MPs call for UK government to back sovereign IT

Copyright TechTarget - All rights reserved ComputerWeekly’s best articles of the day https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Tue, 16 Jun 2026 14:57:20 GMT https://www.computerweekly.com editor@computerweekly.com <p>MPs are calling on the government to reduce the UK’s dependency on big technology companies amid concerns that the state is over-reliant on overseas suppliers, posing national security and economic risks.</p> <p>An <a href="https://bills.parliament.uk/bills/4035/stages/20525/amendments/10034731">amendment</a> to the <a href="https://bills.parliament.uk/bills/4035">Cyber Security and Resilience Bill</a> (CSRB), backed by 20 MPs, calls for the government to publish a digital security strategy to assess the risks of relying on overseas technology in critical infrastructure.</p> <p>The move comes as the European Commission <a href="https://www.computerweekly.com/news/366643862/EU-unveils-full-stack-sovereignty-package-to-build-Euro-tech-muscle">sets out plans for a programme to build sovereign IT capabilities</a>, including European datacentres and a move to open source software to reduce dependency on US technology suppliers.</p> <p>The amendment, proposed by <a href="https://members.parliament.uk/member/5201/contact">Liberal Democrat MP Victoria Collins</a>, which will be debated today, calls on the British government to publish a “digital sovereignty strategy” that will commit to building technology capabilities in the UK and to reduce dependency on overseas suppliers.</p> <p>The amendment, which covers critical digital and managed service providers, would require the government to set out a strategy to mitigate the risks of foreign interference and the UK’s reliance on foreign suppliers. It also calls for an assessment of the risks associated with hardware, software, supply chains and procurement processes.</p> <p>The MPs argue that a digital sovereignty strategy is necessary to ensure that government departments do not get “locked in” to proprietary technology from big tech companies, making it difficult or impossible for them to change suppliers.</p> <p>The strategy would also support UK jobs, skills and innovation by encouraging <a href="https://www.computerweekly.com/news/366643844/Starmer-announces-sovereign-compute-strategy-amid-11bn-chip-investment">investment in UK technology companies</a> and making it easier for them to win <a href="https://www.computerweekly.com/search">government contracts</a>.</p> <section class="section main-article-chapter" data-menu-title="UK ‘at mercy’ of a handful of US tech companies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>UK ‘at mercy’ of a handful of US tech companies</h2> <p>The amendment follows <a href="https://committees.parliament.uk/committee/135/science-innovation-and-technology-committee/news/214048/mps-warn-that-palantirs-increasing-presence-in-the-uk-public-sector-is-an-unacceptable-point-of-weakness/">warnings from a cross-party group of MPs</a> that the UK public sector is becoming increasingly reliant on a small number of US technology suppliers, including Microsoft, Amazon Web Services and <a href="https://www.computerweekly.com/news/366643883/SIT-Committee-urges-Palantir-exit-in-push-to-end-US-cloud-grip">Palantir</a>.</p> <p>The Science, Innovation and Technology Committee said the UK’s dependence on a small number of providers represented a “clear vulnerability” and left ambitions to digitally transform public services potentially “at the mercy” of foreign actors.</p> <p>Collins has previously raised concerns over the lack of published information in the UK’s <a href="https://assets.publishing.service.gov.uk/media/67b5f85732b2aab18314bbe4/National_Risk_Register_2025.pdf">National Risk Register</a> on the risks posed by foreign states using legal powers, such as sanctions, to disrupt or discontinue critical digital services used by the UK.</p> <p>She was among <a href="https://www.sianberry.org.uk/publications/calling-for-changes-to-the-national-risk-register/">four MPs to write to the Chancellor of the Duchy of Lancaster</a> and the chairs of two influential parliamentary committees in April, urging the government to take steps to ensure the UK’s digital systems would remain resilient in the event of threats or interference by a foreign government.</p> <p>The MPs pressed the government to publish a currently secret analysis of “chronic risks”, including “concentration of risk through dominance of global tech”, the UK’s “reliance on digital platforms and digital services”, and “impacts from the use and capability of artificial intelligence (AI)”.</p> <p>“The UK public debate on digital sovereignty is significantly hampered by the secrecy surrounding the mitigation strategies for the chronic risks mentioned in the National Risk Register,” the MPs wrote.</p> <p>“This contrasts with open discussions and analysis in other European countries. While there may be aspects of the current documents that need to be kept secret, this cannot and must not apply to the whole analysis,” they stated.</p> <p>European states, including France, Germany, Denmark and the Netherlands, have engaged in national debates about the risks of overdependence on overseas technology.</p> <p>France, for example, is moving to <a href="https://www.zdnet.com/article/france-dumps-teams-zoom-digital-sovereignty-replacement/">sovereign open source desktop and collaboration</a> tools for its senior civil servants to reduce risks of surveillance or loss of services. And <a href="https://interoperable-europe.ec.europa.eu/collection/open-source-observatory-osor/news/bwibundeswehr-chooses-open-source-adopting-opendesk">the German armed forces are moving to OpenDesk,</a> an open source alternative to Microsoft Office.</p> <p><a href="https://www.theguardian.com/business/2026/feb/16/uk-bank-bosses-plan-visa-mastercard-alternative">European banks are also taking</a> action to protect themselves against interference from the US by building their own electronic card payment system as an alternative to the US-run Mastercard and Visa networks.</p> <p>The UK Parliament has previously discussed potential risks of relying on Chinese suppliers, including Huawei and Lenovo.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Amendment to the UK Cyber Security and Resilience Bill</h3> <p>The secretary of state must publish a digital sovereignty strategy setting out the government’s plans for maintaining the security and resilience of networks and information systems within 12 months.</p> <p>The strategy will set out the government’s approach to:</p> <ul class="default-list"> <li>Assessing, managing and mitigating the risks of foreign interference.</li> <li>Assessing, managing and mitigating the risk of reliance on foreign-supplied technologies.</li> <li>Building UK capabilities to prevent over-reliance on foreign providers.</li> </ul> <p>The strategy will:</p> <ul class="default-list"> <li>Cover relevant operators of essential services, digital service providers, managed services and critical suppliers as defined by the Security of Network & Information Systems Regulations (NIS Regulations).</li> <li>Assess the risks associated with hardware, software, supply chains and procurement processes.</li> <li>Show how the government intends to reduce strategic dependence on foreign-owned service providers to mitigate the risk of systemic disruption</li> <li>Commit to prioritising technologies developed in the UK to reduce reliance on foreign technologies.</li> <li>State how the government intends to address risks of foreign interference by supporting domestic technology or introducing technology to secure systems.</li> </ul> </div> </div> </section> <section class="section main-article-chapter" data-menu-title="Amendment seeks ambitious approach to UK technology"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Amendment seeks ambitious approach to UK technology</h2> <p>Collins said the aim of the amendment was not to shut the doors to global technological innovation, but for the government to take a “smart, strategic and ambitious approach” to UK technology.</p> <p>“Right now, too much of our critical national infrastructure and too many government services depend on foreign technology and supply chains. This creates real risks, from national security vulnerabilities to economic fragility,” she added.</p> <p>Collins said <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">UK technology companies are being locked out of government procurement in favour of large multinationals</a>.</p> <p>“A proper digital sovereignty strategy would change that: backing UK innovation, reducing the UK’s dependencies, and ensuring the UK is a world leader in the technologies that will define the next decade,” she added.</p> <p>The Open Rights Group (ORG), a campaign group for digital rights and privacy, which supports the amendment, said the <a href="https://www.computerweekly.com/news/366641487/UK-reliance-on-US-big-tech-companies-is-national-security-risk-claims-report">UK’s reliance on US big tech companies</a> posed both a national security and an economic risk.</p> <p>Jim Killock, executive director of the ORG, said that “by voting on this amendment, MPs can take the first step to secure the UK’s resilience and control over its digital infrastructure”.</p> <p>Richard Starnes, a chief information security officer and author of a <a href="https://www.computerweekly.com/ehandbook/An-evaluation-of-the-UKs-cyber-security-and-privacy-legislative-framework">study on the UK’s cyber security and privacy legislative framework</a>, said the amendment raises valid national security concerns. But he said it also conflates foreign interference risks and economic protectionism.</p> <p>“The enormous risks facing UK critical infrastructure, vendor lock-in and the UK’s current economic climate warrant a more strategic, open-minded approach,” he said.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the UK Cyber Security and Resilience Bill</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366643176/MPs-propose-kill-switch-to-shut-down-rogue-AI-systems">MPs propose ‘kill switch’ to shut down rogue AI systems</a>: An amendment to the Cyber Security and Resilience Bill proposes giving the government a ‘kill switch’ to close datacentres hosting AI if they pose a critical threat to UK infrastructure or national security.</li> <li><a href="https://www.computerweekly.com/blog/When-IT-Meets-Politics/What-is-the-objective-of-the-Cyber-Security-and-Resilience-Bill">What is the objective of the Cyber Security and Resilience Bill?</a> Is it to change corporate behaviour and improve cyber security and resilience? Or is it to create jobs for compliance officers and consultants?</li> <li><a href="https://www.computerweekly.com/news/366621764/Top-1000-IT-service-providers-in-scope-of-UK-cyber-bill">Top 1,000 IT service providers in scope of UK cyber bill</a>: The government’s proposed Cyber Security and Resilience Bill is set to include regulatory provisions covering datacentre operators and larger IT service providers.</li> <li><a href="https://www.computerweekly.com/news/366625838/Cyber-Bill-at-risk-of-becoming-a-missed-opportunity-say-MPs">Cyber Bill at risk of becoming a missed opportunity, say MPs</a>: An APPG report warns that the government’s flagship cyber security legislation is too narrow in its scope and risks missing opportunities to embed resilience at the heart of the British economy.</li> <li><a href="https://www.computerweekly.com/news/366628013/UK-government-to-bring-in-ransomware-payment-ban">UK government to bring in ransomware payment ban</a>: Critical infrastructure operators, hospitals, local councils and schools will be among those banned from giving in to cyber criminal demands as the UK moves forward with proposals to address the scourge of ransomware. </li> </ul> </div> </div> </section> Amendment to the UK’s Cyber Security and Resilience Bill calls for the government to publish a ‘digital sovereignty strategy’ to promote domestic technology https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/London-Westminster-Parliament-Big-Ben-Getty-RF.jpg https://www.computerweekly.com/news/366644347/MPs-call-for-UK-government-to-back-sovereign-IT Tue, 16 Jun 2026 11:24:00 GMT MPs call for UK government to back sovereign IT <p>More evidence of the immense pressure that <a href="https://www.computerweekly.com/news/366628066/The-UK-governments-AI-Growth-Zones-strategy-Everything-you-need-to-know">growing artificial intelligence (AI) workloads</a> are placing on networks has been revealed in research from Cisco, which has fundamentally confirmed that <a href="https://www.techtarget.com/whatis/feature/12-of-the-best-large-language-models">large language models (LLMs)</a> and the emerging wave of <a href="https://www.computerweekly.com/news/366643753/Agentic-AI-is-driving-rethink-of-enterprise-architecture-and-tokenomics">agentic AI</a> are placing unprecedented strain on enterprise campus and branch networks, while security surfaces are already expanding beyond what defences can manage.</p> <p>The networking giant surveyed 3,472 IT leaders in Asia-Pacific, Europe, the Middle East, Latin America and North America between March and April 2026 about how AI is impacting their campus and branch networks. The sample comprised CIOs, as well as networking, end user computing and technology leaders, at organisations with more than 500 employees and an average of 3,292 campus/branch locations.</p> <p>The topline finding, and indeed call to action, for businesses was that <a href="https://www.computerweekly.com/news/366569032/Cisco-unveils-innovations-for-observability-as-it-looks-to-future-networking-vision">network resilience, observability</a> and adaptive security are essential in the <a href="https://www.techtarget.com/searchitoperations/opinion/Preparing-for-the-vital-but-complex-era-of-AI">AI era</a>.<b> </b></p> <p>The study recognised that the network has survived decades of transformation, from dot com to the cloud, by adapting and evolving to meet the moment. Yet it stressed that going forward, those organisations that treat network modernisation as a prerequisite to their AI strategy, rather than a parallel workstream, will define the next decade of enterprise AI.</p> <p>On a quantitative basis, the research data predicted that three years from now, AI will triple network traffic – representing a 235% increase – and said AI workloads are changing traffic patterns across enterprise environments in ways many existing workplace networks were never designed to support.</p> <p>The survey said growth was attributable to the fact that, unlike human users, AI agents operate at machine speed, triggering dozens of application programming interface (API) calls, database lookups and model inferences in seconds. This generates dense <a href="https://www.techtarget.com/searchnetworking/definition/east-west-traffic">east-west traffic</a> – lateral device-to-device or server-to-server communication required for AI agents to exchange data – that legacy workplace networks were not designed to handle.</p> <p>For example, 67% of the participating respondents reported increases in east-west traffic tied to these workloads. Additionally, 61% noted growth in continuous automated traffic generated by AI systems. Most enterprises believe that the likely net result of this is that they will hit campus and branch network capacity limits in two years.</p> <p>These changes are expected to become even more significant as organisations move beyond generative AI (GenAI) experimentation and deeper <a href="https://www.computerweekly.com/news/366639478/Nokia-AWS-demo-agentic-AI-network-slicing-with-du-Orange">into agentic AI capable of autonomous action</a>. A third of firms surveyed said they already have broad enterprise-wide agentic AI deployments, and 97% overall expect an expansion in agentic AI use within 24 months.</p> <p>In addition, the study observed that the same agentic AI workloads that have the potential to transform enterprises are also uniquely fragile. Mature AI adopters globally – those that are ahead in AI deployments – reported that AI workloads are acutely vulnerable to networking issues, making them more sensitive to reliability and uptime (80%), bandwidth (75%), latency (71%) and packet loss (62%) than traditional applications.</p> <p>In all, less than a third of mature AI adopters say their networks are fully prepared for projected AI growth. Overall, 76% of respondents admitted they need upgrades, and 73% said that they have hit, or will hit, campus and branch capacity limits within 24 months. Crucially, <a href="https://www.computerweekly.com/news/366631432/Federated-Wireless-Cisco-validate-commercial-standard-power-for-Wi-Fi-6E-7">almost ubiquitous Wi-Fi</a> is emerging as a major bottleneck for AI, with more than half listing it as the area driving the greatest increase in capacity requirements.</p> <p>Worryingly, the study also revealed a disconnect between ambition and reality, with three-quarters of IT leaders agreeing that they are more confident in their organisation’s AI strategy than in the network’s ability to deliver it. Yet even though 91% cited budget constraints as a barrier, almost all enterprises were planning to modernise their workplace networks.</p> <p>The explosion in AI workloads and general usage was also causing increased security headaches. The overwhelming majority of firms conceded that they were struggling to keep up with an increasingly challenging security environment (92%) and that AI has already caused some damage (90%).</p> <p>Over two-thirds also believed AI-related threats are evolving faster than their ability to adapt, and that failing to adapt networks over the next two years will only increase security risks. At the same time, an observability gap is widening as traditional monitoring tools struggle with bursty, east-west agentic flows.<b> </b></p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about AI in networking</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366643860/Cisco-Live-26-networks-the-key-in-post-Mythos-world">Networks the key in post-Mythos world</a>: Platform offers unified approach for humans and AI agents to run critical IT infrastructure together, allowing customers to build their own apps and agents in natural language.</li> <li><a href="https://www.computerweekly.com/news/366641242/Cisco-network-readiness-a-determining-factor-for-AI-success">Network readiness a determining factor for AI success</a>: Report reveals how firms are harnessing AI to drive progress and overcome industry challenges, with most expecting ‘significant’ increases in connectivity and reliability demands.</li> <li><a href="https://www.computerweekly.com/news/366643095/Implementation-gap-threatens-progress-in-AI-and-5G">Implementation gap threatens progress in AI and 5G</a>: Despite current patchy deployment of key 5G services, study finds that across regions, company sizes and markets, telecoms leaders are strikingly confident about their ability to capture the next wave of growth.</li> <li><a href="https://www.computerweekly.com/news/366642566/Extreme-Connect-26-Agent-ONE-takes-forward-network-AI">Agent ONE takes forward network AI</a>: Network firm launches ‘smarter, faster, autonomous’ approach to enterprise networking, with its operating model moving from assistive AI to autonomous, always-on operations.</li> </ul> </div> </div> Research finds capacity and performance the top network challenge for UK organisations, with 81% of respondents saying their network does not have room to house evolving AI demands https://cdn.ttgtmedia.com/rms/German/Hero-storage-KI-Datacenter-Gorodenkoff-Productions-OU-Adobe-339222220.jpg https://www.computerweekly.com/news/366644358/Cisco-36-months-to-modernise-networks-before-AI-overwhelms-capacity Tue, 16 Jun 2026 04:56:00 GMT Cisco: 36 months to modernise networks before AI overwhelms capacity <p>The cyber security industry is no stranger to big claims. Every major technology shift arrives with two familiar promises: that it will change everything, and that anyone slow to adapt will be left dangerously exposed. Frontier AI is now getting the same treatment, and <a href="https://www.techtarget.com/searchenterpriseai/news/366642478/Claude-Mythos-Preview-and-the-new-rules-of-cybersecurity" target="_blank" rel="noopener">Anthropic’s Claude Mythos preview</a> has quickly been framed as either a breakthrough for cyber defence or a worrying new weapon for attackers.</p> <p><i>The truth is less theatrical, but probably more important.</i></p> <p>Claude Mythos is not unsettling because it behaves like some new form of hostile intelligence. It is unsettling because it is useful. And useful technology, at scale, rarely stays neatly on one side of the fence.</p> <p><a href="https://www.anthropic.com/" target="_blank" rel="noopener">Anthropic’s</a> own work, <a href="https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities" target="_blank" rel="noopener">alongside evaluation from the UK AI Security Institute</a>, suggests that Mythos Preview can reason about vulnerabilities, chain attack paths and assist with exploit development beyond what earlier general-purpose models could manage. That does not mean it was simply “trained to hack”. It means that as models get better at reasoning, planning and understanding software, some security outcomes become easier to reach. That distinction matters because this is not a product quirk. It is a direction of travel.</p> <p>For defenders, the attraction is obvious. Vulnerability discovery, threat modelling and attack simulation are demanding, time-consuming activities. They need scarce skills, good judgement and enough time to do the work properly. Tools like Mythos could help security teams explore scenarios, identify weaknesses and prioritise action more quickly. For CISOs dealing with skills shortages, ageing infrastructure and constant exposure, this is not an abstract debate about the future of AI. It looks like useful help.</p> <p>The problem is that the same compression of time and expertise applies to attackers too.</p> <p>Frontier models do not need to invent exotic new attacks to cause trouble. Many organisations are already struggling with the basics: bespoke enterprise applications, legacy integrations, vendor-supplied middleware, exposed services and operational environments that were designed around availability rather than rapid change. If AI helps attackers join together known weaknesses faster than defenders can respond, that alone is enough to shift the risk.</p> <p><i>The real issue is speed.</i></p> <p>Vulnerability research that once took days or weeks can now be accelerated. <a href="https://www.computerweekly.com/news/366643833/AI-agents-help-Cato-slash-time-to-protect-from-new-CVEs" target="_blank" rel="noopener">That narrows the gap between exposure and exploitation</a>, especially for internet-facing systems or environments that depend heavily on suppliers. In some cases, the window for action may become so small that traditional remediation assumptions no longer hold.</p> <p>That should worry security leaders. Many organisations still operate on detection and response models built for slower, noisier attackers, with patching cycles measured in weeks, months or quarters. In an AI-accelerated environment, “time to patch” may no longer be a reliable comfort blanket. “Time to assume compromise” may be the more honest starting point.</p> <p>This is particularly sharp for government, defence and critical national infrastructure. These sectors often run long-lived technology, constrained maintenance windows, complex supplier chains and safety-critical operations where rapid remediation is difficult. The NCSC has already warned that AI is likely to widen the gap between organisations that can keep pace with emerging threats <a href="https://www.ncsc.gov.uk/news/ai-to-2027-threat-assessment" target="_blank" rel="noopener">and those that cannot</a>.</p> <p>There is, of course, a strong defensive argument for Mythos-class systems. <a href="https://www.computerweekly.com/news/366644132/BT-looks-to-strengthen-network-defences-with-Project-Glasswing" target="_blank" rel="noopener">Anthropic’s Project Glasswing</a> is built around using frontier models to uncover weaknesses in widely deployed software before attackers find them. That is valuable work. But finding vulnerabilities is not the same as being resilient.</p> <p>Discovery only helps when organisations have the governance, engineering capacity and decision-making routes to act on what they find. They still need to triage, prioritise, remediate, test, deploy and monitor fixes. Otherwise AI simply increases the rate at which problems are discovered, while the backlog grows even faster behind it.</p> <p>For CISOs, the question is not simply whether frontier AI should be used. It is whether the organisation’s operating model can cope with the world it creates.</p> <p><i>Three areas deserve attention.</i></p> <p>First, the fundamentals become harder to dodge. Asset visibility, configuration management, identity hygiene, logging, access control and patch discipline are not old-fashioned concerns. They are the foundations that stop AI-amplified discovery becoming AI-amplified compromise.</p> <p>Second, access to frontier models needs proper governance. This is not just a tooling decision for enthusiastic technical teams. Organisations need to know who is using these systems, for what purpose, with what data, and under which controls. Prompt histories containing architectural detail, security assumptions, vulnerability information or supplier dependencies should not be treated as throwaway artefacts. They may become future risk records.</p> <p>Third, AI-assisted vulnerability discovery should be treated as normal, not exceptional. That means rehearsed response routes, shorter exposure assumptions and decision-making that can move quickly without descending into chaos. Perfect information will rarely arrive in time. Good governance has to support timely action, not become a theatre of delay.</p> <p><i>So, is Claude Mythos a clear and present danger?</i></p> <p>Not in the cinematic sense. There is no need to imagine an autonomous adversary plotting systemic collapse. The more practical concern is that Mythos is an accelerant, and security has always struggled when the pace changes faster than the operating model.</p> <p>The real risk is not that organisations use frontier AI. The risk is that they use it without confronting what it reveals about their own fragility.</p> <p>For organisations with strong governance, disciplined engineering, clear accountability and a realistic risk appetite, models like Mythos may become genuinely useful. For those still relying on partial visibility, slow remediation and optimistic assumptions, they may simply hold up a mirror. And make it much harder to look away.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more in this series</h3> <ul style="list-style-type: square;" class="default-list"> <li>John Bruce, Quorum Cyber: <a href="https://www.computerweekly.com/opinion/Claude-Mythos-forces-the-conversation-on-defensive-AI" target="_blank" rel="noopener">Claude Mythos forces the conversation on defensive AI.</a></li> <li>Martin Riley, Bridewell: <a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/Mythos-is-turning-up-the-heat-on-risk-not-rewriting-the-rules">Mythos is turning up the heat on risk, not rewriting the rules.</a></li> <li>Aditya K Sood, Aryaka: <a href="https://www.computerweekly.com/opinion/Frontier-AI-models-could-be-an-adversarys-force-multiplier" target="_blank" rel="noopener">Frontier AI models could be an adversary's force multiplier.</a></li> </ul> </div> </div> The Computer Weekly Security Think Tank considers if Anthropic’s Claude Mythos frontier AI model is a benefit or barrier to achieving resilient enterprise IT security, and how security leaders need to adapt. https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg https://www.computerweekly.com/opinion/The-truth-about-Claude-Mythos-is-less-dramatic-than-it-seems Mon, 15 Jun 2026 14:14:00 GMT The truth about Claude Mythos is less dramatic than it seems <p>The UK government will require big tech companies to introduce <a href="https://www.computerweekly.com/news/366643835/Age-verification-tech-could-put-children-at-greater-risk-says-think-tank">age verification technology</a> as it gears up to ban children from social media by April 2027.</p> <p>Prime minister Keir Starmer <a href="https://www.youtube.com/watch?v=DkI3vvztP3A">announced today</a> that the UK intends to take its restrictions further than Australia by not only banning social media for under-16s, but also restricting their access to adult content via artificial intelligence (AI) and tackling “infinite scrolling”.</p> <p>Under the <a href="https://www.gov.uk/government/news/social-media-to-be-banned-for-under-16s-in-landmark-government-move-to-givekids-their-childhood-back">plan, children will be banned</a> from Snapchat, TikTok, YouTube, Instagram, Facebook and X, but they will still have access to encrypted messaging apps such as WhatsApp and Signal.</p> <p>The announcement has produced a backlash from critics, who argue that it will require adults and children to verify their age – for example, by uploading government ID or using AI to estimate ages from an image – which could lead to unintended risks, including hacking of personal data.</p> <p>Tech groups – including Meta, which owns Instagram and Facebook, YouTube and Snapchat – warned that the ban risked pushing young people towards less safe platforms.</p> <section class="section main-article-chapter" data-menu-title="UK to take restrictions further than Australia"> <h2 class="section-title"><i class="icon" data-icon="1"></i>UK to take restrictions further than Australia</h2> <p>The UK’s ban follows a similar move by Australia, which introduced an outright social media ban for children in December 2025.</p> <p>Starmer said the UK would go further by taking action to ensure that livestreaming platforms and the ability of strangers to communicate with children on gaming platforms are turned off by default for under-16s and 17-year-olds.</p> <p>The ban will prevent AI chatbots from offering sexually explicit content to under-18s, and there will also be restrictions for under-18s accessing “romantic companion chatbots”.</p> <p>The government said it would publish details of plans for overnight curfews and breaks in infinite scrolling for under-18s in July. </p> <p>Speaking at Downing Street this morning, the prime minister said that because of the government’s experience with the <a href="https://www.computerweekly.com/feature/The-UKs-Online-Safety-Act-explained-what-you-need-to-know">Online Safety Act</a>, which has been used to restrict access by children to adult sites, it has an “understanding of how to apply age verification technology”.</p> <p>Powers introduced in the <a href="https://www.computerweekly.com/feature/Childrens-Wellbeing-and-Schools-Bill-prompts-ethical-concerns">Children’s Wellbeing and Schools Act</a>, which <a href="https://educationhub.blog.gov.uk/2026/05/the-childrens-wellbeing-bill-what-parents-need-to-know/">became law in April</a>, mean the government can “move at pace” and adapt as technology changes.</p> <p>Starmer said he hoped to pass the regulation before Christmas and bring the ban into force by spring 2027. “We have these powers, so we are ready and confident that this ban can be effective now,” he said.</p> </section> <section class="section main-article-chapter" data-menu-title="No contradiction between ban and supporting big tech"> <h2 class="section-title"><i class="icon" data-icon="1"></i>No contradiction between ban and supporting big tech</h2> <p>Starmer said that there was no contradiction between supporting big tech and protecting children.</p> <p>“When I look at the brilliance of the innovators in AI and tech, I know very well that it is possible to do both. The innovation is incredible. Don’t tell me that it’s impossible for those innovators, those people who are brilliant at technology, to devise ways to protect our children,” he said.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Don’t tell me that it’s impossible for those innovators, those people who are brilliant at technology, to devise ways to protect our children </figure> <figcaption> <strong>Keir Starmer, UK prime minister</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>The prime minister said success could be measured by a drop in the number of children using social media. But equally and perhaps more important is creating a “cultural change” that would see children having more “enriched childhoods”.</p> <p>Starmer said he would discuss the ban with US president Donald Trump, who has expressed opposition to UK restrictions on big tech companies.</p> <p>“I honestly think that across world leaders, there has always been a recognition that leaders have to take steps to protect children. I don’t think that’s controversial. There will also be arguments as to exactly what the limits of that are and what rules should be in place, but I don’t see that as a problem,” he said.</p> </section> <section class="section main-article-chapter" data-menu-title="Delivering effective age verification"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Delivering effective age verification</h2> <p>The government said it would learn lessons from Australia’s experience by introducing more highly effective age assurance (HEAA) measures to support compliance, making it far harder for children to bypass safeguards. </p> <p><a href="https://www.gov.uk/government/publications/june-progress-statement-letter-from-dsit-secretary-of-state-to-ofcom-chair-and-ceo/june-progress-statement-letter-from-dsit-secretary-of-state-to-ofcom-chair-and-ceo">In a letter to Ofcom, published today,</a> Liz Kendall, secretary of state for science, innovation and technology, asked the regulator to conduct a “rapid assessment” of what “highly effective age assurance” would look like and to assess what new methods could support age verification in the future by October. She said that she had asked Ofcom to prioritise data privacy and security.</p> <p>The prime minister did not say whether the government intended to ban under-16s from accessing virtual private networks (VPNs), which could be used to circumvent age verification.</p> <p>Today’s announcement follows a government consultation that received 116,000 responses from parents, children and experts. Downing Street said the responses showed overwhelming public backing for tougher action, with nine in 10 parents saying they would support a social media ban for children under 16.</p> <p>Platforms with built-in safeguards for children, including YouTube Kids, Lego Play and Google Classroom, will fall outside the ban, said Starmer.</p> </section> <section class="section main-article-chapter" data-menu-title="Concerns over mandatory age verification"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Concerns over mandatory age verification</h2> <p>The <a href="https://www.computerweekly.com/news/366643835/Age-verification-tech-could-put-children-at-greater-risk-says-think-tank">Foundation for Information Policy Research (FIPR), a technology think tank, last week raised “deep concerns”</a> that mandatory age verification could expose children to greater risk of harm.</p> <p>“While it is tempting to rely on ‘magic’ technological fixes for online harm, these will not work, will concentrate even more power in the hands of large tech platforms, and will risk letting them off the hook for the wider social harms to which they contribute,” Ben Collier, FIPR chair and senior lecturer at the University of Edinburgh, told Computer Weekly.</p> <p>The Open Rights Group (ORG), a campaign group for digital rights and privacy, said the UK government had failed to address the root cause of online harm – the promotion of harmful content by algorithms.</p> <p>ORG spokesperson James Baker said widespread requirements for age verification to use internet-based services would put children and adults at risk of hacking and security breaches.</p> <p><a href="https://www.theguardian.com/media/2025/oct/09/hack-age-verification-firm-discord-users-id-photos">It emerged last year that government ID photos</a> of about 70,000 global users of the chat platform Discord, used by video gamers, may have been exposed after hackers compromised a company contracted to carry out age verification checks.</p> <p>“Soon, it will be virtually impossible to be online in the UK without handing over identity documents or biometric data to unregulated companies,” said Baker.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Evidence from Australia shows age bans don’t keep children off social media; they just remove the safety measures platforms put in place for them </figure> <figcaption> <strong>Jack Coulson, Big Brother Watch</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Pro-privacy campaign group Big Brother Watch said that the British people had always rejected mandatory ID schemes, but now they would be required to verify their identity to use web services.</p> <p>“These proposals will force the public to trust their IDs to companies with serious track records of leaks and hacks,” said head of advocacy Jack Coulson. “Evidence from Australia shows age bans don’t keep children off social media; they just remove the safety measures platforms put in place for them,” he added.</p> <p>Law firm <a href="https://www.simkins.com/">Simkins LLP</a> said the proposed age verification measures raise data protection concerns when children’s data is processed.</p> <p>“From a user perspective, there is also a real risk that a blanket ban may push under-16s towards less regulated platforms (and potentially less controlled content), thereby undermining its intended effect,” said Simkins associate Stephen Cartwright.</p> <p>Amnesty International said the ban risks treating children as the problem rather than addressing the platforms and business models that create online harms.</p> <p>“The problem is not that children exist on social media; it’s that social media companies have built platforms that are unsafe by design,” said Kerry Moscogiuri, chief executive of Amnesty International UK.</p> </section> <section class="section main-article-chapter" data-menu-title="Age verification ‘technically achievable’"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Age verification ‘technically achievable’</h2> <p>The Age Verification Providers Association (AVPA), which represents age verification services, said the government’s aims were “technically achievable using technology that is already widely deployed”.</p> <p>The association said that VPNs were not an insurmountable obstacle to enforcing age verification, as platforms can use additional geolocation, device and behavioural indicators to assess whether a user is likely to be accessing a service from the UK.</p> <p>“The debate has moved beyond whether online age assurance works. The technology already exists and is being used successfully every day at enormous scale,” said Iain Corby, executive director at the AVPA. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about age verification</h3> <ul type="square" class="default-list"> <li><a href="https://www.computerweekly.com/news/366643835/Age-verification-tech-could-put-children-at-greater-risk-says-think-tank">Age verification tech could put children at greater risk, says think tank</a>: UK proposals for mandatory age verification will not mitigate children’s exposure to harmful content and ‘addictive’ app design, and risks excluding vulnerable groups from online services, says Foundation for Information Policy Research.</li> <li><a href="https://www.computerweekly.com/news/366643835/The%20UK%20government%20will%20use%20new%20legal%20powers%20to%20lay%20the%20groundwork%20for%20an%20under-16%20social%20media%20ban%20after%20its%20consultation%20on%20children%E2%80%99s%20digital%20well-being,%20but%20opponents%20warn%20the%20measures%20being%20considered%20will%20only%20treat%20the%20symptoms%20of%20the%20problem%20if%20they%20ignore%20the%20structural%20power%20of%20big%20tech">The UK’s proposed social media ban explained</a>: The UK government will use new legal powers to lay the groundwork for an under-16 social media ban after its consultation on children’s digital well-being.</li> <li><a href="https://www.computerweekly.com/opinion/Tech-cant-wait-for-regulation-to-protect-children-online">Tech can’t wait for regulation to protect children online</a>: The general secretary of the UK's largest teachers’ union explains why social media should be banned for under-16s.</li> <li><a href="https://www.computerweekly.com/news/366639654/UK-government-consults-on-social-media-ban-for-under-16s">UK government consults on social media ban for under-16s</a>: A UK government consultation launched today asks whether under-16s should be banned from social media, and age restrictions introduced for VPNs and chatbots.</li> <li><a href="https://www.computerweekly.com/news/366639244/Governments-urged-to-step-up-enforcement-of-big-tech-amid-rush-to-ban-social-media-for-under-16s">Governments urged to step up enforcement of big tech amid rush to ban social media for under-16s</a>: The Council of Europe’s Commissioner for Human Rights says that European governments should consider better enforcement against big tech companies before banning children from social media.</li> <li><a href="https://www.computerweekly.com/news/366639234/Businesses-may-be-caught-by-government-proposals-to-restrict-VPN-use">Businesses may be caught by government proposals to restrict VPN use</a>: Labour proposals to restrict social media use to people aged 16 and under could have unintended consequences for businesses using virtual private networks. </li> </ul> </div> </div> </section> Keir Starmer announces UK social media ban for under-16s that requires mandatory age verification to access social media services https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/London-Westminster-Parliament-Downing-Street-Getty-RF.jpg https://www.computerweekly.com/news/366644294/Big-tech-must-introduce-age-checks-to-support-UKs-under-16s-social-media-ban Mon, 15 Jun 2026 10:34:00 GMT Big tech must introduce age checks to support UK’s under-16s social media ban <p>Oracle has issued an out-of-band patch for a remote code execution (RCE) zero-day vulnerability affecting its <a href="https://www.oracle.com/security-alerts/alert-cve-2026-35273.html" target="_blank" rel="noopener">PeopleSoft Enterprise PeopleTools</a> product that is being exploited in a rapidly spreading ShinyHunters campaign.</p> <p>Tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-35273" target="_blank" rel="noopener">CVE-2026-35273</a>, the vulnerability is known to be remotely exploitable without authentication, posing a serious risk to unpatched environments.</p> <p>“We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure,” noted Oracle.</p> <p>“Oracle always recommends that customers remain on actively-supported versions and apply all Critical Patch Updates, Critical Security Patch Updates and Security Alerts without delay.”</p> <p>The vulnerability is already known to have been used in a developing cyber attack <a href="https://www.nottingham.ac.uk/currentstudents/news/student-and-alumni-data-has-been-compromised-in-a-data-security-incident" target="_blank" rel="noopener">on the University of Nottingham</a>.</p> <p>According to the ongoing forensic investigation, the university was breached via a vulnerability in Oracle WebLogic – which is a server platform used to develop, deploy and run Java applications that forms a key part of the PeopleSoft Internet Architecture.</p> <p>In contact with <i>Bleeping Computer</i>, ShinyHunters <a href="https://www.bleepingcomputer.com/news/security/nottingham-university-data-breach-affects-over-450-000-students/" target="_blank" rel="noopener">claimed to have stolen 40GB of data</a> relating to 450,000 students past and present. The data is believed to comprise full names, birth dates and contact details, financial data related to their studies, information on characteristics such as ethnicity or disability, and passport data.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about ShinyHunters</h3> <ul class="default-list"> <li>The notorious ShinyHunters hacking collective menaces video game publisher Rockstar and says it will leak data <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366641486/Grand-Theft-Auto-publisher-Rockstar-hit-by-hackers-again">on 14 April</a>.</li> <li>The ShinyHunters hacking collective that caused chaos in 2025 is ramping up a new voice phishing campaign, with several potential victims <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366637762/Wave-of-ShinyHunters-vishing-attacks-spreading-fast">already identified</a>.</li> <li>ReliaQuest researchers present new evidence that firms up a potential link, or outright partnership, between the ShinyHunters <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366629157/Researchers-firm-up-ShinyHunters-Scattered-Spider-link">and Scattered Spider cyber gangs</a>.</li> </ul> </div> </div> <p>In a statement earlier today (12 June), a University spokesperson said: “Our investigation into this incident is continuing, and this matter has now become a criminal investigation, with police involved alongside ongoing forensic work.</p> <p>“We are continuing to work closely with cyber security specialists and regulatory authorities to understand the scope of the data accessed and to ensure our system remains secure,” they added. “We know how concerning this situation is and as soon as we have more definitive information to share, we will provide a further update.”</p> <p>The University has established a <a href="https://www.nottingham.ac.uk/Home/Alerts/Cyber-attack-incident.aspx" target="_blank" rel="noopener">dedicated web page</a> and contact phone lines for affected individuals.</p> <p>According to the Google Threat Intelligence Group and Mandiant, ShinyHunters began exploiting CVE-2026-35273 a few weeks ago, on 27 May.</p> <p>GTIG said that upon becoming aware of active scanning and exploitation, it notified over 100 organisations with IP addresses correlating with potentially at-risk endpoints, 68% of them in the higher education sector.</p> <p>Public reports obtained via social media platform X has subsequently enabled its team to piece together a detailed breakdown of ShinyHunters’ campaign, <a href="https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit" target="_blank" rel="noopener">which can be found here</a>.</p> <section class="section main-article-chapter" data-menu-title="Education in the crosshairs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Education in the crosshairs</h2> <p>Since the summer of 2025, various ShinyHunters campaigns have targeted multiple different verticals, with the group favouring mass compromise of software products used by similar organisations.</p> <p><a href="https://www.halcyon.ai/ransomware-alerts/education-sector-in-the-crosshairs-shinyhunters-extortion-campaign-against-instructure" target="_blank" rel="noopener">Over the past couple of months</a>, the collective has been targeting education institutions specifically, and the PeopleSoft attacks follow swiftly on the heels of its April compromise of Infrastructure’s Canvas learning management system.</p> <p>In that instance, ShinyHunters claimed to have exfiltrated 3.65TB of data comprising 275 million records from almost 9,000 different institutions.</p> <p>The danger in the exposure of highly sensitive data relating to children and students lies not just in the situation in which ShinyHunters’ victims find themselves, but in the potential for other threat actors to conduct personalised downstream attacks against individuals.</p> <p>Keven Knight, CEO of <a href="https://talion.net/" target="_blank" rel="noopener">Talion</a>, said: “Now that this data has been compromised, students and alumni must be vigilant for phishing scams as this is likely the route the attackers will take to monetise from the incident, if their ransom demand is not met.”</p> </section> A zero-day vulnerability affecting Oracle’s PeopleSoft products is being exploited by a ShinyHunters campaign targeting schools and universities https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/security-breach-artbase-adobe.jpg https://www.computerweekly.com/news/366644375/Oracle-fixes-PeopleSoft-flaw-exploited-by-ShinyHunters Fri, 12 Jun 2026 12:22:00 GMT Oracle fixes PeopleSoft flaw exploited by ShinyHunters <p>Frontier AI models such as <a href="https://red.anthropic.com/2026/mythos-preview/" target="_blank" rel="noopener">Anthropic Claude, Mythos</a>, and <a href="https://openai.com/daybreak/" target="_blank" rel="noopener">OpenAI Daybreak</a> fundamentally alter the cybersecurity equation by compressing the time, skill, and scale required to discover and exploit vulnerabilities. A single adversary can now automate reconnaissance, generate exploit variants, analyse source code, weaponise misconfigurations, and adapt phishing or social engineering campaigns at machine speed. For CISOs, the problem is no longer just “AI adoption risk” but the rise of AI-amplified adversaries capable of iterating faster than traditional defense cycles.</p> <section class="section main-article-chapter" data-menu-title="Combating frontier AI model risks and threats"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Combating frontier AI model risks and threats</h2> <p>In this evolving landscape, organisations must address the risks and threats posed by frontier AI models by combining human expertise with AI-assisted defenses and treating security as a continuously adaptive function rather than a periodic exercise. CISOs need to establish new policies, operational procedures, and governance models not only to defend against the misuse of frontier AI but also to strategically leverage these technologies to strengthen the organization’s overall security posture. Let us explore how CISOs can adapt to manage and mitigate the emerging risks associated with frontier AI models.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.computerweekly.com/rms/computerweekly/Mythos-Aryaka-CWSTT-June-2026-800px-h.jpg"> <img data-src="https://www.computerweekly.com/rms/computerweekly/Mythos-Aryaka-CWSTT-June-2026-800px-h_mobile.jpg" class="lazy" data-srcset="https://www.computerweekly.com/rms/computerweekly/Mythos-Aryaka-CWSTT-June-2026-800px-h_mobile.jpg 960w,https://www.computerweekly.com/rms/computerweekly/Mythos-Aryaka-CWSTT-June-2026-800px-h.jpg 1280w" alt="Diagram shows steps to frontier AI risk management." data-credit="Aryaka"> <figcaption> <i class="icon pictures" data-icon="z"></i>The key elements of a strategy to securely combat risks arising from frontier AI models such as Anthropic Claude Mythos. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p><em>Continuous exposure management</em></p> <p>CISOs need to shift from traditional monitoring to continuous exposure management. In the age of AI, quarterly assessments are too slow when AI can continuously analyse attack surfaces. Security teams should prioritise continuous asset discovery, external attack surface management, automated configuration validation, and rapid patch orchestration tailored to AI entities. Equally important is reducing the “blast radius” of inevitable compromise through zero-trust segmentation, least-privilege access, short-lived credentials, and robust identity governance. The assumption should be: <i>if</i> <i>AI</i> <i>can</i> <i>find</i> <i>it, it will eventually be exploited</i>.</p> <p><i>AI-aware defence engineering</i></p> <p>This mechanism reflects the integration of AI-focused threat modeling into the SDLC and infrastructure design. Development pipelines should include AI-assisted code review, secret scanning, dependency risk analysis, and automated policy validation before deployment. Focus on securing high-risk AI infrastructure components, such as APIs, plugins, agents, MCP-style integrations, and AI-connected workflows, which significantly expand the attack surface. Defenders need behavioral analytics to detect abnormal automation patterns, autonomous reconnaissance behavior, and machine-speed lateral movement.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Claude Mythos</h3> <ul style="list-style-type: square;" class="default-list"> <li>Anthropic's Claude Mythos has generated buzz and alarm among CIOs and CISOs, who fear the model could expose vulnerabilities and drive <a href="https://www.techtarget.com/searchcio/feature/Take-a-breath-A-CISOs-Claude-Mythos-advice-for-CIOs" target="_blank" rel="noopener">unprecedented levels of hacking</a>.</li> <li>As AI tools such as Claude Mythos Preview can speed vulnerability discovery for attackers, CIOs are <a href="https://www.techtarget.com/searchcio/feature/ais-cybersecurity-paradox-how-CIOs-can-keep-up-with-change" target="_blank" rel="noopener">automating detection and response to keep pace</a>.</li> <li>Claude Mythos has the potential to enhance global cyber security or undermine it by becoming a weapon <a href="https://www.techtarget.com/healthtechsecurity/news/366643379/Health-ISAC-How-Claude-Mythos-could-impact-healthcare-cybersecurity" target="_blank" rel="noopener">in the hands of threat actors</a>.</li> </ul> </div> </div> <p><i>AI surface governance and reducing breach risk</i></p> <p>CISOs must recognise that AI surface governance and resilience are critical strategic requirements, not compliance exercises. Security policies must govern the use of frontier models, Shadow AI adoption, prompt usage analysis, third-party AI integrations, and agent permissions. CISOs must adopt a shift-left strategy for vulnerability discovery, using the same class of AI-powered tools, i.e., frontier AI models, to uncover the attack surface adversaries could exploit. At the same time, organisations should prepare operationally for AI-enabled breaches: tabletop exercises, AI-red-team simulations, supply-chain compromise scenarios, and incident response plans that assume adversaries can adapt dynamically during an intrusion. The key mindset shift is that frontier AI models are accelerants that reshape the speed, scale, and asymmetry of cyber conflict.</p> <p><i>Rapid response assuming AI speed disclosure</i></p> <p>The window between vulnerability discovery and exploitation is narrowing. CISOs must understand patch and response process needs and assume that a critical vulnerability may be weaponised within 24 hours of disclosure, or even sooner. Relying on slow patch cycles, manual triage, or periodic security reviews is not viable when adversaries can automate reconnaissance, weaponisation, and exploitation at machine speed. The time demands rapid-response security models that include pre-positioned response playbooks, AI-assisted prioritisation, and resilient architectures capable of quickly containing compromise. In practice, CISOs must assume that once a weakness becomes visible, AI-enabled adversaries can rapidly operationalise it before traditional defences can react.</p> <p><i>Reshaping privileged access for AI entities</i></p> <p>We are witnessing the evolution of AI solutions that use active agents to interact with APIs, infrastructure, workflows, and enterprise data. CISOs must reshape the privilege-access model for dynamic AI entities, such as agents. Organszations require tightly scoped, identity-aware, and time-bound access models tailored to the AI entities accessing frontier AI models. This means applying zero-trust principles to AI agents, continuously validating their actions, monitoring behavioral deviations, and enforcing granular controls over which data, systems, and operations they can access. With the advent of frontier AI models and AI agents, privileged access management is no longer just about securing human administrators; it is about governing machine-driven entities operating at scale and speed.</p> </section> <section class="section main-article-chapter" data-menu-title="The need of the hour: CISO mindset shift"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The need of the hour: CISO mindset shift</h2> <p>CISOs' practical line of thought: <i>stop planning for the</i> <i>attacker you knew and start planning for the attacker</i> <i>that</i> <i>frontier models enable</i>. That attacker is faster, more contextually aware, more persistent, and more scalable than anything the security industry has faced. CISOs who adapt most quickly to manage the AI attack surface will lead enterprise security in the frontier-model era. Those who treat this as an incremental update to existing frameworks will find that the gap between their defenses and the threat has quietly become insurmountable. CISOs need to internalise this speed asymmetry before building any response strategy.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more in this series</h3> <ul class="default-list"> <li>John Bruce, Quorum Cyber: <a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/Claude-Mythos-forces-the-conversation-on-defensive-AI">Claude Mythos forces the conversation on defensive AI.</a></li> <li>Martin Riley, Bridewell: <a href="https://www.computerweekly.com/opinion/Mythos-is-turning-up-the-heat-on-risk-not-rewriting-the-rules" target="_blank" rel="noopener">Mythos is turning up the heat on risk, not rewriting the rules.</a></li> </ul> </div> </div> </section> The Computer Weekly Security Think Tank considers if Anthropic’s Claude Mythos frontier AI model is a benefit or barrier to achieving resilient enterprise IT security, and how security leaders need to adapt. https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg https://www.computerweekly.com/opinion/Frontier-AI-models-could-be-an-adversarys-force-multiplier Fri, 12 Jun 2026 10:02:00 GMT Frontier AI models could be an adversary's force multiplier <p>With Microsoft releasing its <a href="https://www.computerweekly.com/news/366644117/Microsoft-smashes-record-for-biggest-ever-Patch-Tuesday-update" target="_blank" rel="noopener">largest-ever Patch Tuesday update</a> in June, and the continuing debate over the impact of artificial intelligence (AI) and <a href="https://www.computerweekly.com/opinion/Claude-Mythos-forces-the-conversation-on-defensive-AI" target="_blank" rel="noopener">Anthropic’s Claude Mythos model</a>, new analysis from US-based autonomous patch management and endpoint protection experts <a href="https://www.action1.com/" target="_blank" rel="noopener">Action1</a> has warned that vulnerability growth and structural shifts are outrunning the ability of traditional, schedule-driven enterprise patching strategies to keep pace.</p> <p>Action1’s <i>2026 software vulnerability ratings </i>report revealed that in 2025 – well before the debut of <a href="https://www.computerweekly.com/news/366641563/UK-financial-regulators-rush-to-assess-risks-of-Anthropic-AI-model" target="_blank" rel="noopener">Claude Mythos</a> – the total number of disclosed vulnerabilities surged by 92% compared with 2024, with critical and elevation of privilege (EoP) vulnerabilities doubling in volume, and remote code execution (RCE) flaws rising by almost 130%.</p> <p>Put more simply, said Action1, the fastest growth is occurring in vulnerability classes that most easily and readily expose businesses to real-world compromises, cyber attacks, data breaches and other forms of disruption.</p> <p>The firm described this as a “warning shot” for enterprise security leaders, pointing to a broader shift in the threat landscape in which threat actors are taking advantage of newly disclosed flaws faster than any human cyber team can remediate them, and shrinking response windows to hours in some cases.</p> <p>“2025 marked a turning point in cyber security operations,” said Jack Bicer, director of vulnerability research at Action1. “Attackers are now using AI and automation to accelerate vulnerability discovery and exploitation faster than most organisations can respond. Many enterprises are still patching on human schedules while attackers operate at machine speed.” </p> <p>Action1’s CEO and co-founder, Alex Vovk, added: “The threat landscape is no longer just bigger – it’s faster, more automated, and harder to detect. Patching speed is no longer simply an IT metric. It’s now a business resilience metric.” </p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The threat landscape is no longer just bigger – it’s faster, more automated, and harder to detect. Patching speed is no longer simply an IT metric. It’s now a business resilience metric </figure> <figcaption> <strong>Alex Vovk, Action 1</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>In short, the report said, those organisations that rely on manual patching processes, infrequent scan cycles, or delayed maintenance windows are now falling behind operationally.</p> <p>The need to introduce continuous vulnerability management and remediation workflows that are capable of reducing exposure windows across the most frequently attacked targets, such as business applications, network infrastructure, operating systems and security tools, is now critical, said Action1.</p> <p>“The volume and speed of the 2025 threat environment make it clear that any process still dependent on human scheduling and manual deployment will fail to keep up. Automation is not just an efficiency improvement. It is a survival requirement,” wrote the report’s authors.</p> <section class="section main-article-chapter" data-menu-title="Next steps for identifying and patching vulnerabilities"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Next steps for identifying and patching vulnerabilities</h2> <p>The report, <a href="https://www.action1.com/software-vulnerability-ratings-report-2026/" target="_blank" rel="noopener">which can be downloaded in full here</a>, contains a number of recommendations for security leaders.</p> <p>As an immediate first step, Action1 said CISOs and security leaders need to audit how quickly they are patching business-critical software. Delaying patches for business applications and other platforms out of a desire not to be disruptive or inconvenience users is now a measurable business risk. Patching must be aligned with the threat environment in mind, not the convenience of finance, HR or sales teams.</p> <p>Beyond this, the most pressing priority is the need to automate vulnerability management in response, especially in organisations that handle the most sensitive categories of data, such as educational and healthcare bodies, or operators of critical services, such as utilities and power suppliers.</p> <p>In these organisations, the ability to deploy urgent updates automatically and without having to wait for maintenance windows should now be adopted as the standard model, but beyond this, automation should also be pushed across patch testing, verification and deployment.</p> <p>Chief information security officers (CISOs) should prioritise vulnerabilities based on risk to the organisation, taking advantage of known metrics, such as common vulnerability scoring system (CVSS) ratings, or known exploitation to focus their efforts – integrating threat intelligence is key here. And clear metrics for mean time to remediate (MTTR) by severity tier should be made a core benchmark.</p> <p>But this does not mean that low-risk vulnerabilities are necessarily taking a back seat. Indeed, said the report, security leaders should also update vulnerability prioritisation models to account for attack chaining, in which multiple low-severity issues are combined into a more damaging attack, enabling EoP or lateral movement. Patching service level agreements (SLAs) for low-severity flaws needs to be reassessed to see whether current remediation timelines are still appropriate, said Action1.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about patch management</h3> <ul style="list-style-type: square;" class="default-list"> <li>These 12 tools approach patching from different perspectives. Understanding their various approaches can help you <a rel="noopener" target="_blank" href="https://www.techtarget.com/searchenterprisedesktop/tip/12-best-patch-management-software-and-tools">find the right product for your needs</a>.</li> <li>NIST announces big changes to the way it categorises and manages CVEs, which are set to change how organisations manage <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366641916/Surging-CVE-disclosures-force-NIST-to-shake-up-workflows">patching and remediation</a>.</li> <li>Timely patch management should be crucial in any organisation, but too often it goes by the wayside. Automating the process may offer a path forward for <a rel="noopener" target="_blank" href="https://www.computerweekly.com/feature/Automated-patch-management-A-proactive-way-to-stay-ahead-of-threats">hard-pressed cyber defenders</a>.</li> </ul> </div> </div> </section> Vulnerability discovery and exploitation was surging dramatically even before Anthropic decided to unleash its frontier Mythos model. As such, an Action1 report finds old approaches to patching are no longer fit for purpose https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/chess-strategy-game-intelligence-1-adobe.jpeg https://www.computerweekly.com/news/366644134/Established-enterprise-patching-models-dead-in-the-water-says-report Thu, 11 Jun 2026 09:00:00 GMT Established enterprise patching models dead in the water, says report <p>The development of artificial intelligence (AI) means that what is new today will inevitably be surpassed in just a few months. Speaking at the <a href="https://www.computerweekly.com/news/366644236/Government-aims-to-make-UK-top-spot-for-open-source-AI">AI Summit in London,</a> air chief marshal Rich Knighton, chief of defence staff, told delegates that even today’s AI models have the capacity and capability to transform warfare. </p> <p>“They can process satellite imagery, open source information, logistics, electronic signatures and battlefield reports at a scale that no human headquarters could replicate,” he said. “They could identify patterns, anomalies and even suggest possible courses of action.”  </p> <p>Knighton believes that AI models can help commanders understand not only what is happening now, but what might happen next: “I don’t think that we need to fast forward five years or even 35 years from today to see how the battlefield of the future will be shaped by AI.”</p> <p>As Knighton noted, there are now a range of AI systems that are starting to <a href="https://www.computerweekly.com/news/366644236/Government-aims-to-make-UK-top-spot-for-open-source-AI">outperform PhD level experts</a> and compete with top-level software engineers. He said the length of time it takes AI to complete tasks autonomously is dramatically reducing: “The frontier is moving incredibly fast and we must be ready to update our assumptions about what AI can do rapidly as it is changing every six months.</p> <p>“We can imagine what this might mean for defence if we can keep pace with the frontier and exploit new models and changes as they are updated every six months or quicker then we will have a clear advantage in the future. </p> <p>Knighton stated that many of today’s AI models already have the potential to accelerate the military decision-making cycle to machine speed, removing what he called “many of the cognitive biases that haunts human decision-making”, adding: “There is both <a href="https://www.computerweekly.com/news/366621215/Military-AI-caught-in-tension-between-speed-and-control">massive risk and huge opportunity</a> even before we think about the ethical questions of the use of AI in warfare.”</p> <p>But he said the UK’s policy remains that humans, not machines, are accountable for decisions, especially when they relate to the application of lethal force. “Defence will continue to ensure that there is a context appropriate human involvement in the development of all AI-enabled systems,” he said.</p> <p>Looking at some of the pilots currently running, Knighton said the Royal Navy has been conducting trials at sea using experimental vessel XV Patrick Blackett. The robotic rigid inflatable boat is equipped with cameras and sensors on board, which feed back data and video to control units and computers on XV Patrick Blackett for analysis. The vessel can be equipped with other sensors and weapons enabling it to be used for intelligence, surveillance and reconnaissance operations with real-time data feeds.</p> <p>“We are using AI to enable fully autonomous navigation and decision-making in un-crewed vessels by fusing sensor data and offering the ability to act without any human input. This is the foundational capability for growing a hybrid navy,” Knighton said. </p> <p>AI is also being used to enhance the effectiveness of military intelligence services to overcome what Knighton describes as “bottlenecked legacy processes and tools”. The result, according to Knighton, is that military analysts have been able to cut identification and response times down from weeks to hours. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about AI in warfare</h3> <ul class="default-list"> <li>In Davos and Washington, <a href="https://www.techtarget.com/searchhrsoftware/news/366566796/In-Davos-and-Washington-AI-warfare-and-AI-skills-are-linked">AI warfare and AI skills</a> are linked: Lawmakers are discussing AI’s effects on national defense and the economy as well as considering ways to develop a workforce that can meet the challenge.</li> <li><a href="https://www.computerweekly.com/news/366639877/AI-chooses-nuclear-escalation-in-95-of-simulated-crises">AI chooses nuclear escalation</a> in 95% of simulated crises: With artificial intelligence increasingly deployed in analysis and decision-making in armed conflict, research shows AI systems will not naturally default to ‘safe’ outcomes in nuclear crises.</li> </ul> </div> </div> AI innovation moves quickly, unlike the speed of innovation in the military. How can AI be used to improve the UK armed forces? https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/power-struggle-battle-fight-Romolo-Tavani-adobe.jpg https://www.computerweekly.com/news/366644104/AI-Summit-London-AIs-role-in-UK-defence Thu, 11 Jun 2026 07:00:00 GMT AI Summit London: AI’s role in UK defence <p>The UK’s <a href="https://ico.org.uk/" target="_blank" rel="noopener">information commissioner</a>, John Edwards, has been temporarily stripped of his responsibilities in the wake of a workplace investigation into as-yet undisclosed allegations.</p> <p>Edwards initially stepped back from his day-to-day role at the Information Commissioner’s Office (ICO) at the end of February 2026, and according to the regulator, an independent probe has now found that although there is no finding of any wrongdoing, there is a case to answer.</p> <p>As such, said the ICO, although he has continued to receive updates from his support team and was available if required, Edwards can no longer act in fulfilling his role for the remainder of the process.</p> <p>“Throughout this complex and unprecedented situation, our priority has been to provide a safe and supportive environment for our staff that enables them to carry out their important regulatory work,” said ICO chief executive Paul Arnold. “I’ve been enormously proud of the professional way in which our work has continued across the past months, and the steps we have taken today will ensure that continues to happen.”</p> <p>Under the ICO’s Scheme of Delegation, Arnold will temporarily take on Edwards’ non-delegable responsibilities, but given the commissioner is accountable to Parliament and not directly employed by the ICO, the next steps in the process will now be determined by the Department for Science, Innovation and Technology (DSIT), said the data and privacy watchdog.</p> <p>Computer Weekly understands Arnold has also been designated as temporary acting accounting officer for the ICO. In all other regards, the regulator said, the board, chief exec and executive team are continuing to lead the body to ensure continuity in its core work.</p> <p><a href="https://www.politico.eu/article/uk-watchdog-lead-draws-200000-salary-for-no-work-john-edwards/" target="_blank" rel="noopener">According to <i>Politico</i></a>, which was first to break the story <a href="https://www.politico.eu/article/head-of-uk-data-watchdog-voluntary-steps-aside-amid-hr-probe-john-edwards/" target="_blank" rel="noopener">back in April</a>, Edwards has returned to New Zealand at this time, although he continues to draw his £200,000 annual salary, which exceeds that paid to the prime minister.</p> <p>Based on information obtained under the Freedom of Information Act (FoIA), <i>Politico</i> said ICO staffers were initially kept in the dark and told the commissioner was on an extended leave of absence, which it said appeared somewhat at odds with the office’s wider commitment to public transparency.</p> <p><a href="https://www.linkedin.com/feed/update/urn:li:activity:7453709974826020864/" target="_blank" rel="noopener">In a LinkedIn post</a>, Edwards said he was “fully cooperating” with the investigation.</p> <p>An information law specialist with 20 years of practice experience, Edwards was named the UK’s new information commissioner by Westminster <a href="https://www.computerweekly.com/news/252505879/NZ-privacy-lead-John-Edwards-named-new-information-commissioner" target="_blank" rel="noopener">in August 2021</a>, succeeding the outgoing Elizabeth Denham – whose term in office had previously been extended during the Covid-19 pandemic.</p> <p>Hailing originally from New Zealand, Edwards previously served as the Kiwi privacy commissioner from 2014 to 2021, and was also chairman of the Global Privacy Assembly from 2014 to 2017.</p> <p>He took up the role as the work of the ICO became increasingly publicly visible after the introduction of the General Data Protection Regulation (GDPR) and as the sudden rapid digitisation of daily life brought about by the pandemic threw data privacy issues into stark relief.</p> <p>More recently, Edwards has overseen the office’s response to the growth of artificial intelligence (AI), <a href="https://www.computerweekly.com/news/366625476/UK-ICO-publishes-AI-and-biometrics-strategy" target="_blank" rel="noopener">last year launching a strategy</a> covering areas such as the use of automated decision-making (ADM) systems and <a href="https://www.computerweekly.com/news/366630181/ICO-publishes-summary-of-police-facial-recognition-audit" target="_blank" rel="noopener">the use of facial recognition by law enforcement</a>, among other things.</p> <p>The ICO said that to protect the parties involved and maintain the integrity of the process, it was unable to provide any further details on the matter at this stage.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the ICO’s work</h3> <ul class="default-list"> <li>The ICO has levied a reduced fine on South Staffordshire Water following cyber improvements in the wake of <a href="https://www.computerweekly.com/news/366642957/ICO-fines-Cl0p-victim-South-Staffs-Water-over-data-breach" target="_blank" rel="noopener">a Cl0p ransomware attack</a>.</li> <li>The UK Information Commissioner’s Office has won an important appeal relating to data protection obligations arising from a 2017-18 cyber attack <a href="https://www.computerweekly.com/news/366639299/ICO-wins-appeal-over-data-protection-obligations-in-Currys-cyber-attack" target="_blank" rel="noopener">at electronics retailer Currys PC World</a>.</li> <li>Outsourcing giant Capita hit with £14m fine over 2023 cyber attack, but costs could rise <a href="https://www.computerweekly.com/news/366632591/ICO-fines-Capita-14m-after-ransomware-caused-major-data-breach" target="_blank" rel="noopener">as legal actions continue</a>.</li> </ul> </div> </div> The UK’s information commissioner John Edwards has been temporarily stripped of his responsibilities in the wake of a workplace investigation https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/security-threat-cyber-attack-1-adobe.jpeg https://www.computerweekly.com/news/366644121/ICO-strips-commissioner-Edwards-of-responsibilities-in-HR-inquiry Wed, 10 Jun 2026 12:41:00 GMT ICO strips commissioner Edwards of responsibilities in HR inquiry <p>Anthropic’s Claude Mythos has quickly become the latest <a href="https://www.techtarget.com/searchcio/feature/Take-a-breath-A-CISOs-Claude-Mythos-advice-for-CIOs" target="_blank" rel="noopener">flashpoint in the AI security debate</a>: a supposedly gated frontier model whose capabilities raise questions about whether it represents a step-change risk to enterprise security, or simply the next iteration of an already visible trend.</p> <p>The reality sits somewhere in between.</p> <p>On one hand, the decision to restrict access to a model signals that capability thresholds are being crossed. Frontier models are now demonstrably capable of complex reasoning, code analysis and multi-step problem solving at a level that demands caution. That alone should prompt CISOs to pay attention.</p> <p>But the underlying techniques driving this concern are not new. Multi-agent AI systems, where specialised models collaborate to map targets, analyse vulnerabilities, and validate findings, are already in use today. The industry has moved beyond single-model experimentation into orchestrated pipelines that produce meaningful, and in some cases high-severity, security outcomes. In that sense, Mythos is less a breakthrough and more a marker of direction.</p> <p>Where this becomes material is in vulnerability discovery and exploitation. AI is compressing the time between identifying a weakness and weaponising it. Tasks that once required days of expert effort, such as analysing cryptographic implementations or building proof-of-concept exploits, can now be accelerated dramatically. <a href="https://www.computerweekly.com/news/366642503/AI-is-widening-the-asymmetry-between-attackers-and-defenders" target="_blank" rel="noopener">The barrier to entry is lowering for both defenders and attackers</a>, impacting the economics of vulnerability research.</p> <p>For UK organisations, this has immediate implications. Software supply chain risk moves firmly back into focus. Most organisations have made progress in cataloguing their assets and dependencies, but visibility alone is no longer sufficient. The ability to continuously interrogate those assets for weakness and prioritise remediation based on business impact becomes critical.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Claude Mythos</h3> <ul style="list-style-type: square;" class="default-list"> <li>Anthropic's Claude Mythos has generated buzz and alarm among CIOs and CISOs, who fear the model could expose vulnerabilities and drive <a rel="noopener" target="_blank" href="https://www.techtarget.com/searchcio/feature/Take-a-breath-A-CISOs-Claude-Mythos-advice-for-CIOs">unprecedented levels of hacking</a>.</li> <li>As AI tools such as Claude Mythos Preview can speed vulnerability discovery for attackers, CIOs are <a rel="noopener" target="_blank" href="https://www.techtarget.com/searchcio/feature/ais-cybersecurity-paradox-how-CIOs-can-keep-up-with-change">automating detection and response to keep pace</a>.</li> <li>Claude Mythos has the potential to enhance global cyber security or undermine it by becoming a weapon <a rel="noopener" target="_blank" href="https://www.techtarget.com/healthtechsecurity/news/366643379/Health-ISAC-How-Claude-Mythos-could-impact-healthcare-cybersecurity">in the hands of threat actors</a>.</li> </ul> </div> </div> <p>This is where Continuous Threat Exposure Management (CTEM) comes into play. Strong asset visibility, enriched with business context, allows organisations to understand not just what is vulnerable, but what truly matters. CTEM extends beyond infrastructure into CI/CD pipelines and DevOps practices, ensuring application-layer vulnerabilities are assessed alongside traditional IT risks. Without this joined-up view, organisations risk misallocating resources while high-impact exposures remain unaddressed.</p> <p>At the same time, the fundamentals of security operations are becoming more important. There is no “silver bullet” emerging from AI. Organisations that already struggle with patching and vulnerability management will feel the pressure most acutely as exploit timelines shrink. The speed at which known vulnerabilities are remediated becomes a defining factor in resilience.</p> <p>Detection and response must also evolve. AI-driven attack paths are increasingly multi-stage and adaptive, requiring organisations to invest in anomaly-based detection and deeper telemetry across networks and endpoints. However, technology alone is not enough. The ability to respond decisively in the early stages of an incident remains critical, as poor coordination and delayed decision-making can quickly outweigh even the most advanced technical capabilities.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more in this series</h3> <p>John Bruce, Quorum Cyber: <a href="https://www.computerweekly.com/opinion/Claude-Mythos-forces-the-conversation-on-defensive-AI" target="_blank" rel="noopener">Claude Mythos forces the conversation on defensive AI.</a></p> </div> </div> <p>Looking ahead, these AI-driven pipelines will only become more sophisticated and accessible. Even if the most advanced models remain restricted, the techniques will continue to diffuse across the ecosystem as baseline model capabilities improve.</p> <p>The takeaway for CISOs is that Mythos signals that the operating environment has already changed. Organisations do not need access to frontier models to respond. They need to strengthen what they should already be doing as well as maintain continuous visibility of their assets, integrate AI into existing security workflows, improve patching and remediation speed, and rigorously rehearse incident response.</p> <p>In an AI-accelerated threat landscape, resilience will not come from chasing the latest model. It will come from executing the fundamentals, faster and better than before.</p> <p><em>Martin Riley is CTO at <a href="https://www.bridewell.com/uk" target="_blank" rel="noopener">Bridewell</a>, a managed security services provider.</em></p> The Computer Weekly Security Think Tank considers if Anthropic’s Claude Mythos frontier AI model is a benefit or barrier to achieving resilient enterprise IT security, and how security leaders need to adapt. https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg https://www.computerweekly.com/opinion/Mythos-is-turning-up-the-heat-on-risk-not-rewriting-the-rules Wed, 10 Jun 2026 11:49:00 GMT Mythos is turning up the heat on risk, not rewriting the rules <p>Europe’s debate over <a href="https://www.computerweekly.com/news/366642487/Cloud-and-data-sovereignty-caught-in-a-paradox">cloud sovereignty</a> has moved from ideology to engineering. The question is no longer whether organisations should control their data and artificial intelligence (AI) workloads, but whether their governments have built the frameworks that make such control possible in practice.</p> <p>The answer, according to <a href="https://www.linkedin.com/in/martin-merz-ba804280/">Martin Merz, president of Sovereign Cloud at SAP</a>, depends entirely on where you are.</p> <p>“It starts with each and every country,” Merz told Computer Weekly at <a href="https://www.computerweekly.com/news/366643794/Sapphire-2026-SAP-executives-admit-route-change-on-high-road-to-business-AI">SAP Sapphire Europe</a> in Madrid. “They have their own regulations, their own national security requirements, and I think that needs to be honoured.”</p> <p>He understands the frustration that comes with this reality. European politicians, he said, regularly point out that 450 million citizens and a combined budget of comparable scale to the US should make Europe a formidable force. But the US is one country. Europe is not, and its cloud sovereignty landscape reflects that.</p> <p>For SAP, sovereignty is not a single property but a stack of four distinct obligations: data sovereignty, which requires that data and metadata remain within the country or region; operational sovereignty, meaning that only individuals with the appropriate nationality and security clearances handle that data; technical sovereignty, including an in-country control plane rather than a centralised one; and legal sovereignty, ensuring that the applicable regulatory framework is the one the customer and government actually signed off on.</p> <p>Sovereign cloud, in SAP’s definition, is not a configuration choice. It is a compliance state. “Either it’s sovereign, or it’s not sovereign. You can’t have it halfway,” said Merz.</p> <p>That positioning sounds straightforward. The European reality is considerably messier.</p> <section class="section main-article-chapter" data-menu-title="Different speeds, different distances"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Different speeds, different distances</h2> <p>France and Germany have each moved beyond policy aspiration, though they are at different stages of maturity. France built its sovereign cloud framework around SecNumCloud, the certification standard maintained by cyber security agency ANSSI that sets strict requirements for data isolation, operational control and legal sovereignty.</p> <p>In March 2026, SAP launched its sovereign cloud offering in France on the Bleu platform, a joint venture between Orange and Capgemini that runs Microsoft Azure technology under French ownership and is working towards full SecNumCloud qualification.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> [Cloud sovereignty] starts with each and every country. They have their own regulations, their own national security requirements, and I think that needs to be honoured </figure> <figcaption> <strong>Martin Merz, SAP</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Germany’s Delos Cloud, an SAP subsidiary operating Microsoft Azure infrastructure under active oversight of the German Federal Office for Information Security (BSI), launched for productive use in early 2026. The platform is designed specifically for Germany’s public sector and meets the cloud platform requirements set by the BSI, which also monitors and controls outgoing telemetry.</p> <p>Merz confirmed he met with Germany’s digital minister, Carsten Wildberger, two weeks before Sapphire to work through sovereign deployment requirements. Both countries have defined architectures and active deployments. The frameworks exist, and public sector organisations are running on them.</p> <p>The Netherlands is not at that stage. The country has been active in European sovereignty discussions, most visibly through a non-paper adopted by the Dutch Council of Ministers calling for stronger cloud sovereignty frameworks for public administrations.</p> <p>But the document is telling in what it does not do: rather than setting out a Dutch national framework, it asks Brussels to define one. The Netherlands, it argues, believes the definition and criteria for cloud sovereignty are best established within the proposed EU Cloud and AI Development Act.</p> <p>A January 2025 report by the Netherlands Court of Audit <a href="https://english.rekenkamer.nl/documents/2025/01/15/dutch-central-government-in-the-cloud">found that</a> two-thirds of government cloud services examined had not completed a mandatory risk assessment, leaving digital sovereignty and data protection inadequately assured. The findings echoed concerns <a href="https://www.computerweekly.com/news/366626105/Dutch-cloud-pioneers-face-the-hard-limits-of-digital-sovereignty">reported by Computer Weekly</a> in June 2025, when independent experts warned that <a href="https://www.computerweekly.com/news/366626105/Dutch-cloud-pioneers-face-the-hard-limits-of-digital-sovereignty">Dutch sovereign cloud initiatives remain too fragmented</a> to serve critical infrastructure at scale.</p> <p>The court’s vice-president warned bluntly that foreign governments, including the US, could potentially access or modify information held on Dutch government systems.</p> <p>When asked directly whether any Dutch critical infrastructure operator is currently running on SAP sovereign infrastructure at a comparable level to deployments in France or Germany, Merz was notably cautious. “We work with the Netherlands,” he said. He did not name a certified deployment.</p> <p>That gap matters because the stakes are not abstract. The Netherlands is home to some of Europe’s most strategically significant critical infrastructure, and organisations across those sectors have already made significant investments in cloud enterprise resource planning (ERP).</p> <p>The question of what sovereign protection those deployments carry is one that regulators, boards and procurement teams across the Dutch public and regulated private sector will need to answer.</p> </section> <section class="section main-article-chapter" data-menu-title="The hyperscaler paradox"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The hyperscaler paradox</h2> <p>One reason the conversation is complicated is that SAP’s sovereign cloud offering does not resolve neatly into a simple alternative to hyperscale infrastructure. SAP offers sovereign deployments on Amazon Web Services (AWS), on Microsoft Azure via partnerships such as Delos, on its own cloud infrastructure, and on-premise for customers such as intelligence agencies that require data to stay within their own facilities.</p> <p>Which option is sovereign depends entirely on what the relevant regional cyber security agency has approved.</p> <p>“If AWS is approved by the cyber security agency, then it’s sovereign for us,” said Merz. Some military customers in Europe, he noted, are comfortable running sovereign workloads on AWS provided the regulatory sign-off is in place. Others are not. The result is that sovereignty is defined not by the underlying infrastructure but by a compliance status that varies by sector, by nation, and by the specific requirements of each organisation.</p> <p>“There are customers for whom none of these options is valid,” Merz acknowledged. “They want it solely in their own datacentre. Only then is it sovereign for them.”</p> <p>That compliance question does not stop at the infrastructure layer. As SAP pushes its Autonomous Enterprise vision, the governance of AI agents introduces a parallel accountability gap that organisations in regulated sectors cannot afford to ignore.</p> <p><a href="https://www.linkedin.com/in/philipp-herzig/?locale=en">SAP’s chief technology officer, Philipp Herzig,</a> addressed this directly in a media roundtable at Sapphire. When an autonomous agent makes a wrong call, he said, accountability does not sit with SAP alone. “At the end of the day, that’s a shared responsibility,” Herzig said.</p> <p>AI governance, he explained, sits primarily with the customer, through the AI Agent Hub, where IT departments set the policies, architecture and boundary conditions that govern what agents can and cannot do.</p> <p>For organisations in regulated sectors, that governance layer is not optional, and it has to be designed before AI is switched on.</p> </section> <section class="section main-article-chapter" data-menu-title="An industrial speed bump"> <h2 class="section-title"><i class="icon" data-icon="1"></i>An industrial speed bump</h2> <p>The operational consequences of Europe’s fragmented sovereignty landscape are visible at the company level.</p> <p>Damen Shipyards, the Dutch maritime group that builds vessels for navies and commercial operators across more than 20 countries, has spent several years consolidating around 80% of its entities onto a single SAP S/4Hana Cloud platform via Rise with SAP. The roll-out is largely complete, and the focus has shifted to unlocking AI value across finance, procurement, supply chain and project management.</p> <p>Han Coenraad, who oversees the SAP programme at Damen, described genuine enthusiasm for the direction, particularly around SAP Joule. “Young professionals are using it, and the acceleration they get from it is really something to see,” he said.</p> <p>But Damen Naval, the division that designs and builds warships for European defence ministries, remains on an on-premise SAP instance. Defence compliance rules require personnel to be screened by Dutch intelligence services in first- and second-line support, a standard that current cloud deployment models do not yet structurally accommodate.</p> <p>“We see internally already a difference in adoption speed developing,” said Coenraad. “And that is not what we want.”</p> <p>His colleague Kenny van Sleuwen, system architect for ERP, sees SAP Sovereign Cloud as a potential route to bringing both environments onto a common platform, and expects Dutch defence to follow Germany and France in formalising such requirements. But until that framework exists, the gap remains.</p> <p>That is not a technology problem. It is a policy problem.</p> </section> <section class="section main-article-chapter" data-menu-title="The pragmatism trap"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The pragmatism trap</h2> <p>Merz is not without sympathy for the difficulty of European convergence. He acknowledged that the US operates as a single regulatory market, while Europe is attempting to coordinate sovereign cloud standards across member states with different legal traditions, different national security agencies and different threat assessments.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The most successful countries and customers are those who start in a pragmatic way. Fulfil the requirements but stay open for new technology </figure> <figcaption> <strong>Martin Merz, SAP</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>His prescription is pragmatism. “The most successful countries and customers are those who start in a pragmatic way,” he said. “Fulfil the requirements but stay open for new technology.”</p> <p>The challenge with pragmatism as a long-term strategy is that it tends to lock in the advantages of those who moved earliest. France and Germany have invested heavily in building sovereign cloud infrastructure that meets their own standards. Organisations in those countries, including defence contractors and critical infrastructure operators, can adopt cloud and AI at a pace that regulators have approved. The Netherlands is still building the framework that would allow equivalent certifications to take place.</p> <p>Merz said he would welcome one regulation for the whole of Europe. He was not optimistic about the timeline. For Dutch organisations that cannot wait for convergence, the practical questions are what sovereign cloud looks like under the current Dutch framework, whether that framework is developing fast enough, and what the cost of the delay is in terms of AI adoption that the most regulated and strategically significant sectors cannot yet pursue.</p> <p>Those are questions that SAP’s engineering teams cannot answer. They are questions for The Hague.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Dutch digital independence</h3> <ul class="default-list"> <li>Dutch politicians raise concerns over <a href="https://www.computerweekly.com/news/366616381/Dutch-politicians-raise-concerns-over-Big-Tech-reliance">Big Tech reliance</a>.</li> <li>The Netherlands starts <a href="https://www.computerweekly.com/news/366558412/Netherlands-starts-building-its-own-AI-language-model">building its own AI language model</a>.</li> <li>Dutch universities have found themselves <a href="https://www.computerweekly.com/news/366623843/Dutch-universities-call-for-reduced-dependence-on-Big-Tech">in the grip of American tech giants</a>.</li> </ul> </div> </div> </section> France has an established sovereign cloud framework and Germany launched one earlier this year, whereas the Netherlands is still just building its policy foundation https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Europe-map-adobe.jpeg https://www.computerweekly.com/news/366644008/Dutch-critical-infrastructure-lags-Europes-cloud-sovereignty-divide-SAP-executive-warns Wed, 10 Jun 2026 11:46:00 GMT Dutch critical infrastructure lags Europe’s cloud sovereignty divide, SAP executive warns <p>The UK government is attempting to improve public trust in its <a href="https://www.computerweekly.com/news/366637124/What-will-happen-with-Starmers-digital-ID-scheme-in-2026">digital ID proposals</a> and rebuild relations with industry by setting up a new advisory group and establishing regular meetings with private sector stakeholders.</p> <p>In the King’s Speech last month, the government unveiled <a href="https://www.computerweekly.com/news/366643097/Kings-Speech-paves-the-way-for-digital-ID">plans for a Digital Access to Services Bill</a>, which will form a legal framework under which it can create, issue and use digital IDs.</p> <p>The proposals have <a href="https://www.computerweekly.com/news/366635513/Mandatory-digital-ID-paves-way-for-surveillance-and-exclusion-MPs-hear">faced significant criticism</a> and opposition from civil society and privacy groups, while MPs on the Home Affairs Committee described the <a href="https://www.computerweekly.com/news/366643374/Government-digital-ID-launch-was-a-fiasco-report-finds">launch of the government’s policy as “nothing short of a fiasco”</a>, adding that the initial plan to make the scheme mandatory – and the <a href="https://www.computerweekly.com/blog/Computer-Weekly-Editors-Blog/UK-governments-U-turn-on-digital-ID-was-inevitable-from-the-start">subsequent U-turn</a> – “undermined what existing public support” there was for digital ID.</p> <p>While stakeholders wait for the results of a recent <a href="https://www.computerweekly.com/news/366639956/Whitehall-launches-digital-ID-consultation">consultation process</a>, chief secretary to the prime minister, Darren Jones – the minister in charge of the digital identity policy – has convened an independent group of experts with a remit to “provide accountability and insight” to help ensure the digital ID scheme is “inclusive, useful and trusted”.</p> <p>The experts range from familiar faces who sit on other digital government advisory groups to business and political leaders (<a href="#Members"><i>see box, below</i></a>). At first glance, the group appears to lack one significant factor – any direct experience of developing, operating or implementing digital identity systems. However, Computer Weekly understands that this was a deliberate decision to keep the group free of any commercial interest.</p> <p>According to the Cabinet Office, “The advisory group will meet quarterly for the duration of the digital ID programme to provide external scrutiny and strategic insight and will challenge the government on emerging ideas or policy decisions to ensure the system works for everyone.”</p> <p>The government is also starting a process of regular engagement with industry bodies and key stakeholders in the digital identity and financial services sectors to “inform” the programme as it develops.</p> <p>The government has <a href="https://www.computerweekly.com/blog/Computer-Weekly-Editors-Blog/Digital-ID-providers-are-placated-again-as-anticipation-builds-towards-government-consultation">caused significant friction with the digital verification sector</a> over the past 18 months, and has faced criticism for its lack of communication and announcements that made the government’s plans for identity apps appear to be in competition with industry offerings.</p> <p>Behind-the-scenes lobbying by industry bodies has now led to a more formal process of engagement to address supplier concerns and to listen to “lessons and insights” from the sector.</p> <p>“This new programme of engagement will ensure we benefit from the insights and experience of experts as we build a system that is secure, useful and for everyone – and that supports public services that are there for you when you need them most,” said Jones.</p> <p>Parliamentary under-secretary of state in the Department for Science, Innovation and Technology and parliamentary secretary in the Cabinet Office, James Frith, added: “We want digital ID to work for everyone – something that is useful, inclusive and trusted. That is why we’re working with industry, civil society and others to get this right. Our programme of engagement will run throughout our development of the programme, ensuring we hear from as many people and organisations as possible.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading"><a id="Members"></a>Members of the UK government’s advisory group on digital ID</h3> <p><strong>John Fallon</strong> – former CEO of global education publisher Pearson, where he led the company’s transition from print to digital learning platforms. Fallon is also the lead Cabinet Office non-executive board member.</p> <p><strong>Anne-Marie Imafidon</strong> – co-founder and CEO of Stemettes, a social enterprise helping people to pursue careers in science, technology, engineering and maths.</p> <p><strong>David Rogers</strong> – a cyber security expert and member of the faculty at Columbia Business School.</p> <p><strong>Emma Wright</strong> – an expert in digital regulation law, she is director and co-founder of the Interparliamentary Forum on Emerging Technologies and a partner at law firm Crowell & Moring.</p> <p><strong>Justine Roberts</strong> – founder and executive chair of Mumsnet and Gransnet.</p> <p><strong>Victor Dominello</strong> – former New South Wales minister for digital government and now CEO and co-founder of the Future Government Institute.</p> </div> </div> <p>Tech sector trade body TechUK will host a discussion with Frith this month to “identify the technical details required to ensure an interoperable, secure and seamlessly integrated system”, according to TechUK CEO Julian David.</p> <p>As part of the consultation process, the government has also convened a “people’s panel” – which it says was “selected to be broadly representative of the whole British public” – to gather feedback and opinions from citizens on digital identity.</p> <p><a href="https://www.computerweekly.com/opinion/Building-the-foundations-A-national-roadmap-for-digital-identity-and-sovereign-data">David Crack, chair of the Association of Digital Verification Professionals</a>, welcomed the government’s belated commitment to regular engagement with the industry.</p> <p>“The UK already has a vibrant and innovative digital verification services (DVS) market operating under the UK’s <a href="https://www.computerweekly.com/news/366635638/Use-of-digital-ID-in-UK-achieves-statutory-status">DVS Trust Framework</a>. Our members are delivering trusted identity solutions today, helping citizens access services more easily while supporting businesses and public bodies to reduce fraud, improve security and enhance user experience,” said Crack.</p> <p>“We stand ready to work constructively with government, policymakers, regulators and industry partners to support the continued implementation of the Trust Framework and the successful development of the government’s digital ID programme.”</p> <p>He added: “As the programme develops, it will be important that engagement is broad, meaningful and ongoing, drawing on the practical experience of organisations already delivering trusted digital identity services at scale. By working together, government and industry can help ensure the UK develops a digital identity ecosystem that is secure, inclusive, interoperable and trusted by citizens.”</p> <p>Earlier this month, Computer Weekly revealed that <a href="https://www.computerweekly.com/news/366643785/Property-sector-plans-for-digital-ID-collapse-over-government-policy-concerns">a property sector initiative to introduce a digital identity scheme is being scrapped</a> due to concerns over UK government policy and a lack of consumer benefits.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the government’s digital ID plans</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366643374/Government-digital-ID-launch-was-a-fiasco-report-finds">Government digital ID launch was a fiasco, report finds</a>: Back-to-front policy and a rushed launch destroyed public confidence, as Home Affairs Committee is sceptical government has capacity to implement the digital ID programme.</li> <li><a href="https://www.computerweekly.com/news/366636254/MPs-maul-digital-ID-plans-in-parliamentary-debate">MPs maul digital ID plans in Parliamentary debate</a>: MPs brand the government’s digital ID plans ‘un-British’ and ‘an attack on civil liberties’ during debate on the controversial policy.</li> <li><a href="https://www.computerweekly.com/news/366634197/Industry-calls-for-clarity-on-government-digital-ID-plans">Industry calls for clarity on government digital ID plans</a>: The digital identity industry asks UK government for transparency on its digital identity scheme and proposes a formal collaboration agreement.</li> <li><a href="https://www.computerweekly.com/news/366640072/The-UK-governments-digital-identity-scheme-Dystopian-nightmare-or-modernised-public-services">The UK government’s digital identity scheme: Dystopian nightmare or modernised public services?</a> Critics and supporters of digital ID are honing their arguments for the government’s consultation – but it’s the public that will decide. How should you choose?</li> <li><a href="https://www.computerweekly.com/blog/Computer-Weekly-Editors-Blog/Who-knew-How-Starmer-kept-his-digital-ID-plan-secret-for-months">Who knew? How Starmer kept his digital ID plan secret for months</a>: When prime minister Keir Starmer announced on 26 September that the government was to introduce a mandatory national digital ID scheme, it came as a surprise to many people.</li> </ul> </div> </div> After mounting criticism of its digital identity policy, the government is convening an independent advisory group and improving engagement with industry stakeholders in an attempt to improve public trust https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/London-parliament-digital-mobile-adobe.jpeg https://www.computerweekly.com/news/366644120/UK-government-invites-experts-and-industry-groups-to-advise-on-digital-ID-plans Wed, 10 Jun 2026 06:36:00 GMT UK government invites experts and industry groups to advise on digital ID plans <p>A year after its initial pledge to help create inclusive, digital opportunities across the UK & Ireland, and following its launch of a platform offering a new way to run critical infrastructure, Cisco has forged a strategic collaboration with the UK Department for Science, Innovation and Technology (DSIT) to use artificial intelligence (AI) and advanced digital technologies to help drive economic growth, improve public services and build digital skills.</p> <p>At its heart, the initiative directly supports the <a href="https://www.gov.uk/government/publications/ai-opportunities-action-plan/ai-opportunities-action-plan">UK government’s AI opportunities action plan</a>, and is designed to bring together Cisco’s technology expertise, skills programmes and wider ecosystem with DSIT’s national policy initiatives. It also complements the Cisco June 2025 <a href="https://gblogs.cisco.com/uki/delivering-on-our-promise-one-year-of-the-cisco-uk-ireland-manifesto/">UK & Ireland Manifesto</a> in which the networking giant make a commitment to help everyone benefit from a more digitally inclusive society.</p> <p>This memorandum of understanding (MoU), which outlines a framework through to 2030, aims to build on what has been achieved so far, helping to address the gap between AI ambition and large-scale adoption, focusing on practical deployment rather than theoretical potential.</p> <p>A year on from its commitment, Cisco said that it has delivered tangible progress across the three areas at the heart of that pledge: growing its presence in communities, developing digital skills and activating its people and partners.</p> <p>A key part of the collaboration to further establish Barnsley as the UK’s first Tech Town. The initiative seeks to apply AI in real-world settings where infrastructure, public services and skills come together. The collaboration aims to identify projects that can use AI capabilities, Cisco technology and skills courses to support progress for Barnsley’s local economy and citizens. With an initial 18-month pilot phase, the aim is to create a blueprint that could deliver similar benefits in other parts of the UK.</p> <p>As part of the Tech Town initiative, through the Lister alliance, Cisco plans to explore the viability of<b> </b>a healthcare Living Lab in Barnsley to help public sector organisations, academia and industry partners work together on emerging technologies in real-world settings. The aim is to create an environment to co-produce solutions – initially focused on improving how outpatient appointments are managed and the delivery of <a href="https://www.techtarget.com/virtualhealthcare/feature/Telehealth-playbook-aims-to-bolster-rural-hospitals-amid-funding-crisis">virtual care</a>. Learnings are expected to be shared with other NHS trusts.</p> <p>The MoU also looks to strengthens support for the government’s TechFirst programme, which aims to give one million secondary school students access to technology and AI learning experiences.</p> <p>Cisco plans to contribute to these efforts through at least 8,000 hours of employee volunteering over four years; programmes to inspire into tech careers; work experience opportunities for students across London, Manchester, Birmingham and Glasgow; dedicated pathways placements; university-level and T-Level placements. Cisco also plans to explore research opportunities for PhD candidates and aim to expand access to the Cisco Networking Academy for schools and colleges.</p> <p>Commenting on the partnership, Cisco UK & Ireland chief executive Sarah Walker said: “We believe a digital society that works for everyone isn’t out of reach. Neither is it the responsibility of one group of people or organisations. That is why collaboration matters. Today’s announcement marks a year of progress towards our commitment to help create a more inclusive, digital UK and Ireland, with a clear path to future impact.”</p> <p>UK AI minister Kanishka Narayan added: “Partnerships like this one with Cisco are exactly what will power the UK's AI future. By combining world-class expertise with our ambition to upskill 10 million people by 2030, we can make sure that the benefits of AI aren’t just felt in boardrooms and tech hubs, but in classrooms, hospitals and high streets right across the country.”</p> <p>In addition, Cisco said that it has helped 100,000 people develop their skills through Cisco Networking Academy in the past year alone, the equivalent of five years of progress in one year and a “significant step” towards its target of one million learners in the UK by 2030.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about education and training in networking</h3> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchnetworking/post/CIOs-must-support-multi-cloud-training-for-network-engineers">CIOs must support multi-cloud training for network engineers</a>: Many enterprises are shifting to multicloud environments, but they must enable proper training. Here's how they can be proactive and support multi-cloud network training.</li> <li><a href="https://www.computerweekly.com/feature/How-AI-is-being-used-to-manage-networks">How AI is being used to manage networks</a>: Network management is becoming reliant on artificial intelligence-enabled tools, which use machine learning based on network monitoring data.</li> <li><a href="https://www.computerweekly.com/feature/Kazakhstan-Where-data-is-set-to-be-the-real-new-oil">Kazakhstan - Where data is set to be the real new oil</a>: Spanning huge distances, Kazakhstan has amassed riches from beneath its ground and its ability to launch rockets into space above. Yet the country sees its future prosperity in exploiting digital riches.</li> <li><a href="https://www.computerweekly.com/microscope/news/252523463/Extreme-Networks-puts-emphasis-on-training">Extreme Networks puts emphasis on training</a>: Vendor Extreme Networks enhances partner programme with an emphasis on encouraging partners to get certifications and increase their technical training.</li> </ul> </div> </div> Networking giant and UK Department for Science, Innovation and Technology announce strategic collaboration to help increase AI adoption and widen access to digital skills https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/training-fotalia.jpg https://www.computerweekly.com/news/366643929/UK-government-and-Cisco-unveil-AI-digital-skills-initiative Wed, 10 Jun 2026 04:58:00 GMT UK government and Cisco unveil AI, digital skills initiative <p>Microsoft has issued patches for around 200 flaws in its latest monthly <a href="https://www.techtarget.com/searchsecurity/definition/Patch-Tuesday" target="_blank" rel="noopener">Patch Tuesday</a> drop, blasting past a previous record high of almost 170 common vulnerabilities and exposures (CVEs) <a href="https://www.computerweekly.com/news/366632872/Patch-Tuesday-Windows-10-end-of-life-pain-for-IT-departments" target="_blank" rel="noopener">set in October 2025</a>. Among a great many others, the latest update from Redmond fixes a total of 32 critical CVEs and three zero-day flaws.</p> <p>Dustin Childs, head of threat awareness at <a href="https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review" target="_blank" rel="noopener">TrendAI’s Zero-Day Initiative</a>, said: “We are heading into a high-stakes summer for cyber security. June's record-shattering drop…is a stark warning that AI is supercharging flaw discovery at an uncontrollable scale. The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018. It is extraordinary that Microsoft can produce so many patches in a single month, and I expect many testers are wondering what quality issues may exist.”</p> <p>With the addition of hundreds of CVEs in Google Chrome and Microsoft Edge (Chromium) and other third-party flaws taking the total to almost 600, Chris Goettl, vice-president of security product management at <a href="https://www.ivanti.com/" target="_blank" rel="noopener">Ivanti</a>, said talk of a “patch apocalypse” was no longer unwarranted.</p> <p>“<a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide" target="_blank" rel="noopener">We are in the patch apocalypse</a>. The patch apocalypse is now,” said Goettl. “This is not intended to be a scare tactic. It is meant to outline the challenge that many organisations were anticipating, but the new generation of LLMs [large language models] has accelerated significantly in the first half of 2026. </p> <p>“There are going to be more CVEs resolved by vendors at a faster and more continuous pace than we have ever seen previously. Unfortunately, this will also include more zero-day and n-day exploits than previously seen as well. The window from release from a vendor to exploitation had <a href="https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023" target="_blank" rel="noopener">already shortened to five days as of 2023 threat intelligence data</a>.”</p> <p>Goettl said that many suppliers have acknowledged the need to use AI tools in their security research to identify and resolve flaws, with Oracle, Google Chrome and Mozilla all upping the cadence of their updates. Whether or not Microsoft follows suit remains to be seen.</p> <section class="section main-article-chapter" data-menu-title="Zero-days"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Zero-days</h2> <p>This month’s zero-days are tracked as follows, in numerical order:</p> <ul class="default-list"> <li><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45586" target="_blank" rel="noopener">CVE-2026-45586</a>, an elevation of privilege (EoP) flaw in Windows Collaborative Translation Framework (CTFMON);</li> <li><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49160" target="_blank" rel="noopener">CVE-2026-49160</a>, a denial of service (DoS) flaw in HTTP.sys;</li> <li>And <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50507" target="_blank" rel="noopener">CVE-2026-50507</a>, a security feature bypass (SFB) flaw in Windows BitLocker.</li> </ul> <p>All three of these flaws carry CVSS ratings of between six and eight, and all three have been reported publicly, but are not yet known to have been exploited.</p> <p>Alex Vovk, CEO and co-founder of <a href="https://www.action1.com/" target="_blank" rel="noopener">Action1</a>, explained how CVE-2026-45586 could enable a local, authenticated attacker to gain system-level privileges with ease: “The issue is caused by improper link resolution before file access, also known as link following. A low-privilege foothold can become full system control when Windows follows the wrong link at the wrong time.</p> <p>“System access can allow malware installation, defense evasion, credential theft, data modification and deeper movement across the environment. For businesses, this can increase the impact of phishing, stolen credentials or compromised standard user accounts. This patch should be prioritised. Even though active exploitation is not reported, this type of bug can turn a minor local compromise into full endpoint control.”</p> <p>Meanwhile, CVE-2026-49160 in HTTP.sys stems from an uncontrolled resource consumption issue that could allow an unauthenticated threat actor to cause a DoS over the network.</p> <p>“While the vulnerability does not expose data or allow code execution, it can disrupt services that depend on affected Windows systems,” said Action1 president and co-founder Mike Walters.</p> <p>“Successful exploitation could disrupt web services, internal applications, APIs [application programming interfaces] and business systems that rely on affected Windows HTTP services. Outages may lead to downtime, failed transactions, loss of productivity, customer impact and increased operational response costs.”</p> <p>With exploitation considered more likely, CVE-2026049160 is another prime candidate for prioritisation, particularly since it is both network-accessible and requires zero authentication.</p> <p>Finally, CVE-2026-50507 in Windows BitLocker – arising from a protection mechanism failure in how BitLocker handles device encryption – enables an attacker to access encrypted, stored data with no need for credentials, if they have physical access to the device.</p> <p>While the need for physical access will be an effective blocker for many attackers, the potential impact is significant, as Action1 vulnerability research director Jack Bicer noted.</p> <p>“BitLocker is commonly relied upon to protect sensitive business and personal data when devices are lost, stolen or accessed by unauthorised individuals,” he said. “A successful bypass undermines this security control and can expose confidential business information, customer data, intellectual property, financial records and regulated data.</p> <p>“In environments where endpoint encryption is a compliance requirement, exploitation could result in regulatory exposure, breach notification obligations, reputational damage and financial losses.”</p> <p>Businesses with dispersed mobile estates and plentiful remote or hybrid workers should prioritise the fix for CVE-2026-50507, said Bicer.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Patch Tuesday</h3> <ul style="list-style-type: square;" class="default-list"> <li><strong><strong>May 2026: </strong></strong>No zero-day flaws were addressed in May’s Patch Tuesday update but as usual there is much for admins to chew over <a href="https://www.computerweekly.com/news/366642908/Microsoft-releases-rare-zero-day-free-Patch-Tuesday-update" target="_blank" rel="noopener">in the coming days</a>.</li> <li><strong>April 2026: </strong>Microsoft’s latest Patch Tuesday update may be one of the largest in history, <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server">with more than 160 issues in scope</a>.</li> <li><strong>March 2026: </strong>Zero-days in .NET and SQL Server, and a handful of critical RCE bugs, form the nucleus of Microsoft’s <a href="https://www.computerweekly.com/news/366639784/Microsoft-patches-zero-days-in-NET-and-SQL-Server" target="_blank" rel="noopener">March Patch Tuesday update</a>.</li> <li><strong>February 2026: </strong>Microsoft releases patches for six zero-day flaws in its latest monthly update, <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366638958/February-Patch-Tuesday-Microsoft-drops-six-zero-days">many of them related to security feature bypass issues</a>.</li> <li><strong>January 2026: </strong>January brings a larger-than-of-late Patch Tuesday update out of Redmond, but an uptick in disclosures <a href="https://www.computerweekly.com/news/366637296/Microsoft-patches-112-CVEs-on-first-Patch-Tuesday-of-2026" target="_blank" rel="noopener">is often expected at this time of year</a>.</li> <li><strong>December 2025: </strong>The final Patch Tuesday update of the year brings 56 new CVEs, bringing the year-end total <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366636275/Microsoft-patched-over-1100-CVEs-in-2025">to more than 1,100</a>.</li> <li><strong>November 2025:</strong> An elevation of privilege vulnerability in Windows Kernel tops the list of issues to address in the <a href="https://www.computerweekly.com/news/366634166/Microsoft-users-warned-over-privilege-elevation-flaw" target="_blank" rel="noopener">latest monthly Patch Tuesday update</a>.</li> <li><strong>October 2025:</strong> Windows 10 is no longer supported, but that does not mean it is not impacted <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366632872/Patch-Tuesday-Windows-10-end-of-life-pain-for-IT-departments">by the latest Patch Tuesday update</a>.</li> <li><strong>September 2025:</strong> Nearly half the CVEs Microsoft disclosed in its September security update, including one publicly known bug, <a rel="noopener" target="_blank" href="https://www.darkreading.com/application-security/eop-flaws-again-lead-microsoft-patch-day">enable escalation of privileges</a> (Dark Reading).</li> <li><strong>August 2025:</strong> Microsoft rolls out fixes for over 100 CVEs <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366629273/Eight-critical-RCE-flaws-make-Microsofts-latest-Patch-Tuesday-list">in its August Patch Tuesday update</a>.</li> <li><strong>July 2025:</strong> Microsoft patched well over 100 new common vulnerabilities and exposures on the second Tuesday of the month, but its latest update is <a href="https://www.computerweekly.com/news/366627196/July-Patch-Tuesday-brings-over-130-new-flaws-to-address" target="_blank" rel="noopener">mercifully light on zero-days</a>.</li> <li><strong>June 2025:</strong> Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366625818/June-Patch-Tuesday-brings-a-lighter-load-for-defenders">warrant close attention</a>.</li> </ul> </div> </div> </section> Microsoft has obliterated the record for the largest ever Patch Tuesday drop, with its June 2026 update addressing approximately 200 flaws and three zero-days https://cdn.ttgtmedia.com/visuals/German/article/upgrade-computer-adobe.jpg https://www.computerweekly.com/news/366644117/Microsoft-smashes-record-for-biggest-ever-Patch-Tuesday-update Tue, 09 Jun 2026 16:35:00 GMT Microsoft smashes record for biggest ever Patch Tuesday update <p><a href="https://www.mse.nhs.uk/" target="_blank" rel="noopener">Mid and South Essex NHS Foundation Trust</a> (MSE), which is responsible for sites in Chelmsford, Basildon and Southend, is to contact an unspecified number of its patients whose personal data was stolen in the <a href="https://www.computerweekly.com/news/366587519/NHS-services-at-major-London-hospitals-disrupted-by-cyber-attack" target="_blank" rel="noopener">2024 Qilin ransomware attack</a> on NHS lab services partner Synnovis.</p> <p>The incident caused chaos across parts of the NHS, with hospitals in South London particularly badly affected, and led to <a href="https://www.computerweekly.com/news/366593892/NHS-Trusts-cancelled-over-6000-appointments-after-Qilin-cyber-attack" target="_blank" rel="noopener">thousands of cancelled outpatient appointments and elective procedures</a>. The Qilin gang later published <a href="https://www.computerweekly.com/news/366589583/Qilin-ransomware-gang-publishes-stolen-NHS-data-online" target="_blank" rel="noopener">over 400GB of sensitive data</a> taken from the various NHS bodies to which Synnovis provides testing services.</p> <p>However, while the basic facts of the incident were quickly established, <a href="https://www.computerweekly.com/news/366634454/Synnovis-to-notify-NHS-of-data-breach-after-nearly-18-months" target="_blank" rel="noopener">it took nearly 18 months</a> for Synnovis to complete its full forensic investigation and to begin to inform downstream NHS organisations that their patients’ data was compromised. MSE was among those bodies informed towards the end of 2025, and it has since conducted its own investigation into the breach.</p> <p>MSE deputy chief executive Dawn Scawfield said: “Records relating to patients who had a mixture of specialist diagnostic tests were affected. Some data is not directly linked to patients, so we are still waiting for confirmation on exact numbers. Once we have established who those patients are, we will be in contact with any who have been affected.”</p> <p>At the time of writing, Computer Weekly understands that approximately 2,380 records are involved, and that while the exact time period during which the affected tests were conducted is yet to be determined, all of the exposed data relates to tests taken before 3 June 2024, the approximate date of the Synnovis attack.</p> <section class="section main-article-chapter" data-menu-title="Number of breaches may grow"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Number of breaches may grow</h2> <p>At this point in time, it is not publicly known how many other NHS trusts are impacted, although it is thought likely that others will come forward.</p> <p>Last week, <a href="https://www.bedfordshirehospitals.nhs.uk/news/notification-synnovis-cyber-incident/" target="_blank" rel="noopener">Bedfordshire Hospitals NHS Foundation Trust revealed</a> that data on just under 30,000 patients, including names, birthdates, patient and NHS numbers, postcodes and test results, was stolen.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Perhaps the most dangerous aspect of these timelines is the signal they send. Slow response in a data-rich industry is a clear signal that attacks can be carried out without consequence for years </figure> <figcaption> <strong>Lee Sult, Binalyze</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>In this instance, the data appeared to be from historic testing done before November 2020. However, the trust said, the records themselves are fragmented, incomplete and dispersed throughout multiple files, so it is hard to interpret them accurately.</p> <p>Lee Sult, chief investigator at threat intelligence platform <a href="https://www.binalyze.com/" target="_blank" rel="noopener">Binalyze</a>, said the most worrying aspect of the Synnovis incident was the length of time it has taken to establish the true nature and extent of the stolen data.</p> <p>“If we’re still trying to determine the true scale two years later, it’s less an investigation than a slow-burn crisis. Every month that passes is time NHS numbers, names, dates of birth and test results sit in criminal hands – and nobody knows what’s being done with them,” he said.</p> <p>“Perhaps the most dangerous aspect of these timelines is the signal they send. Slow detection, fragmented investigations and delayed disclosures advertise weakness. State-backed threat actors and organised cyber criminal groups act based on opportunity. Slow response in a data-rich industry is a clear signal that attacks can be carried out without consequence for years.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the Synnovis incident</h3> <ul class="default-list"> <li>Synnovis, the pathology lab services provider hit by a Qilin ransomware attack in 2024, is notifying its NHS partners that their patient data was compromised, <a href="https://www.computerweekly.com/news/366634454/Synnovis-to-notify-NHS-of-data-breach-after-nearly-18-months" target="_blank" rel="noopener">following a lengthy investigation</a>.</li> <li>More cyber attacks against the health service are likely, and will succeed if something isn’t done to address the increasingly elderly NHS IT estate, <a href="https://www.computerweekly.com/news/366592754/Synnovis-attack-highlights-degraded-outdated-state-of-NHS-IT" target="_blank" rel="noopener">experts are warning</a>.</li> <li>The two NHS trusts most heavily impacted by the Qilin ransomware attack on pathology services provider Synnovis have cancelled over 6,000 appointments and procedures <a href="https://www.computerweekly.com/news/366593892/NHS-Trusts-cancelled-over-6000-appointments-after-Qilin-cyber-attack" target="_blank" rel="noopener">in the past five weeks</a>.</li> </ul> </div> </div> </section> Mid and South Essex NHS Foundation Trust has become the latest NHS body to confirm data on its patients was stolen in a 2024 ransomware attack on lab services partner Synnovis https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/healthcare-doctor-clipboard-adobe.jpeg https://www.computerweekly.com/news/366644037/Scale-of-Synnovis-breach-widens-as-Essex-NHS-Trust-comes-forward Mon, 08 Jun 2026 12:15:00 GMT Scale of Synnovis breach widens as Essex NHS Trust comes forward <p>While we’ve seen a lot of hype about AI in cyber security, <a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide" target="_blank" rel="noopener">Anthropic’s Claude Mythos</a> has suddenly and significantly changed the rules of offensive security.<i> </i>The arrival of Anthropic’s Claude Mythos on 7 April 2026 created a paradigm shift in the economics of a cyber attack. AI has rapidly changed the cyber security landscape – and faster than most risk models assume. The window between discovery and weaponisation has collapsed, with time to exploitation dropping from 2.3 years in 2018 to 20 hours today.</p> <p>AI is making vulnerability discovery, exploit generation, and attack orchestration faster and cheaper. Tools like Mythos show that AI can identify <a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability" target="_blank" rel="noopener">critical zero-days</a>, generate working exploits, and orchestrate attacks at a speed and scale that traditional security processes were never designed and built to cope with.</p> <p>However, some things have been exaggerated and not everything has changed overnight. The fundamentals remain essential. Mythos is a structural acceleration, not a magic new category of risk. The basics such as identity, segmentation, MFA, patch discipline, zero-trust, secrets rotation, and egress filtering have become even more important, not less.</p> <p>AI has lowered the cost and skill barrier for finding and exploiting vulnerabilities faster than organisations can patch them. While defenders must manage every exposure across code, infrastructure, identity, suppliers, and agents around the clock, the attacker only needs to find one route into the organisation. So, today at least, attackers have the advantage. It’s now time for defenders to turn the same tools inward to find and fortify any weaknesses first.</p> <p>So, how can CISOs adapt quickly enough?</p> <p>The first point of call is <a href="https://www.computerweekly.com/news/366643082/Software-developers-shift-to-AI-code-reviewers" target="_blank" rel="noopener">code review and vulnerability discovery</a>. Organisations should immediately point AI agents at their most critical codebases, then move toward large language model (LLM)-driven review inside continuous integration and development (CI/CD) pipelines. Every piece of code, whether written by humans or generated by AI should go through automated security review before it is merged.</p> <p>Many organisations still treat AI as a productivity tool rather than a change in the threat model. The mistake that many are making is assuming old patch windows, old incident timelines, and old risk assumptions still hold. Organisations are also underestimating AI agents as a new attack surface. Prompts, tools, retrieval pipelines, escalation logic, and agent permissions all need controls before agents should be permitted to enter production.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Claude Mythos</h3> <ul class="default-list"> <li>Anthropic's Claude Mythos has generated buzz and alarm among CIOs and CISOs, who fear the model could expose vulnerabilities and drive <a href="https://www.techtarget.com/searchcio/feature/Take-a-breath-A-CISOs-Claude-Mythos-advice-for-CIOs" target="_blank" rel="noopener">unprecedented levels of hacking</a>.</li> <li>As AI tools such as Claude Mythos Preview can speed vulnerability discovery for attackers, CIOs are <a href="https://www.techtarget.com/searchcio/feature/ais-cybersecurity-paradox-how-CIOs-can-keep-up-with-change" target="_blank" rel="noopener">automating detection and response to keep pace</a>.</li> <li>Claude Mythos has the potential to enhance global cyber security or undermine it by becoming a weapon <a href="https://www.techtarget.com/healthtechsecurity/news/366643379/Health-ISAC-How-Claude-Mythos-could-impact-healthcare-cybersecurity" target="_blank" rel="noopener">in the hands of threat actors</a>.</li> </ul> </div> </div> <p>The biggest change CIOs and CISOs need to make in how they approach cyber security is to update their operating model from <a href="https://www.computerweekly.com/news/366643833/AI-agents-help-Cato-slash-time-to-protect-from-new-CVEs" target="_blank" rel="noopener">human-speed security to AI-speed resilience</a>. This will involve mandating responsible AI adoption across security functions, embedding AI review into software delivery, defending agents as first-class assets, rehearsing simultaneous high-severity incidents, updating board reporting and risk models, and hardening the fundamentals without delay.</p> <p>AI is increasing the speed and volume of software development, so security must move earlier and faster. Security review can no longer be a manual gate at the end of development. It needs to be embedded into the pipeline, with AI agents reviewing code continuously and all code – whether human- or AI-generated – assessed before merge.</p> <p>At the present time, AI is making it both easier and more difficult to find and fix vulnerabilities. But the fact is that the risk is growing faster than most organisations’ ability to respond. AI makes it easier for defenders to discover their own weaknesses, but it also makes it easier for adversaries to find and weaponise them. AI must be used defensively now, preparing for a flood of patches, and building response capabilities that can operate at scale.</p> <p>Being Mythos-ready means limiting blast radius, discovering vulnerabilities before adversaries do, building scalable responses, and empowering teams with AI agents now.</p> <p><em>John Bruce is CISO at <a href="https://www.quorumcyber.com/" target="_blank" rel="noopener">Quorum Cyber</a>, an Edinburgh-based managed security services provider (MSSP).</em></p> The Computer Weekly Security Think Tank considers if Anthropic’s Claude Mythos frontier AI model is a benefit or barrier to achieving resilient enterprise IT security, and how security leaders need to adapt. https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg https://www.computerweekly.com/opinion/Claude-Mythos-forces-the-conversation-on-defensive-AI Mon, 08 Jun 2026 11:45:00 GMT Claude Mythos forces the conversation on defensive AI <p>The big theme of the keynote programme at this year’s Infosecurity Europe focused on how artificial intelligence (AI) is turbo-charging the activities of cyber attackers, whether criminals or states hostile to the West. </p> <p><a href="https://www.computerweekly.com/news/366632649/China-responsible-for-rising-cyber-attacks-says-NCSC">Paul Chichester</a>, director of operations at the <a href="https://www.computerweekly.com/news/366642625/UKs-NCSC-warns-of-wave-of-patches">National Cyber Security Centre (NCSC)</a>, told attendees that he had moved from a more to a less sceptical position on the salience of artificial intelligence for cyber security over the past year.</p> <p>We are now at a point of “maximum uncertainty” that might also be the calm before a coming cyber storm, he said, in part because of the sheer “number of variables” now at play. He agreed with the description of the present made by Blaise Metreweli, the head of MI6, that the UK is currently positioned “between peace and war”.</p> <p>“The combined uncertainty in so many parts of our lives – personal, work, the environment – is something different,” said Chichester. “The world is more dangerous and contested now than in decades, and te greater acceleration of connectedness is increasing. So, when you try to think about what’s next and predict where things are going, it’s hard.”</p> <p>The rapidity of technology evolution is novel, he said, adding that while his tendency is to be sceptical, “it feels that the technological rate of change…is going to [mean] societal and civilisational change. A lot of what we’re trying to understand is far beyond our adversaries stealing our secrets. States have integrated cyber operations into everything they do.</p> <p>“We see that integration in the military domain, playing out in Ukraine, Syria, the Middle East. The way that we now see our adversaries integrating to support military outcomes is changing at a vast pace. And we’ve seen Russia, particularly, learning a huge amount.”</p> <p>Nevertheless, he declared himself “a massive optimist about a lot of the challenges that we face…there are a lot of opportunities”.</p> <p>In terms of responding to cyber threats, Chichester drew attention to “more aggressive countering” by the state, <a href="https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats">advocated by security minister Dan Jarvis</a>, as well as building in more resilience, as exemplified by the <a href="https://www.computerweekly.com/opinion/UKs-Cyber-Bill-should-be-just-one-part-of-a-wider-effort">Cyber Security Resilience Bill</a>.</p> <p>“The government absolutely recognises that it needs to do more in that space [working with regulators],” said Chichester.</p> <p>But it is a “collective endeavour”, he added. “I know you’ve heard the NCSC talk before about partnership, and ‘now is the time to act, you must act’. I mean it this time. Now, more than ever, is the time to act. We must work together to get ahead of threats that we face and vulnerabilities that we talk about. Even if the things you ultimately do aren’t 100%, you’re getting match fit. Don’t wait for certainty, because it’s never coming.”</p> <section class="section main-article-chapter" data-menu-title="Adversaries accelerating"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Adversaries accelerating</h2> <p><a href="https://www.computerweekly.com/news/366623776/UK-government-websites-to-replace-passwords-with-secure-passkeys">Stuart McKenzie</a>, managing director of Mandiant Consulting EMEA, part of Google Cloud, gave attendees his “big, fat security update of the year”, which echoed Chichester’s presentation in terms of its stress on the increased speed scale of the adversarial activities with which network defenders are confronted. His session covered lessons learned from Mandiant’s work on the front lines of incident response.</p> <p>Attackers have gotten faster and become more persistent over the past year, said McKenzie. Cyber criminals are also working more in unison and are merely 18 months behind nation-state actors in capability, whereas previously they were more like years behind. “We see attackers now handing off attacks to other groups, actively collaborating,” he added.</p> <p>While some actors are incredibly quick, there were others who preferred to maintain a very long dwell time in their target networks. “Attackers are increasingly trying to get in and deny you access to your recovery environment,” said McKenzie. “They’re actively taking down your ability to recover, which makes it difficult to get your organisation back up. We need to think about how to move from the reactive state that we’re in today, where we’re responding to every incident, to a much more proactive state.”</p> <p>AI is making a big difference, he said, both in his talk and in an interview with Computer Weekly afterwards; “Attackers are very much like us. They use AI in the same way we do and have done. At the start of early 2025, they were, ‘Cool, this is a good chatbot’. And then in mid-2025, as we all began to see how you can use <a href="https://www.techtarget.com/whatis/definition/large-language-model-LLM">LLMs</a> [large language models] directly, they started integrating the LLMs into their attack chains to handle dynamic tasks.</p> <p>“There was a step change around about October last year where we all thought, ‘This could be the future’, and went from being AI sceptical to embracing it. At the same time, we saw the attackers integrate [AI] directly into their environments. Then at the start of 2026, we saw attackers collaborate to find a zero day in a content management platform. Luckily, through some Google intel, we were able to see what they were going after, and we worked with the vendor to patch it before it could be actively exploited.”</p> <p>McKenzie expanded on how the way a defender sees their network is completely different to how an attacker sees it: “When a security person draws their network, they draw a beautiful network architecture of how they think it’s all being segregated. They have these lovely diagrams of where all the workstations are, what the servers are and what the connections look like.</p> <p>“But the attacker finds all the misconfigurations and systems that aren’t supposed to be connected, they’re supposed to have logical gaps between them. They see this view of network that is a real-world view. That is why we always suggest that defenders use adversarial emulation or red teaming to be able to work out: how does that network exist, does it really have all the logical separation you think it has, are there bits that have changed over time?</p> <p>“Their network will have grown organically over time and they’re still looking at the network diagram from when it was designed. They’ve forgotten that something’s been layered on top and changed and connected or someone’s made a policy change, and so on.”</p> <p>Security fundamentals have not changed, he said, but AI has sped up attacks and so sped up required defence.</p> </section> <section class="section main-article-chapter" data-menu-title="Cyber criminal ecosystem evolves"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cyber criminal ecosystem evolves</h2> <p>On the second day of the event, <a href="https://www.computerweekly.com/news/366625059/Infosecurity-2025-NCA-cyber-intelligence-head-spells-out-trends">William Lyne</a>, head of economic and cyber crime at the Metropolitan Police Service, offered a picture of how cyber criminality has been changing as its ecosystem has evolved.</p> <p>There is now less stove piping of criminality, and cyber criminals are getting involved in a fuller gamut of activity, he said. Lyne said that when he joined the UK National Crime Agency as a trainee investigator 15 years ago, “you had cyber crime, hacktivists and hostile state actors, and everything sat quite nicely in those particular stove pipes. But this has changed quite a lot recently.</p> <p>“People aren’t just involved in cyber crime, or another type of online offending, they’re involved in many different types of offending, which is something that we never used to see previously,” he added.</p> <p>Lyne said there is now an evolved cyber adversarial ecosystem, with a commoditisation of cyber crime over the past few years that – among other things – means you can rent malware as a service, just as a business will use software as a service for its customer relationship management. “You can get a service for basically anything in the cyber crime ecosystem now,” he added.</p> <p>Another step change is that the rise of <a href="https://www.techtarget.com/whatis/definition/cryptocurrency">cryptocurrencies</a> has made cyber crime much more profitable. Cashing out used to be “massive pain in the backside” for cyber criminals, said Lyne. “How do you convert the data you have stolen into money? How do you launder the money you’ve stolen from credit card fraud and other types of identity theft? Cyber criminals were losing between 50% to 75% of their ill-gotten gains due to those kinds of complexity. Cryptocurrencies have changed all of that; now 99.5% is realisable.</p> <p>“Virtual currencies are also massively helpful because, if you want to commoditise, if you want to run as a service entity, you’ve got to trade with each other. Criminals trading with each other is inherently quite dodgy.” Virtual currencies have been tremendous for ensuring trust among those dedicated to criminality.</p> <p>Nevertheless, UK law enforcement has had big successes in recent years, said Lyne. Like Chichester, he appealed for collaboration between the security services and civilian business organisations: “Collaboration is critical for every one of our investigations – with multiple organisations, across the UK and local and international partners.</p> <p>“We want to have meaningful, strategic and tactical integration with industry partners who we know hold keys to the questions and challenges that we have in this space. It’s important for us to build and generate trust. And it can be a challenge, but I’m grateful for those partners.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Infosecurity Europe 2026</h3> <ul class="default-list"> <li>Infosecurity Europe <a href="https://www.computerweekly.com/news/366638558/Infosecurity-Europe-launches-cyber-security-startups-stream">launches cyber security startups stream</a>.</li> <li>Infosec 2026: <a href="https://www.computerweekly.com/microscope/news/366641752/InfoSec-The-Channel-Zone-returns">The Channel Zone returns</a>.</li> <li><a href="https://www.computerweekly.com/news/366642956/Security-chiefs-too-polite-for-startups-says-cyber-flywheel-founder-Alastair-Paterson">Security chiefs ‘too polite’ for startups</a>, says cyber flywheel founder Alastair Paterson.</li> </ul> </div> </div> </section> AI is accelerating cyber attacks by criminals and hostile states, with attackers faster, more persistent and increasingly collaborative, say experts speaking at Infosecurity Europe 2026 https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Infosecurity-Europe-2026-PR-hero.jpg https://www.computerweekly.com/news/366643943/Infosecurity-Europe-2026-AI-turbo-charging-cyber-crime-and-response Mon, 08 Jun 2026 06:19:00 GMT Infosecurity Europe 2026: AI turbo-charging cyber crime and response <p>The United Arab Emirates (UAE) is taking another significant step in its cyber security strategy with the launch of a national Crypto Discovery Tool (CDT), designed to help organisations identify, manage and ultimately replace cryptographic systems that could become vulnerable in the era of quantum computing.</p> <p>Developed through a partnership between the UAE Cyber Security Council and Abu Dhabi-based cyber security firm QuantumGate, the platform forms part of the country’s National Post-Quantum Migration Programme and has been customised to requirements established by the UAE National Cryptography Centre.</p> <p>The initiative reflects a growing global recognition that quantum computing, while still emerging, could eventually undermine many of the cryptographic algorithms that currently protect sensitive data, digital identities and critical infrastructure. Governments and enterprises worldwide are therefore beginning to assess their cryptographic exposure and plan migration paths towards quantum-resistant encryption standards.</p> <p>According to the UAE Cyber Security Council, the CDT will provide organisations with comprehensive visibility into cryptographic assets across complex IT environments, automatically identifying embedded cryptography, cataloguing dependencies and supporting ongoing risk management efforts.</p> <p>“Our partnership with QuantumGate on the national Crypto Discovery Tool marks a critical step forward in strengthening the UAE’s national cyber security posture in the face of emerging quantum threats,” said Mohamed Al Kuwaiti, head of cyber security for the UAE government. “As we advance our National Post-Quantum Migration Programme, having sovereign capability to discover, assess and manage cryptographic assets across sectors is essential.”</p> <p>One of the biggest challenges facing organisations preparing for post-quantum cryptography is the lack of visibility into where encryption technologies are deployed. Many enterprises operate thousands of applications, devices and systems that rely on cryptographic algorithms, often without a complete inventory of where those technologies are embedded.</p> <p>The CDT aims to address that challenge by automating cryptographic discovery and inventory management at scale. The platform will also provide continuous monitoring capabilities, enabling organisations to maintain visibility of cryptographic assets over time, support compliance requirements and adapt to future regulatory directives issued by the Cyber Security Council.</p> <p>“Organisations cannot defend against risks they cannot account for,” Najwa Aaraj, chief executive officer of QuantumGate, said. “With the Crypto Discovery Tool, we have built a solution that brings that risk into full visibility, enabling organisations to act decisively and migrate with confidence.”</p> <p>The launch further demonstrates the UAE’s ambition to position itself among the world’s leading nations in cyber security preparedness and digital resilience. Unlike many countries that remain in the assessment phase of post-quantum planning, the UAE is pursuing a coordinated national programme that combines governance, operational tooling and sector-wide implementation.</p> <p>The tool’s outputs will also be integrated into the UAE’s National Cybersecurity Index platform, creating what officials describe as a national Post-Quantum Cryptography (PQC) Index. By consolidating cryptographic posture information across public- and private-sector entities, the Cyber Security Council will gain a centralised view of the country’s readiness for quantum-safe security.</p> <p>The announcement follows a series of initiatives designed to strengthen the UAE’s sovereign cyber capabilities. Earlier this year, the <a href="https://www.computerweekly.com/news/366642990/UAE-Cyber-Security-Council-and-Dell-launch-cyber-security-centre-to-strengthen-digital-resilience" target="_blank" rel="noopener">UAE Cyber Security Council and Dell Technologies</a> launched a Cybersecurity Centre of Excellence in Abu Dhabi to enhance national cyber resilience through AI-driven security operations, skills development and local innovation.</p> <p>Together, the initiatives illustrate a broader strategy that combines advanced threat detection, continuous monitoring and national coordination. As cyber threats become increasingly sophisticated and concerns over future quantum-enabled attacks grow, UAE authorities are seeking to ensure that critical infrastructure operators, government entities and private-sector organisations are equipped to transition securely towards the next generation of cryptographic protection.</p> <p>While large-scale quantum computers capable of breaking current encryption standards are not yet commercially available, security experts increasingly warn that organisations should begin preparing now. The challenge is particularly urgent for sectors handling long-lived sensitive data, where information intercepted today could potentially be decrypted years later using future quantum capabilities.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about cyber security</h3> <ul style="list-style-type: square;" class="default-list"> <li><a href="https://www.computerweekly.com/news/366639768/CISOs-on-alert-Strengthening-cyber-resilience-amid-geopolitical-tensions-in-the-Middle-East">CISOs on alert – strengthening cyber resilience amid geopolitical tensions in the Middle East</a>: As regional uncertainty rises, security leaders across the Gulf focus on resilience, faster incident response and deeper threat intelligence to protect critical systems and data.</li> <li><a rel="noopener" href="https://www.techtarget.com/healthtechsecurity/news/366640347/CISA-urges-companies-to-bolster-Microsoft-Intune-systems-after-Stryker-cyberattack" target="_blank">CISA urges companies to bolster Microsoft Intune systems after Stryker cyber attack</a>: CISA is urging US organisations to strengthen the security of their endpoint management systems after cyber threat actors infiltrated Stryker’s Microsoft environment.</li> </ul> </div> </div> Partnership between the UAE Cyber Security Council and QuantumGate aims to provide nationwide visibility of cryptographic assets, helping critical infrastructure operators to prepare for the emerging risks posed by quantum computing https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/IT-security-padlocks-red-1-denisismagilov_adobe.jpg https://www.computerweekly.com/news/366643900/UAE-launches-national-cryptography-discovery-platform-to-accelerate-post-quantum-security-transition Fri, 05 Jun 2026 04:33:00 GMT UAE launches national cryptography discovery platform to accelerate post-quantum security transition <p>A property sector initiative to introduce a digital identity scheme is being scrapped due to concerns over UK government policy and a lack of consumer benefits.</p> <p>Organisers of the scheme have informed Whitehall departments backing the plan, along with regulators and industry bodies, that they are withdrawing support for the implementation of a standard digital ID into the property sector.</p> <p>The MyIdentity initiative aimed to allow home buyers and sellers to prove their identity once, instead of having to do so multiple times. This information would then be shared with other parties, such as estate agents, mortgage providers, solicitors and conveyancers, within a <a href="https://www.computerweekly.com/news/366635638/Use-of-digital-ID-in-UK-achieves-statutory-status">government-approved digital identity trust framework</a>.</p> <p><a href="https://www.computerweekly.com/news/252504904/11-areas-will-trial-digital-identity-scheme-for-residential-property-sector">A pilot in 2021/2022</a> was backed by funding from Innovate UK and supported at the time by ministers. However, after what organisers described as “repeated delays and false starts in progressing a coherent identity strategy”, MyIdentity and backers at the Home Builders Federation have advised more than 250 companies in the sector to reconsider any further investment of time and money into digital identity systems “until the government sets out clear regulation and legislation, a failure on their part”.</p> <p>“We are putting all activity on digital ID in the property sector on hold. We’re not convinced that it will work, as it provides no consumer benefit and, by default, no real sector benefit,” said Stuart Young, managing director of <a href="https://www.computerweekly.com/news/252494817/Etive-to-create-digital-identity-trust-scheme-for-home-sales">Etive, the company leading the MyIdentity scheme</a>.</p> <p>“This is not a decision that has been made lightly. Following extensive work over the last year or so, it is clear that the people who work on the coalface of property are not convinced of what government is trying to do. In fact, confidence has dropped dramatically. Plus, the business case just doesn’t seem to be there.”</p> <p>The government has encouraged industry sectors to set up digital ID schemes as part of its <a href="https://www.gov.uk/government/collections/uk-digital-verification-services-trust-framework">Digital Verification Services Trust Framework</a>, established by the Department for Science, Innovation and Technology (DSIT). The withdrawal of one of the leading schemes will come as a blow to the wider policy to introduce a government-backed digital identity programme across the UK.</p> <p>Young cited long-term, continued uncertainty over government policy, as far back as Tony Blair’s physical ID card scheme, through the <a href="https://www.computerweekly.com/news/252498143/Government-bids-final-goodbye-to-Govuk-Verify">failed Gov.uk Verify programme</a>, and up to the mixed messaging and confusion caused by Keir Starmer’s announcement of a mandatory national digital ID scheme and his <a href="https://www.computerweekly.com/news/366637189/UK-government-backtracks-on-plans-for-mandatory-digital-ID">subsequent U-turn</a>.</p> <p>“All the same mistakes are being made,” said Young. “We have told DSIT, the Ministry of Housing, etc about this over the years but they just aren’t interested. I think it is wrong to mislead companies and it was clear to me that [companies] are fed up with more failed initiatives or ’not another initiative’. Fatigued is probably the best word to describe how people feel.</p> <p>“For the government to try to introduce digital identity, which is only guidance and voluntary, makes it a tough sell for companies that have other shifting business priorities to deal with.”</p> <p>Currently, home buyers and sellers must complete multiple identity checks during a single transaction, paying repeated fees. Rather than reducing friction, Young says such digital identity processes are increasing both costs and delays.</p> <p>In a letter to government representatives in April, MyIdentity said: “The current landscape for customer identity is characterised by significant ambiguity. Divergent and, at times, conflicting perspectives across government and industry have resulted in a lack of clear direction regarding policy, regulatory intent and the permissible scope of private sector activity. This uncertainty is compounded by the absence of definitive guidance on the government’s long-term strategy and mandates in this area.”</p> <p>A report by MPs on the Home Affairs Committee last month <a href="https://www.computerweekly.com/news/366643374/Government-digital-ID-launch-was-a-fiasco-report-finds">described the government’s launch of its digital ID policy as “nothing short of a fiasco”</a> that “undermined what existing public support” there was for digital ID.</p> <p>Young added: “We remain hopeful that, over time, the digital identity challenge can be resolved and contribute positively to improving the home buying and selling process. What the industry needs is demonstrable progress, clear leadership and tangible outcomes capable of building market and consumer confidence.”</p> <p>Computer Weekly has asked DSIT to comment on this story, but had not received a response at the time of publication. </p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about government digital ID policy</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640072/The-UK-governments-digital-identity-scheme-Dystopian-nightmare-or-modernised-public-services">The UK government’s digital identity scheme: Dystopian nightmare or modernised public services?</a> Critics and supporters of digital ID are honing their arguments for the government’s consultation – but it’s the public that will decide. How should you choose?</li> <li><a href="https://www.computerweekly.com/news/366634197/Industry-calls-for-clarity-on-government-digital-ID-plans">Industry calls for clarity on government digital ID plans</a> – The digital identity industry asks UK government for transparency on its digital identity scheme and proposes a formal collaboration agreement.</li> <li><a href="https://www.computerweekly.com/blog/Computer-Weekly-Editors-Blog/UK-governments-U-turn-on-digital-ID-was-inevitable-from-the-start">UK government’s U-turn on digital ID was inevitable from the start</a> – The UK government’s plans for a national digital identity scheme were never going to be mandatory. That’s not some sort of scoop – although Computer Weekly predicted as much last year.</li> </ul> </div> </div> A major initiative to introduce a standard digital identity scheme for house buying and selling has been shelved due to political uncertainty and lack of clear benefits https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/terraced-houses-uk-teamjackson-adobe.jpg https://www.computerweekly.com/news/366643785/Property-sector-plans-for-digital-ID-collapse-over-government-policy-concerns Thu, 04 Jun 2026 06:40:00 GMT Property sector plans for digital ID collapse over government policy concerns <p>MPs on the Science, Industry and Technology Committee have called for a “period of over-correction” to break the cycle of supplier lock-in and foster <a href="https://www.computerweekly.com/resources/Cloud-computing-services">a domestic UK cloud ecosystem</a> through mandatory re-competition and open source standards.</p> <p>One notable measure recommended in the report – <em><a href="https://committees.parliament.uk/publications/53352/documents/298462/default/">Rewiring the state: Delivering digital government</a></em> – is that the UK government should exercise the break clause with <a href="https://www.computerweekly.com/news/366640417/Health-workers-call-for-Palantir-to-be-booted-from-NHS-contracts">Palantir and the Federated Data Platform (FDP)</a> in the NHS and publish a fully costed exit plan by the end of 2026.</p> <p>Elsewhere, the report highlights a “lack of competition” in government cloud spending, which totals about £10bn per year. It cites the March 2026 HM Revenue & Customs (HMRC) contract with Amazon Web Services (AWS) as a primary example of market failure. AWS was the sole bidder for <a href="https://www.computerweekly.com/news/366640606/Flaws-in-government-procurement-show-in-HMRC-473m-AWS-award">the 10-year, £472m deal</a>, despite concerns over restrictive licensing practices. </p> <p>Meanwhile, the report recommends the establishment of a unit to monitor and disseminate digital government best practices from the European Union (EU), including how member states encourage the development of sovereign alternatives to incumbent providers. </p> <section class="section main-article-chapter" data-menu-title="Dangerous levels of lock-in"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Dangerous levels of lock-in</h2> <p>The report warns that the <a href="https://www.computerweekly.com/news/366643799/Data-dive-Mapping-the-UK-public-sectors-hyperscale-dependence">UK public sector’s heavy reliance on a small group of US-based technology providers</a> – specifically Microsoft, AWS and Palantir – creates <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">dangerous levels of supplier lock-in and systemic fragility</a>.</p> <p>The committee’s report argues that these dependencies, often driven by proprietary software and complex, opaque contracts, undermine competition, hinder innovation by small and medium-sized enterprises (SMEs), and expose the government to significant operational risks, including potential data access by the US under the Cloud Act.</p> <p>To address such vulnerabilities, the committee recommends a comprehensive strategy to achieve “technology sovereignty” and that the government should prioritise open source alternatives and mandate that a defined percentage of procurement budgets go to UK-based startups.</p> <p>Key interventions include exercising the break clause for the NHS FDP, implementing a rigorous cloud consumption dashboard to monitor supplier power, and legally requiring public bodies to favour open standards over proprietary systems to ensure the government retains the ability to make strategic choices independent of dominant incumbents.</p> </section> <section class="section main-article-chapter" data-menu-title="Key recommendations in the report"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key recommendations in the report</h2> <p><strong>Federated Data Platform:</strong> The government should commit to exercising the February 2027 break clause in the Palantir FDP contract and develop an in-house replacement or seek an alternative from UK-owned and UK-based providers, with a fully costed exit plan for the FDP published by the end of 2026.</p> <p><strong>Data access and transparency:</strong> The government must confirm the nature of Palantir’s access to patient data, the statutory basis for this authorisation, when and by whom it was authorised, and whether the information commissioner was consulted.</p> <p><strong>NHS single patient record</strong>: The government should prioritise using UK-owned and UK-based suppliers <a href="https://www.computerweekly.com/news/366643138/NHS-Modernisation-Bill-promises-single-patient-record-by-2028">to develop and implement this</a> and award all contracts through open and transparent procurement processes.</p> <p><strong>Ministry of Defence and Palantir:</strong> The government must set out the reasons for awarding a £240m Ministry of Defence contract to Palantir without a competitive tender process.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">What is the Science, Innovation and Technology Committee?</h3> <p>The Science, Innovation and Technology Committee is a cross-party body of MPs tasked with scrutinising the expenditure, policy and administration of its parent department. Via formal inquiries, it gathers evidence from ministers, officials and experts to produce research-backed reports. While the committee’s findings are not legally binding, they serve as a powerful mechanism for parliamentary oversight and provide ammunition that can hold the government accountable for digital strategy.</p> <p>The committee’s influence is exercised through mandatory government responses (usually within 60 days), public pressure and the ability to shift the national debate. Even when the government does not adopt specific recommendations, the committee’s oversight can lead to increased transparency, policy adjustments and internal reviews.</p> </div> </div> <p><strong>Procurement and SMEs:</strong> Central departments and public bodies should be required to spend a defined minimum percentage of their technology procurement budgets on products from UK-based and UK-owned startups and SMEs, with quarterly progress updates published.</p> <p><strong>Ending supplier lock-in:</strong> The Government Digital Service (GDS) should produce a strategy to end supplier lock-in, including targets for supplier diversification across departments and public bodies, with quarterly reporting.</p> <p><strong>Cloud consumption dashboard:</strong> The government’s promised cloud dashboard should include a breakdown of contract awards by company, their value, details of break clauses, specific licensing terms, and a value-for-money assessment.</p> <p><strong>All of Government cloud contract:</strong> The government should detail how this contract will prevent supplier lock-in, including its engagement with the Competition and Markets Authority (CMA) and how it will embed a pro-competition approach.</p> <p><strong>Technology sovereignty strategy:</strong> The government should define technology sovereignty. The definition should be reviewed annually, and it should set out how the government intends to support sovereign alternatives to incumbent providers.</p> <p><strong>Open source in the Procurement Act 2023:</strong> The government should use the update to this act to require public sector bodies to prioritise open source tools and technology over proprietary offerings.</p> <p><strong>Data access contingencies:</strong> The government should detail its contingencies for safeguarding citizens’ data should the US trigger data access provisions under the Cloud Act 2018, and share relevant impact assessments.</p> <p><strong>Monitor EU digital government initiatives:</strong> As part of the government’s “wider reset” in relations with the EU, DSIT should establish a unit to monitor and disseminate digital government best practice from, with a remit to engage with European Commission and member state-level bodies, in particular to focus on how the EU and member states develop sovereign alternative providers.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Industry reaction: Welcomed but measured</h3> <p>Nicky Stewart, senior advisor to the Open Cloud Coalition, said: “We agree with the need to reduce vendor lock-in across the public sector and to move towards a system that rewards choice, interoperability and fair competition for all providers.”</p> <hr> <p>Conservative peer Lord Chris Holmes said: “This is an important report from the committee which the government must consider seriously and respond to. The most important recommendation is to increase competition in the UK cloud market. This is a critical question of resilience. The cloud concentration risk for the UK right now is beyond worrying. It is also a question of economic value and growth for UK business and a key consideration for any serious discussion around sovereign capability and capacity.”</p> <hr> <p>Bill McCluggage, director of IT strategy and policy in the Cabinet Office and deputy government CIO from 2009 to 2012, said: “I applaud the committee’s thoroughness, but we need to be honest about what select committees actually do. They shine a light; they don’t drive change. This is Parliament holding the executive to account, not the government committing to act.</p> <p>“With the current political pressures bearing down on the government, economic headwinds, a crowded legislative agenda, and an ever-present lobbying machine from the big tech players, I’d be really surprised if more than a handful of these recommendations make it into policy in any meaningful timeframe. We’ve seen this film before.”</p> <hr> <p>Owen Sayers of Secon Solutions, an enterprise architect with more than 20 years’ experience in delivering national policing systems, said: “It’s the most radical set of recommendations I’ve seen in any Parliamentary report in 10 years. The title of the report clearly means they are laying out – or seeking to reset – government policy.</p> <p>“I doubt the government can fully ignore it, but some of the measures – such as following Europe’s lead, which is very sensible right now in technical and compliance/derisking terms – might be hard for Whitehall and the government to stomach. Are they brave enough to take the recommendations and work through them to develop a new, more balanced and less US-centric policy? I seriously doubt it.”</p> </div> </div> </section> A Science, Innovation and Technology Committee report contains recommendations that would radically alter UK public sector IT, procurement and relationship with hyperscalers if adopted https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Westminster1-fotolia.jpg https://www.computerweekly.com/news/366643883/SIT-Committee-urges-Palantir-exit-in-push-to-end-US-cloud-grip Wed, 03 Jun 2026 12:41:00 GMT SIT Committee urges Palantir exit in push to end US cloud grip ComputerWeekly.com 60 editor@computerweekly.com