrastructure being built by stealth, about data leaking to law enforcement or foreign tech companies. The supporters argue it will save billions and transform public services. Both sides are speculating, because neither has evidence. A controlled trial on the island would generate that evidence for the first time.&lt;/p&gt;
 &lt;p&gt;It would also help clarify the role of private and public sectors. There’s a growing marketplace of digital identity service providers certified against the government’s statutory digital verification services trust framework. Some providers already offer high assurance services such as digital right to work checks. Working through the question of what the public sector should do and what the private sector should do will be key to avoiding the problems of earlier failed initiatives like Gov.uk Verify.&lt;/p&gt;
 &lt;p&gt;Imagine a voluntary digital ID pilot on the Isle of Wight. Residents who opt in could choose from a range of certified digital ID providers, including the &lt;a href="https://www.computerweekly.com/news/366618312/Government-to-launch-Govuk-Wallet"&gt;Gov.uk Wallet&lt;/a&gt; prototype, to access local health services through the Island's NHS Trust, renew ferry-related travel passes, verify their identity for benefits, or interact with the council.&lt;/p&gt;
 &lt;p&gt;Every transaction would be measurable. Adoption rates, drop-off points, accessibility barriers, security incidents, public sentiment, all captured in a bounded environment where the data isn't contaminated by a thousand confounding variables.&lt;/p&gt;
 &lt;p&gt;If it works, the government has proof, not rhetoric, to take to the sceptics. If it doesn't, it has failed cheaply and learned before committing the nation to a multibillion-pound programme.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="More than digital ID"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;More than digital ID&lt;/h2&gt;
 &lt;p&gt;This is not just about one application. The Isle of Wight's value as a policy testbed extends well beyond digital identity, although digital ID makes for the most compelling starting point precisely because it is so contested.&lt;/p&gt;
 &lt;p&gt;The island's demographics are roughly 15 years ahead of the UK average on the ageing curve. What happens there with healthcare, social care, and pension-age employment is a preview of what the rest of Britain will face by 2040. The island already carries an invisible surcharge on the cost of living or an "island tax" driven by ferry costs that inflates the price of everything from groceries to building materials, making it an ideal environment for trialling cost-of-living interventions, even more so in the light of the war in Iran.&lt;/p&gt;
 &lt;p&gt;A cross-departmental policy testbed on the Isle of Wight could trial fare caps and public-utility ferry models for the Department for Transport; a revised Index of Multiple Deprivation formula that accounts for geographic isolation for the Treasury; AI-driven remote diagnostics for the Department of Health; mobility credits for the Department for Work and Pensions; and teacher recruitment incentives for the Department for Education. All running simultaneously, all measurable, all in a single bounded geography.&lt;/p&gt;
 &lt;p&gt;Layered on top, a digital twin of the island, fed by real-time data from the ferry gateways and local services, could allow policymakers to model interventions before they go live. The digital ID infrastructure becomes the connective tissue - the secure front door through which residents access trials and through which the government collects the data it needs to evaluate outcomes.&lt;/p&gt;
 &lt;p&gt;This is what Jones' ambition of "government by app" looks like when you actually test it before you ship it, in exactly the same way that clinical trials are used in the pharmaceutical industry.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="The political opportunity"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The political opportunity&lt;/h2&gt;
 &lt;p&gt;Computer Weekly’s article ended by handing the decision to the public. That's fair. But the public is being asked to choose between two hypothetical futures with no evidence for either. That isn't informed consent, it's a leap of faith.&lt;/p&gt;
 &lt;p&gt;A live trial on the Isle of Wight changes the terms of the debate entirely. It moves digital identity from political football to policy experiment. It gives the government something it has never had with digital ID - a proof of concept in the real world, with real people, generating real data.&lt;/p&gt;
 &lt;p&gt;The consultation is open. A people's panel is being assembled. But consultations collect opinions. Trials collect evidence. If the government is serious about building public trust in digital identity, it should do both and the Isle of Wight is the obvious place to start.&lt;/p&gt;
 &lt;p&gt;The island has spent decades being treated as a problem to be solved. It's time to recognise it as the country's most valuable policy asset.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;James Findlay is a former CTO/CIO in the UK government. He is the author of the Isle of Wight Living Lab proposal, which advocates for the island's designation as a Special Policy Zone for cross-departmental government trials.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Jerry Fishenden is a seasoned CTO/CIO and author of &lt;a href="https://www.amazon.co.uk/dp/B0F2MXPSM5"&gt;Fracture: The collision between technology and democracy - and how we fix it.&lt;/a&gt;&lt;/i&gt;&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about the government's digital identity scheme&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366637124/What-will-happen-with-Starmers-digital-ID-scheme-in-2026"&gt;What will happen with Starmer’s digital ID scheme in 2026?&lt;/a&gt; Last year, the UK government announced ambitious plans for a national digital identity scheme, but will 2026 lead to more disenchantment or new excitement?&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366636254/MPs-maul-digital-ID-plans-in-parliamentary-debate"&gt;MPs maul digital ID plans in Parliamentary debate&lt;/a&gt; - MPs brand the government’s digital ID plans ‘un-British’ and ‘an attack on civil liberties’ during debate on the controversial policy.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/opinion/How-digital-identity-will-empower-people-and-drive-economic-growth"&gt;How digital identity will empower people and drive economic growth&lt;/a&gt; - The government has finally plotted out the future of digital identity in the UK in a way that makes sense for private sector, public sector, and citizens. Now let's make it happen.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>As heated debate rises around the UK government's plans for a national digital identity scheme - why not try it out to see if it works, in a well-defined, real-life environment with real people involved?</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Isle-of-Wight-England-2-adobe.jpg</image>
            <link>https://www.computerweekly.com/opinion/Dont-debate-digital-ID-trial-it-the-Isle-of-Wight-could-settle-the-argument</link>
            <pubDate>Mon, 20 Apr 2026 04:00:00 GMT</pubDate>
            <title>Don't debate digital ID, trial it - the Isle of Wight could settle the argument</title>
        </item>
        <item>
            <body>&lt;p&gt;The US &lt;a href="https://www.nist.gov/" target="_blank" rel="noopener"&gt;National Institute for Standards and Technology&lt;/a&gt; (NIST) is in the process of changing the way it handles common vulnerabilities and exposures (CVEs) listed in the &lt;a href="https://nvd.nist.gov/" target="_blank" rel="noopener"&gt;National Vulnerability Database&lt;/a&gt; (NVD) in the face of a rapidly changing threat environment.&lt;/p&gt; 
&lt;p&gt;Previously, the NVD programme aimed to analyse all &lt;a href="https://www.techtarget.com/searchsecurity/definition/Common-Vulnerabilities-and-Exposures-CVE" target="_blank" rel="noopener"&gt;CVEs&lt;/a&gt; received, adding details such as severity scores and affected product lists to help cyber teams prioritise and mitigate relevant vulnerabilities. It terms this process “enrichment”.&lt;/p&gt; 
&lt;p&gt;However, going forward, it will enrich only those CVEs that meet a predefined set of criteria – those flaws that don’t meet this bar will still be listed but will be marked as lower priority issues.&lt;/p&gt; 
&lt;p&gt;“This change is driven by &lt;a href="https://www.computerweekly.com/news/366638949/CVE-volumes-may-plausibly-reach-100000-this-year" target="_blank" rel="noopener"&gt;a surge in CVE submissions&lt;/a&gt;, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” NIST said in a statement.&lt;/p&gt; 
&lt;p&gt;“We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 – 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions. Therefore, we are instituting a new approach.”&lt;/p&gt; 
&lt;p&gt;The authority hopes that these changes will enable it to stabilise its programme and buy some time to help it develop new automated systems and workflow enhancements.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="From comprehensive to selective CVE enrichment"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;From comprehensive to selective CVE enrichment&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://nvd.nist.gov/general/cve-process" target="_blank" rel="noopener"&gt;The new criteria&lt;/a&gt; came into effect on Wednesday 15 April, with the following CVEs prioritised:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Those that the US government’s Cybersecurity and Infrastructure Security Agency (Cisa) has added to its &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" target="_blank" rel="noopener"&gt;Known Exploited Vulnerabilities&lt;/a&gt; (Kev) catalogue;&lt;/li&gt; 
  &lt;li&gt;Those appearing in software used within the US government;&lt;/li&gt; 
  &lt;li&gt;Those for critical software &lt;a href="https://www.nist.gov/system/files/documents/2026/04/15/EO%2014028%20Critical%20FINAL.pdf" target="_blank" rel="noopener"&gt;as defined by president Biden’s Executive Order 14028&lt;/a&gt;, issued in October 2021.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritised categories,” said NIST.&lt;/p&gt;
 &lt;p&gt;The organisation acknowledged that the new criteria may not catch every potentially high-impact flaw, so users will be able to request reviews of lower priority CVEs for enrichment.&lt;/p&gt;
 &lt;p&gt;At the same time, NIST will no longer routinely provide a separate severity score for CVEs that have already been assigned one by the CVE Numbering Authority – firms such as Microsoft, etc – that submitted it. It said this was an effort to reduce duplication of effort and better focus its resources, although users are also able to request reviews of specific CVEs if wanted.&lt;/p&gt;
 &lt;p&gt;NIST is also changing how it goes about reanalysing enriched CVEs that have been modified after enrichment. Previously, it had reanalysed all modified flaws, but it will now only do so if it becomes aware of a modification that materially impacts its enrichment data. Again, a user-requested review system will be put in place.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Tackling the backlog of unenriched CVEs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Tackling the backlog of unenriched CVEs&lt;/h2&gt;
 &lt;p&gt;In relation to a significant backlog of unenriched CVEs that started to develop two years ago, NIST stated that it has not been able to clear this down, and so all backlogged CVEs with an NVD publish date before 1 March 2026 will be moved into the “Not Scheduled” category. CVEs falling into this bucket will be considered for enrichment provided they meet the new prioritisation criteria.&lt;/p&gt;
 &lt;p&gt;Finally, NIST is updating CVE status labels and descriptions, and making changes to the NVD Dashboard to accurately report these.&lt;/p&gt;
 &lt;p&gt;The organisation said it was making big changes that would affect everyday users; however, it reiterated that adopting a risk-based approach was necessary to manage the surge in submissions and buy it time to build new systems that will ensure the sustainability of its offering going forward.&lt;/p&gt;
 &lt;p&gt;Danis Calderone, principal and chief technology officer at &lt;a href="https://suzulabs.com/" target="_blank" rel="noopener"&gt;Suzu Labs&lt;/a&gt;, said NIST had probably taken the right decision.&lt;/p&gt;
 &lt;p&gt;“An overhaul was certainly needed and probably inevitable given the volume of new CVE submissions, and we suspect that AI-assisted discovery is probably already pushing that number higher. After all, &lt;a href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server"&gt;Microsoft just had its second-largest Patch Tuesday ever&lt;/a&gt;, and even ZDI says their incoming submissions have tripled thanks to AI tools,” said Calderone.&lt;/p&gt;
 &lt;p&gt;“We are excited to see NIST making Kev the top priority tier. That is the right call and something we’ve been doing with our clients for some time now, so we’re very happy to see that becoming the official model.”&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Concerns about scoring gaps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Concerns about scoring gaps&lt;/h2&gt;
 &lt;p&gt;However, Calderone criticised some perceived gaps in NIST’s new methodology, specifically the ending of CVE scoring when the submitting authority has already scored it.&lt;/p&gt;
 &lt;p&gt;“That sounds efficient until you remember that the submitting authority is often the vendor, and vendors don’t always get their own bugs right,” he said. “We just went through this with F5. A recent BIG-IP vulnerability was scored 8.7 HIGH as a denial-of-service issue for five months before it got reclassified as a 9.8 RCE. For organisations using CVSS to drive patching priority, that miscategorisation meant the real risk sat in the wrong queue for five months while attackers were already exploiting it.”&lt;/p&gt;
 &lt;p&gt;He added: “The other thing missing here is that NIST addressed the processing volume problem but didn’t touch the scoring methodology. CVSS still scores vulnerabilities in isolation. It doesn’t model chainability, where an attacker combines a medium-severity information disclosure with a medium-severity privilege escalation and ends up with critical impact. Neither bug scores as urgent on its own, but together they give you full system compromise.”&lt;/p&gt;
 &lt;p&gt;Calderone said that for security leaders who have relied on NVD as their go-to for vulnerability context, the time was nigh to build their own prioritisation stack. This could incorporate data from Cisa’s Kev catalogue, &lt;a href="https://www.first.org/epss/" target="_blank" rel="noopener"&gt;Exploit Prediction Scoring System&lt;/a&gt; (EPSS) information, and their organisation’s own environmental context.&lt;/p&gt;
 &lt;p&gt;“The days of waiting for NIST to tell you what matters are over,” he remarked.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about patching and vulnerability mitigation&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;Artificial intelligence supplier Anthropic promises UK banks the opportunity to review its Mythos AI model, which has already revealed &lt;a href="https://www.computerweekly.com/news/366641763/Bank-cyber-teams-on-red-alert-as-Anthropic-promises-them-Mythos-next-week" target="_blank" rel="noopener"&gt;thousands of security flaws&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Microsoft’s latest Patch Tuesday update may be one of the largest in history, &lt;a href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server" target="_blank" rel="noopener"&gt;with more than 160 issues in scope&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;These 12 tools approach patching from different perspectives. Understanding their various approaches &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/12-best-patch-management-software-and-tools" target="_blank" rel="noopener"&gt;can help you find the right product for your needs&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>NIST announces big changes to the way it categorises and manages CVEs, which are set to have a big impact on how organisations manage patching and remediation</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/priorities-brainstorming-anaylse-plan-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366641916/Surging-CVE-disclosures-force-NIST-to-shake-up-workflows</link>
            <pubDate>Fri, 17 Apr 2026 15:19:00 GMT</pubDate>
            <title>Surging CVE disclosures force NIST to shake up workflows</title>
        </item>
        <item>
            <body>&lt;p&gt;A North Korean social engineering campaign targeting MacOS users tricked its victims into manually executing malicious files by impersonating a software update and led to the theft of credentials, crypto assets and personal data, &lt;a href="https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/" target="_blank" rel="noopener"&gt;according to Microsoft’s Threat Intelligence unit, MSTIC&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;In a report published this week, MSTIC exposed the campaign – run by a threat actor tracked as &lt;a href="https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/#who-is-sapphire-sleet"&gt;Sapphire Sleet&lt;/a&gt; – which highlights how convincing user prompts and trusted system tools remain highly valuable to attackers of all stripes.&lt;/p&gt;
&lt;p&gt;This particular campaign, said MSTIC, demonstrated some new combinations of MacOS-focused techniques that, though not novel in and of themselves, come as something of a surprise from a threat actor like Sapphire Sleet.&lt;/p&gt; 
&lt;p&gt;MSTIC explained how the group is now shifting attack execution away from the exploitation of software vulnerabilities and &lt;a href="https://www.techtarget.com/searchsecurity/definition/social-engineering" target="_blank" rel="noopener"&gt;into a “user-initiated” context&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Crucially for Sapphire Sleet, this enables its attack chain to move ahead beyond the oversight of MacOS’s onboard protections, such as Transparency, Consent and Control (TCC), Gatekeeper, quarantine enforcement, and notarisation checks.&lt;/p&gt; 
&lt;p&gt;“Sapphire Sleet achieves a highly reliable infection chain that lowers operational friction and increases the likelihood of successful compromise – posing an elevated risk to organisations and individuals involved in cryptocurrency, digital assets, finance and similar high‑value targets that Sapphire Sleet is known to target,” said the MSTIC team.&lt;/p&gt; 
&lt;p&gt;“After discovering the threat, Microsoft shared details of this activity with Apple as part of our responsible disclosure process.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="A danger to financial services"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A danger to financial services&lt;/h2&gt;
 &lt;p&gt;Backed by the isolated, reclusive and destitute regime in Pyongyang, Sapphire Sleet has been operational since about March 2020, and is suspected to have links to &lt;a href="https://www.techtarget.com/searchsecurity/news/366619872/FBI-Lazarus-Group-behind-15-billion-ByBit-heist" target="_blank" rel="noopener"&gt;the rather more notorious Lazarus operation&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;According to MSTIC, it specialises in targeting the financial services sector, including venture capital firms and organisations involved in blockchain and cryptocurrency. Its prime motivation is to loot its victims’ crypto wallets to generate revenue for its paymasters, and to steal intellectual property (IP) and tech secrets related to blockchain and crypto trading.&lt;/p&gt;
 &lt;p&gt;Sapphire Sleet is a North Korean state actor active since at least March 2020 that primarily targets the finance sector, including cryptocurrency, venture capital and blockchain organisations. The primary motivation of this actor is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms.&lt;/p&gt;
 &lt;p&gt;In this campaign, its playbook saw the group run fake recruitment profiles on professional networking and social media sites, through which selected targets were roped into conversations about job opportunities. “Successful” candidates were then invited to a technical interview during which they were directed to install Sapphire Sleet’s malware, disguised as a software developer kit (SDK) update for the Zoom videoconferencing tool.&lt;/p&gt;
 &lt;p&gt;The file, &lt;i&gt;Zoom SDK Update.scpt&lt;/i&gt;, was a compiled AppleScript that opened by default in MacOS Script Editor, a trusted Apple application that can execute arbitrary shell commands. Victims were lulled into a false sense of security with large blocks of decoy upgrade instructions that mimicked a routine software update. Beneath this text, thousands of blank lines were inserted to push the malicious script beyond the immediately scrollable view – a crude but effective technique.&lt;/p&gt;
 &lt;p&gt;The script then ran a command to launch a trusted Apple-signed process to reinforce the appearance of a genuine update. Following this, it executed its malicious payload, retrieving threat actor-controlled content via curl, and passing it back to be run. This content also took the form of an AppleScript so that it could again launch in Script Editor to initiate delivery of the final payload – the attack orchestrator – for system reconnaissance and other operations.&lt;/p&gt;
 &lt;p&gt;Data exfiltrated by Sapphire Sleet during these attacks is known to have included Apple notes data, crypto wallet data, browser data and keychain information, and Telegram credentials and session data, among other things.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Next steps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Next steps&lt;/h2&gt;
 &lt;p&gt;Behind the scenes, Apple has already implemented platform-level protections to detect and block Sapphire Sleet’s infrastructure and malware, and deployed browsing protections in Safari. It has also issued new signatures to detect and block the malware associated with the campaign, which should already have been received by devices running MacOS.&lt;/p&gt;
 &lt;p&gt;MSTIC advised that organisations that may be at risk of falling victim to this – or similar – campaigns should conduct user education on threats emanating from social media and external platforms, especially outreach that seems to require they download software or virtual meeting tools, or execute terminal commands.&lt;/p&gt;
 &lt;p&gt;Security teams may also wish to consider blocking or restricting the execution of compiled AppleScript files and unsigned Mach-O binaries downloaded from the internet. Any such files downloaded from external sources should of course be rigorously inspected and verified. It may also be wise to limit or at least audit the use of curl, particularly when piped to interpreters.&lt;/p&gt;
 &lt;p&gt;Defenders should also monitor for unauthorised modifications to the MacOS TCC database, a feature of this campaign, and audit LaunchDaemon and LaunchAgent installations.&lt;/p&gt;
 &lt;p&gt;MSTIC also advised organisations and users to be cautious when copying and pasting sensitive data related to cryptocurrency, such as wallet addresses or credentials, to check and verify the pasted content matches the intended source, and to protect crypto wallets and rotate any browser-stored credentials.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about social engineering&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;NCSC advises on countermeasures for high-risk individuals over phishing attacks on encrypted messaging services, &lt;a href="https://www.computerweekly.com/news/366641058/NCSC-warns-high-risk-individuals-of-Signal-and-WhatsApp-social-engineering-attacks" target="_blank" rel="noopener"&gt;such as Signal, WhatsApp and Facebook Messenger.&lt;/a&gt;&lt;/li&gt; 
    &lt;li&gt;Computer Weekly gets under the skin of an ongoing wave of ShinyHunters cyber attacks orchestrated via social engineering &lt;a href="https://www.computerweekly.com/feature/ShinyHunters-Salesforce-cyber-attacks-explained-What-you-need-to-know" target="_blank" rel="noopener"&gt;against Salesforce users&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Organisations and employees must both do their part to prevent and avoid social engineering attacks. &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-avoid-and-prevent-social-engineering-attacks" target="_blank" rel="noopener"&gt;A combination of security controls, policies, procedures and training is necessary&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>A MacOS-focused social engineering campaign orchestrated by North Korea-based threat actor Sapphire Sleet has been exposed by Microsoft’s Threat Intelligence Unit</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/cyber-security-network-lock-adobe.jpeg</image>
            <link>https://www.computerweekly.com/news/366641953/North-Korean-social-engineering-campaign-targets-macOS-users</link>
            <pubDate>Fri, 17 Apr 2026 14:13:00 GMT</pubDate>
            <title>North Korean social engineering campaign targets MacOS users</title>
        </item>
        <item>
            <body>&lt;p&gt;After establishing a robotics ecosystem, leading innovators from Norway’s capital are calling for more open access to risk capital so that they can take the next step in advancing technology.&lt;/p&gt; 
&lt;p&gt;When it comes to tech startup success, Norway’s credentials are unique when compared to counterparts in Stockholm, Copenhagen, Gothenburg or even Helsinki. Over time, Oslo’s strong industrial and maritime traditions have transitioned to focus on business agility and tech disruption.&lt;/p&gt; 
&lt;p&gt;In turn, academic institutions and startup incubators have looked to capture the momentum, fostering a wave of budding entrepreneurs and innovators. The final ingredient to this mix has been an inherent drive to target tech towards societal good.&lt;/p&gt; 
&lt;p&gt;The culmination of all the above, through the lens of robotics, is a host of businesses applying automation to industrial, ethical and social challenges.&lt;/p&gt; 
&lt;p&gt;“The tech culture here is pragmatic,” says &lt;a href="https://www.linkedin.com/in/knut-sandven-31859a3/"&gt;Knut Sandven, CEO and co-founder of Sonair&lt;/a&gt;. “We test things early, we talk to users and we think long-term. It’s a good fit for robotics, which is all about systems integration, reliability and safety.”&lt;/p&gt; 
&lt;p&gt;Sonair fits quite purposefully into the ethical, societal category when it comes to robotics development, with a chief aim of helping robots and humans to coexist more safely.&lt;/p&gt; 
&lt;p&gt;Sandven pinpoints the overarching strengths and weaknesses that shape Oslo’s robotics cohort at present: “The country and city are still underdogs in robotics, for sure. But we punch above our weight in deep tech, especially in sensors, autonomy and embedded systems. Our strength lies in turning complex technologies into practical, industrial-grade solutions.”&lt;/p&gt; 
&lt;p&gt;Another company helping to land that punch – albeit from the other, more industrial angle – is agricultural enabler, Saga Robotics. &lt;a href="https://www.linkedin.com/in/lars-grimstad-841737293/"&gt;CTO and co-founder Lars Grimstad&lt;/a&gt; agrees with Sandven’s summary of this rising sector machine: “The &lt;a href="https://www.techtarget.com/searchenterpriseai/news/366640672/How-simulations-and-digital-twins-are-advancing-robotics"&gt;robotics community&lt;/a&gt; is fairly small, but there are still a lot of cool and innovative companies. Most people here are comfortable around technology, digital skill levels are high and the receptivity across sectors to new solutions suits the Norway-robotics crossover.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Scaling to safety"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Scaling to safety&lt;/h2&gt;
 &lt;p&gt;Sonair was founded in 2022 as a spin-out from cutting-edge research in ultrasound and signal processing. Merging roots from medical and offshore backgrounds, early developments culminated in May 2024 through the launch of the company’s first 3D ultrasonic sensor for mobile robots operating in human environments.&lt;/p&gt;
 &lt;p&gt;“Then, in the summer of 2025, we launched ADAR commercially,” Sandven says. “ADAR is the world’s first compact, soon-to-be-certified 3D safety sensor based on ultrasound in air. It gives robots a new kind of spatial awareness, using sound instead of light, and performs reliably even in complex, unpredictable spaces like warehouses, hospitals or airports.”&lt;/p&gt;
 &lt;p&gt;Again, this blending of industrial application through the safety and reliability lens was a seamless evolution, aided by Norwegian innovation.&lt;/p&gt;
 &lt;p&gt;“ADAR gives robots the ability to see in 3D using sound. It acts like a virtual safety shield, helping machines detect people, objects and obstacles in real time with a wide field of view,” adds Sandven.&lt;/p&gt;
 &lt;p&gt;This matters because robots increasingly operate in public spaces and traditional safety sensors weren’t built for this level of scale.&lt;/p&gt;
 &lt;p&gt;“I’d say robotics is no longer novel, but robot safety at this scale still is,” says Sandven. “There’s a wave of automation coming in warehouses, healthcare and logistics, and safety is the bottleneck. Everyone’s looking for ways to reduce risks without compromising performance. That’s where we come in.”&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="From novel to normal"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;From novel to normal&lt;/h2&gt;
 &lt;p&gt;Alongside warehouses, healthcare and logistics, another identified area for robotic intervention is in &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/AI-examples-that-can-be-used-effectively-in-agriculture"&gt;agriculture&lt;/a&gt;, where Saga Robotics is thriving. Just like Sonair, however, it has been on a journey through other realms and developments to reach this particular application.&lt;/p&gt;
 &lt;p&gt;Grimstad tells Computer Weekly: “We are a spin-out of a research group at the Norwegian University of Life Sciences, just outside Oslo. We started the company in 2016 after working on the technology for a couple of years in academia. Our goal was always to get our robots out to growers, but for the first few years we were mainly making agricultural robots for universities and research institutions, while at the same time working on our core technology.&lt;/p&gt;
 &lt;p&gt;“In 2020, we got investors onboard and started focusing on selling to growers. Today, our autonomous robots operate in strawberry and wine grapes across the UK and US, while Norwegian growers are also very open to the technology.”&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Norway is producing more robotics and autonomy startups than ever before, and with the right global partnerships, we can absolutely lead in this next era
   &lt;/figure&gt;
   &lt;figcaption&gt;
    &lt;strong&gt;Knut Sandven, Sonair&lt;/strong&gt;
   &lt;/figcaption&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;Saga Robotics’ proposition focuses on providing timely, regular UVC light, reducing the need for chemicals during the growing process. The company then shares critical data to inform more strategic business decisions.&lt;/p&gt;
 &lt;p&gt;Grimstad echoes Sandven in detailing the “novel” nature of this kind of application at such a broad scale: “Certainly, on farms it’s novel, but through the past couple of years, it has been taking greater and greater steps towards normal.&lt;/p&gt;
 &lt;p&gt;“Some of our competitors aim to automate the traditional tractor, which can make a lot of sense, but at Saga our focus has been on the new approaches that robotics enable. We have put a lot of effort into making sure the autonomy is robust and uptime is high, and that the fleet is easy to use.”&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="A key node in Europe’s robotics landscape"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A key node in Europe’s robotics landscape&lt;/h2&gt;
 &lt;p&gt;Robotics technologies more generally are becoming more and more innovative each year, making Oslo’s exposure to – and utilisation of – them an inevitability. The acceptance of new tech is there. The desire to channel new tech to both industrial and social uses is there.&lt;/p&gt;
 &lt;p&gt;Perhaps the only element left with room for improvement – and that would take the sector to the next level – is access to capital.&lt;/p&gt;
 &lt;p&gt;Grimstad says: “Access to risk capital and scaling funding isn’t great here. And that’s a shame, because we want to create an environment that will support the cool and &lt;a href="https://www.computerweekly.com/news/366639921/NEURA-Robotics-accelerates-next-generation-physical-AI"&gt;innovative robotics&lt;/a&gt; companies looking to grow.&lt;/p&gt;
 &lt;p&gt;“Agriculture serves as a good example of what can be achieved when the mission and innovation is supported properly. For a decade, self-driving agricultural robots have been said to be ‘about two years away’. Now, they are actually here, generating real value for growers. The market is ready, and there will be countless others like it.”&lt;/p&gt;
 &lt;p&gt;Sandven agrees: “What’s missing is volume – both in terms of capital and market access. But that is changing. Norway is producing more robotics and autonomy startups than ever before, and with the right global partnerships, we can absolutely lead in this next era.&lt;/p&gt;
 &lt;p&gt;“We want to help start a wave of robot builders that move faster, take on bolder use cases and scale safely. In the next three-to-five years, we can then expect Norway to become a key node in Europe’s robotics innovation landscape. Not the largest, but one of the most technically credible.”&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about robotics&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366636818/CES-2026-Qualcomm-expands-IEIoT-portfolio"&gt;CES 2026: Qualcomm expands IE‑IoT portfolio&lt;/a&gt;: Edge AI technology made available for developers, enterprises and OEMs, integrating chipsets, software distribution and tools to scales across verticals.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366639389/DOCOMO-Keio-University-claim-5G-robot-teleoperation-first"&gt;Docomo, Keio University claim 5G robot teleoperation first&lt;/a&gt;: Japan’s leading mobile operator and global research institute for haptics announce what they call world's first stable, high-fidelity robot via commercial 5G using low-latency slicing.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/feature/AI-XR-digital-twins-set-to-transform-robotics"&gt;AI, XR, digital twins set to transform robotics&lt;/a&gt;: The availability of advanced sensors, artificial intelligence, digital twins, XR and robotics has changed technology-driven markets. We look at how the intersection of these technologies will create commercial opportunities.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/feature/AI-and-digital-twins-to-serve-increasingly-complex-robot-management"&gt;AI and digital twins to serve increasingly complex robot management&lt;/a&gt;: Proliferating fleets of robots, diffusion of humanoids, and the emerging robot class of androids will increase complexities of robot management in the future. AI and digital twins will become increasingly important.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>The Norwegian capital’s leading innovators have got the ecosystem up and running, and are now calling for greater access to risk capital to take it to the next level</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/Ai-KI-robot-with-machine-Summit-Art-Creations-Adobe.jpg</image>
            <link>https://www.computerweekly.com/feature/Oslos-robots-arent-yet-taking-over-but-are-already-punching-above-their-weight</link>
            <pubDate>Fri, 17 Apr 2026 08:42:00 GMT</pubDate>
            <title>Oslo’s robots aren’t yet taking over, but are already punching above their weight</title>
        </item>
        <item>
            <body>&lt;p&gt;Artificial intelligence (AI) companies focused on supercomputing and drug discovery are among the first cohort of startups to get money and computing resources from the UK government’s £500m Sovereign AI unit, which was &lt;a href="https://www.computerweekly.com/news/366641682/UK-governments-50m-sovereign-AI-fund-bids-to-commercialise-research"&gt;officially launched on 16 April&lt;/a&gt; at the King’s Cross headquarters of self-driving car company Wayve.&lt;/p&gt; 
&lt;p&gt;The government’s stated intention is that “by backing [startups] early, the UK is keeping expertise, decision making and economic value at home – and reducing reliance on a small number of foreign tech giants for critical AI that matter for our economic prosperity and national security”.&lt;/p&gt; 
&lt;p&gt;Technology secretary Liz Kendall said in support of the fund: “Sovereign AI is unlike anything government has ever done before. Its unique approach will help to break down the barriers that have too often held back British enterprise and innovation. This is how we ensure Britain’s economic prosperity and national security in the modern age.&lt;/p&gt; 
&lt;p&gt;“My message to British founders and innovators is clear – we will ensure you never have to choose between your ambition and your home, because Britain will give you both.”&lt;/p&gt; 
&lt;p&gt;Rachel Reeves, chancellor of the exchequer, said: “We have the right economic plan – backing business so the technologies of the future are invented, built and deployed here in Britain.&lt;/p&gt; 
&lt;p&gt;“A thriving domestic AI sector is one of my three big choices for the economy, and by supporting strategic national champions we can ensure internationally competitive companies start, scale and stay here in Britain.”&lt;/p&gt; 
&lt;p&gt;The Department for Science, Innovation and Technology (DSIT)&amp;nbsp;has said the fund has made its first compute allocations through the &lt;a href="https://www.computerweekly.com/news/366627724/UK-government-plans-to-ramp-up-sovereign-computer-capacity"&gt;AI Research Resource (AIRR)&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;The six recipients are in the fields of biological foundation models, world simulation, sovereign inference infrastructure, agentic AI, engineering biology and AI for national security.&lt;/p&gt; 
&lt;p&gt;Alongside the compute, the fund has agreed Right of First Refusal (ROFR) investment options with some of the recipients, according to DSIT. This is said to create a “pathway from early support to follow-on funding”. The fund will continue, said DSIT, to assess applications for compute said to be worth tens of millions of pounds to British startups over the course of this year.&lt;/p&gt; 
&lt;p&gt;The DSIT statement maintains that the UK has ingredients needed for success: “Top talent, stability, leading institutions, world-class universities and a culture of entrepreneurialism. Sovereign AI is the government betting on Britain to succeed, so our country can shape the AI revolution. This is ultimately how we unlock this technology’s potential for building a stronger and more prosperous society.”&lt;/p&gt; 
&lt;p&gt;It added that the funding unit will operate like a venture capital entity, backed by the state: “It will invest directly in the UK’s most promising AI startups, help them scale quickly, and give them the support they need to compete with the best in the world.”&lt;/p&gt; 
&lt;p&gt;Sovereign AI’s first equity investment will be in an AI infrastructure startup Callosum, while six more startups will get access to supercomputing capacity.&lt;/p&gt; 
&lt;p&gt;Danyal Akarca, founder of Callosum, said: “There’s a fundamental shift underway in how AI systems are built and run. The future of compute is heterogeneous, and making that complexity usable is the next frontier. The UK already understands where this is heading, and with its depth of talent across universities and labs like DeepMind, it is the natural place to build Callosum”, which he described as an “orchestration platform that allows models and chips to work together as one system”.&lt;/p&gt; 
&lt;p&gt;The other companies supported are Prima Mente, Cosine, Cursive, Doubleword, Twig Bio and Odyssey.&lt;/p&gt; 
&lt;p&gt;Ravi Solanki, co-founder of Prima Mente, said: “Our deep research collaborations with Oxford, Imperial and Edinburgh are a testament to the UK’s world-class strength in the life sciences. The combination with world-class compute infrastructure from the Sovereign AI Fund has made the UK the right place to work at the frontier of AI and the life sciences.”&lt;/p&gt; 
&lt;p&gt;Prima Mente is said to use AI to decode the “languages of biology – from DNA sequence to gene expression and epigenetic regulation – to better understand and tackle brain diseases such as Alzheimer’s and Parkinson’s”.&lt;/p&gt; 
&lt;p&gt;Cosine develops advanced models and coding agents for defence, national security and regulated industries where foreign-built AI is inadmissible.&lt;/p&gt; 
&lt;p&gt;The companies supported by the fund are said to benefit from fully funded access to the UK’s largest AI supercomputers, with up to 1 million GPU hours available per startup. Each company getting investment will get visa decisions within a working day, plus access to an initial 10 cost-free visas.&lt;/p&gt; 
&lt;p&gt;They will get “hands-on government support: help navigating access to data, early procurement opportunities, independent product validation and routes into new approaches to regulation”.&lt;/p&gt; 
&lt;p&gt;Sovereign AI is also currently in discussions with around 30 firms over potential AIRR access, according to DSIT.&lt;/p&gt; 
&lt;p&gt;James Wise, a venture capitalist and chair of the Sovereign AI Unit, said: “AI as a technology could be transformational for both our wealth and security. Britain has the foundations to be a global AI leader in many fields, with a unique and enviable mix of talent, capital and infrastructure which make this country the natural home for world-leading innovation. Now, through Sovereign AI, we can use the state’s unique capabilities to double down on these strengths, backing Britain’s founders to scale here in the UK and globally.”&lt;/p&gt; 
&lt;p&gt;Alex Kendall, CEO of &lt;a href="https://cse.google.com/cse?cx=000538068201538516906:yfye0gb_e3i"&gt;Wayve&lt;/a&gt;, said: “As a business that has successfully grown and launched in the UK, we’re thrilled to support the launch of the Sovereign AI Unit, which will help support emerging companies, attract talent and ultimately ensure UK AI champions can compete on the global stage. We’re excited to see the next generation of British AI companies benefit from the funding opportunities available and join us in supporting the UK’s expanding AI ecosystem.”&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about UK government AI and technology ventures&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366641682/UK-governments-50m-sovereign-AI-fund-bids-to-commercialise-research"&gt;UK government’s £500m sovereign AI fund&lt;/a&gt; bids to commercialise research.&lt;/li&gt; 
   &lt;li&gt;The &lt;a href="https://www.computerweekly.com/news/366628066/The-UK-governments-AI-Growth-Zones-strategy-Everything-you-need-to-know"&gt;UK government’s AI growth zones strategy&lt;/a&gt;: Everything you need to know.&lt;/li&gt; 
   &lt;li&gt;Kendall names &lt;a href="https://www.computerweekly.com/news/366638556/Kendall-names-Barnsley-as-UKs-first-tech-town"&gt;Barnsley as UK’s first tech town&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366636163/Google-DeepMind-partners-with-UK-government-to-deliver-AI"&gt;Google DeepMind partners with UK government&lt;/a&gt; to deliver AI.&lt;/li&gt; 
   &lt;li&gt;UK’s AI plan of action &lt;a href="https://www.computerweekly.com/news/366636810/UKs-AI-plan-of-action-needs-to-shift-into-overdrive"&gt;needs to shift into overdrive&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>The UK government’s £500m Sovereign AI fund announces first cohort of startups backed to boost economic growth and national security</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/London-Westminster-Houses-of-Parliament-exflow-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366641874/UKs-Sovereign-AI-supports-supercomputing-and-drug-discovery-AI-startups</link>
            <pubDate>Thu, 16 Apr 2026 13:30:00 GMT</pubDate>
            <title>UK’s Sovereign AI supports supercomputing and drug discovery AI startups</title>
        </item>
        <item>
            <body>&lt;p&gt;The increasingly long-in-the-tooth &lt;a href="https://www.legislation.gov.uk/ukpga/1990/18/contents" target="_blank" rel="noopener"&gt;Computer Misuse Act&lt;/a&gt; (CMA) of 1990 remains an albatross around the neck of British cyber security professionals, and even though the UK government &lt;a href="https://www.computerweekly.com/news/366635624/UK-government-pledges-to-rewrite-Computer-Misuse-Act" target="_blank" rel="noopener"&gt;committed last December&lt;/a&gt; to reforming it, every minute of delay is holding back the nation’s security innovation, resilience, talent and ability to defend itself against cyber attacks, campaigners have warned.&lt;/p&gt; 
&lt;p&gt;Ahead of the National Cyber Security Centre’s (NCSC’s) upcoming &lt;a href="https://www.cyberuk.uk/" target="_blank" rel="noopener"&gt;CyberUK&lt;/a&gt; conference in Glasgow, the &lt;a href="https://www.cyberupcampaign.com/" target="_blank" rel="noopener"&gt;CyberUp Campaign&lt;/a&gt; for reform of the Computer Misuse Act (CMA) has published a report, &lt;i&gt;Protections for cyber researchers: How the UK is being left behind&lt;/i&gt;, to maintain pressure on Westminster.&lt;/p&gt; 
&lt;p&gt;The CMA defines the vague offence of unauthorised access to a computer, which the campaigners want changed because it was written 35 years ago and fails to account for the development of the cyber security profession, and the fact that in the course of their day-to-day work, cyber professionals may sometimes need to hack into other systems.&lt;/p&gt; 
&lt;p&gt;“Cyber attacks are growing in scale, sophistication and severity, with a devastating impact on infrastructure, businesses and charities,” said a CyberUp campaign spokesperson.&lt;/p&gt; 
&lt;p&gt;“While other countries have moved to refresh their cyber laws in response, the UK’s Computer Misuse Act hasn’t been updated since before the modern internet – hardly the best platform for accelerating our defences into the next decade.”&lt;/p&gt; 
&lt;p&gt;The group’s report highlights how other nations – Australia, Belgium, France, Germany, Hong Kong, Malta, Portugal and the US – have already secured legal protections for cyber professionals that enable them to go about their business without fear of prosecution.&lt;/p&gt; 
&lt;p&gt;In Portugal – Britain’s oldest formal ally under a treaty dating back to the 14th century – the government last year published &lt;a target="_blank" href="https://diariodarepublica.pt/dr/detalhe/decreto-lei/125-2025-962603401" rel="noopener"&gt;Decreto-Lei 125/2025&lt;/a&gt;, implementing the European Union (EU) Network and Information Systems (NIS2) Directive and revising the country’s cyber crime law to ensure that ethical hackers and professional cyber security practitioners working in good faith are both recognised and protected.&lt;/p&gt; 
&lt;p&gt;Portugal’s laws now accept that some elements of cyber work may have to happen without explicit permission or involve unanticipated technical overreach that has a legitimate purpose.&lt;/p&gt; 
&lt;p&gt;As such, Portugal says security work undertaken in good faith won’t be punished as long as the researcher fulfils a set of conditions. For example, they can act only to find vulnerabilities, and these must be reported immediately, they must avoid taking harmful actions, like conducting distributed denial of service (DDoS) attacks or installing malware, and they must respect the integrity of any data they may find or access and delete it within 10 days once the issue is addressed.&lt;/p&gt; 
&lt;p&gt;CyberUp said Portugal’s example demonstrates how cyber crime laws can be modernised to legally protect research carried out in the public interest.&lt;/p&gt; 
&lt;p&gt;“Portugal has demonstrated how to modernise their equivalent law through cyber legislation,” the spokesperson said. “We urge the government to follow this example and act swiftly through the Cyber Security and Resilience Bill to achieve meaningful reform, or risk lagging even further behind our peers.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Defence Framework"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Defence Framework&lt;/h2&gt;
 &lt;p&gt;Working with cyber security experts and legal advisors, the CyberUp campaign has developed its own Defence Framework that would allow cyber professionals to present a statutory defence in court as long as they adhere to four core principles:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Harm versus benefit: The benefits of the activity must outweigh the potential harms;&lt;/li&gt; 
  &lt;li&gt;Proportionality: Cyber professionals must take all reasonable steps to minimise the risks of their activity;&lt;/li&gt; 
  &lt;li&gt;Intent: They must act honestly, sincerely and clearly direct themselves towards improving security;&lt;/li&gt; 
  &lt;li&gt;Competence: Their qualifications and professional memberships should demonstrate they are suitably equipped to perform cyber security work.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The campaigners say this framework will bring clarity and confidence to the security sector, enabling cyber professionals to run essential research tasks without fear of criminal prosecution, helping organisations operate to recognised legal standards, and enabling a more open and collaborative relationship between the cyber sector and the UK government.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Timeline: Computer Misuse Act reform&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;strong&gt;January 2020:&lt;/strong&gt;&amp;nbsp;A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252477141/Computer-Misuse-Act-crying-out-for-reform"&gt;needs reforming&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;June 2020:&lt;/strong&gt;&amp;nbsp;The CyberUp coalition writes to Boris Johnson to urge him to reform&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252485276/Out-of-date-security-laws-leave-UK-plc-at-risk-during-pandemic"&gt;the UK’s 30-year-old cyber crime laws&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;November 2020:&lt;/strong&gt;&amp;nbsp;CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252492416/Security-pros-fear-prosecution-under-outdated-UK-laws"&gt;just for doing their jobs&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;May 2021:&lt;/strong&gt;&amp;nbsp;Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252500572/Government-to-reform-Computer-Misuse-Act"&gt;to reflect the changed online world&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;June 2022:&lt;/strong&gt;&amp;nbsp;A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252521716/Lords-move-to-protect-cyber-researchers-from-prosecution" target="_blank" rel="noopener"&gt;in the course of their work&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;August 2022:&lt;/strong&gt;&amp;nbsp;A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252523826/Report-reveals-consensus-around-Computer-Misuse-Act-reform" target="_blank" rel="noopener"&gt;as they explore its reform&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;September 2022:&lt;/strong&gt;&amp;nbsp;The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252524622/Campaigners-call-on-Truss-to-change-UKs-archaic-hacking-laws" target="_blank" rel="noopener"&gt;from potential prosecution&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;January 2023:&lt;/strong&gt;&amp;nbsp;Cyber accreditation association Crest International lends its support to the CyberUp Campaign for&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252529245/Crest-throws-support-behind-CyberUp-CMA-reform-campaign" target="_blank" rel="noopener"&gt;reform to the Computer Misuse Act 1990&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;February 2023:&lt;/strong&gt; Westminster opens a consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/365530632/Campaigners-lament-lack-of-movement-on-Computer-Misuse-Act-reform" target="_blank" rel="noopener"&gt;have been left disappointed&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;March 2023:&lt;/strong&gt;&amp;nbsp;The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard,&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/365533941/Ethical-hackers-urged-to-respond-to-Computer-Misuse-Act-reform-proposals" target="_blank" rel="noopener"&gt;say Bugcrowd’s ethical hackers&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;November 2023:&lt;/strong&gt;&amp;nbsp;A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366558652/Kings-Speech-misses-the-mark-on-cyber-law-reform-says-campaign" target="_blank" rel="noopener"&gt;frustrated by a lack of legislative progress&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;July 2024:&lt;/strong&gt;&amp;nbsp;In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366595211/UK-Cyber-Bill-teases-mandatory-ransomware-reporting" target="_blank" rel="noopener"&gt;and to mandate incident reporting&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;July 2024:&lt;/strong&gt;&amp;nbsp;The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366595211/UK-Cyber-Bill-teases-mandatory-ransomware-reporting"&gt;hinders legitimate work&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;December 2024:&lt;/strong&gt;&amp;nbsp;An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366617262/Computer-Misuse-Act-reform-gains-traction-in-Parliament" target="_blank" rel="noopener"&gt;is to be debated at Westminster&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;December 2024:&lt;/strong&gt;&amp;nbsp;Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366617109/Latest-attempt-to-override-UKs-outdated-hacking-law-stalls"&gt;beyond a Lords committee&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;January 2025:&lt;/strong&gt;&amp;nbsp;Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366618521/Vallance-rejects-latest-charge-to-reform-UK-hacking-laws" target="_blank" rel="noopener"&gt;a loophole for cyber criminals to exploit&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;May 2025:&amp;nbsp;&lt;/strong&gt;Britain’s outdated hacking laws are leaving the UK’s cyber practitioners hamstrung and afraid. Security professional Simon Whittaker reveals how he nearly ran afoul of the Computer Misuse Act,&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366623789/Why-we-must-reform-the-Computer-Misuse-Act-A-cyber-pro-speaks-out"&gt;and why he’s speaking out for reform&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;strong&gt;December 2025: &lt;/strong&gt;Campaigners celebrate as security minister Dan Jarvis commits to amending the outdated Computer Misuse Act &lt;a href="https://www.computerweekly.com/news/366635624/UK-government-pledges-to-rewrite-Computer-Misuse-Act" target="_blank" rel="noopener"&gt;to protect security professionals from prosecution&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>Ahead of next week’s CyberUK conference, the CyberUp Campaign for reform of the UK’s hacking laws urges the government to keep focus and proposes a four-pillar framework that would protect cyber professionals from prosecution</description>
            <image>https://cdn.ttgtmedia.com/rms/German/ethical-hacking-woman-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366641875/CYBERUK-26-UK-lagging-on-legal-protections-for-cyber-pros</link>
            <pubDate>Thu, 16 Apr 2026 12:13:00 GMT</pubDate>
            <title>CyberUK 2026: UK lagging on legal protections for cyber pros</title>
        </item>
        <title>ComputerWeekly.com</title>
        <ttl>60</ttl>
        <webMaster>editor@computerweekly.com</webMaster>
    </channel>
</rss>
