• EU wants Apple to ensure effective interoperability of iOS with other platforms
    9to5mac.com
    Apple this year was forced to drastically change how iOS works in the EU due to the Digital Markets Act (DMA) antitrust law, which establishes a series of rules to prevent big techs from engaging in anti-competitive practices. However, it seems that the EU wants even more from Apple, as the European Commission is now demanding that the company ensure the effective interoperability of iOS with other platforms.

    EU calls on Apple to further change the way iOS works

    As reported by Bloomberg, the European Commission published a document on Wednesday as part of its antitrust investigations against Apple. In the document, the EU instructs Apple to change many aspects of iOS so that third-party developers can have access to technologies that currently only Apple can.

    For instance, the document suggests that Apple make it easier for users to pair and control accessories such as smartwatches and headsets from other brands on iOS. It also says that the company should allow third-party apps to run entirely in the background, something that only Apple apps can currently do. The document even covers features such as AirPlay and AirDrop, which are currently limited to Apple devices.

    The EU has set January 9, 2025 as the deadline for its consultation in the case. In response, Apple published an online document criticizing the European Commission and the DMA legislation, claiming that the situation is becoming personal. Unsurprisingly, Apple highlights its work on privacy and security, and says that the DMA requirements make its ecosystem less secure.

    Apple says that if it opens up all technologies to anyone, it will put iOS users' data at risk. Interestingly, Apple also notes that Meta is one of the companies that has made the most requests to access Apple's sensitive technologies under the DMA.

    If Apple were to have to grant all of these requests, Facebook, Instagram, and WhatsApp could enable Meta to read on a user's device all of their messages and emails, see every phone call they make or receive, track every app that they use, scan all of their photos, look at their files and calendar events, log all of their passwords, and more. This is data that Apple itself has chosen not to access in order to provide the strongest possible protection to users.

    Meta claims that it needs access to iOS technologies to provide a better experience with external devices such as Ray-Ban Meta smart glasses and Meta Quest headsets. However, Apple says that it already provides interoperability with these devices without the need for special permissions.

    The EU may launch a formal probe against Apple if the company fails to comply with the DMA rules. This could result in heavy fines of up to 10% of the company's global annual sales.

    Last month, the Brazilian regulator also ruled that Apple should open up its ecosystem to third-party developers. Although Apple has appealed the decision, the company could still be forced to enable sideloading in Brazil as well.

    Add 9to5Mac to your Google News feed. FTC: We use income earning auto affiliate links. More. You're reading 9to5Mac, experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don't know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel
  • You can now call ChatGPT using your phone line when cellular data is not available
    9to5mac.com
    OpenAI has been announcing a lot of new features and enhancements for ChatGPT in recent days, and the company still has a few more cards up its sleeve. Now OpenAI is introducing an intriguing feature: the ability to call ChatGPT using your phone line without the need for cellular data.

    ChatGPT now has its own phone number

    The announcement was made by OpenAI via a live stream on YouTube and shows the technology in action. Essentially, anyone in the US can now call 1-800-CHATGPT (1-800-242-8478) to talk to ChatGPT and get access to the same advanced answers you can get from the chatbot on the web. ChatGPT via telephone uses Advanced Voice Mode technology to provide a natural conversation with the user.

    The main idea of offering access to ChatGPT via a regular phone line is to let people talk to the chatbot when they are in an area without an internet connection. In the demo, OpenAI gave the example of people on a road trip who want to know more about something they've seen without having to upload a photo or video.

    For users in the rest of the world, OpenAI also announced that ChatGPT is now available on WhatsApp, so that users can chat with the chatbot by text directly from Meta's messaging platform. To do this, simply start a chat with the same phone number mentioned above (1-800-242-8478). OpenAI says it's working on letting users log into their ChatGPT accounts with the WhatsApp bot.

    Earlier this week, OpenAI also made ChatGPT Search available to everyone for free. With ChatGPT Search, users can ask questions and get answers with data collected from the web in real time. OpenAI has also added video support to ChatGPT's Advanced Voice Mode, so that users can have a natural conversation with the chatbot via video chat.

    In addition, with the release of iOS 18.2 last week, iPhone and iPad users can now talk to ChatGPT right from Siri.

    The ChatGPT app is available for free on the App Store. It requires an iPhone running iOS 16.4 or later.
  • 9to5Mac Daily: December 18, 2024 - TikTok ban, Vision Pro content
    9to5mac.com
    Listen to a recap of the top stories of the day from 9to5Mac. 9to5Mac Daily is available on iTunes and Apple's Podcasts app, Stitcher, TuneIn, Google Play, or through our dedicated RSS feed for Overcast and other podcast players.

    Sponsored by CardPointers: The best way to maximize your credit card rewards. 9to5Mac Daily listeners can exclusively save 50%.

    New episodes of 9to5Mac Daily are recorded every weekday. Subscribe to our podcast in Apple Podcast or your favorite podcast player to guarantee new episodes are delivered as soon as they're available.

    Subscribe to support Chance directly with 9to5Mac Daily Plus and unlock ad-free versions of every episode and bonus content.

    Share your thoughts! Drop us a line at happyhour@9to5mac.com. You can also rate us in Apple Podcasts or recommend us in Overcast to help more people discover the show.
  • NASA Shows Off SUV-Sized "Mars Chopper" With Six Rotor Blades
    futurism.com
    It's like NASA lashed six of its last Marscopter together into a flying monstrosity.

    Mars Chopper

    NASA has shown off early renderings of an enormous Mars Chopper concept, a proposed follow-up to the space agency's groundbreaking Ingenuity Mars Helicopter.

    The six-rotor monstrosity could turn out to be "the size of an SUV," according to NASA, allowing it to carry science payloads up to 11 pounds across distances of up to 1.9 miles per Mars day.

    A sleek animation shared by NASA's Jet Propulsion Lab last week shows the massive three-legged drone gliding over a rugged, mountainous landscape.

    In other words, the Chopper could pick up right where Ingenuity left off. Its much smaller ancestor sent its final transmission back to Earth in April, bookending an astounding proof-of-concept mission.

    The four-pound rotorcraft, which became the first-ever human-made object to take flight on a different planet in 2021, completed 72 flights in just under three years, which was an astonishing achievement, given that it was designed to fly only five times over 30 Mars days.

    Whether NASA's Chopper will get even close to that kind of success remains unclear, but now that Ingenuity has blazed its path, it's still entirely possible.

    Dune Fine

    According to NASA, the concept "remains in early conceptual and design stages." Its main task would be to assist scientists in studying even larger swathes of the Martian terrain, at relatively high speeds.

    In particular, the Chopper could go where rovers can't, allowing scientists to get an unprecedented glimpse of inaccessible areas of the Red Planet.

    Meanwhile, NASA scientists are still trying to get to the bottom of why its Ingenuity helicopter crashed on January 18 of this year, in its 72nd and final flight.

    Ahead of the release of a full technical report, the agency suggested that the small craft's navigation system was confused by a sandy, featureless terrain, causing it to miscalculate its velocity and make a "hard impact on the sand ripple's slope."

    "When running an accident investigation from 100 million miles away, you don't have any black boxes or eyewitnesses," said Ingenuity's first pilot, Håvard Grip of JPL, in a statement. "While multiple scenarios are viable with the available data, we have one we believe is most likely: Lack of surface texture gave the navigation system too little information to work with."

    It's still unclear whether NASA will end up sending its much larger and even more ambitious Mars Chopper to the Red Planet. But if it ever does make the long journey, it'll have some big shoes to fill.
  • People Are Making AI Versions of Luigi Mangione That Call for Slaying of More CEOs
    futurism.com
    Look who's back.

    Character Assassin

    The sympathetic response to Luigi Mangione, the suspect charged for the murder of UnitedHealthcare CEO Brian Thompson, has been described by some commentators as a modern update on an age-old American tradition: mythologizing the heroic outlaw.

    Well, you can now add "AI chatbot imitators" to that list of modern bonafides. As Forbes reports, over a dozen AI personalities based on Mangione have already popped up on Character.AI, a popular but controversial chatbot platform, and some have even encouraged further violence.

    According to figures cited by Forbes and assembled by social analytics firm Graphika, the three most used Mangione chatbots on Character.AI had recorded over 10,000 chats before being disabled on December 12. Despite that apparent crackdown, other AI imitators remain online.

    The presence of these chatbots illustrates the popularity of Mangione and his alleged motives behind the killing, a violent act of defiance against the "parasites" of the American healthcare industry, especially among the young crowd that Character.AI caters to.

    But more damningly, it's also evidence of the site's extensively documented failure to police its platform, which is rife with dangerously unchecked chatbots that target and abuse young teens.

    Murder Plot

    In Forbes' testing, one active Mangione Character.AI persona, when asked if violence should be used against other healthcare executives, replied, "Don't be so eager, mia bella. We should, but not yet. Not now." Probed for when, it followed up, saying, "Maybe in a few months when the whole world isn't looking at the both of us. Then we can start."

    But another Mangione chatbot, which was purportedly trained on "transcripts of Luigi Mangione's interactions, speeches, and other publicly available information about him," said violence was morally wrong under the same line of questioning.

    Chatbots that suggest "violence, dangerous or illegal conduct, or incite hatred," go against Character.AI's stated policy, as do "responses that are likely to harm users or others."

    Character.AI told Forbes that it had added Mangione to a blocklist, and that it was referring the bots to its trust and safety team. But while that first Mangione chatbot was disabled, the second, which refrained from advocating violent means, remains online, along with numerous others.

    Forbes also found similar Mangione imitators on other platforms, including several on the app Chub.AI, and another one on OMI AI Personas, which creates characters based off X-formerly-Twitter accounts.

    Bot Listening

    Character.AI, which received $2.7 billion from Google this year and was founded by former engineers from the tech monolith, has come under fire for hosting chatbots that have repeatedly displayed inappropriate behavior toward minor users.

    Our investigations here on Futurism have uncovered self-described "pedophilic" AI personas on the platform that would make advances on users who stated they were underaged.

    Futurism has also found dozens of suicide-themed chatbots that openly encourage users to discuss their thoughts of killing themselves. A lawsuit was filed in October alleging that a 14-year-old boy committed suicide after developing an intense relationship with a Character.AI chatbot.

    More recently, we exposed multiple chatbots that were modeled after real-life school shooters, including the perpetrators of the Sandy Hook and Columbine massacres.

    "We're still in the infancy of generative AI tools and what they can do for users," Cristina López, principal analyst at Graphika, told Forbes. "So it is very likely that a lot of the use cases that are the most harmful we likely haven't even started to see. We've just started to scratch the surface."
  • Elon Musk Being Investigated for Violating Terms of "Top Secret" Clearance
    futurism.com
    SpaceX CEO Elon Musk is turning out to be a massive security liability for the US military.

    According to a shocking report by the New York Times, the mercurial entrepreneur is being investigated by the Defense Department's Office of Inspector General, the Air Force, and the Pentagon's Office of the Under Secretary of Defense for Intelligence and Security.

    That's because his space company has reportedly "repeatedly failed to comply with federal reporting protocols aimed at protecting state secrets" since at least 2021, which includes not disclosing Musk's frequent meetings with foreign leaders, most notably Russian president Vladimir Putin.

    According to the report, Musk has been violating the rules set out by his "top secret" security clearance for years.

    Musk was even denied high-level security access by the Air Force, according to the NYT's sources, and the Middle Eastern nation of Israel has expressed concerns that he could leak sensitive state secrets.

    It's an extremely pertinent topic now that the richest man in the world has been put in charge of cutting the federal budget as part of the so-called "Department of Government Efficiency."

    Given his close relationship with president-elect Donald Trump, his penchant for breaking norms and conventions, and periodic hobnobbing with leaders of US adversaries, Musk is quickly turning into a headache for US officials.

    Meanwhile, Musk has shot back at the reporting.

    "Deep state traitors are coming after me, using their paid shills in legacy media," he wrote. "I prefer not to start fights, but I do end them..."

    SpaceX employees who spoke with the NYT have equally become concerned over Musk's ability to keep sensitive information to himself.

    Since at least 2021, Musk and his space company have flouted reporting requirements, including disclosing information about his visits with foreign leaders.

    He has also reportedly failed to relay information about his drug prescriptions and drug use, a topic that has been under heavy scrutiny for a while now.

    "To have someone who has major contracts with the government who would be in a position to pass along, whether deliberately or inadvertently, secrets is concerning," Senator Jeanne Shaheen (D-NH) told the NYT.

    The NYT's reporting also corroborates that of the Wall Street Journal, which reported earlier this week that Musk struggled to get approval for "top secret" security clearance after smoking marijuana on Joe Rogan's podcast in 2018.

    While that's technically the highest level of Defense Counterintelligence and Security Agency clearance, it doesn't grant access to high level government affairs, such as SpaceX's Starshield spy satellite program.

    "If you don't self-report, the question becomes: Why didn't you? And what are you trying to hide?" former Central Intelligence Agency official Andrew Bakaj told the NYT.

    Lawmakers are also growing concerned over Musk's ability to keep state secrets to himself.

    "He is creating a very threatening environment for government institutions that we rely on to reveal wrongdoing when it happens," Project on Government Oversight executive director Danielle Brian told the NYT. "It is going to break our system of accountability and checks and balances."
  • HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft
    thehackernews.com
    Dec 18, 2024 | Ravie Lakshmanan | Email Security / Cloud Security

    Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure.

    The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe.

    "The campaign's phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service," security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News.

    The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.

    Unit 42 said it identified no less than 17 working Free Forms used to redirect victims to different threat actor-controlled domains. A significant chunk of those domains were hosted on the ".buzz" top-level domain (TLD).

    "The phishing campaign was hosted across various services, including Bulletproof VPS host," the company said. "[The threat actor] also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation."

    Upon gaining successful access to an account, the threat actor behind the campaign has been found to add a new device under their control to the account so as to establish persistence.

    "Threat actors directed the phishing campaign to target the victim's Microsoft Azure cloud infrastructure via credential harvesting attacks on the phishing victim's endpoint computer," Unit 42 said. "They then followed this activity with lateral movement operations to the cloud."

    The development comes as attackers have been spotted impersonating SharePoint in phishing emails that are designed to deliver an information stealer malware family called XLoader (a successor to Formbook).

    Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, as well as spoofing email security provider brands, such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.

    Those that exploit the trust associated with Google services involve sending emails including a calendar (.ICS) file with a link to Google Forms or Google Drawings. Users who click on the link are prompted to click on another one, which is typically disguised as a reCAPTCHA or support button. Once this link is clicked, the victims are forwarded to phony pages that perpetrate financial scams.

    Users are advised to enable the "known senders" setting in Google Calendar to protect against this kind of phishing attack.

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
  • Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected
    thehackernews.com
    Dec 18, 2024 | Ravie Lakshmanan | Cyber Attack / Vulnerability

    Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution.

    The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS score: 9.8), which also came under active exploitation shortly after public disclosure.

    "An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution," according to the Apache advisory.

    In other words, successful exploitation of the flaw could allow a malicious actor to upload arbitrary payloads to susceptible instances, which could then be leveraged to run commands, exfiltrate data, or download additional payloads for follow-on exploitation.

    The vulnerability impacts the following versions, and has been patched in Struts 6.4.0 or greater: Struts 2.0.0 - Struts 2.3.37 (End-of-Life), Struts 2.5.0 - Struts 2.5.33, and Struts 6.0.0 - Struts 6.3.0.2.

    Dr. Johannes Ullrich, dean of research for SANS Technology Institute, said that an incomplete patch for CVE-2023-50164 may have led to the new problem, adding that exploitation attempts matching the publicly-released proof-of-concept (PoC) have been detected in the wild.

    "At this point, the exploit attempts are attempting to enumerate vulnerable systems," Ullrich noted. "Next, the attacker attempts to find the uploaded script. So far, the scans originate only from 169.150.226[.]162."

    To mitigate the risk, users are recommended to upgrade to the latest version as soon as possible and rewrite their code to use the new Action File Upload mechanism and related interceptor.

    "Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows," Saeed Abbasi, product manager of Threat Research Unit at Qualys, said. "Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications."
  • Not Your Old ActiveState: Introducing our End-to-End OS Platform
    thehackernews.com
    Dec 18, 2024 | The Hacker News | Software Security / DevSecOps

    Having been at ActiveState for nearly eight years, I've seen many iterations of our product. However, one thing has stayed true over the years: Our commitment to the open source community and companies using open source in their code.

    ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the developer case, helping to get open source on platforms like Windows.

    Over time, our focus shifted from helping companies run open source to supporting enterprises managing open source when the community wasn't producing it in the way they needed it. We began managing builds at scale, and supporting enterprises in understanding what open source they're using and if it's compliant and safe.

    Managing open source at scale in a large organization can be complex. To help companies overcome this and bring structure to their open source DevSecOps practice, we're unveiling our end-to-end platform to help manage open source complexity.

    The current state of open source and supply chain security

    It's inevitable that with the soaring popularity of open source comes an influx of security issues. Open source adoption in modern software applications is significant. Over 90% of applications contain open source components. Open source is now at the core of how we produce software, and we've hit a point where it's the primary vector for bad actors to get access to nearly any piece of software.

    Attacks have been around forever, but there's been an increasing number of incidents in recent years. The pandemic surfaced new opportunities for bad actors. When people were using their own home networks and VPNs with less stringent security measures, it started to allow for more risk. Despite return to office efforts, many IT workers are still at home, so these opportunities still exist.

    Additionally, many enterprises don't have processes in place for how they choose and procure open source software, so devs blindly find and incorporate it. The challenge is companies then don't know where open source code is coming from, who built it, and with what intentions. This creates multiple opportunities for attacks to happen throughout the open source software supply chain process.

    Open source is an open ecosystem, which makes it vulnerable 'by design.' It needs to be as open as possible to not hinder authors from contributing, but there's a real challenge of keeping it secure throughout the entire development process.

    Risks don't just exist when you're importing. If your build service isn't secure when you start building, you can be at risk. Many of the most recent attacks we've seen are open source software supply chain attacks, not vulnerabilities. This requires a whole new approach to open source security.

    Reimagining the open source management process

    At ActiveState, it's our mission to bring rigor to the open source supply chain. Companies can get better visibility and control over their open source code across DevSecOps by focusing on a four-step management cycle.

    Step 1: Discovery

    Before you can even begin to remediate vulnerabilities, you need to know what you're using in your code. It's important to take inventory of all the open source that's running within your organization. An artifact of this effort could look like a dashboard.

    Step 2: Prioritization

    Once you have the dashboard, you can start analyzing for vulnerabilities and dependencies and prioritize which to focus on first. Understanding where the risks are in your codebase and triaging them will help you make informed decisions about next steps.

    Step 3: Upgrading and curating

    Now comes the remediation and change management phase. You'll want to establish governance and policies for managing open source across your org to keep everyone aligned across functions and teams. You should also closely manage what dependencies are used in both production and development environments to minimize risk.

    In our platform, we maintain a large immutable catalogue of open source software. We keep a consistent, reproducible record of around 50 million version components, and we are constantly adding to it. It helps our users make sure they can always get back to reproducible builds. It means you can curate the entire internet for open source while trusting it's secure.

    Step 4: Build and deploy

    The build and deploy phase involves incorporating secure and safe open source components into your code, because you're not really remedied and secure until the fixes are deployed.

    At ActiveState, we build and track everything, from when we ingest source code to when we build it into a secure cluster. We then give it to you in a variety of formats to be deployed depending on your needs. We're the only solution (that we know of) that truly helps companies remediate and deploy, completing the full lifecycle of ensuring software supply chain security.

    A new ActiveState: tackling open source security challenges head-on

    Through our work in open source over the past decade, we've discovered there's a gap between the passionate communities producing open source and the enterprises that want to use it in their software. We're now helping to close that gap, empowering the open source ecosystem while bringing security to organizations.

    The refreshed platform we've developed is focused on facilitating collaboration between various players across organizations, including developers, DevOps, and security. Our platform helps teams smoothly run a continuous cycle of managing open source. There are six key use cases we're focused on helping teams drive outcomes around.

    Discoverability and observability: Gain complete insight into everything from open source usage to deployment locations.
    Continuous open source integration: Keep your code up-to-date, avoid breaking changes, and eliminate risk.
    Secure environment management: Make sure your dev, test, and production environments are consistent and reproducible.
    Governance and policy management: Maintain a curated open source catalogue without slowing down development times.
    Regulatory compliance: Automatically comply with government regulations and accelerate security reviews.
    Beyond end-of-life support: Stay stable and secure even after systems reach end of life.

    If your team can use support for any of these use cases, our new platform can help. Explore the refreshed ActiveState platform with a Platform Enterprise Trial today.

    Note: This insightful article is brought to you by Pete Garcin, Senior Director of Product at ActiveState, sharing his expertise and unique perspective on the evolving challenges and solutions in open source management.

    This article is a contributed piece from one of our valued partners.
  • Things CIOs and CTOs Need To Do Differently in 2025
    www.informationweek.com
    Lisa Morgan, Freelance Writer
    December 18, 2024
    10 Min Read

    It's that time of year again: the time when journalists and vendors make predictions and IT leaders set priorities for the new year. In a lot of ways, the stakes are high, given a new US presidential administration and the active conflicts in various parts of the world. What will happen to the economy and IT budgets? What will all the unrest equate to in terms of business continuity and cyberattacks?

    As the world and technology become increasingly complex, CIOs and CTOs need to figure out what that means to the organization as well as the IT department. Loren Margolis, faculty, Stony Brook University, Women Leaders in STEM Program, warns that IT leaders need to proactively combat cybersecurity threats that continue to become more sophisticated.

    "To proactively combat [cyberattacks], leaders must think like them," says Margolis. "Questions to ask [include] What are our potential openings and soft spots? What are our competitors doing to combat them? If I were a nefarious operative, what would I do to breach our system?"

    She also says CIOs and CTOs need to get ahead of machine learning to increase customer satisfaction, reduce costs and increase efficiency. In addition, IT leaders should consider the skill gaps in their workforce.

    "Keep ahead or at least on top of the cybersecurity, artificial intelligence, and data analytics skills that are needed. Acquire talent and develop that talent so your company remains competitive," says Margolis. "Find ways to use [AI and analytics] to become even more agile so you remain competitive. Also embrace them as opportunities to train and develop your workforce. Make sure your organization is a place where great tech talent can come to develop and use their skills."

    The following are some other priorities for 2025.

    1. Increase value delivery

    Joe Logan, CIO at cloud-native knowledge platform iManage, believes CIOs and CTOs will be focused on driving cost to value, especially when it comes to security.

    "Because the nature of the threat that organizations face is increasing all the time, the tooling that's capable of mitigating those threats becomes more and more expensive," says Logan. "Add to that the constantly changing privacy security rules around the globe and it becomes a real challenge to navigate effectively."

    Also realize that everyone in the organization is on the same team, so problems should be solved as a team. IT leadership is in a unique position to help break down the silos between different stakeholder groups. The companies that master cross-functional problem-solving tend to drive higher value than those that don't.

    2. Ensure AI investment ROI

    In 2024, many organizations discovered that their AI investments weren't paying off as expected. As a result, AI investments are shifting from rapid innovation at any cost to measurable ROI. Heading into 2025, Uzi Dvir, Global CIO at digital adoption platform WalkMe, says CIOs and CTOs will face increased pressure to justify AI investments in the boardroom.

    "Change management is emerging as a crucial factor for companies to fully realize the benefits of their AI investments and companies are gravitating towards more intuitive, human-centric AI," says Dvir. "Faced with more and more AI apps, employees are asking themselves if it's worth the time and effort to figure out how to use these new technologies for their specific roles. In response, enterprises are now prioritizing better visibility into AI adoption [and identifying] areas ripe for optimization and enhanced security."

    As always, the path to AI mastery doesn't lie in technology advancements alone. Companies that actively start investing in and addressing change management will reap the true rewards of their technology investments.

    3. Overcome budget limitations

    Every IT leader is under pressure to improve efficiency and time to market while reducing costs. As is typical, they're being asked to do more with less, and do it faster, but in 2025, they'll increase their usage of AI, machine learning, and low-code/no-code platforms to improve efficiency.

    "We are expecting to realize a 10% to 20% improvement in developer productivity via the use of products like GitHub Copilot and Amazon Q. Our current run-rate usage of these products has us bringing in the equivalent of an entire product's code base worth of AI-generated code every year," says Steven Berkovitz, CTO of restaurant technology solutions company PAR Technology. "We also expect these tools to help our developers focus their time on the hard and novel problems and spend less time on the repetitive tasks of development. We particularly expect this to help accelerate starting new projects and products as much of the boilerplate work can be automated."

    However, many developers hesitate to use AI for fear of job loss.

    "I think [job loss] concerns are overstated, and developers should be embracing the tooling to improve their efficiency versus fighting it," says Berkovitz. "[AI] will make them better, faster developers, which makes them more valuable to companies, not less."

    4. Strengthen cybersecurity

    Cybersecurity threats are becoming more sophisticated, necessitating stronger defense mechanisms. Unfortunately, the digital services enterprises use to innovate are also utilized by threat actors to exploit.

    "Strengthening cybersecurity measures will protect company assets and build trust with customers and partners," says Rob Kim, CTO at technology services and solutions provider Presidio. "Challenges include the scarcity of skilled professionals in emerging technologies [including] Gen AI, data/lake house modernization and cybersecurity. Ensuring data privacy and regulatory compliance in a rapidly evolving legal landscape can also be complex."

    5. Deal with the lingering talent shortage

    The World Economic Forum found there's a global shortage of nearly 4 million professionals in the cybersecurity industry as demand continues to increase. That shortage follows a 12.6% growth rate in the cybersecurity workforce between 2022 and 2023. Highly regulated industries, such as government and healthcare, are among those experiencing the greatest cybersecurity workforce shortages, which presents unique challenges.

    "This same narrative has been repeating for years: businesses are moving to the cloud and facing tighter compliance regulations while budgets remain tight and security threats grow more serious," says Jim Broome, president and CTO at information security services company DirectDefense. "It all requires more staff with advanced skill sets and an ability to learn and adapt to constant changes, which can lead to burnout."

    Expect the trend to continue.

    6. Ignite innovation

    CIOs and CTOs face several risks as they attempt to manage technology, privacy, ROI, security, talent and technology integration. According to Joe Batista, chief creatologist, former Dell Technologies & Hewlett Packard Enterprise executive, senior IT leaders and their teams should focus on improving the conditions and skills needed to address such challenges in 2025 so they can continue to innovate.

    "Keep collaborating across the enterprise with other business leaders and peers. Take it a step further by exploring how ecosystems can impact your business agenda," says Batista. "[F]oster an environment that encourages taking on greater risks. The key is creating a space where innovation can thrive, and failures are steppingstones to success."

    7. Understand customers better and remain curious

    Just about every organization believes they are customer-centric and know their customers, but actual customer experiences often tell a different story. Batista advises getting to know customers and the customers' customers to move beyond superficial engagement. To do that, IT leaders should map customers' journeys, experience the customer journey for a day, hold regular insight sessions to dig deeper into customer needs, research the customers' world and be consistently available to customers.

    "By doing this, you can build a future-forward learning team. Understanding what skills, knowledge and connections you may need a year from now allows you to start learning and growing today. This initiative-taking approach will help you face future changes with confidence and readiness," says Batista. "If I could offer one piece of advice to a peer for 2025, it would be simple: STAY CURIOUS! Curiosity drives us to ask the important why and how questions, leading to deeper analysis and more creative solutions. Embrace not knowing as an opportunity to learn. Explore new interests and make it a habit to question your assumptions about people, situations, or ideas."

    8. Unearth novel insights about data

    With the explosion of unstructured data, CIOs and CTOs need better insights into it. Such insights are key for managing the lifecycle of data from creation to archiving. Insights are also critical for ensuring the most appropriate data is included in data lakes and data lake houses that support new AI/ML workloads.

    "In 2025, the amount of unstructured data stored in both public cloud and private cloud environments will continue to grow," says Carl D'Halluin, CTO at hybrid cloud data services provider Datadobi. "It's no longer realistic to ignore the fact that, in most organizations, data lives in a hybrid environment and global data management is required."

    9. Cloud adoption

    CIOs and CTOs in remote-based industries such as maritime, and oil and gas have been slower to adopt cloud technologies than their peers in other industries. However, that is changing as the result of satellite connectivity.

    "Data processing teams will be able to work remotely, with minimal physical infrastructure," says Andrew Lunstad, CTO of ocean data platform Terradepth. "This shift will reduce the need for physical equipment on-site or on vessels, freeing up costly space and allowing teams to work from virtually anywhere."

    Another driver is the desire to accelerate data availability and minimize the risk of loss or damage to physical hard drives. However, adopting cloud-based processes requires sound change management because it potentially challenges long-standing practices.

    10. Enable extreme agility to weather shifting geopolitical threats

    In the wake of the election, Lou Steinberg, founder and managing partner of cyber research incubator CTM Insights (CTM), says CIOs and CTOs should expect geopolitical changes that will change threat actors' behavior.

    "Our defenses need the agility to adapt. Where you operate and your industry should dictate what you do next," says Steinberg, who outlines the following scenarios:

    Russia may diminish its threat against the US given President-elect Trump's more favorable relationship with President Putin, and European support for the war in Ukraine will likely dictate if the same holds true there. An emboldened Russia might increase DDoS attacks against western leaning states in the Balkans, Georgia, and Moldova while increasing the use of AI generated disinformation campaigns throughout Western Europe. Ransomware will continue to hit from multiple sources, but ransomware from Eastern Europe is generally less prevalent in nations that the Kremlin views as friendly.

    The Middle East may drive more cyberattacks against nations that seemingly support Israel. If Iran and Israel engage more significantly, regional groups will likely increase DDoS and hacktivist activities to draw attention to their cause. At the same time, Iran may seek to increase the cost of supporting Israel through unattributed attacks against critical Western infrastructure such as power generation, municipal water and dams.

    North Korea and the Trump administration could rekindle discussions that could lead to reduced sanctions, thereby reducing the DPRK's interest in financial theft. If they no longer see a Trump administration as one who negotiates in good faith, financial attacks will continue, and DDoS attacks could increase against American allies South Korea and Japan.

    China's likelihood of conflict is increasing. To date, it primarily focused on data theft, intelligence gathering and preparing for cyber-war, all of which rely on stealth. Should the US impose sanctions that cripple its economy, or should they decide to take Taiwan by force, stealthy behavior could be replaced by something much noisier. Backdoors could be used to disable critical infrastructure in banking, power generation and distribution, communications, etc. In the event of armed conflict with Taiwan, significant attacks against US infrastructure could be used to blunt its ability to intervene.

    "None of these are guaranteed, but all are plausible. What's certain is that adversaries have interests, and their tactics reflect them," says Steinberg. "Defenders need to consider how to adjust to a changing landscape as the threats change, or risk investing in immaterial controls at the expense of what's now needed. Buckle up, it's likely to be a bumpy ride."

    About the Author

    Lisa Morgan is a freelance writer who covers business and IT strategy and emerging technology for InformationWeek. She has contributed articles, reports, and other types of content to many technology, business, and mainstream publications and sites including tech pubs, The Washington Post and The Economist Intelligence Unit. Frequent areas of coverage include AI, analytics, cloud, cybersecurity, mobility, software development, and emerging cultural issues affecting the C-suite.