Computer Weekly is the leading technology magazine and website for IT professionals in the UK, Europe and Asia-Pacific
Recent Updates
Apple addresses two iPhone, Mac zero-days

Apple has dropped a series of software updates across its various product lines as it aims to ward off the impact of two newly discovered zero-days, both of which may have already been exploited in the wild.

The fixes for CVE-2024-44308 and CVE-2024-44309, both attributed to Clément Lecigne and Benoît Sevens of the Google Threat Analysis Group, affect devices running iOS and iPadOS 17.7.2 and 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1. They are also present in Safari 18.1.1.

CVE-2024-44308 affects the JavaScriptCore framework and enables a threat actor to achieve arbitrary code execution if the target device can be made to process maliciously crafted web content. According to Apple, there are reports that it has already been actively exploited on Intel-based Mac systems.

CVE-2024-44309 affects the open source WebKit browser engine used extensively within the Apple ecosystem, and is described as a cookie management issue that enabled a threat actor to conduct a cross-site scripting (XSS) attack.

In an XSS attack, a threat actor is able to insert malicious data into content from trusted websites, which is then included with content delivered to the victim's browser. XSS attacks can be used to achieve a number of goals, including session cookie theft enabling the threat actor to masquerade as the victim, but are also used to spread malware and steal credentials.

Again, there are reports of in-the-wild exploitation of CVE-2024-44309 against Intel-based Macs.

Michael Covington, vice-president of strategy at Jamf, a device management company specialising in Apple products, said that it is very important for defenders to promptly address vulnerabilities in WebKit, given the framework's criticality to the Safari web browser.

"The fixes provided by Apple introduce stronger checks to detect and prevent malicious activity, as well as improve how devices manage and track data during web browsing. With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organisations apply the latest patches as soon as they are able," said Covington.

CVE-2024-44309 is not the first issue to affect WebKit identified this year. In late January, Apple patched CVE-2024-23222, which also made it into the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalogue.

Also exploited as a zero-day, CVE-2024-23222 was a type confusion flaw leading to arbitrary code execution on the vulnerable device.

As ever, Apple has provided scant detail on either of these vulnerabilities or how they have been taken advantage of. However, their identification by Google teams that have previously worked on vulnerabilities exploited by predatory commercial spyware vendors, such as disgraced Israeli firm NSO, may indicate the sort of people to whom these new flaws may be of interest.

Apple remains alert to such issues, and notably issued a security alert to iOS users in over 90 countries back in April, after detecting that they were being targeted by a mercenary spyware attack that was remotely compromising their devices.

As usual, Apple users who have not enabled automated updates can download the patches by navigating to their device's Settings menu, then to General, then to Software Update.
ORG urges ICO to revise public sector enforcement approach

The Information Commissioner's Office (ICO) approach of only fining public sector organisations in the most serious cases is under fire from privacy campaigners at Open Rights Group (ORG), who say there is an urgent need to test the regulator's claims that fines do not act as an effective deterrent for public sector bodies.

The campaigners say the ICO's approach of limiting fines to public sector bodies for only the most serious data protection issues is not working, as problems often persist well after other, less-severe enforcement actions have been taken.

"In an increasingly digital world, data protection is vital for our personal security. The ICO's reluctance to take enforcement action, alongside its policy of not challenging public sector organisations where needed, is not working," said ORG chief executive Jim Killock.

"As we see the development of AI technology and its increased use by public sector organisations, we need strong data protection laws and a strong regulator who will act as the first line of defence for the British public."

In July 2022, the ICO adopted a revised two-year trial approach to working with public authorities, with commissioner John Edwards arguing in an open letter that fines are ineffective in ensuring data protection compliance because of how they indirectly punish victims of data breaches in the form of reduced budgets for vital services.

In July 2024, the ICO then published its Annual report and financial statements for the 2023-24 financial year, in which the data regulator reviews its performance over that period. It shows where the ICO has investigated public and private bodies, and the proportion of these investigations that have resulted in reprimands, enforcement notices (which obligate recipients to change their data practices), or fines.

In terms of its actions against public sector bodies for data protection breaches, the ICO issued one fine (to the Ministry of Defence over a data leak that exposed the identities of 245 Afghanis), two enforcement notices (one regarding the loss of control of child abuse case files at the Crown Prosecution Service, and another against the Home Office for its GPS tagging of refugees), and 28 reprimands.

Examples of these reprimands include one for Thames Valley Police for disclosing a witness's address to suspected criminals, which forced the person to move house; one for the University Hospital of Derby and Burton NHS Trust for failing to process outpatient data in a timely fashion, which delayed medical treatments for some patients for up to two years; and one for West Midlands Police over multiple incidents where data mix-ups meant officers attended the wrong addresses.

Other instances include two reprimands for the Ministry of Justice, one over the disclosure of adoption details against court instructions, and another for leaving four bags of confidential waste in an unsecured holding area in the prison, which both prisoners and staff had access to.

Given the number of reprimands handed out for clearly harmful data practices in comparison to the low number of fines and enforcement notices, ORG is therefore calling on the ICO to use its full powers against public sector organisations, including enforcement notices and fines where necessary.

Computer Weekly contacted the ICO about ORG's analysis and arguments, and was directed to an ICO statement on its public sector approach from June 2024.

"While we have continued to issue fines to public bodies where appropriate, we have also been using our other regulatory tools to ensure people's information is handled appropriately and money isn't diverted away from where it's needed the most," it said. "We will now review the two-year trial before making a decision on the public sector approach in the autumn. In the meantime, we will continue to apply this approach to our regulatory activities in relation to public sector organisations."

On 20 November 2022, in reference to the ICO's private sector enforcement, information commissioner John Edwards told The Times that the large financial penalties often issued by European regulators tend to result in lengthy legal battles, which could drain regulators' resources and ultimately weaken their ability to enforce meaningful changes.

"I don't believe that the quantum or volume of fines is a proxy for impact," he said. "You know, they get a lot of headlines. It's easy to compile league tables, but I actually don't believe that approach is necessarily the one that has the greatest impact."

He added that the ICO prefers to engage with companies to encourage compliance rather than issue fines worth hundreds of millions of pounds.

According to an ORG analysis of the ICO's latest annual report, the instances of enforcement action that have taken place show the gravity of the public sector's data mispractice, and that there is little evidence reprimands lead to genuine change despite the increased reliance on them.

"The ICO should use the full range of its enforcement powers in the public sector until and unless it can prove alternative approaches result in a substantial improvement in data protection compliance," said ORG in one of its recommendations for the ICO.

It added that the regulator should publish all evidence resulting from the two-year public sector approach trial, where public sector organisations were only fined as a last resort, and that this should be followed up by an externally conducted independent audit to validate the findings.

ORG further added that there should be amendments to the new Labour government's proposed Data Use and Access Bill (DUAB), so that the ICO is banned from issuing more than one reprimand to an organisation: "Any subsequent breaches should result in an escalation of action, not additional final reprimands that both undermine the premise of the initial reprimand and have little impact on behaviour."

The DUAB should further be amended to require the ICO to publish a league table of public sector bodies' subject-access request (SAR) performance, so that organisations which consistently fail to respond within the statutory time frame can be prioritised for enforcement action.

"SARs are an important vehicle for ensuring individuals' privacy and safety," it said. "Since 2018, however, the ICO has also been attempting to get three authorities to deal with their SAR backlogs without success. This year, six years after the problem first became apparent, Plymouth City Council, Devon and Cornwall Police and Dorset Police were each sent a final reprimand."

This year marks the first time the number of reprimands has been published by the ICO in an annual report, which it committed to doing in December 2022 after a freedom of information request from Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, revealed the regulator had failed to disclose the majority of the 42 reprimands it had issued to public sector bodies between May 2018 and November 2021.

A follow-up freedom of information request from Baines from June 2022 found a further 15 reprimands since November 2021 that had not been publicly disclosed up to that point.
CMA clears Google over Anthropic partnership

The UK competition watchdog has finished its initial investigation into Google's partnership with Anthropic, with no follow-up on the cards.

By Cliff Saran, Managing Editor. Published: 19 Nov 2024 16:01

The Competition and Markets Authority (CMA) has said Alphabet's partnership with Anthropic does not qualify for investigation under the merger provisions of the Enterprise Act 2002.

In October 2023, Alphabet invested $2bn in OpenAI rival Anthropic. The artificial intelligence (AI) startup has also received $4bn funding from Amazon.

The CMA is concerned that the foundational model sector is developing in ways that risk negative market outcomes. In particular, the likes of Google, Amazon, Meta, Microsoft and Apple have the market dominance to buy up or shut down competition. It is also worried that partnerships between these major technology providers and developers of AI foundation models may limit choice and be anti-competitive.

In September, the CMA concluded its investigation of Microsoft's hiring of key staff from Inflection, finding that Inflection AI was not a strong competitor to the consumer chatbots Microsoft has developed directly in partnership with OpenAI.

Discussing the outcome of the latest investigation, Joel Bamford, executive director of the CMA, wrote on LinkedIn: "Our investigation has shown that Google has not acquired the ability to materially influence Anthropic's commercial policy and therefore the partnership does not meet the jurisdictional threshold for UK merger control to apply."

He described the conclusion of this latest investigation as another decision by the CMA which provides greater clarity for businesses and their investors.

In a summary of its findings from the phase one investigation into the deal, the CMA said it did not believe Google had acquired material influence over Anthropic as a result of the partnership. The CMA said it looked at the risk of Google exercising influence over Anthropic at shareholder and/or board level, along with an assessment of Google's own Vertex AI product.

"The available evidence did not indicate that Google has the ability to exercise material influence over Anthropic through the partnership," the CMA concluded.

The CMA said it had considered the fact that Anthropic and Google offer two of the leading foundational AI models globally. However, given Anthropic's turnover is below the £70m threshold, which is one of the criteria it takes into account when assessing whether to look further into a deal, pursuing this thread of investigation was not necessary.

The CMA is also looking at whether it should investigate Amazon's partnership with Anthropic, due to the $4bn funding the AI startup received from Amazon.

Some industry experts believe the CMA should continue looking at the foundation model market. Josh Mesout, chief innovation officer at Civo, said: "While the CMA has decided not to pursue an investigation into the Anthropic/Alphabet partnership, the broader concerns raised in the investigation about potential market concentration in AI remain valid. Over-dependence on a handful of major firms could still stifle innovation, limit consumer choice and potentially lead to a monopoly that favours Big Tech. Even without a formal investigation, it is the responsibility of everyone in the industry to ensure the AI market remains fair, competitive and conducive to ongoing technological advancement."
Computer Weekly's Women in UK Tech Rising Stars 2024

This year's most influential woman in UK technology, Sheridan Ash, founder and co-CEO of Tech She Can, created the charity to bridge the accessibility gap that exists when it comes to female role models in the technology space.

While there are many high-profile women in tech, these role models are people to aspire to be, and many young girls feel they need women only one or two steps ahead of them in their careers to show them the path to the top.

Computer Weekly's Rising Stars category was introduced in 2014 as a way to increase the number of women showcased as industry role models.

Each year, alongside the top 50 list, Computer Weekly asks its judges to suggest Rising Stars who are starting their journey towards a possible place in the top 50 in the future, and who represent the future of the tech sector.

This year's Rising Stars are:

Hendy founded digital suicide prevention tool R;pple in 2020, designed to help people who are making online searches relating to self-harm or suicide. She is CEO of the charity, which she does alongside her work as the cyber culture manager at Deloitte. With an extensive background in cyber, Hendy is also a TEDx speaker, an ambassador for One Young World and a JAAQ creator, covering the topic of suicide prevention.

Underhill has spent her entire career at Lloyds Banking Group, since joining the firm as a graduate in 1999. She has held several roles at Lloyds, and is currently HR director for technology and data, part of the firm's Group Chief Operating Office, where she is responsible for developing its people strategies for technology. She has previously sat on the board of the now-disbanded tech diversity collective the Tech Talent Charter.

Clark has worked in the public sector for many years, most recently being appointed the parliamentary under-secretary of state for artificial intelligence (AI) and digital government at the Department for Science, Innovation and Technology (DSIT). Her responsibilities range across AI and digital, including AI regulation, transparency and ethics, as well as cyber security and digital identity, and public services. Before her Parliamentary career, Clark's focus was on medicine, having studied bioinformatics at the University of Exeter and worked in roles in diagnostic biochemistry and diagnostic virology.

Heavily focused on the use of AI, Duarte co-founded non-profit We and AI in 2020 to ensure AI is developed with everyone in mind, creating communities to ensure diverse teams of people are involved in the technology's future development. She is also the lead of Better Images of AI, a not-for-profit that offers a free library of images that better represent AI, to reduce the use of stereotypical representations of AI such as humanoid robots, glowing brains, outstretched robot hands, blue backgrounds and the Terminator. In 2020, she also became the founding editorial board member of the AI and Ethics Journal, published by Springer Nature.

Davis heads up talent, engagement and diversity, as well as learning and development, for IT infrastructure firm Softcat. Her role involves looking after the development of all employees across the organisation, as well as developing the firm's graduate and apprenticeship programmes. She is also an advisory board member of community group Women of the Channel.

Thakrar founded and is CEO of Included VC, a venture capital fund dedicated to making sure diversity entrepreneurs gain the funding they need. It's not her first time working with entrepreneurs: previously, she headed up innovation and entrepreneurship in Deep Science Ventures at Imperial College London.
Microsoft Ignite: AI capabilities double every six months

If Moore's law promised a doubling of tech every 18 months, the pace is three times quicker with AI developments, says Satya Nadella.

By Cliff Saran, Managing Editor. Published: 20 Nov 2024 9:38

During his keynote presentation at the start of Microsoft's annual Ignite conference in Chicago, CEO Satya Nadella discussed artificial intelligence (AI) scaling, through which the capabilities of the technology are doubling every six months.

"Just like Moore's Law, we saw the doubling in performance every 18 months with AI. We have now started to see that doubling every six months or so," he said.

He believes a new scaling law will emerge for AI based on the amount of computational time needed to run AI inference. This ability to scale is leading to three major shifts in technological development, according to Nadella.

The first is what he describes as a universal multimodal interface, which supports speech, images and videos for both input and output.

Second, he said: "We have new reasoning and planning capabilities, essentially neural algebra to help solve complex problems and can detect patterns involving people, places and things. You can even find relationships between people, places and things using this new algebra."

The third is what Nadella calls support for long-term, memory-rich context, adding: "If you put all these things together, you can build a very rich agentic world defined by this tapestry of AI agents, which can act on our behalf across our work and life, across teams, business processes, as well as organisations."

The company kicked off the Ignite event announcing previews of new AI capabilities. Among these is Copilot Actions, now in private preview, which is designed to enable anyone to automate everyday tasks in Microsoft 365 using simple prompts.

Microsoft also unveiled new agents in Microsoft 365, including a natural language AI assistant for SharePoint for finding and querying content more quickly, and a new Teams agent that provides what Microsoft describes as real-time, speech-to-speech interpretation in meetings. According to Microsoft, meeting participants will also have the option to have the agent simulate their personal voice.

Another new agent is for employee self-service. Available on Microsoft 365 Copilot Business Chat in private preview, this can be used to expedite answers for common policy-related questions and, according to Microsoft, simplifies action-taking on key HR and IT-related tasks, such as helping employees to understand their benefits or request a new laptop. The agent can be customised in Copilot Studio to meet an organisation's unique needs.

Other agents in public preview take real-time meeting notes in Teams and automate project management from start to finish in Planner.

On the developer support side, Microsoft has introduced Azure AI Foundry, which it said gives customers access to all existing Azure AI services and tooling, plus new capabilities. Among these is the Azure AI Foundry software developers' kit. Available in preview, this provides what Microsoft calls a unified toolchain for designing, customising and managing AI apps and agents.

According to Microsoft, Azure AI Foundry provides enterprise-grade control and customisation. It offers 25 prebuilt app templates and can be accessed from familiar tools such as GitHub, Visual Studio and Copilot Studio.
Computer Weekly announces the Most Influential Women in UK Tech 2024

Sheridan Ash, founder and co-CEO of Tech She Can, has become the 13th person to be named Computer Weekly's Most Influential Woman in UK Tech.

Launched in 2012, the Computer Weekly list of the 50 Most Influential Women in UK Tech started as a list of 25, expanding to 50 in 2015, and now sees hundreds of nominations each year.

The list was originally created to showcase the amazing women in the technology industry, shining a light on the sector's role models who may inspire the next generation of women in tech.

As well as the 2024 longlist of more than 700 nominated women, and our list of Rising Stars, there are also new entrants to our Hall of Fame, launched to acknowledge those who have made a lifetime contribution to the UK's technology sector.

This year's winner, Sheridan Ash, launched Tech She Can to teach girls and young women about technology careers and subjects to inspire them to choose this path in the future.

1. Sheridan Ash, founder and co-CEO, Tech She Can

Until 2023, Ash led technology innovation at PwC UK, and is currently co-CEO and founder of the charity Tech She Can. She was a board member of the Institute of Coding for four years and, in 2020, received an MBE for services to young girls and women through technology.

Tech She Can is an award-winning charity with more than 240 member organisations, which together work with industry, government and schools to improve the ratio of women in technology roles. It provides initiatives and pathways into tech careers across all the different stages of girls' and women's lives.

At PwC, Ash led change in the technology workforce, pioneering initiatives that saw the percentage of women in tech more than double to reach 32%.

2. Naomi Timperley, co-founder, Tech North Advocates; innovation director, Oxford Innovation

Timperley is a freelance consultant and co-founder of Tech North Advocates, a private sector-led collection of tech experts who champion the technology sector in the north of England.

In 2021, she co-founded advisory firm Growth Strategy Innovation, which helps to grow startup and scaleup organisations. She is now innovation director for Oxford Innovation, which helps organisations develop ecosystems for entrepreneurs and innovators, in turn boosting local areas.

Timperley was named a Computer Weekly Women in Tech Rising Star in 2017, and was a board member of FutureEverything until 2021. She previously co-founded Enterprise Lab.

3. Sarah Turner, CEO and co-founder, Angel Academe

Turner founded Angel Academe, a pro-women and pro-diversity angel investment group focused on technology, and is currently CEO of the group.

Until 2023, Turner was also an advisory board member of tech recruiter Spinks, and in 2007 co-founded consultancy Turner Hopkins, which helps businesses create digital strategies.

Previously, Turner was an external board member and chair of the investment committee for venture capital fund the Low Carbon Innovation Fund, and a board member of the UK Business Angels Association, the trade association for early-stage investment.

4. Charlene Hunter, CEO and founder, Coding Black Females

Hunter founded Coding Black Females in 2017 to help black female software developers meet each other and network. Alongside her work at Coding Black Females, Hunter is a software developer.

She is an advisory board industry representative in the University of Essex Online's computing department, technical director at SAM Software Solutions, and technical director at full-stack and front-end training organisation Black CodHer Bootcamp.

Previously, Hunter was lead software engineer at Made Tech, and held roles such as senior software developer, lead Java developer, app developer and technical consultant at various firms. She was named a Computer Weekly Women in UK Tech Rising Star in 2020.

5. Samantha Niblett, founder, Labour Women in Tech

Before her time as an MP, Niblett had a long career in technology, with roles such as industry sales leader at DXC Technology and head of alliances, channel and ecosystem in EMEA at 1E.

Now, alongside her role as an MP, she's founder of the Labour: Women in Tech group, which campaigns to reach equal gender opportunities in the technology industry. She's also the co-chair of the All-Party Parliamentary Group on FinTech and the Parliamentary Internet, Communications and Technology Forum (PICTFOR), as well as the chair of the Interparliamentary Forum on Emerging Technologies and a member of the Women and Equalities Select Committee.

6. Anna Brailsford, CEO, Code First Girls

An entrepreneur and co-founder, Brailsford joined Code First Girls as CEO in 2019, where she works to encourage more women into the tech sector by providing software development skills and education.

Prior to her work at Code First Girls, she co-founded and was CEO of performance management firm Frisbee, which was part of venture capital fund Founders Factory. Until summer 2024, she was a board member for the Institute of Coding, where she focused specifically on diversity and inclusion. She is also a self-employed commercial and strategy consultant.

7. Deborah O'Neill, partner and head of digital, Europe, Oliver Wyman

As part of her role as partner and head of digital for Europe at Oliver Wyman, O'Neill leads digital transformation and new proposition launches at companies all over the world.

Alongside this, she is also a strategic partner at FutureDotNow, a board trustee for Girlguiding and special adviser to the founder at The Youth Group.

8. Hayaatun Sillem, CEO, Royal Academy of Engineering

Sillem worked for the Royal Academy of Engineering for 12 years before being appointed its CEO in 2018. Previous roles at the academy include deputy CEO and director of strategy, director of programmes and fellowship, and head of international activities.

As well as her work for the academy, Sillem is a trustee of EngineeringUK and the Foundation for Science and Technology, and CEO of the Queen Elizabeth Prize for Engineering.

9. Priya Lakhani, founder and CEO, Century Tech

Lakhani founded Century Tech, a teaching and learning platform focused on subjects such as artificial intelligence (AI), cognitive neuroscience, big data analytics and blockchain, where she is also CEO.

A frequent public speaker, she has previously been a member of the UK's AI Council, a board member for the Foundation for Education Development, a board member for Unboxed 2022, and a non-executive director for the Department for Digital, Culture, Media and Sport (DCMS).

She is a digital patron for Cottesmore School, and has appeared on the BBC's AI Decoded news segment. She was awarded an OBE in 2014.

10. Mary McKenna, co-founder, AwakenHub

Mary McKenna is a huge supporter of entrepreneurship and startups, holding several roles as an adviser and investor. Her social enterprise, AwakenHub, where she is co-founder, is focused on building a community of female founders in Ireland.

As well as being an expert adviser for the European Commission, she is an entrepreneurship expert with the Entrepreneurship Centre at the University of Oxford's Saïd Business School, and a trustee for CAST, among many other board memberships and non-executive directorships.

11. Claire Thorne, co-CEO, Tech She Can

Thorne is co-CEO of Tech She Can, a charity aimed at increasing the number of women in the technology sector, as well as a venture partner at Deep Science Ventures and a diversity and inclusion advisory board member for the Institute of Coding.

She has a background in the education sector, previously holding roles as director of innovation strategy for the University of Surrey and executive officer to the vice-president (innovation) at Imperial College London.

12. Liz Williams, CEO, FutureDotNow; chair, Good Things Foundation

Williams is CEO of inclusion campaign FutureDotNow, which aims to ensure people are not left behind by the growing skills gap caused by digital adoption. She is a member of the UK government's Digital Skills Council, and chair of the Good Things Foundation.

Prior to her current work, Williams spent more than 20 years at BT in a number of different roles, including programme director for sustainable business, director of tech literacy and education programmes, and director of digital society. Until 2024, she was a member of the board of trustees for Transport for London.

13. Emma Wright, director, Institute of AI; partner, Harbottle and Lewis

With a background in law surrounding telecoms, the internet and media, Wright now uses her expertise as director of not-for-profit The Institute of AI, as well as partner at Harbottle & Lewis, heading up the tech, data and digital group.

She has worked in the tech sector for over 20 years. Her team at Harbottle & Lewis comprises 66% female and 66% ethnic minority members.

During 2023, she worked with the OECD, WEF and the ITU to build a reputation in relation to the regulation of AI. She is also working with the Ditchley Foundation, considering whether the collaborative approach in relation to telecoms can work for AI regulation.

14. Bina Mehta, chair, KPMG UK

In her 30 years at KPMG, Mehta has had many responsibilities, including building the firm's focus on trade and investment, and helping scaleup clients to access financial support.

She is now chair of the organisation, and in 2022 was awarded an MBE for services to UK trade and investment and supporting female entrepreneurs.

15. Arfah Farooq, scout, Ada Ventures; founder, Muslamic Makers; founder, Muslim Tech Fest

An expert in diversity, inclusion and community building, Farooq co-founded Muslamic Makers in 2016 as a networking group for Muslims in tech, design and development.

As well as being a freelance diversity and inclusion consultant, Farooq is a scout for Ada Ventures with a special interest in edtech, healthtech and fintech, and until March 2024 was a community manager for Big Society Capital.

She has an extensive background in digital and AI in both the private and public sectors.

16. Beckie Taylor, CEO and co-founder, TechReturners

Taylor co-founded TechReturners, where she is currently CEO, to give skilled individuals who have had a career break the opportunity to connect with firms and help them back into mid-level to senior-level tech roles.

She is also co-founder of The Confidence Community, which aims to provide resources, training information and events to give people more career confidence. Taylor is co-founder of community WIT North and co-founder of ReframeWIT.

She recently founded community platform Voices in Tech to help connect speakers with event opportunities.

17. Melanie Dawes, chief executive, Ofcom

Dawes has headed up Ofcom since 2020 following her previous role as permanent secretary at the Ministry of Housing, Communities and Local Government, as well as many other roles across the Civil Service.

She has previously been a trustee at Patchwork Foundation, which aims to encourage under-represented young people to participate in democracy, and a non-executive director of consumer group Which?.

18. Avril Chester, founder, Cancer Central; CTO, Royal Pharmaceutical Society

Award-winning entrepreneur Avril Chester is currently the CTO of the Royal Pharmaceutical Society, her most recent in a series of roles heading up technology in organisations. In 2018, she founded technology charity platform Cancer Central to help support people with cancer.

19. Nicola Martin, BCS Women committee member and BCS Pride vice-chair; founder, Nicola Martin Coaching & Consultancy

Martin has a history of working as a test consultant at firms such as Barclays, Sony, the UK Home Office, Shazam and Sky, and is currently a startup adviser and founder of her own coaching and consultancy firm.

Prior to this, she was head of quality at Adarga. She is currently chair of the BCS Special Interest Group in Software Testing, and until January 2023 was the vice-chair of the BCS LGBTQIA+ tech specialist group.

20. Amanda Brock, CEO, OpenUK

Amanda Brock's role at OpenUK sees her leading the sustainable and ethical development of open technologies in the UK, including technology such as open source software, hardware and data.

She also sits on the boards of both the Cabinet Office Open Standards Board and US cyber security firm Mimoto, is an advisory board member of several firms, and acts as a judge for the CIO 100 Awards.

21.
Natalie Moore, CEO, Apps for GoodMoore has been at Apps for Good since 2019, originally as director of education, products and events, then as chief operating officer (COO), before becoming CEO in 2021.Her career background has been heavily weighted towards education, having been international education programme coordinator for London 2012, and volunteering as governor at the Harris Academy Ockendon and Sixth Form.22. Tristi Tanaka, head of the CMO portfolio, NHS Black Country ICB; BCS committee memberTanaka is currently part of the programme team for All4Health&Care, a community launched during the pandemic to connect digital healthcare providers with the public sector. She is also the head of the CMO Office for NHS Black Country ICB, and is on the community support committee for BCS.Previously, she has been a fellow, independent audit for AI systems for ForHumanity, and BCS Women membership secretary.23. Casey Calista, chair, Labour DigitalCalista has a history in both technology and the public sector.Alongside her role at Labour Digital, she is head of policy and public affairs at UK scaleup Vorboss, and she co-founded network Women in Tech Policy.She volunteers as an adviser for digital citizenship charity Glitch, and is a policy board member for OpenUK.24. Helen Kelisky, managing director UK&I, Google CloudWith experience in cloud at companies such as Salesforce and IBM, Kelisky started her role at Google in 2022 well-equipped with the skills needed to run its cloud division.Alongside this, Kelisky is on the board of directors for Calnex Solutions, and is a member of the board of directors for the Women in Telecoms and Technology networking group.25. 
Lila Ibrahim, chief operating officer, Google DeepMindLila Ibrahim became Google DeepMinds first COO in 2018, looking after teams in disciplines such as engineering, virtual environments, programme management and operations.Prior to this role, she was COO of online skills platform Coursera, and has also acted at general manager for emerging markets platforms in China at Intel.26. Kate Philpot, vice-president, global sales enablement, Getty Images; board member, TLA Black Women In TechPhilpot has a background in both sales, and learning and development, which she uses in her role as the vice-president of global sales enablement at Getty Images. She has held various roles both in and outside of sales at many notable firms, such as Shell, Mars and GSK.As well as being a board member for the TLA Black Women in Tech group, she is a member and speaker for the Sales Enablement Directive.27. Nicola Hodson, CEO for UK&I, IBMHodson has an extensive background in the technology sector, and has had roles such as managing consultant at EY and general manager at Siemens Business Services responsible for public sector, healthcare, financial services and manufacturing.More recently, she was vice-president for global sales, marketing and operations field transformation at Microsoft, before becoming chief executive of IBM in UK and Ireland at the beginning of 2023.Shes also a board member and deputy president of TechUK, and holds several non-executive directorships.28. Roni Savage, managing director, Jomas Associates (Engineering & Environmental)As managing director of Jomas Associates (Engineering & Environmental), Savage specialises in geotechnical and environmental engineering.She is also passionate about topics such as women in engineering and social mobility, and is on the UK governments SME Business Council.29. 
Allison Kirkby, CEO, BT GroupWith a long history of CEO positions, Kirkby has experience in running companies with a background in telecoms, and in February this year took over as CEO of BT Group. Her past CEO roles have included TDC group, Tele2 and Telia, and she is also a non-executive director of Brookfield asset management.30. Clare Barclay, president, enterprise and industry, Microsoft UKBarclay has been with Microsoft for more than 10 years, holding several roles including director of SMB, general manager of small and mid-market solutions and partners, COO, and CEO in the UK.In November 2024, she became president of enterprise and industry for Microsoft in the UK. She is chair of the industrial strategy advisory council for the Department for Business and Trade, volunteers as a board member for the British Heart Foundation and, until recently, was a non-executive director at CBI.31. Kike Oniwinde Agoro, founder and CEO, BYP NetworkOniwinde Agoro founded BYP Network in 2016 to help black professionals network and have easier access to jobs, after a trip abroad confirmed the challenges young black people face in getting jobs both in and outside the UK.Until 2024, she was board trustee for volunteer organisation Getting On Board, and has received several awards and accolades, including Forbes 30 Under 30 and Financial Times Top 100 BAME Leaders in Technology.32. Sharon Wallace, head of D&I, partnerships and people change, SkyWallace heads up diversity and inclusion, partnerships and people change at Sky, and one of her focuses in this role is designing and delivering the people strategy for technology within the firm.Outside of this, Wallace was a member of the advisory board for recently disbanded Tech Talent Charter, and volunteers as a cub and scout assistant.33. 
Toni Scullion, computing science teacher; founder of dressCodeScullion is a serial founder, having founded dressCode, a not-for-profit that encourages young women in Scotland to consider a career in computer science, and co-founded the Ada Scotland Festival, which aims to use collaboration to close the gender gap in computer science education in Scotland.These endeavours stem from her being a computer science teacher passionate about encouraging more children to take the subject. Alongside this work, she is a volunteer for the Scottish Tech Army, a not-for-profit aimed at using tech for good.34. Sarah Tulip, chief growth officer, Conquer Technology; co-founder, Women in Leeds DigitalEarlier this year, Tulip took on the role of chief growth officer at software engineering consultancy Conquer Technology. In 2018, she co-founded community-led initiative Women In Leeds Digital, which encourages and helps minority groups to consider a career in technology.Tulip is also chair of the regional productivity forum in Yorkshire, Humberside and the North East for the Productivity Institute, ambassador for Leeds as a digital city at Leeds City Council, and managing director at &Then Consulting.35. Zandra Moore, CEO and co-founder, PanintelligenceMoore co-founded data analytics and AI firm Panintelligence in 2010 with the aim of helping firms properly organise their data to more easily adopt AI. She became CEO in 2018.Alongside this, Moore also founded low-code tech community No Code Lab and gender equality community Lean In Leeds. As well as a position as chair for Lifted Ventures, Moore is an Ada Angel for inclusive venture firm Ada Ventures.36. Laura Moore, global director of identity, Sky; co-founder, Lift as we ClimbAs global director of identity at Sky, Moore is responsible for leading the firms identity management projects. 
Prior to this, she held several roles as a project manager, and was previously the head of infotainment group technology for Vodafone.As well as being a member of the board for Tech Talent Charter, she is the co-founder of female tech leaders community Lift as we Climb.37. Maria Axente, head of AI public policy and ethics, PwC UK; vice-chair and member of data analytics and AI Leadership Committee, TechUKMaria Axente is the head of AI public policy and ethics at PwC in the UK, where she combines her skills in analytics and ethical AI policy development to ensure AI is developed with humans in mind.Previously, she was the artificial intelligence and AI-for-good lead at the firm, responsible for advising clients on responsible use of AI, and ensuring ethical development of PwC AI operations, products and services.Shes a vice-chair for the data, analytics and AI leadership committee at TechUK, and in the past she has been an advisory board member for the APPG for AI, and adviser for the PHI for Augmented Intelligence.38. Bev White, CEO, Nash SquaredAs CEO of Nash Squared, White heads up the global firm which provides IT recruitment, technology solutions and leadership services out of 36 offices across the world.White has a long background in the tech sector, having previously held roles as CIO and director of IT, as well as completing a degree in computer science.39. Alice Bentinck, co-founder and CEO, Entrepreneur FirstBentinck was named aComputer Weekly Rising Star in 2014, and has co-founded several organisations, including Entrepreneur First, a firm that supports European technology startups, and not-for-profit coding training programme Code First Girls.She is on the Computer Science Department Industrial Liaison Board for Imperial College London, is a board trustee for Generation and is the author of startup business bookHow to be a founder.40. 
Janine Hirt, CEO, Innovate FinanceHirt joined Innovate Finance in 2015 as the industry bodys head of community, before eventually becoming its CEO six years later. She now heads up the organisation, aiming to drive innovation and transformation in the fintech sector to make it more inclusive.She has worked around the world in a variety of roles, including acting head of corporate relations for Chatham House in the UK, head of membership for the Brazilian-American Chamber of Commerce in New York, and head new hire trainer for an English language training programme in Japan.41. Cynthia Davis, CEO and founder, Diversifying GroupDavis is the co-founder of diversity career platform Diversifying, and founder and CEO of recruitment organisation BAME Recruitment and Consulting.She is chair of the board of directors for Pop Up Projects and a board trustee for charity Over the Wall, both aimed at changing young peoples lives for the better.Davis has previously held roles in talent acquisition in the STEM sector, at telecoms firm BT, and as part of a short-term project at an aerospace, aviation, F1 and motorsport organisation.42. Anne Keast-Butler, director, GCHQThe first female to head up GCHQ, Keast-Butler moved into the director role last year after serving as deputy director general of MI5. With a long career in security and defence, her previous roles have included overseeing the upkeep of functions that support MI5s operational activities and the launch of the UKs National Cyber Security Programme.43. 
Akua Opong, senior EUC engineer, infrastructure and cloud engineering, London Stock Exchange; STEM adviserAs well as her work as senior EUC engineer, infrastructure and cloud engineering at the London Stock Exchange Group, Opong is a freelancer and STEM adviser and a board trustee for The Blair Project Foundation.Until recently, she was part of the City of London Corporation volunteer advisory group for equality, diversity and inclusion, and was previously an advisory board member for Neurodiversity in Business, and a mentor at the TechUp mentor programme for Durham University.Opong was a contributor forVoices in the shadows, the book of black female role models created by the 2022 Computer Weekly Most Influential Woman in UK Tech, Flavilla Fongang.44. Sarah Munby, permanent secretary, Department for Science, Innovation and TechnologyMunby has a long history of working in government, and became permanent secretary leading the Department for Science, Innovation and Technology in February 2023.She has also been partner, leader of strategy and corporate finance practice in UK and Ireland at McKinsey & Company, where she led the firms work on productivity across the UK economy.45. Charlotte Crosswell, chair, Centre for Finance, Innovation and TechnologyCrosswell is managing director of consulting firm Exadin, as well as chair for the Centre for Finance, Innovation and Technology. She holds several other non-executive directorships in firms such as Freemarket and the Centre for Policy Studies. In 2021, she received an OBE for services to the financial services sector.46. Irene Graham, CEO, Scaleup InstituteGraham has been the CEO of not-for-profit the ScaleUp Institute since 2015, and has an OBE for services to UK business and economy.As well as being a visiting professor of entrepreneurship at Strathclyde University, Graham holds various non-executive and advisory roles.47. 
Zahra Bahrololoumi, CEO, Salesforce UK&IAs CEO of Salesforce in the UK and Ireland, Bahrololoumi is responsible for the workforce in these regions across all industries and functions, and is particularly focused on ensuring its customers are ready for digital transformation.She sits on several boards, including for Seeing Is Believing Coventry Place, Movement to Work and Cancer Research UK Corporate Partnerships, and is an independent non-executive director on the TSB board.In 2023, she was awarded a CBE for services to the information technology sector.48. Nzinga Gardner, business operations analyst, News UK Technology; chair of Women in Tech Network, News UKNaming the technology sector her familiar territory, Gardner has an extensive background in the technology sector, having held roles such as first line support at Fujitsu, senior supply chain administrator at Technicolor and project manager at the BBC as a member of the BBCs Design and Technology Business Management Unit HQ Team.Now, shes a business operations analyst as part of the technology arm of News UK, and is a board trustee of food and hygiene bank Necessities UK.49. Sarah Cardell, CEO, Competition and Markets AuthorityCardell has been at the Competition and Markets Authority since 2013, first as general counsel, then as interim CEO, and now as CEO.Prior to her time at the Competition and Markets Authority, she was a legal partner for the markets division of energy markets authority Ofgem, and in her early career spent 11 years at law firm Slaughter and May, working her way from trainee solicitor to partner.50. 
Elena Sinel, founder, Acorn Aspirations and Teens in AI; business mentor, Microsoft for StartupsSinel founded Teens in AI and Acorn Aspirations to help young people who want to solve real-world problems using technology such as AI, virtual, augmented and mixed reality.She has won awards for her work, including CogX 2017 Award in Using AI for Social Good Projects, and is currently an education taskforce committee member for the All Parliamentary Group on Artificial Intelligence, and a business mentor at Microsoft for Startups.Before working on Acorn Associates and Teens in AI, Sinel was a consultant for several firms, including the British Council, NGOs, Chittagong Hill Tracts and the Ethiopian Cultural Heritage Project.0 Comments 0 Shares 2 Views
-
WWW.COMPUTERWEEKLY.COM
From beauty model to tech role model: this year's most influential woman in UK tech

"My husband has to sew my buttons on. I still can't sew," confesses Sheridan Ash, co-CEO of technology education charity Tech She Can.

This year's Computer Weekly most influential woman in UK technology has always had a sense of wanting to right the injustice inflicted on women by gender stereotyping.

"At school, the girls had to do sewing or needlework or typing, and the boys did metalwork and woodwork. So I went to the local newspaper. I set up a petition. I got other pupils to stand outside the school with placards. Anyway, I got it changed. Hence, I can't sew or type, but I'm great at welding," says Ash.

Computer Weekly attended the launch of the first Tech She Can research eight years ago, when it was still a part of Ash's work at PwC. Ash has since left the professional services firm to focus on the technology education charity full-time, but like many women in the tech sector, her journey has not been linear.

Ash left school at 16 with no qualifications, which she puts down, in part, to undiagnosed dyslexia. Not knowing what to do, she accepted a modelling job she was offered when window shopping with her mother in London.

While this sufficed for a while, in her early 20s Ash needed a career change for various reasons. After getting help with her dyslexia, she returned to education to study psychological sciences, then worked in the pharmaceutical industry before returning to study again to gain a master's in business administration.

Eventually, Ash was offered a job at PwC to implement the firm's health and technology practice.

Ash has always been passionate about equality (hence wanting to weld at school), and in her role at PwC she started to notice the diversity gap in the technology sector. "What was going wrong? Why was it so predominantly male?" she found herself wondering at the time.

After the firm selected its first technology leader to sit on the board, the work Ash had done to collect data around diversity, both within PwC and the wider sector, began to pay off in a big way.

She explains: "I worked directly for that technology leader. I wrote the whole technology and innovation strategy for the firm, and at the heart of that, I embedded the piece around diversity."

It was when working with the board of PwC eight years ago that Ash was inspired to commission the first piece of research on diversity, which eventually evolved into the Tech She Can movement.

Ash says that while there had been research at the time about the lack of women in the sector and the reasons for that, there was not enough around why younger girls were overlooking jobs in tech.

After asking thousands of young people between the ages of 18 and 24, Ash explains: "They said, 'We know who Sheryl Sandberg is, and Ada Lovelace, but one's been dead a long time and the other's a COO.' What they were looking for is relatable role models, people [in roles] they could see a pathway to."

The research also found girls were less likely than boys to have technology suggested to them as a career option by others in their lives, such as teachers, parents or careers advisers.

Girls were also more likely to say they wanted a career that has a positive impact on society, but Ash speculates that the digital native generations don't see how technology can achieve that because it is so embedded in their lives.

She explains: "They wanted to have a positive impact on themselves, the community, their family, the UK and the wider world, and they didn't understand the relationship between technology and doing that."

Recognising that no single person or organisation will be able to shift the dial alone, Tech She Can is focused on acting as a bridge between government, schools and industry.

"We're quite good at bridging that demand and supply [gap], along with [addressing] what's putting girls off, the perception issues and all of those things," Ash claims. "Often, you don't get [to hear] teachers', schools' and children's voices."

Tech She Can was launched as a charter with 18 partner organisations to collaborate on improving the pipeline of women going into technology roles. As part of this, it has become focused on helping educate children about tech careers.

A common barrier between young girls and tech careers is a lack of understanding about what a tech career involves, what roles are available, how to go about pursuing a tech career, and the kinds of people who work in the industry. This goes hand in hand with a lack of visible and accessible role models, as young women are less likely to be drawn to a career if they don't see anyone like them in such roles.

Ash urges: "We've got to start changing these perceptions and addressing the inspiration and aspiration gaps very early on, and children's understanding of what technology is and what roles and careers there are out there. Nobody seems to be doing that."

Tech She Can regularly visits schools and provides online learning to prepare young people for technology careers, educating them about possible roles and how technology will play a role in their future careers. It also helps government and industry connect with schools with the aim of closing the technology skills and diversity gaps.

"We don't teach the coding. We teach the inspiration, the aspiration, and show them how the technology they can use [translates into] careers and jobs."

Last year, Ash left PwC to pursue Tech She Can full-time, launching the initiative as a charity in partnership with co-CEO Claire Thorne. The programme has gone from strength to strength. It now has 200 member organisations, 800 registered champions, and has reached more than 130,000 children.

At a time when so many organisations are stepping back when it comes to implementing diversity and inclusion in their technology remit, how does Tech She Can make sure those involved are not using it as lip service?

"What we concentrate on is what we call our strategic partners, which are the people who fund us, and across all our partners we train champions to go into schools. We package up all our live lessons in a way that the champions can take them out and deliver them in person. In primary schools, they often do it to a whole assembly, and in secondary schools, it's usually to individual classes."

During these sessions, the champions explain technology concepts, how they apply in the real world and what tech jobs involve, which over time has changed the way children perceive technology, the subjects they choose to study and what careers they consider in the future.

Underpinning it all is data. For example, the organisation uses social mobility data to ensure it offers its services to the schools that have the greatest need for it.

Wearing other hats, Ash is a non-executive director for several other organisations, leaning into her life-long need to help women achieve equality. But she still has moments when she needs to perform a Wonder Woman-style power pose to amp herself up.

We often talk about technology role models, and in Ash's childhood, she aspired to be Wonder Woman. "She kicked the ass of the baddies," she says. "She wanted to have a positive impact. She did good shit. And that felt right from a young age, whether I was conscious or not about what I wanted in life."

There is plenty of research highlighting the importance of role models for young women, especially in the technology space. Ash is a role model herself.

Ash says she wants every young woman to know that not only is technology a joyful career, but it is going to be one of the most important factors shaping her world.

She says: "I want to persuade girls they have a role to play in making sure that the world isn't just developed by a lot of white tech bros, that they could be part of making sure the world is a fit place for everybody, and that it is somewhere women are treated equally in creating that world."

Read more about diversity in tech:
- Research by organisations Women in Tech North and Tech Returners finds that women believe developing alternative routes into tech jobs will help close the industry's diversity gap.
- Research from the Institute of Coding has found UK adults don't think tech represents the wider UK population, and are uncertain about the level of education needed for a tech job.
-
WWW.COMPUTERWEEKLY.COM
UK government seeks AI innovators to support clean energy transition and pursuit of net zero by 2050
News
The UK government has launched the second round of the Manchester Prize, which is geared towards using artificial intelligence technologies to assist with the clean energy transition.
By Caroline Donnelly, Senior Editor, UK
Published: 19 Nov 2024 8:18

The government is seeking support from artificial intelligence (AI)-focused academics and entrepreneurs to help build clean energy systems and help the UK hit its net zero by 2050 goal.

Interested parties are invited to apply for funding to develop technologies that could decarbonise the UK energy grid, improve the nation's energy security and help the government achieve its wider aim of positioning the country as a clean energy superpower.

The funding is being made available through the launch of the second round of the Manchester Prize, an initiative launched in 2023 by the Department for Science, Innovation and Technology (DSIT) to support AI-led innovation in the UK over the coming decade.

The first round of the Manchester Prize is due to conclude in April 2025, and is focused on the role AI can play in the areas of energy, the environment and infrastructure.

The second round of the competition will see the government offer up to £100,000 to 10 applicants, and one winner will be chosen from them who will secure a £1m prize to support the further development of their AI offering. The closing date for applications is 17 January 2025.

"Over the next eight weeks, applicants can come forward to demonstrate how their innovations will boost low-cost energy, reduce energy demand and make energy use more efficient across the country," said the government in a statement. "These could include new avenues for boosting the power generated by wind and solar farms, using AI to increase energy efficiency in our homes and businesses, and tapping into the technology to build up a better understanding of future spikes in energy demand."

Expanding on this theme, Feryal Clark, UK government minister for AI, said the second round of the Manchester Prize looks set to have a transformative impact on the UK.

"AI can transform our public services, make us more productive and tackle some of the biggest shared challenges in society. AI is already having a positive impact on so many aspects of our lives, but there's much more waiting to be tapped into," said Clark. "The second round of the Manchester Prize will bring brilliant British innovation to bear to deliver a clean, secure energy future for the UK. Whether in energy, healthcare, or beyond, we're backing AI innovations to deliver real and lasting change across the country."

Paul Monks, chief scientific adviser at the Department for Energy Security and Net Zero, said the climate crisis is the greatest long-term challenge society is up against, and initiatives like this will play an important role in helping address it.

"The greatest long-term challenge we face is the climate and nature crisis. That's why we have our world-leading targets to decarbonise the electricity grid by 2030 and to reach net zero by 2050," he said. "We need an ambitious approach to using artificial intelligence across the development, engineering and operation of our energy systems, so I am pleased to see the Manchester Prize recognising that with its dedicated new round on decarbonisation."

Read more about UK government technology initiatives:
- Jeremy Hunt's Spring Budget makes IT investment tax-deductible for three years and announces support for artificial intelligence companies, including an annual £1m Manchester Prize.
- The funding programme will be directed by the UK's AI Safety Institute, with grants being used to understand and mitigate the impacts of artificial intelligence, including any systemic risks it presents at the societal level.
-
WWW.COMPUTERWEEKLY.COM
Nationwide Building Society backs HPE GreenLake for hybrid cloud push
News
Nationwide Building Society's digital transformation efforts are continuing apace, with the company enlisting the help of HPE GreenLake to meet its hybrid cloud goals.
By Caroline Donnelly, Senior Editor, UK
Published: 19 Nov 2024 9:00

Nationwide Building Society is drawing on HPE's private cloud capabilities to help deliver on the next phase of its multi-year hybrid cloud strategy.

The company, which has more than 17 million customers in the UK and employs 18,000 people, is in the midst of a hybrid cloud-focused digital transformation project, geared towards improving the online experience for its customers.

As previously reported by Computer Weekly, this work, which began in 2018, has seen the firm use public cloud technologies, such as those offered by Amazon Web Services, and embrace the use of DevOps-style software development methodologies within its teams.

The project has also seen Nationwide adopt different cloud technologies based on what is best for each particular type of data or workload, which is why the company is now adding the HPE GreenLake private cloud setup to its supplier mix too.

"Nationwide's hybrid cloud strategy is vital to our ability to compete and means we can continue to meet the needs and expectations of our customers … HPE GreenLake cloud is a core component of our hybrid cloud strategy," said Paul Walsh, director of infrastructure and service delivery at Nationwide. "With them, we're building a cloud platform that will further improve our resilience and agility, enabling us to provide even better levels of service and deliver new capabilities to our developers faster than ever before."

Specifically, Nationwide will use HPE GreenLake management services to automate and orchestrate its infrastructure management workloads and deliver infrastructure-as-code, the company said.

"This [will] enable [Nationwide] to focus on innovation, value-add activities and gain better control over application builds and security," said the company, in a statement. "Faster release cycles will accelerate the time to market, providing consistent customer experiences across all digital platforms."

The HPE GreenLake cloud setup will also provide Nationwide with an overview of its energy consumption and emissions, so that it can take proactive steps to reduce its environmental footprint, the company added.

Matt Harris, senior vice-president and managing director for the UK, Ireland, Middle East and Africa at HPE, said the complexities of the deployment highlight why taking a public cloud-only approach would not work for a company like Nationwide.

"Nationwide's modernisation journey showcases the effectiveness of HPE GreenLake cloud, with the storied institution transitioning from complex, legacy technology to a modern, future-proofed hybrid cloud operating model where a one-size-fits-all public cloud could never be the only answer," said Harris.

Nationwide is not the only financial services company tapping into HPE GreenLake to deliver on its hybrid cloud strategy, as Barclays Bank also set out plans in September 2024 to ramp up its use of the technology for that purpose.

Read more about financial services and cloud:
- The Financial Ombudsman Service is reaping the benefits of the cloud-based human resources and finance system it implemented last year.
- IBM Cloud's push to provide sector-specific public cloud services to financial services firms enters a new phase.
-
WWW.COMPUTERWEEKLY.COM
AWS widening scope of MFA programme after early success

Amazon Web Services (AWS) is to widen the scope of a mandatory multi-factor authentication (MFA) programme it introduced earlier this year, after seeing strong uptake among customers and a slump in password-related phishing attacks.

The cloud giant made MFA compulsory for management account root users in the AWS Management Console beginning in May 2024, starting with its largest accounts. In June, it added support for FIDO2 passkeys as an MFA method to give users more options, and expanded the original requirement to include root users in standalone accounts too.

According to AWS principal product manager of account protection Arynn Crow, over 750,000 root users have enabled MFA since April, with customer registration rates more than doubling since the addition of FIDO2 passkeys. She claimed the policy change had prevented more than 99% of password-related attacks.

"At AWS, we've built our services with secure-by-design principles from day one, including features that set a high bar for our customers' default security posture," said Crow. "Strong authentication is a foundational component in overall account security, and the use of MFA is one of the simplest and most effective ways to help prevent unauthorised individuals from gaining access to systems or data."

Based on this early success, AWS will now expand MFA requirements to member accounts in AWS Organizations from spring 2025.

"Customers who have not enabled central management of root access will be required to register MFA for their AWS Organizations member account root users in order to access the AWS Management Console," said Crow. "As with our previous expansions to management and standalone accounts, we will roll this change out gradually and notify individual customers who are required to take action in advance, to help customers adhere to the new requirements while minimising impact to their day-to-day operations."

On the back of its early successes with an MFA mandate, Crow said AWS was keen to do more to shore up security for its customers, and had recognised another opportunity: to eliminate unnecessary passwords for good.

She said that on top of the run-of-the-mill security issues seen with standard passwords, securing password-based authentication was introducing too much operational overhead for AWS customers, especially those operating at scale or subject to regulatory requirements to rotate their credentials frequently.

AWS has therefore launched a new capability to centrally manage root access for accounts managed in AWS Organizations, enabling customers to cut down on the number of passwords they need to manage while still keeping control over the use of root principals.

Crow explained that customers can now turn on centralised root access with a quick configuration change, either in the identity and access management (IAM) console or the AWS command line interface, and then remove the long-term credentials of member account root users.

"This will improve the security posture of our customers while simultaneously reducing their operational effort," she concluded.

Read more about cloud IAM:
Poor identity and access management puts enterprise data at risk, but the path to stronger IAM remains complex.
Cloud adds a level of complexity to identity and access management. Be sure to follow these cloud IAM best practices to prevent identity-related security issues.
This comparison dives into the differences among cloud IAM services from AWS, Azure and Google Cloud. Use it to evaluate features, resource hierarchy configuration and pricing.
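Crow's two populations, member accounts that still keep a root password (and so must register MFA) and those whose root credentials have been removed under centralised root access, can be told apart from each account's IAM credential report, so an organisation can measure its own position ahead of the spring 2025 change. The following is an added example, not AWS's tooling or code from the article: it parses the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` returns, one report per account, and flags root users without MFA or with active access keys. The account IDs and report contents are constructed sample data, and the `managed_root_accounts` parameter is an assumption of this example, standing in for whatever record you keep of which member accounts have had their root credentials removed.

```python
"""Root-user posture check across AWS accounts from IAM credential reports.

Added example, not AWS's own tooling. Input is the CSV that
`aws iam get-credential-report` returns (base64-decoded), one report per
account; the `<root_account>` row describes that account's root user. The
three reports below are constructed sample data for hypothetical account IDs.
"""
import csv
import io
from dataclasses import dataclass, field

ROOT_USER = "<root_account>"
KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")

# Constructed sample reports. Real reports carry more columns; DictReader keys
# on header names, so only the columns this audit reads are included here.
HEADER = "user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active\n"
SAMPLE_REPORTS = {
    "111111111111": HEADER
    + "<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false,false\n"
    + "deploy,arn:aws:iam::111111111111:user/deploy,false,false,true,false\n",
    "222222222222": HEADER
    + "<root_account>,arn:aws:iam::222222222222:root,not_supported,false,true,false\n",
    "333333333333": HEADER
    + "<root_account>,arn:aws:iam::333333333333:root,not_supported,false,false,false\n"
    + "alice,arn:aws:iam::333333333333:user/alice,true,true,false,false\n",
}


@dataclass
class RootFinding:
    account_id: str
    mfa_active: bool
    active_access_keys: int
    centrally_managed: bool
    issues: list = field(default_factory=list)


def parse_report(report_csv: str) -> list:
    """Credential report rows as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def audit_root(account_id: str, report_csv: str, centrally_managed: bool = False) -> RootFinding:
    """Inspect one account's root row.

    centrally_managed marks a member account whose root credentials were
    removed under centralised root access management (an assumed input to
    this example); with no root password left to protect, the MFA
    requirement no longer applies to it. Active root access keys are flagged
    either way, because they are long-term credentials in their own right.
    """
    rows = {row["user"]: row for row in parse_report(report_csv)}
    root = rows.get(ROOT_USER)
    if root is None:
        raise ValueError(f"{account_id}: credential report has no root row")
    mfa = root["mfa_active"].strip().lower() == "true"
    keys = sum(root.get(col, "false").strip().lower() == "true" for col in KEY_COLUMNS)
    finding = RootFinding(account_id, mfa, keys, centrally_managed)
    if not mfa and not centrally_managed:
        finding.issues.append("root user has no MFA device registered")
    if keys:
        finding.issues.append(f"root user has {keys} active access key(s)")
    return finding


def audit_organization(reports: dict, managed_root_accounts=frozenset()) -> list:
    """Audit every account; managed_root_accounts holds the IDs whose root
    credentials are centrally managed and therefore removed."""
    return [audit_root(acct, text, acct in managed_root_accounts)
            for acct, text in sorted(reports.items())]


def summarize(findings: list) -> dict:
    """Counts a security team would report against the MFA programme."""
    return {
        "accounts": len(findings),
        "root_without_mfa": sum(not f.mfa_active and not f.centrally_managed for f in findings),
        "root_with_access_keys": sum(f.active_access_keys > 0 for f in findings),
        "clean": sum(not f.issues for f in findings),
    }


if __name__ == "__main__":
    findings = audit_organization(SAMPLE_REPORTS)
    for f in findings:
        print(f"{f.account_id}: {'; '.join(f.issues) or 'OK'}")
    print(summarize(findings))
```

On the constructed data, account 111111111111 is clean, 222222222222 has a root user with no MFA and an active access key, and 333333333333 has a root user with no MFA; passing `{"333333333333"}` as `managed_root_accounts` drops that last finding, which is the position a member account reaches once its root password has been removed after switching on centralised root access (on the CLI, `aws iam enable-organizations-root-credentials-management`, AWS's documented subcommand rather than something the article names). Fetching one report per member account still needs a role in each account; the check itself runs offline.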
-
WWW.COMPUTERWEEKLY.COM
Infinidat gets in on the RAG act with workflow architecture offer
Storage array maker says customers can get data from any NFS storage to use in RAG for internal enterprise AI projects, and claims its OS metadata expertise enables this
By Antony Adshead, Storage Editor. Published: 18 Nov 2024 15:54

Infinidat has launched a retrieval augmented generation (RAG) workflow architecture, deliverable as a consultancy service to its storage customers, which allows them to feed up-to-date, private data from multiple company data sources, held on any NFS storage in their organisation, into artificial intelligence (AI) applications.

The move reflects a trend that has seen multiple storage companies address AI workloads, and RAG in particular. RAG addresses the problems that arise in generative AI (GenAI) when the data used for training is incomplete, out of date or lacks the type of information that can only be gained from private data, such as that held within an organisation or drawn from expert knowledge.

When an organisation wants to develop GenAI, it puts a dataset through a training process in which the AI learns how to recognise particular attributes that can be used for information, or for triggers in applications.

"Those training processes are often built around datasets that are very general, can go out of date or perhaps initially lack specialised or private data. This is often the case with AI projects inside organisations that need to stay up to date over time," said Infinidat chief marketing officer Eric Herzog.

"A lot of organisations are using generative AI as an internal project with private data," said Herzog. "And as well as wanting to protect their IP, they have concerns about accuracy, avoiding hallucinations, etc.

"For example, a large enterprise that generates vast amounts of data in sales, support, operations would want to boost the performance of what it is doing, and that's very much tied to its storage performance.

"The customer wants to see accurate data in near real time. It can use AI to understand the details (it might be screws in a component, the type, the supplier, any number of details) and be able to update that information on a continual basis."

What Infinidat now offers is professional services consulting to allow its customers to access data for RAG purposes from its own and other suppliers' storage, as long as it is in NFS file storage format.

According to Herzog, that comprises help with configuring the storage system to get at data and metadata rapidly for RAG purposes. He said Infinidat is well-positioned to do this because of the importance it places on metadata and the neural cache within its architecture and the InfuzeOS environment.

Infinidat arrays can be all-flash or hybrid spinning disk and solid state, and are mostly targeted at high-end enterprise and service provider customers. Their hardware products feature triple-active controllers and a so-called neural cache that marshals data to the most appropriate media, with the bulk of I/O requests served from very fast DRAM, and a cache hit rate of more than 90% claimed.

Infinidat's focus on RAG capabilities sees it join other storage suppliers that have recently made a push for customers embarking on AI projects.

Pure Storage CEO Charlie Giancarlo was keen to highlight his company's AI push at its Accelerate event in June, with storage write speed and availability emphasised. Meanwhile, NetApp launched a push towards data management for AI with the announcement of data classification for AI via its ONTAP operating system at its annual Insight shindig in September.

Read more about storage and AI:
Storage technology explained: AI and data storage. In this guide, we examine the data storage needs of artificial intelligence, the demands it places on data storage, the suitability of cloud and object storage for AI, and key AI storage products.
Storage technology explained: Vector databases at the core of AI. We look at the use of vector data in AI and how vector databases work, plus vector embedding, the challenges for storage of vector data and the key suppliers of vector database products.
-
WWW.COMPUTERWEEKLY.COM
Final report on Nats calls for improvements to contingency process
Suppliers need to be involved much sooner and a review of technical documentation is needed to speed up recovery
By Cliff Saran, Managing Editor. Published: 18 Nov 2024 12:30

The major incident caused by the failure of the UK's National Air Traffic Services (Nats) in August 2023 may be a very rare occurrence, but a final report into the system failure has recommended 34 changes.

The report, prepared for the UK Civil Aviation Authority (CAA) by the Independent Review Panel, looked at what could be done better to limit the effects of the failure, which occurred because an incorrectly formatted flight plan was submitted to the system.

In the event of a failure of a primary system, the backup system is designed to seamlessly take over processing. The authors of the Nats major incident investigation final report noted that in this instance the primary system had not failed, but had acted as programmed: it placed itself into maintenance mode to make sure irreconcilable, and therefore potentially unsafe, information was not sent to an air traffic controller.

However, the backup system applied the same logic to the flight plan, with the same result. It subsequently raised its own critical exception, wrote a log file into the system log, and placed itself into maintenance mode.

The failure of Nats occurred because both the primary and backup Flight Plan Reception Suite Automated Replacement (FPRSA-R) subsystems were in maintenance mode to protect the safety of air traffic control operations. This meant flight plans could no longer be automatically processed, and manual intervention was required.

The report recommended that Nats should review the current command structure, its supporting technology and processes. This should analyse whether the current model is likely to lead to the best outcomes in the majority of incidents, or whether it can be optimised further with the addition of alternative options.

The report's authors recommended that this review should include, as a minimum, options for alternative models and examples of other effective command structures, including the use of a single incident manager model. They also noted that such options should include guidance about when the use of each option is most appropriate, and suggested a review of training requirements to maximise operational oversight capabilities during incidents, and of system and process requirements to support selected structures, including decision-making, escalation and the creation of a common operating picture.

When Nats went offline, a subset of unprocessed data remained in the system but was outside the established pause queue. This required further escalation to identify the root cause of the issue.

The report recommended that air traffic control documentation should be reviewed to ensure that the system complexity and behaviour can be better understood by engineers and users who are not dedicated to the system. There should also be a high-level joint Technical Services and Operations review of key critical systems. The report recommended that this review should confirm that the operational documentation for each system reviewed has sufficient description and clarity to allow the system to be operated safely and resiliently in unexpected circumstances.

While escalation procedures were followed, the authors of the report pointed out that earlier contact with the supplier would most likely have expedited the resolution of the event.

They recommended that Nats should update the escalation process to provide guidance on the time or other key criteria that should trigger when, and under what circumstances, supplier support is requested. "Nats should create a single controlled document detailing the supplier contracts and associated contacts, who provide 24-hour support," the report stated. "These details should be accessible by anyone in Nats likely to be required to support an incident response. As a minimum, these should include Levels 1 through 3 of engineering support."

Among the minor recommendations, the report notes that, given the complexity of the system architecture, which is regularly changed and upgraded, it is impossible to maintain an up-to-date overall system mapping of Nats. The report's authors recommended conducting an assessment of the feasibility of using new technology, or a model-based engineering process, to rapidly produce the required system schematic information for the teams during the early stages of an incident.

They also said that the technical services director should review the current operational documentation in support of implementing new technology, or a model-based engineering process that supports rapid mapping. "This must ensure that there is sufficient and accurate detail for the various levels of engineering support to see the high-level, key interfacing systems and methods by which they connect," they wrote. "The key aim of this review should be to assist in the identification of problems that might be upstream or downstream of the specific system where a fault first occurs."

Read more stories on Nats:
Duplicate waypoints: Processing of waypoints that determine when a flight enters and leaves UK airspace caused the air traffic system to report a critical error.
BT flies into Nats network: Nats implements transformational technology programme to keep skies safe and support customers worldwide.
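The sequence the report describes, a primary that fails safe on a plan it cannot reconcile and a backup that applies the same logic to the same plan with the same result, is a common-mode failure: a failover pair protects against a fault in one node, not against an input that both nodes are designed to reject. The following simulation is an added illustration, not code from Nats, its supplier or the report. The flight plans, the waypoint names and the duplicate-waypoint rule are constructed stand-ins (the related story above attributes the 2023 trigger to duplicate waypoints, but the real FPRSA-R check is not on the page). It also runs a variant in which each processor holds the offending plan for manual review and keeps going, purely so the difference from a whole-system maintenance-mode trip is visible; whether such a path is acceptable in a safety-critical system is a question neither the page nor this example answers.

```python
"""Common-mode failover, modelled on the FPRSA-R sequence described above.

Added illustration, not code from Nats, the supplier or the report. A primary
and a backup processor share one validation routine and, as the report
describes, trip into maintenance mode rather than pass an irreconcilable plan
to a controller. The duplicate-waypoint rule, the waypoint names and the
flight plans are constructed stand-ins; the real FPRSA-R logic is not on the page.
"""
from dataclasses import dataclass, field

ACTIVE = "active"
MAINTENANCE = "maintenance"


class IrreconcilablePlan(Exception):
    """The plan has no single safe interpretation."""


@dataclass(frozen=True)
class FlightPlan:
    callsign: str
    waypoints: tuple


def validate(plan: FlightPlan) -> FlightPlan:
    """Constructed rule: a repeated waypoint identifier makes the plan
    irreconcilable. The actual check used in 2023 is not on the page."""
    if len(set(plan.waypoints)) != len(plan.waypoints):
        raise IrreconcilablePlan(f"{plan.callsign}: duplicate waypoint identifier")
    return plan


@dataclass
class Processor:
    name: str
    quarantine: bool = False      # True: park the bad plan and keep running
    state: str = ACTIVE
    log: list = field(default_factory=list)

    def process(self, plan: FlightPlan):
        """Return the validated plan, None if it was quarantined, or raise
        after tripping into maintenance mode (the fail-safe behaviour)."""
        try:
            return validate(plan)
        except IrreconcilablePlan as exc:
            if self.quarantine:
                self.log.append(f"WARNING {exc}; held for manual review")
                return None
            self.state = MAINTENANCE
            self.log.append(f"CRITICAL {exc}; entering maintenance mode")
            raise


@dataclass
class Outcome:
    processed: list
    quarantined: list
    unprocessed: list   # left behind once no processor is active
    states: dict


def run(plans, processors) -> Outcome:
    """Feed plans through the processors in failover order. A processor that
    has tripped is skipped for every later plan; the plan that tripped it is
    retried on the next processor, which is exactly what exposes the common mode."""
    out = Outcome([], [], [], {})
    for plan in plans:
        for proc in processors:
            if proc.state != ACTIVE:
                continue
            try:
                result = proc.process(plan)
            except IrreconcilablePlan:
                continue            # fail over: same plan, next processor
            (out.processed if result is not None else out.quarantined).append(plan)
            break
        else:
            out.unprocessed.append(plan)   # nothing automatic left; manual handling
    out.states = {p.name: p.state for p in processors}
    return out


# Constructed traffic: the third plan repeats a waypoint identifier.
SAMPLE_PLANS = [
    FlightPlan("ABC101", ("WPA", "WPB", "WPC")),
    FlightPlan("ABC102", ("WPD", "WPE", "WPF")),
    FlightPlan("ABC103", ("WPG", "WPH", "WPG")),
    FlightPlan("ABC104", ("WPJ", "WPK")),
    FlightPlan("ABC105", ("WPL", "WPM")),
]


def fail_safe_pair():
    return [Processor("primary"), Processor("backup")]


def quarantining_pair():
    return [Processor("primary", quarantine=True), Processor("backup", quarantine=True)]


if __name__ == "__main__":
    for label, pair in (("fail-safe", fail_safe_pair()), ("quarantine", quarantining_pair())):
        o = run(SAMPLE_PLANS, pair)
        print(f"{label}: processed={len(o.processed)} quarantined={len(o.quarantined)} "
              f"unprocessed={len(o.unprocessed)} states={o.states}")
```

With the fail-safe pair, two plans are processed, the third trips the primary and then the backup, and the remaining three plans (including the one that caused the trip) are left for manual handling with both processors in maintenance mode; each processor's log carries exactly the critical exception the report describes. With the quarantining pair, four plans are processed, one is held for review and both processors stay active. The point is not that the second design is right for air traffic control but that redundancy which replays the same input through the same logic cannot be expected to survive an input the logic rejects, and that recovery then depends entirely on the escalation and documentation processes the report's recommendations address.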
-
WWW.COMPUTERWEEKLY.COM
Schwarz Group partners with Google on EU sovereign cloud
Partnership with Europe's biggest retailer will offer client-side encryption and ensure data doesn't leave Germany
By Cliff Saran, Managing Editor. Published: 15 Nov 2024 11:45

Google has partnered with retail giant Schwarz Group to deliver what the pair claim is truly secure and sovereign cloud-based collaboration for German and European regulated industries.

Through the partnership, Schwarz Group's StackIT, the cloud provider for the retailer, which operates as an independent company offering sovereign cloud capabilities, will provide client-side encryption of customers' Google Workspace data.

StackIT said customers' data will remain resident within the European Union (EU), with full redundancy offered by backups hosted solely in its European datacentres, to meet customer demands around data protection, data residency and data resiliency.

"Germany and the EU have until now lacked enterprise-grade cloud collaboration solutions that fully address the sovereignty requirements of regulated industries, including ensuring all data is secured and backed up on local soil with absolutely no opportunity for access by foreign nations or platform providers," said Rolf Schumann, co-CEO of Schwarz Digits, the IT and digital division of the Schwarz Group. "Our partnership and new offering with Google Cloud will fill this gap with an entirely new business model."

Client-side encryption means data is encrypted before it reaches Google's infrastructure, with the encryption keys kept on the customer side rather than with Google, so Google has no access to customers' data. According to Schwarz and Google, this safeguards the sovereignty of not only Schwarz Group, but also all customers who value the independence of their operations, giving them full confidence that their data is always in their control.

"This new partnership will enable the companies of Schwarz Group to combine its leadership in digital transformation with Google Cloud's strengths in productivity, collaboration and security, enabled by our cutting-edge AI," said Sundar Pichai, CEO of Google and Alphabet. "Together, we are opening up a world of new, sovereign opportunities for European organisations to innovate and build on our joint solutions, accelerating a new era of innovation."

Through the partnership, Google Cloud's security capabilities will be integrated with those of XM Cyber, Schwarz Digits' hybrid cloud security company. This integrated offering will then be distributed to customers via the Google Cloud Marketplace.

According to Google and Schwarz, this integrated security will help German and European organisations, particularly those in highly regulated industries, raise the bar on their enterprise and multi-cloud security. In addition, XM Cyber's Continuous Exposure Management will be embedded into the sovereign Google Workspace office productivity suite offered to European enterprises.

"This partnership changes the game for regulated industry players in Europe by removing the sovereignty and security concerns that often hold back more ambitious adoption of the cloud for productivity and collaboration," said Thomas Kurian, CEO of Google Cloud. "Our alliance with companies of Schwarz Group will enable entire industries in Europe to deliver digital innovation with security and compliance at its core."

Schwarz Group is Europe's largest retailer, and the fourth-largest in the world. The company plans to transition its global office workforce to Google Workspace. The partnership with Google, according to Schwarz Group, enables critical workplace data to be protected against third-party access, including by foreign government institutions, and also to be transferred to alternate service providers if needed.

"Switching to Google Workspace is an important step for us out of legacy and into innovative, efficient and future-proof cloud-based collaboration," said Christian Müller, co-CEO of Schwarz Digits. "Google Workspace is the most secure and reliable productivity platform in the industry today, and we expect our organisation-wide migration to have significant flow-on benefits to all areas of operations, from simplifying IT management to rendering our point-of-sale workflows significantly more efficient."

Read more about data sovereignty:
UK government's M365 use under scrutiny: Microsoft's hold on government IT is under scrutiny, following a disclosure to a Scottish policing body that saw the software giant advise that it cannot guarantee data sovereignty in Microsoft 365.
NHS data sovereignty: Amid security concerns and AI advances, a majority of the British public still trusts the NHS to store and analyse their health data, but would prefer it remains domiciled in the UK.
-
WWW.COMPUTERWEEKLY.COM
The Loan Charge scandal explained: Everything you need to know

Tens of thousands of IT contractors have been hit with life-changing tax bills relating to projects they worked on over a decade ago, after enrolling in remuneration schemes that saw them paid for the work they did in the form of non-taxable loans rather than a conventional salary.

These loan-based remuneration schemes were typically run by offshore employee benefits trusts (EBTs), and were often erroneously marketed as an HM Revenue & Customs (HMRC)-compliant means for contractors to bolster their take-home pay, with contractors often advised to join such schemes by respected tax advisers.

In some instances, contractors were told they would be unable to work for certain organisations unless they agreed to be paid in loans.

In recent years, however, scheme participants have found themselves in HMRC's crosshairs, thanks to the introduction of a piece of retroactive legislation known as the Loan Charge, designed to help the government recoup the tax it claims participants avoided paying between December 2010 and April 2019.

The individuals now being chased for backdated tax payments by HMRC claim they are the victims of mis-selling, given how these schemes were previously marketed to them as safe and compliant to use, and the situation has seen more than 200 MPs from various parties come out in support of their plight.

In the years since the policy was introduced, and as details of the toll it is taking on those in its scope have emerged, there have been a series of legal actions attempting to overturn the policy.

There have also been calls from MPs for HMRC to stop doggedly pursuing the individuals involved, and to start taking punitive measures against the employers, agencies and promoters who advised people to join these schemes in the first place.

At the time of writing, though, the policy remains in place, and there are few signs from the government that it has any intention of revising its contents or how it works.

The situation has drawn parallels with the Post Office Horizon IT scandal, given that the people caught in the scope of the Loan Charge are widely considered to be victims of mis-selling by accountants and trusted tax advisers who marketed these loan-based remuneration schemes as HMRC-approved.

Sammy Wilson, an MP representing the Democratic Unionist Party (DUP), drew comparisons between the victims of the Post Office scandal and the individuals affected by the Loan Charge during a January 2024 Backbench Business Committee debate in the House of Commons.

As was the case with the Post Office scandal victims, the Loan Charge story similarly involves "a group of people who were acting in good faith being prosecuted and pursued when the people who absolutely knew what they were doing are getting away scot-free", said Wilson.

In the case of the Loan Charge, the parties responsible for marketing and promoting these loan-based remuneration schemes are not being pursued in the same way as the individuals who participated in them, which he described as wrong.

"HMRC are going after those who they regard as easy targets," said Wilson. "The promoters of these schemes, not one penny [has been demanded from them]."

"Despite the promoters [making] hundreds of millions of pounds of these schemes, [they] have mis-sold the schemes, [and] have disappeared when there is any attempt to get after them," he added. "Those promoters are not being pursued and yet individuals are being harassed, harassed to the point that many of them have taken their own lives."

The Loan Charge policy was introduced as part of an ongoing anti-tax avoidance campaign by HMRC, designed to counter the surge in the number of loan-based remuneration schemes in operation.

The policy was put forward by HM Treasury during the 2017 Budget as a means of recouping billions of pounds in unpaid taxes the UK government claimed contractors avoided paying by opting to be paid in the form of non-taxable loans rather than receive a conventional salary.

The policy's terms initially stated that any contractor who participated in a loan-based remuneration scheme between 6 April 1999 and 5 April 2019 would be in scope of the policy, and would be expected to pay back any and all tax they avoided while enrolled in these schemes. The total amount of unpaid tax HMRC said they owed is what is referred to as the Loan Charge.

An independent review of the policy, published in December 2019, concluded that the timeframe the policy covers should be shortened by 11 years, so that only individuals who enrolled in schemes after 9 December 2010 would be included. It is estimated this change resulted in around 10,000 people falling out of the scope of the Loan Charge policy.

Much of the controversy surrounding the Loan Charge relates to the retroactive nature of the policy, with critics often taking issue with the fact that it effectively introduces a retrospective tax on something (in this case, a loan) that was previously technically considered to be non-taxable.

The timeframe the policy covers also means the final amounts of unpaid tax that individuals can end up owing can be life-changing, with many of those affected at risk of financial ruin or facing bankruptcy as a result.

There is also the fact that many of the individuals who participated in these schemes received assurances from trusted tax advisers and accountants that receiving payment for the work they did in this way was permissible and acceptable in the eyes of HMRC.

When the policy was first introduced, HMRC estimated that implementing the Loan Charge would allow it to recoup £3.2bn in previously unpaid tax over the course of five years, but that figure was later revised up to £3.4bn. However, the publication of the independent review into the policy, which resulted in several tweaks being made to how it works, is estimated to have reduced the policy's overall tax take by £620m.

HMRC suggests there are around 50,000 individuals affected by the Loan Charge policy, although the volunteer-led non-profit Loan Charge Action Group (LCAG) has previously told Computer Weekly it thinks the number of people affected is far, far higher.

Those affected include a disproportionate number of IT contractors, as well as NHS workers, public sector agency staff, teachers and individuals working in the oil and gas sector.

While the concept of loan-based remuneration schemes pre-dates the IR35 regulations, the number of these schemes in operation markedly increased in the wake of HMRC introducing these revamped tax avoidance rules in 2000.

The IR35 regulations were introduced as part of a push by the government against disguised employment, and see contractors' engagements classified as being either inside or outside IR35 based on the kind of work they do and how it is carried out.

Contractors determined to be working inside IR35 are considered to be employees for tax purposes, meaning they are liable to pay the same employment taxes and national insurance contributions (NICs) as a salaried employee, but are not entitled to employment benefits such as paid sick leave or pension contributions.

In many cases, contractors were offered the opportunity to side-step the IR35 regulations entirely by closing down their limited company and becoming the employee of an umbrella company instead. Some of these umbrella companies operated in a non-compliant manner by promising contractors they could increase their take-home pay by agreeing to be paid in non-taxable loans issued by EBTs that were marketed as HMRC-compliant.

HMRC, however, has always maintained that it has never approved the use of a loan-based remuneration scheme, and has also been of the view that such schemes do not work. In addition, many of those affected by the Loan Charge policy have repeatedly claimed that they were unwittingly enrolled in these schemes by umbrella companies that promised them too-good-to-be-true amounts of take-home pay without disclosing that they would be paid in loans.

While HMRC has repeatedly stated that no one in scope of the Loan Charge will be forced to sell their main home to cover the amounts it claims they owe in unpaid tax, Computer Weekly has heard anecdotal reports from IT contractors who have done exactly that.

HMRC has previously stated that it has no intention of making the individuals in scope of the Loan Charge policy bankrupt, and that insolvency will only be considered as a last resort if the person involved is actively avoiding paying what they owe or is at risk of accruing further debt.

Even so, members of the Loan Charge All-Party Parliamentary Group (APPG) have repeatedly spoken out about the toll the policy is taking on the health and well-being of those affected.

There have also been 10 suicides linked to the Loan Charge to date, as confirmed by HMRC in a letter signed by its CEO, Jim Harra, in January 2023. The letter states that HMRC has had cause to refer itself to the Independent Office for Police Conduct on 10 occasions "where a customer has sadly taken their life and had used a disguised remuneration scheme".

Why these loans are taxable at all is key to understanding the Loan Charge policy. Loans are typically not considered to be a form of taxable income, but according to HMRC the recipients of these loans should pay tax on them because they were never intended to be repaid.

Furthermore, many contractors who participated in these schemes were of the understanding that they would never be asked to repay the loans they received. But as extensively documented by Computer Weekly, several attempts have been made in recent years by different parties to recall the loans contractors received, meaning that in addition to HMRC's demands they have also been asked to repay these loans in full, plus interest.

In instances such as this, HMRC has restated that any individual who repays a loan they received during the timeframe covered by the Loan Charge policy will still need to pay the tax it claims they owe. This is an outcome few, if any, loan scheme participants have ever budgeted for, adding further pressure to their finances.

Some individuals caught in the policy's scope have sought settlements with HMRC to bring the matter to a close, although there are also anecdotal reports of people who went down this route and then received further payment demands from HMRC afterwards.

There have been numerous legal challenges attempting to overturn the policy, as well as requests made to HMRC to consider letting those unable to pay off the full amounts owed pay a reduced settlement figure, so the government's tax collection agency gets some money rather than none.

MPs have also repeatedly called on the government to do more to tackle the people responsible for marketing these schemes, to prevent new schemes from emerging. There are further calls to spread the tax burden on to the promoters, agencies and employers that encouraged individuals to join these schemes.

During the Autumn Budget 2024, the government confirmed there would be a second independent review of the policy, to bring the matter to a close for all those affected. This was on the back of representations made to Treasury minister James Murray during a meeting facilitated by the APPG in August 2024, where various individuals in scope of the policy outlined the toll the Loan Charge was taking on their health, well-being and finances.

At the time of writing, HM Treasury is yet to confirm the scope of the review and who will be tasked with overseeing it. In the meantime, Computer Weekly has learned that HMRC is offering to pause the settlement activity of anyone caught by the Loan Charge until the review has concluded.
IT leaders raise concerns over IT security overspend
How many IT security products does it take to secure a business? Too many, according to some IT decision-makers
By Cliff Saran, Managing Editor. Published: 15 Nov 2024 15:00

IT leaders say they are overspending on cyber security tools, a survey of 800 IT leaders by Flexera has found.

The poll reported that 31% of the IT decision-makers who took part in the survey ranked IT security tools as the top area of overspending. This represents a six-point increase from last year's survey (25%).

Even though reducing IT security risks ranked second (28%), behind artificial intelligence (AI), in terms of priorities over the next 12 months, the findings suggest that the conversations around the inflation of security tools and the difficulty of integrating separate tooling are ongoing.

Last year, analyst IDC surveyed 503 IT decision-makers in North America, looking at cloud-native application protection platforms; data security; endpoint detection and response; extended detection and response; network security; next-generation firewalls; security information and event management; security service edge; and vulnerability and exposure management. The respondents had anywhere from 41 to 60 security tools in their environment, with 25% reporting 21 to 40 tools.

Beyond IT security tools, the Flexera survey found that 68% of IT leaders say business units are spending far more on cloud and software as a service (SaaS) than they are aware of. According to those surveyed, the estimated average amount of overspending across cloud, software, SaaS and hardware is around 20-25%.

When asked about their top IT spending challenges, 45% said it was controlling growth in IT spend; for 40%, the biggest challenge was tackling IT spending efficiency and avoiding waste; and 39% saw their biggest challenge as managing price hikes from their software providers.

Flexera said the responses suggest that IT leaders desire more thorough visibility across their entire technology investment, yet are continually juggling unknowns as they seek to determine the best course of action to correct overspending and better balance their piece of the budget.

The survey results also suggest that AI is redefining IT leaders' priorities. Almost half (48%) of the IT leaders polled put integrating AI as their top priority for the next 12 months.

"While IT leaders are facing a myriad of challenges and opportunities, artificial intelligence seems to pose the biggest potential gains in the short and long term," said Conal Gallagher, chief information officer at Flexera.

"There's an extraordinary expense required of AI projects, creating an even greater sense of urgency to not only understand the impact of the investment, but to quickly demonstrate returns that advance core business objectives," he added. "AI is not only disrupting and transforming IT, for example by creating more focus on compute resources and data quality, but planting the seeds to change the way we all work. It's no surprise that IT is at the forefront of recognising and ushering in this disruption, helping to be a guiding force for their organisations."
A fifth of new PCs shipped in Q3 were AI-optimised
PC manufacturers are working hard to showcase the benefits of premium devices that use neural processing units to deliver on-device AI acceleration
By Cliff Saran, Managing Editor. Published: 14 Nov 2024 14:58

A fifth of all PCs shipped in the third quarter of 2024 were equipped to support artificial intelligence (AI), Canalys has reported in its latest PC market report. The Canalys data shows that AI-capable PC shipments hit 13.3 million in the quarter, accounting for 20% of all PCs sold.

The analyst firm defines AI-capable PCs as desktops and notebooks that include a chipset for dedicated AI workloads, such as a neural processing unit (NPU).

Canalys reported that Windows devices accounted for a majority of AI-capable PC shipments for the first time, capturing a 53% share. What is significant is that these Windows-certified devices, known as Copilot+ PCs, are based on the Qualcomm Snapdragon ARM-based chip rather than an x86-compatible processor from the likes of Intel or AMD.

Discussing the data, Canalys principal analyst Ishan Dutt said: "Copilot+ PCs equipped with Snapdragon X series chips enjoyed their first full quarter of availability, while AMD brought Ryzen AI 300 products to the market and Intel officially launched its Lunar Lake series. However, both x86 chipset vendors are still awaiting Copilot+ PC support for their offerings from Microsoft, which is expected to arrive this month."

While the Windows 11 refresh cycle and processor roadmaps will continue to drive penetration, Canalys believes there may be a reluctance to buy the new technology, which is designed to provide on-device AI.

"Despite the positive momentum, significant work must still be done to convince both channel partners and end customers of the benefits of AI-capable PCs," said Dutt. "This is especially true for more premium offerings, such as Copilot+ PCs, which Microsoft requires to have at least 40 NPU TOPS [trillions of operations per second] alongside other hardware specifications."

There is a sense that these devices are targeting the premium end of the PC market. For instance, even with Black Friday deals, Currys' cheapest AI-capable device is currently an HP OmniBook X 14in laptop Copilot+ PC, on sale at £799, reduced from £999. The most expensive is a £2,149 Microsoft 15in Surface laptop Copilot+ PC. The majority of the devices listed are over £1,000, which may put them beyond the budget of many organisations.

In fact, just under a third (31%) of PC resellers do not plan to sell Copilot+ PCs in 2025, according to Canalys, while a further 34% expect such devices to account for less than 10% of their PC sales next year.

"With Windows 10 end of support now less than a year away, the coming quarters represent a critical opportunity to drive a significant portion of an aged installed base to be upgraded to an AI-capable PC," Dutt added.

Given the premium these AI-capable devices command, Canalys noted that manufacturers are working with software firms to help them sell the benefits of AI PCs. For instance, at its Imagine AI event in September, HP showcased its collaboration with software providers to deliver on-device AI experiences. Lenovo, meanwhile, has focused on embedding proprietary AI tools and agents into its PCs, such as Creator Zone, Learning Zone and Lenovo AI Now.

"For vendors like Lenovo and Dell, whose offerings extend beyond PCs, on-device AI will be a key component of the delivery of broader, more holistic AI services and solutions," said Canalys analyst Kieren Jessop.

The Canalys data also reveals how Apple is not directly competing with Microsoft. Since 2020, Apple has shifted away from using Intel processors to its own chips based on the ARM architecture. It is now shipping devices with the M3 chip, the third generation of so-called Apple silicon. This potentially makes Apple devices running ARM-based hardware a more mature offering than those of the mainstay PC manufacturers, which have jumped on the Copilot+ bandwagon.

"Apple's strategic approach in this landscape is distinct," said Jessop. "It is leveraging its vertically integrated ecosystem to create features that do not need to directly compete with Microsoft's suite of productivity tools, such as Copilot Pro for Microsoft 365, which is compatible with macOS. Apple can instead focus its differentiation at the hardware and operating system level, positioning itself against Windows OEMs [original equipment manufacturers] in an effort to make market share gains during the ongoing refresh cycle."
Williams Racing F1 team supports kids' cyber campaign
A multi-region campaign will teach pre-teen children cyber security basics with a little help from Formula 1 star Alex Albon
By Alex Scroxton, Security Editor. Published: 14 Nov 2024 15:30

Formula 1 team Williams Racing has joined forces with cyber firms Keeper Security and KnowBe4 to launch a global security education programme for schools, designed to empower online safety across the sector.

The Flex Your Cyber campaign, which launches first in the US, with a UK roll-out planned for the near future, is aimed at children aged between five and 14, and is being supported by the National Cybersecurity Alliance (NCA), a security education non-profit.

Keeper Security CEO and co-founder Darren Guccione said that with the education sector increasingly victimised by cyber criminals, and bountiful evidence of a clear awareness gap, it is becoming crucial to teach cyber fundamentals not just to teachers and admin staff, but to children too.

"Our goal is to empower the entire educational community with the knowledge they need to protect themselves from today's cyber threats," said Guccione. "Starting this education at a young age will help ensure future generations are protected against the cyber threats plaguing our digital landscape."

Flex Your Cyber will provide tailored content for parents, teachers, administrators and children, ranging from practical tips and solutions for the grown-ups, to more age-appropriate activities for children.

For children in the Little Kids category, which covers those aged up to about eight or nine, the campaign has developed a number of videos and games, an activity book and an infographic to introduce the youngest learners to some of the basics of online safety.

This is where Williams Racing comes in. The team has loaned the services of its lead driver Alex Albon, who stars in a video in which he travels across the internet on a brightly coloured bike, battling cartoon cyber threats as he goes.

Children in the Big Kids category will be engaged with more interactive activities, cyber challenges and access to information that delves a little deeper into digital security concepts relevant to pre-teens. Meanwhile, Albon dodges cyber dangers such as "privacy potholes" and navigates the "malware mile" in a retro 8-bit-style racing video game environment.

Not to be forgotten, teaching staff will have access to tools, resources and age-appropriate lesson plans to integrate elements of security education in the classroom, while back office staff will receive more guidance on best practices and solutions to build secure digital environments within schools.

More resources, information and videos, including, just for fun, a game of cyber charades between Albon and Williams team principal James Vowles, are available on the Flex Your Cyber campaign website.

"Cyber security is critical in all walks of life, and particularly in Formula 1, where protecting our data is vital to succeeding on track," said James Southerland, head of partnerships at Williams Racing. "Forming good cyber security habits at a young age is becoming as important as learning to cross the road safely or wear a seatbelt, and we are delighted to be supporting our partner Keeper Security with this campaign."

Stu Sjouwerman, CEO of KnowBe4, added: "Keeper Security's Flex Your Cyber initiative is a crucial step in safeguarding children in an increasingly digital world, cultivating a security culture in our future workforce from the ground up. By equipping students, parents and educators with accessible cyber security education and resources, Flex Your Cyber will foster a robust culture of cyber resilience essential for navigating today's complex threat landscape. We are proud to support this impactful programme, which promises to have a lasting, positive impact on the education community and beyond."
Ex-boxer fights US government over legality of Sky ECC cryptophone intercepts

Lawyers representing a former boxer charged with serious drug trafficking offences are challenging the legality of the US government's use of intercepted messages obtained by a European police hacking operation against the world's largest cryptophone network.

The former heavyweight boxer from Montenegro, Goran Gogic, faces charges over his alleged involvement in the import of large quantities of cocaine. His lawyers accuse prosecutors of bypassing US legal protections by relying on overseas partners to conduct surveillance.

The case will test in the US courts the validity of evidence obtained by French law enforcement from the hacking and mass interception of 170,000 users of Sky ECC phones in a joint operation with Belgian and Dutch police.

Joseph Corozzo, a lawyer for Gogic, said the case is the first time legal arguments used to exclude evidence obtained through the torture of individuals outside of the US have been applied in an attempt to exclude overseas intercept material.

Corozzo said his client, as a non-US citizen, did not benefit from Fourth Amendment protections against government surveillance under the US Constitution. "If he were a US citizen, we feel strongly that the court would suppress [the intercept material] very quickly. Since he is a non-US citizen, it's a greater burden to us to establish all the factors involved," he added.

US prosecutors argue that the intercepted text messages used as evidence against Gogic in the case are broadly similar to the communications data that the government regularly receives from telecoms and social media companies in the US. Even if Gogic did have rights under the Fourth Amendment, the conduct of French law enforcement agencies in seizing the data does not "shock the conscience" and the US did not act with an intention to evade the constitution, they claim.

Sky Global, a company with headquarters in Vancouver, Canada, began developing encrypted phones in 2008, which were later sold through a network of distributors and resellers.

Belgian police began investigations into the use of Sky ECC phones by organised criminals in 2016, after seizing the encrypted phones in a drug trafficking operation in the port of Antwerp. Dutch police began parallel investigations following their own seizures of Sky ECC phones.

By late 2018, Sky ECC was gaining international attention, and more than 20 police officers from the US, Canada, Australia and Belgium met at an international conference in Sydney to discuss ways of breaking the Sky ECC encryption.

French investigators began intercepting encrypted messages from Sky ECC in June 2019. A breakthrough by Dutch technicians, who discovered how to decrypt the platform, led to the live interception and decryption of all Sky ECC messages from February 2021.

French, Belgian and Dutch police launched an action day against Sky ECC users on 9 March 2021, making large numbers of arrests, searches and seizures in the three countries. The operation, dubbed Operation Argus, led to the interception of one billion messages.

Gogic was arrested in Miami in October 2022 and faces charges under the US Maritime Drug Law Enforcement Act. His arrest came after police seized a shipment of 18 tonnes of cocaine in Philadelphia, in an operation described as one of the largest cocaine seizures in US history. The case stems from a federal investigation into a vast network of international narcotics traffickers who smuggled cocaine from South America to the US and Europe in commercial container ships.

Gogic's lawyers argue in a motion to suppress that US investigators engaged in "forum shopping" to circumvent US law and constitutional protections. They claim the US put its own investigation into Sky ECC on hold to obtain intercept material from France that would otherwise be inadmissible in the US.

An internal French police report shows that during a meeting at Europol in May 2019, Belgian and Dutch investigators learned that the US intended to arrest Sky's executives, based in Canada. However, the US agreed with the Dutch to suspend US investigations until after European police forces completed their investigation into Sky ECC.

"A tacit agreement between the American and Dutch authorities allowed the European investigations to continue, with the Americans suspending further operations pending the outcome of ongoing investigations," the report states.

Belgium, France and Holland closed their investigation into Sky ECC in March 2021, making multiple arrests and seizures of drugs and firearms. Three days later, US prosecutors indicted Sky Global's Canadian CEO, Jean-Francois Eap, and a former phone distributor, Thomas Herdman, for racketeering and knowingly facilitating the import and distribution of drugs and the sale of encrypted communications devices. Their cases have not been heard in court.

By receiving intercepted material from France, rather than carrying out its own interception, the US could "maintain the façade of keeping its hands clean during the interception and then receive the same evidence anyway through requests for mutual legal assistance", Gogic's defence lawyers claim.

They point to evidence that Dutch police carried out a similar forum shopping exercise by obtaining intercept material from France that would not be admissible if obtained under Dutch law.

According to a Dutch court document, in 2019, a Dutch magistrate refused an order to seize full copies of the Sky ECC servers as it could not be established that the users of Sky ECC were using the system exclusively for illegal purposes. The magistrate found that because there was no concrete suspicion against individual users, it would be too far-reaching to grant unconditional permission to search the messages of all Sky ECC users.

Dutch police ultimately obtained intercepted messages of all incoming and outgoing communications from Sky ECC from French law enforcement. Gogic's lawyers claim that the Dutch authorities "successfully circumvented the Amsterdam investigative judge's 2018 denial of their application to copy the Sky ECC servers by getting the same relief they had been denied from a different venue: France".

Defence lawyers are also pressing US prosecutors to disclose all documentation of how the US obtained Sky ECC data from European law enforcement. According to the motion, filed in the Eastern District of New York, a major problem from an evidentiary standpoint is that digital data is "at a significantly higher risk of (intentional) manipulation or (unintentional) alterations".

An expert who examined spreadsheets of intercepted messages provided by the US has found evidence that the files were modified on multiple dates. The motion claims there are thousands of missing media files and numerous other anomalies in the data supplied by US prosecutors.

Defence lawyers are pressing US prosecutors to disclose the underlying raw data and hash values that would allow experts to check that the data provided in evidence has not been modified. They point to a case in Panama where a judge acquitted 28 defendants after finding that the leaked documents forming the basis of the charges against them did not comply with digital evidence principles, and lacked the hash values necessary for verifying the authenticity and accuracy of digital data.

Dutch police developed AI software known as Chat-X to access and analyse intercepted messages. According to Dutch lawyer Yehudi Moszkowicz, the artificial intelligence (AI)-based software was used to search millions of intercepted messages for keywords associated with threats to life, and later to automatically identify chat messages referring to money laundering and other crimes.

Chat-X also provided access to metadata, including the location from which a message was sent, the International Mobile Equipment Identity (IMEI) number (a unique identifying number for each handset), the Access Point Name (APN) and the IMSI (a unique identifying number for each SIM card).

Defence lawyers claim that the US government has failed to disclose the metadata from the messages used as evidence in the case, which could be used, for example, to establish whether Gogic was present when the messages were sent. They have also asked the court to order the disclosure of the Chat-X software.

US law allows evidence supplied by other countries to be used in US courts under the "silver platter" doctrine. But defence lawyers argue that the interception of Sky ECC amounted to a global fishing expedition and that there was no probable cause to suspect every one of the individuals placed under surveillance of criminality. The fact that Sky ECC phones were sold for cash by dealers who met clients in person, they say, does not establish reasonable suspicion, let alone probable cause, that criminal activity is afoot.

Prosecutors argue that the Fourth Amendment does not apply to searches and seizures made against non-US nationals on foreign soil. Even if it did, the conduct of French law enforcement agencies in seizing the data from Sky ECC does not "shock the conscience" and was upheld by French courts.

"There is no plausible claim that the government cooperated with the Europeans with the intent to evade constitutional requirements," according to a prosecution motion. "The most the facts show is that the US extended a courtesy to European law enforcement by delaying overt investigation and enforcement actions that could harm the European investigation."

That is not a case where American officials use foreign officials to intercept phone calls made from the US to a foreign country to circumvent constitutional requirements that would apply if the same phone calls were intercepted in the US, they say.

A sworn statement from the law enforcement officer who received the data from France would be all that is needed to prove its authenticity. Questions around chain of custody should only have a bearing on the weight of evidence, not its authenticity, according to the prosecutors. "There is no reason to believe that materially different data exists, nor that it would be favourable to the defendant if it did," they added.

Corozzo said US prosecutors were following the same argument as prosecutors in Europe, that the court should honour the prosecutorial activities of France based on the French courts' finding that the conduct was permissible. "They're not addressing in any fashion the issues of reliability and chain of custody," he added.

The Sky ECC hack

2016: Netherlands and Belgium begin independent investigations into Sky ECC encrypted phones.
2018: Twenty police officers from the US, Canada, Australia, Belgium and other countries participate in an international conference in Sydney, discussing ways to access Sky ECC. They follow up with a meeting in Antwerp.
19 November 2018: A report by investigators identifies the location of Sky ECC infrastructure in the OVH datacentre in Roubaix, France.
30 November 2018: A Dutch judge allows an application to seize copies of the Sky ECC servers for technical research into encryption and interception of messages on the phone network, but does not allow the collection of data on the services for use as evidence. The magistrate concludes that it is not established that the encrypted communication of SkyECC is almost exclusively used by organised serious crime.
13 February 2019: A French prosecutor at the Lille court initiates a formal investigation into Sky ECC.
27 May 2019: A meeting at Europol with the Belgian, Dutch and French authorities is told that US authorities have also opened an investigation into Sky ECC and that their ultimate goal is to arrest the company's executive in Canada. The Americans reach a tacit agreement with the Dutch to suspend US investigations while European investigations continue.
12 June 2019: A French prosecutor applies for a court order to intercept, record and transcribe communications passing through Sky ECC servers in France.
14 June 2019: A French court authorises the interception of Sky ECC's servers for one month. The order is repeatedly renewed until December 2020.
13 December 2019: Dutch, Belgian and French law enforcement authorities agree to form a Joint Investigation Team to gather evidence about alleged criminal activities of Sky Global and its users, and to share technical information and resources.
December 2020: Dutch investigators work out how to obtain encryption keys from Sky ECC handsets. Work begins on decrypting a backlog of intercepted encrypted data.
February 2021: French investigators begin live interception and decryption of Sky ECC phones. More than 70,000 phones are monitored.
9 March 2021: Sky ECC is shut down after a joint operation by French, Belgian and Dutch law enforcement authorities, known as Operation Argus. Arrests, house searches and seizures are made in Belgium and the Netherlands.
12 March 2021: The US files an indictment against Jean-Francois Eap, CEO of Sky Global, and former phone distributor Thomas Herdman.
Red Hat acquires tech to lower the cost of machine learning

The acquisition of Neural Magic by Red Hat is being positioned as a way to democratise machine learning and reduce the need for GPUs.

By Cliff Saran, Managing Editor. Published: 13 Nov 2024 14:55

Red Hat has announced its intention to acquire Neural Magic, the lead developer behind the open source vLLM project.

The acquisition is being positioned as a way for Red Hat and its parent IBM to lower the barrier to entry for organisations that want to run machine learning workloads without the need to deploy servers equipped with graphics processing units (GPUs). This reliance creates a barrier to entry, hindering the widespread adoption of artificial intelligence (AI) across various industries and limiting its potential to revolutionise how we live and work.

The GitHub entry for vLLM describes the software as: "A high-throughput and memory-efficient inference and serving engine for LLMs [large language models]."

In a blog discussing the deal, Red Hat president and CEO Matt Hicks said Neural Magic had developed a way to run machine learning (ML) algorithms without the need for expensive and often difficult-to-source GPU server hardware.

He said the founders of Neural Magic wanted to empower anyone, regardless of their resources, to harness the power of AI. "Their groundbreaking approach involved leveraging techniques like pruning and quantisation to optimise machine learning models, starting by allowing ML models to run efficiently on readily available CPUs without sacrificing performance," he wrote.

Hicks spoke about the shift towards smaller, more specialised AI models, which can deliver exceptional performance with greater efficiency. "These models are not only more efficient to train and deploy, but they also offer significant advantages in terms of customisation and adaptability," he wrote.

Red Hat is pushing the idea of sparsification, which, according to Hicks, strategically removes unnecessary connections within a model. This approach, he said, reduces the size and computational requirements of the model without sacrificing accuracy or performance. Quantisation is then used to reduce model size further, enabling the AI model to run on platforms with reduced memory requirements. "All of this translates to lower costs, faster inference and the ability to run AI workloads on a wider range of hardware," he added.

Red Hat's intention to acquire Neural Magic fits into parent company IBM's strategy to help enterprise customers use AI models.

In a recent interview with Computer Weekly, Kareem Yusuf, product management lead for IBM's software portfolio, said the supplier has identified a business opportunity to support customers that want to easily "mash" their data into the large language model. This, he said, allows them to take advantage of large language models in a way that enables protection and control of enterprise data.

IBM has developed a project called InstructLab that provides the tools to create and merge changes to LLMs without having to retrain the model from scratch. It is available in the open source community, along with IBM Granite, a foundation AI model for enterprise datasets.

Dario Gil, IBM's senior vice-president and director of research, said: "As our clients look to scale AI across their hybrid environments, virtualised, cloud-native LLMs built on open foundations will become the industry standard. Red Hat's leadership in open source, combined with the choice of efficient, open source models like IBM Granite and Neural Magic's offerings for scaling AI across platforms, empowers businesses with the control and flexibility they need to deploy AI across the enterprise."

Read more about IBM's AI strategy:
- IBM's latest Z mainframe offers lessons in building AI systems: Studying the engineering behind IBM's mainframe architecture could help enterprises build higher reliability into the GPU clusters used to run AI applications.
- IBM throws its Red Hat into open source AI ring with RHEL AI: IBM and Red Hat open source their first LLMs, but IT experts say RHEL AI is more likely to stand out in the ways it links AI to hybrid cloud infrastructure.
-
Closing in on quantum computing with error mitigation

Current quantum computers are prone to error. IBM's latest Heron machine uses software and hardware to get better results.

By Cliff Saran, Managing Editor. Published: 13 Nov 2024 14:58

The latest machine on IBM's quantum computing roadmap, Heron, has been given a hardware and software boost as the company pushes towards its goal of error correction.

Error correction is seen as the holy grail for quantum computing, which would open the gates to commercial adoption. This may be many years away, but IBM Heron offers error mitigation, which the company describes as techniques that allow users to mitigate circuit errors by modelling the device noise at the time of execution. In other words, it is something software developers need to do when programming IBM quantum computers to get around the noisiness, in terms of errors, that is inherent in today's quantum computing technology.

"Advances across IBM Quantum hardware and Qiskit are enabling our users to build new algorithms in which advanced quantum and classical supercomputing resources can be knit together to combine their respective strengths," said Jay Gambetta, vice-president of IBM Quantum. "As we advance on our roadmap towards error-corrected quantum systems as a pillar of the future of computing, the algorithms discovered today across industries will be key to realising the full potential of unexplored computational spaces created by the convergence of QPUs [quantum processing units], CPUs [central processing units], and GPUs [graphics processing units]."

To tie in with the Heron announcement, IBM has introduced several new tools in its Qiskit software developers kit. These include the Qiskit Transpiler Service, to power the optimisation of quantum circuits for quantum hardware with artificial intelligence (AI), and Qiskit Code Assistant, to help developers easily generate quantum code with IBM Granite-based generative AI models. It is also adding Qiskit Serverless, which enables software developers to run initial quantum-centric supercomputing approaches across quantum and classical systems, and the IBM Qiskit Functions Catalog, to make services available from IBM, Algorithmiq, Qedma, QunaSys, Q-CTRL and Multiverse Computing.

Error correction is the breakthrough

Tobias Lindstrom, head of science for NPL's department of quantum technology, believes a step change in quantum computing will happen once error correction is fixed.

"Today, we're limited by scaling because we don't have error correction," he said. "Once you can build a logical error-correct qubit, as far as I understand, there's nothing stopping you from building more of them. It is an engineering challenge."

"Once there is error correction, you may spend more money but there is no limit to the scaling," he added, in response to the question of whether a working quantum computer would follow the same rules as Moore's Law, which shows that the number of transistors on a processor doubles every two years for the same price.

While there has been a lot of progress in schemes focused on error correction, Lindstrom expects quantum computing adoption will accelerate when the techniques are eventually mastered. Even if such a computer with perhaps 10,000 qubits has a ticket price of $1bn, Lindstrom believes the price is not likely to be a barrier for some organisations and governments: "I don't think that's going to stop people when you are talking about something as useful as a quantum computer." What this means is that quantum computers will likely only be initially purchased by governments or very large companies.

There is a certain class of problem which Lindstrom and many in the industry feel quantum computing will be able to optimise. Not surprisingly, he said, quantum-type problems such as quantum chemistry are among the big opportunities, where quantum computing can be applied in material science, leading to opportunities such as the development of greener technologies.

While not fully fledged computers, Lindstrom described the UK Research and Innovation quantum test bed programme as an important step. These demonstrators of quantum technology provide a way for quantum computing firms to develop machines that organisations can have direct access to in the UK.

Solving problems and improving skills

Like IBM's Gambetta, Lindstrom sees quantum devices as part of the mix that will be used to accelerate certain workloads: "A good analogy is probably something like using GPUs or FPGAs [field-programmable gate arrays] in the context of high-performance computing. You're still logging onto a regular computer, but for certain problems, you're using a GPU or an FPGA." The era of quantum computing will, like with GPUs, involve the quantum processor effectively acting as an accelerator or co-processor for the CPU.

Lindstrom believes that, in an ideal world, a programmer would use their preferred programming language, and their source code compiler tool would then look through this code, decide which steps in the program require an optimisation step and then assess whether this is best serviced by offloading the task to a quantum processor. "That's the ideal scenario, in terms of user friendliness, but it may not be the best way to use existing resources," he said.

For Lindstrom, there needs to be a group of specialist programmers who understand the computer architecture in depth: "I think a good analogue would be classical computers in the 1980s, where people were programming in assembly language to squeeze the most performance out of the hardware."

Looking at current industry efforts, Lindstrom said that there is work to make quantum computing more accessible to people who do not necessarily have an in-depth background in the technology, but this is not possible today. "For the foreseeable future, you will need a second category of people as well who really understand quantum computing and who can formulate the problem before they even start writing the code," he said.

What this means from a skills perspective, as CIOs plan for a future where quantum computing is part of the technology mix, is, according to Lindstrom, a similar story to the upskilling needed for GPUs. "People are GPU-aware because, again, it has been part of the computing ecosystem for so long, but they don't necessarily need to know how to build a GPU; they just need to understand the APIs [application programming interfaces] and what problems GPUs can be used for."

Read more quantum computer stories:
- Does quantum matter: Ilyas Khan, CEO of Quantinuum, discusses the quantum computing revolution.
- IBM plots route beyond Condor: New quantum system and classical computing hybrid forms the basis of next-gen supercomputing at IBM.
-
China's Volt Typhoon rebuilds botnet in wake of takedown

Nine months after its malicious botnet comprising legacy routers was disrupted by the Americans, Chinese APT Volt Typhoon is rebuilding and presents as persistent a threat as ever.

By Alex Scroxton, Security Editor. Published: 13 Nov 2024 16:06

The Chinese state threat actor most famously known as Volt Typhoon is staging a significant comeback after its botnet infrastructure was disrupted in a US-led takedown at the beginning of February 2024.

Volt Typhoon's malicious botnet comprised hundreds of Cisco and Netgear small and home office (SOHO) routers that had reached end-of-life (EOL) status and thus were no longer receiving security updates. The threat actor infected these devices with KV Botnet malware and used them to obfuscate the origins of follow-on hacks targeting critical national infrastructure (CNI) operations in the US and elsewhere.

Now, nine months on, threat analysts from SecurityScorecard say that they have observed signs that Volt Typhoon is not only back in business, but is more sophisticated and determined than ever. SecurityScorecard's Strike team has been poring over millions of data points collected from the organisation's wider risk management infrastructure, and has determined that the group is now adapting and digging in after licking its wounds in the wake of the takedown.

"The Strike Team's discoveries highlight the expanding threat posed by Volt Typhoon. As the botnet spreads and its tactics deepen, governments and corporations must urgently address weaknesses in legacy systems, public cloud infrastructures, and third-party networks," said SecurityScorecard senior vice-president of threat research and intelligence, Ryan Sherstobitoff. "Volt Typhoon is both a resilient botnet and a warning. Without decisive action, this silent threat could trigger a critical infrastructure crisis driven by vulnerabilities left unresolved."

In recent months Volt Typhoon has stood up new command servers using hosting services such as Digital Ocean, Quadranet and Vultr, and registered fresh SSL certificates to evade the authorities. The group has continued to exploit legacy vulnerabilities in Cisco RV320/325 and Netgear ProSafe routers. Sherstobitoff revealed that the operation was able to compromise 30% of the world's visible Cisco RV320/325s in the space of just one month.

"The Strike Team's deep investigation has exposed Volt Typhoon's complex network built on compromised SOHO and EOL devices. This group has weaponised outdated routers on a global scale, weaving layers of obfuscation that mask their presence and make detection exceptionally difficult," said Sherstobitoff. "These compromised routers act as digital chameleons, facilitating the covert movement of data while mimicking normal network traffic. Analysts have identified MIPS-based malware on these devices, similar to Mirai, engineered to establish covert connections and communicate via port forwarding over 8443. This method keeps Volt Typhoon's command operations off the radar, even for seasoned cyber security teams."

"Webshells, such as fy.sh, are strategically implanted in routers, allowing Volt Typhoon to maintain persistent access and secure remote control. The attack doesn't just hide; it integrates seamlessly into routine network operations. The result? A resilient foothold, particularly within governmental and critical infrastructure sectors, that camouflages malicious activities and complicates any clean-up efforts," he said.

As of September 2024, its new botnet cluster was observed routing traffic worldwide, much of it transiting through a compromised virtual private network (VPN) device which is acting as a silent bridge between Asia-Pacific and the US. This device is determined to be located somewhere in New Caledonia, a French island in the South Pacific Ocean, about 750 miles northwest of Queensland, Australia. By placing its hub in a location considered to be part of France (though New Caledonia's legal status as a sui generis overseas territory is both complex and controversial), Volt Typhoon may be able to avoid additional scrutiny and extend the reach of its botnet even further.

Sherstobitoff warned that CNI operators still presented an attractive target for Chinese state-sponsored attackers thanks to their essential role in economic stability, while the sector's lingering dependence on legacy technology is creating a perfect storm for disruption. He added that many third-party tech suppliers themselves lack robust defences, offering advanced persistent threat (APT) actors such as Volt Typhoon easy entry points.

Read more about Volt Typhoon:
- Lumen Technologies researchers have observed Volt Typhoon exploitation of CVE-2024-39717 against four US organisations in the ISP, MSP and IT sectors.
- A panel of experts at RSA Conference 2024 discussed Volt Typhoon and warned the Chinese nation-state threat group is still targeting and compromising organisations.
- GCHQ director Anne Keast-Butler uses her first major public speech to warn that China poses a significant cyber security threat to the UK.
-
Schools go smartphone-free to address online harms

As the UK's Online Safety Act (OSA) approaches its first birthday, parents and teachers insist more must be done to protect young people and children from the various risks they are facing online. In particular, they cite the need for tighter measures around smartphone and social media use in schools, which led two parents to create the Smartphone Free Childhood (SFC) group in February 2024.

Since then, the group, which characterises itself as a grassroots movement on a mission to challenge Big Tech's colonisation of childhood, has expanded massively, with 150,000 parent members across the UK at the time of publication.

Their concerns cover a range of areas, including the increasing rates of depression, anxiety and suicide among children since smartphones were introduced, the pervasive effects of cyber bullying, the risk of children being exposed to harmful content via algorithms and messaging apps, and the intentionally addictive design choices of tech companies that are intended to harvest ever-increasing amounts of data for profit.

The UK is one of the first countries to attempt to regulate global social media platforms such as Meta, X, TikTok and YouTube, which from the start of 2025 can be prosecuted by online harms regulator Ofcom for failing to address illegal content, with the possibility of million-pound fines and criminal sanctions against high-ranking social media platform employees. Even so, parents and teachers say there is mounting evidence that, despite any good intentions, the online world continues to have a range of harmful effects on young people.

An international study across 44 countries published last month, for example, revealed a growing rate of problematic internet use in children, revealing the dire need for safer platforms for young people. In the US, legal action against the biggest social media platforms is unfolding over their inaction on harmful content and failure to protect children. In 2023, 42 attorneys general sued Meta, alleging addictive features that target children.

"Although the Online Safety Act is an important first step, it will only partly address the harms currently being inflicted on children through smartphones and social media," says Clare Fernyhough, co-founder of SFC. "It's not clear the act will address the addictive-by-design nature of both smartphones and social media platforms, meaning tech companies will continue to make billions from keeping our children constantly online. With some children spending as much as nine hours a day on their phones, the opportunity cost these devices carry is enormous."

Given the ongoing concerns over the spread of online harms, and the role of smartphones in particular, the inception of SFC has prompted many schools to attempt going smartphone-free. In May 2024, for example, 20 primary schools across St Albans announced plans to ditch smartphones, and in September, Ormiston academies announced the decision to go smartphone-free across its 44 state schools.

"We had a 'phone switched off and in your bag' policy for years. It was completely ineffective," says Damien McBeath, head teacher at John Wallis Academy, which launched its own smartphone-free policy in January, shortly before the formation of SFC. "Since Covid, we have seen a real decline in socially acceptable behaviour: lots of TikTok trends, pupils bundling into toilet cubicles, incidents of online predators sapping pupils' attention." McBeath adds that in his 25 years as a head teacher, smartphones have been "a tidal wave of issues and disruption".

In October 2024, SFC also launched a formal Smartphone Free Schools campaign, which has already inspired a number of other schools to attempt the policy. SFC says the concerns McBeath has are echoed by other teachers, who have reached out to the group for guidance and support.

"We have been inundated with stories from teachers grappling with the effects of smartphones, from distraction in lessons to cyber bullying and sharing of inappropriate content. This is an urgent situation that needs immediate government support," says Fernyhough.

Will Orr-Ewing, schools engagement lead for the Smartphone Free Schools campaign, adds: "The average child gets hundreds of notifications on their phone throughout the school day, a constant call on their attention, which leads them to check their phone whenever they are out of a teacher's eyeline, especially in bathrooms and breaktimes. That is why we recommend that schools devise ways to take the phone off the child's person for the full seven hours of the school day, either by use of pouches or lockers, or by prohibiting children from bringing in a smartphone at all, and recommending brick phones for travel instead."

Since adopting the smartphone-free policy, John Wallis Academy claims it has seen immense benefits both for pupils and staff, including a 40% reduction in the number of detentions, an 80% reduction in the rate of in-school truancy, and a reduction in staff turnover from 30% to 17%.

Campaigners and teachers believe broader support from the government could lead to nationwide change. Currently, just 11% of UK schools have effective smartphone restrictions in place. In an open letter to the Department for Education in October, head teachers, governing bodies and local councils urged the government to commit funding to support schools that aim to go smartphone-free.

Aside from parents and teachers, the proposed implementation of the UK's Online Safety Act has also been met with discontent from civil society groups, which have argued during the act's ongoing consultation that there is a need for tougher laws around online safety. Digital safety charity 5Rights, for example, claims: "Ofcom's proposals as currently drafted are light-touch and incomplete, and fail to meet the needs of children and the expectations of parliamentarians, civil society, parents and teachers."

Digital secretary Peter Kyle similarly told the BBC's Laura Kuenssberg that he was going to close loopholes in the Conservative government-led Online Safety Act, adding that the tech sector is "the only sector ... that can release products into society without proving they're safe before release".

Support for more stringent legislation is also echoed by the public. Recent polling from the Molly Rose Foundation, for example, revealed overwhelming public and parental support for a new Online Safety Act, with 84% of parents and 80% of adults backing a new act to strengthen online safety measures.

Labour MP Josh MacAlister has also recently launched a Private Member's Bill, which could potentially lead to providing statutory guidance on smartphone use in schools, and increasing the age of internet adulthood from 13 to 16. The MP and former teacher was vocal on the importance of this policy for disadvantaged children in particular. The bill also aims to strengthen regulator Ofcom's powers so that it can enforce a code of conduct to tackle the addictive-by-design nature of social media platforms such as Instagram and TikTok.

Concerns around addictive design models were echoed in a joint agreement on online safety from the UK and US governments, stating: "Both countries acknowledge that risk-based and safety, privacy and inclusivity-by-design approaches throughout design, development and deployment are fundamental to children's safety and well-being online, alongside increased transparency and accountability from online platforms."

Read more about online harms:
- Ofcom issues online safety warning to firms in wake of UK riots: Ofcom has issued a warning reminding social media firms of their upcoming online safety obligations, after misinformation about the Southport stabbings sparked racist riots throughout the UK.
- UK and US pledge closer working on children's online safety: In their first agreement on the subject of children's online safety, the UK and US governments have said they will create a new working group to boost cooperation.
- Misinformation runs deeper than social media: While social media may contribute to the increasingly rapid spread and reach of misinformation, the root causes of the problem go much deeper than the role of a particular company or way of using technology to communicate.
-
Zero-day exploits increasingly sought out by attackers

Threat actors increasingly favour zero-day exploits to attack their victims before patches become available, according to the NCSC and CISA, which have just published a list of the most widely used vulnerabilities of 2023.

By Alex Scroxton, Security Editor. Published: 12 Nov 2024 16:49

Threat actors, both state-backed and financially motivated, are increasingly taking advantage of previously unknown vulnerabilities, or zero-days, to compromise their victims before fixes or patches are made available by the tech industry, according to a new advisory published by the Five Eyes cyber agencies, including the UK's National Cyber Security Centre (NCSC) and the United States Cybersecurity and Infrastructure Security Agency (CISA).

The agencies have collectively drawn up a list of the 15 most exploited vulnerabilities of 2023 and found that the majority of exploited vulnerabilities were zero-days, compared to less than half in 2022. The trend has continued through 2024, said the NCSC.

The NCSC said that defenders needed to up their game when it comes to vulnerability management, paying particular attention to applying updates as quickly as possible when they do arrive, and to making sure they have identified all the potentially affected IT assets in their estates.

The organisation also urged suppliers and developers to do more to implement secure-by-design principles into their products, something that the Five Eyes governments (Australia, Canada, New Zealand, the UK and the United States) have become particularly vocal about in the past 18 months. Doing so helps reduce the risk of vulnerabilities being accidentally introduced during development, only to be taken advantage of further down the line.

"More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organisations and vendors alike as malicious actors seek to infiltrate networks," said NCSC chief technology officer (CTO) Ollie Whitehouse. "To reduce the risk of compromise, it is vital all organisations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace."

"We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source," he added.

The full list of the vulnerabilities most frequently exploited during 2023 is as follows:
- CVE-2023-3519, a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway;
- CVE-2023-4966, a buffer overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway, aka Citrix Bleed;
- CVE-2023-20198, an elevation of privilege (EoP) issue in Cisco IOS XE Web UI;
- CVE-2023-20273, a web UI command injection bug in Cisco IOS XE;
- CVE-2023-27997, a heap-based buffer overflow flaw in Fortinet FortiOS and FortiProxy SSL-VPN;
- CVE-2023-34362, a SQL injection vulnerability in Progress MOVEit Transfer, infamously exploited by the Cl0p ransomware gang, the fall-out from which is still being felt;
- CVE-2023-22515, a broken access control vuln in Atlassian Confluence Data Center and Server;
- CVE-2021-44228, a remote code execution (RCE) issue in Apache Log4j2, aka Log4Shell, the source of a major incident at the end of 2021 and still being widely abused years later;
- CVE-2023-2868, an improper input validation flaw in Barracuda Networks ESG Appliance;
- CVE-2022-47966, an RCE issue in Zoho ManageEngine;
- CVE-2023-27350, an improper access control vulnerability in PaperCut MF/NG;
- CVE-2020-1472, an EoP vuln in Microsoft Netlogon, the source of another high-profile historic incident that there is now no excuse for not having addressed;
- CVE-2023-427983, an authentication bypass flaw in JetBrains TeamCity;
- CVE-2023-23397, an EoP issue in Microsoft Office Outlook, widely used by Russian spooks;
- And last but not least, CVE-2023-49103, an information disclosure vuln in ownCloud graphapi.

The full list, which can be downloaded from CISA, also contains details of a number of other issues that were observed being routinely exploited during 2023, prominent among them two vulnerabilities in Ivanti products disclosed in August 2023, and the infamous Fortra GoAnywhere flaw exploited, yet again, by the Cl0p gang.

Read more about recent zero-days:
- Qualcomm urges customers to patch the memory corruption vulnerability as Google researchers have observed targeted exploitation in the wild against the flaw.
- According to Fortinet, the FortiManager vulnerability "may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests".
- More than two weeks after threat actors exploited a zero-day vulnerability in a third-party utility to breach Rackspace, the details about the flaw and the utility remain unknown.
-
Microsoft fixes 89 CVEs on penultimate Patch Tuesday of 2024

Microsoft has issued fixes addressing a total of 89 new Common Vulnerabilities and Exposures (CVEs), 92 including third-party disclosures, to mark the penultimate Patch Tuesday of 2024, including four critical issues and a number of flaws that could be considered zero-days.

Of these issues, one meets the full traditional definition of a zero-day: a vulnerability that is both public and known to be exploited. This is CVE-2024-43451, a spoofing vulnerability in New Technology LAN Manager (NTLM) Hash.

NTLM is a set of security protocols used to authenticate users' identities. It dates back years and has been largely supplanted by vastly more secure protocols. Microsoft has not recommended its use in over a decade, but since it was used in Internet Explorer, it remains supported to some extent and continues to cause problems, not least because at this stage it is incredibly insecure.

In this instance, successful exploitation of this issue could lead to total loss of confidentiality, according to Microsoft, as it discloses a user's NTLMv2 hash to an attacker, who could then use it to authenticate as the user if the victim can be tricked into minimal interaction with a malicious file, which could include merely selecting or clicking it, not even opening it. This may make it considerably more dangerous than its comparatively low severity score may indicate.

Mike Walters, president and co-founder of Action1, explained: "This issue arises from the mechanism where NTLM authentication credentials, specifically NTLMv2 hashes, are improperly exposed via a maliciously crafted file. The root cause of this vulnerability lies in improperly handling file interactions within systems, potentially allowing attackers to extract NTLMv2 hashes without requiring complete file execution," he told Computer Weekly in emailed commentary.

All supported versions of Microsoft Windows are vulnerable to this issue, said Walters, especially if they use applications reliant on MSHTML and EdgeHTML platforms, while risk is further increased across different system environments thanks to the involvement of other scripting engines.

Walters said the main concern with CVE-2024-43451 is the disclosure of NTLMv2 hashes that can be used to authenticate as the user and leveraged in pass-the-hash attacks, enabling further lateral movement for a canny threat actor.

"This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems," he said. "Organisations that heavily use Windows in environments with substantial network file sharing or legacy applications dependent on Internet Explorer and related platforms face heightened risk. Those lacking robust user training and monitoring systems to detect unusual file interactions may be more susceptible to exploitation."

Also on the list is CVE-2024-49309, which is exploited but not yet public. This is an elevation of privilege (EoP) vulnerability in Windows Task Scheduler. It stems from an issue where authentication tokens or credentials are improperly managed and could allow a low-privileged attacker to gain deeper access if they can execute a malicious application designed for the purpose. It impacts multiple versions of Windows that incorporate Task Scheduler as part of their routine task automation processes, and it is thought that environments with shared or multiple-user setups may be particularly vulnerable to it.

"This vulnerability serves as a potential entry point for attackers who have already accessed a system with low privilege. Once privileges are escalated, these attackers can utilise this foothold for further lateral movement within a network or to exploit other vulnerabilities that necessitate higher access levels," said Walters. "The nature of this vulnerability is especially concerning in corporate settings where individual users possess specific task automation privileges that could be exploited to gain unauthorised access."

Four further vulnerabilities have been made public but as yet have seen no exploitation, according to Microsoft, and one of these, CVE-2024-5535, a remote code execution issue in OpenSSL, is among the three third-party disclosures incorporated into this month's drop. The other three are CVE-2024-43498, a remote code execution (RCE) vulnerability in .NET and Visual Studio; CVE-2024-49019, an EoP vulnerability in Active Directory Certificate Services; and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.

Chris Goettl, vice president of security products at Ivanti, shared further thoughts on both the Active Directory and Microsoft Exchange Server issues, and urged defenders to treat them as higher priorities than the official guidance might imply.

"[CVE-2024-49019] is rated Important and has a CVSS v3.1 score of 7.8. If exploited, the attacker could gain domain administrator privileges. The vulnerability does provide additional mitigations including removing overly broad enrol or auto-enrol permissions, removing unused templates from certificate authorities, and securing templates that allow you to specify the subject in the request," said Goettl. "The vulnerability affects Windows Server 2008 and later Server OS editions. From a risk-based perspective, a public disclosure puts this vulnerability at a higher risk of being exploited and may warrant treating the vulnerability as a higher severity."

Goettl continued: "[CVE-2024-49040] is rated Important and has a CVSS v3.1 score of 7.5. The vulnerability exists in the P2 From header verification. Microsoft Exchange Server is often targeted by threat actors who specialise in Exchange exploits. From a risk-based prioritisation perspective, the public disclosure and availability of PoC-level exploit code warrants treating this vulnerability as Critical."

Finally, three other Critical issues are listed: CVE-2024-43625, an EoP vulnerability in Microsoft Windows VMSwitch; CVE-2024-43639, an RCE vulnerability in Windows Kerberos; and CVE-2024-49056, an EoP vulnerability in Airlift.microsoft.com.
In each of these instances, no proof of concept has yet been made public and no exploitation in the wild has been observed.Read more about Patch TuesdayOctober 2024: Stand-out vulnerabilities in Microsofts latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilitieswill keep admins busy.August 2024: Microsoft patches six actively exploited zero-days among over 100 issuesduring its regular monthly update.July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-daysingled out for urgent attention.June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address inMicrosofts latest Patch Tuesday update.May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malwarethat is drawing attention.April 2024: Support for the Windows Server 2008 OS ended in 2020, but four years on and there's a live exploit of a security flawthat impacts all Windows users.March 2024: Two critical vulnerabilities in Windows Hyper-V stand out onan otherwise unremarkable Patch Tuesday.February 2024: Two security feature bypasses impacting Microsoft SmartScreen are on the February Patch Tuesday docket,among more than 70 issues.January 2024: Microsoft starts 2024 right with another slimline Patch Tuesday drop, but there are some critical vulnerabilities to be alert to, including a number ofman-in-the-middle attack vectors.0 Comments 0 Shares 5 Views
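The three Active Directory Certificate Services mitigations Goettl lists for CVE-2024-49019 (broad enrol/auto-enrol permissions, unused templates, templates where the requester supplies the subject) can be audited read-only from a domain-joined admin workstation. The PowerShell below is an added example, not code from Computer Weekly, Ivanti or Microsoft; it assumes the RSAT ActiveDirectory module is installed, uses the documented template attributes, flag bits and extended-right GUIDs, and treats the $BroadPrincipals list as an assumption to tune for your own domain.

```powershell
# Added example: read-only audit of AD CS certificate templates against the
# mitigations quoted above. Assumes RSAT ActiveDirectory module and read access
# to the Configuration partition; it changes nothing.
Import-Module ActiveDirectory

# Documented flag bits (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # in msPKI-Enrollment-Flag: manager approval
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'              # Client Authentication EKU OID

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Assumption: principals considered "overly broad" for enrol/auto-enrol. Tune per domain.
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Templates actually published: each CA's pKIEnrollmentService object lists the
# template names it will issue in certificateTemplates.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties 'certificateTemplates' |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'displayName', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage'

function Get-BroadEnrollees {
    # Returns the broad principals holding Enroll, AutoEnroll or GenericAll on a template object.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType -eq $EnrollRight -or
                $_.ObjectType -eq $AutoEnrollRight -or
                ($_.ObjectType -eq [Guid]::Empty -and
                 $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value.Split('\')[-1] } |
        Where-Object { $BroadPrincipals -contains $_ } | Sort-Object -Unique
}

$report = foreach ($t in $templates) {
    $nameFlag   = [int]($t.'msPKI-Certificate-Name-Flag')
    $enrollFlag = [int]($t.'msPKI-Enrollment-Flag')
    $isPublished     = $published -contains $t.Name
    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $clientAuth      = @($t.pKIExtendedKeyUsage) -contains $ClientAuthEku
    $broad           = @(Get-BroadEnrollees -DistinguishedName $t.DistinguishedName)

    $findings = @()
    if (-not $isPublished) { $findings += 'not published on any CA: candidate for removal' }
    if ($suppliesSubject -and -not $needsApproval) {
        $findings += 'requester supplies subject without manager approval'
    }
    if ($broad.Count -gt 0) { $findings += "broad enrol/auto-enrol: $($broad -join ', ')" }

    [pscustomobject]@{
        Template        = $t.displayName
        Published       = $isPublished
        SuppliesSubject = $suppliesSubject
        ManagerApproval = $needsApproval
        ClientAuthEku   = $clientAuth
        Findings        = ($findings -join '; ')
    }
}

# Highest-risk combination first: published, requester-controlled subject and usable
# for client authentication. Everything else follows for completeness.
$report |
    Sort-Object @{ Expression = { $_.Published -and $_.SuppliesSubject -and $_.ClientAuthEku }; Descending = $true } |
    Format-Table -AutoSize -Wrap
```

Templates that are published, let the requester supply the subject, carry a client-authentication EKU and are enrollable by a broad group are the ones to fix first; the other rows show what removing unused templates and tightening permissions would cover.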
UK Bolt drivers win legal claim to be classed as workers

UK drivers working for ride-hailing and food delivery app Bolt should be classed as staff rather than self-employed, the Employment Tribunal has ruled.

Being classified as workers means more than 100,000 Bolt drivers are now entitled to better workplace conditions and protections for the first time under UK employment law, including the right to be paid the national minimum wage and to receive statutory minimum holiday pay and rest breaks, as well as protection from unlawful discrimination and whistleblowing.

The Employment Tribunal specifically rejected Bolt's claim that drivers are self-employed contractors running their own businesses, finding instead that the terms and conditions the firm applies to its relationship with drivers, as well as the level of control it has over their day-to-day work, mean they are in fact workers.

"Overwhelmingly, the power lies with Bolt," said the ruling. "There is nothing in the relationship which demands, or even suggests, agency. The agency notion is posited simply to defeat the obvious interpretation which the facts invite: that Bolt employs the drivers to provide their labour in furtherance of its transportation business."

It added: "The supposed contract between the Bolt driver and the passenger is a fiction designed by Bolt (and in particular its lawyers) to defeat the argument that it has an employer/worker relationship with the driver."

While Bolt currently only pays its drivers for time spent on trips, the Employment Tribunal also ruled they should be paid for time spent logged into the Bolt app, providing they are not also logged into apps for other private hire operators such as Uber or Deliveroo, a practice those operators refer to as "multi-apping".

Lawyers from Leigh Day representing the drivers said the Employment Tribunal decision, which was handed down on 8 November 2024 following a three-week hearing in September, could lead to drivers receiving collective compensation worth more than £200m. They added that, on average, drivers could be entitled to compensation of over £15,000.

While the ruling means Bolt will need to provide paid holiday and ensure drivers earn the minimum wage for any periods they work, the Employment Tribunal will hold a further session to decide exactly how much compensation the drivers are entitled to.

"We are very pleased that the Employment Tribunal has found in favour of our Bolt driver clients," said Leigh Day employment team solicitor Charlotte Pettman, who represented roughly 15,000 current and former Bolt drivers in their legal action.

"This judgment confirms that gig economy operators cannot continue to falsely classify their workers as independent contractors running their own business to avoid providing the rights those workers are properly entitled to. We call on Bolt to compensate our clients without further delay."

Bolt driver Shuhel Ahmed also welcomed the ruling, adding: "It's satisfying to know that our hard work and long hours have been recognised, and that we can fight on for better pay and conditions, and compensation will make a huge difference to my family's life."

A spokesperson for Bolt, which is currently reviewing its options, including grounds to appeal the decision, said: "Drivers are at the heart of what we do, and we have always supported the overwhelming majority's choice to remain self-employed, independent contractors, protecting their flexibility, personal control and earning potential."

The legal claim from Bolt drivers followed the UK Supreme Court determining in February 2021 that Uber drivers, who were also represented by Leigh Day, should be classified as workers rather than self-employed. That specific legal challenge was brought by private hire driver Yaseen Aslam and his union, the App Drivers and Couriers Union (ADCU).

However, although Uber agreed in March to pay its UK drivers the minimum wage, it said this would only apply for the time they are assigned to trips, rather than, as the Supreme Court explicitly ruled, from the time they log in to the app.

Commenting on the latest Employment Tribunal decision regarding Bolt, which explicitly noted that drivers should be paid for all time spent logged into the app, ADCU general secretary Zamir Dreni said it "vindicates our position on working time and demonstrates that neither Bolt nor Uber have ever fully complied with the Supreme Court ruling, which means that between 40% and 60% of true working time remains unpaid".

"Rather than force workers back into courts for another decade of litigation, the government needs to step in now and fix the current employment bill, which omitted protections for gig workers, so that Britain's hard-working minicab drivers and delivery couriers get the protections they deserve."

However, different rulings related to the working relationship between drivers and other operators have come to different conclusions.

In June 2021, the UK Court of Appeal ruled, in a case originally brought by the Independent Workers Union of Great Britain (IWGB) in 2017, that Deliveroo riders are self-employed, further finding they do not have the right to organise via a trade union.

Despite this, one judge conceded that the ruling could be seen as counterintuitive, because "it is easy to see that riders might benefit from organising collectively to represent their interests, as against Deliveroo".

Another judge agreed that the decision may seem counterintuitive, adding: "I quite accept that there may be other cases where, on different facts and with a broader range of available arguments, a different result may eventuate."

Lord Justice Underhill added that the Uber case, which largely revolved around UK-specific employment law, had no bearing on this Deliveroo case because it did not engage Article 11 of the European Convention on Human Rights (which protects the right to form and join trade unions), adding that, unlike Deliveroo, Uber did not rely on any substitution clause that meant others are allowed to complete the work.

In September 2022, the IWGB once again appealed the ruling, arguing that riders have been denied collective bargaining rights and once again seeking to establish their worker status. However, this was dismissed by the Supreme Court in November 2023, which noted the way riders work with Deliveroo is inconsistent with an employment relationship.
Hyperscalers' net-zero plans hit roadblock

By Cliff Saran, Managing Editor. Published: 11 Nov 2024 15:30

Hyperscalers are looking at nuclear to power their energy-hungry datacentres and meet net-zero targets, but regulations may curb their plans.

In 2022, datacentres were estimated to consume about 2% of global energy. By 2026, that number is predicted to double to 4%, equivalent to about 1,000 terawatt hours a year, which, according to Gartner, is equivalent to the consumption of a country the size of Japan.

Lloyd Jones, vice-president analyst at Gartner, said the company's energy utility clients are saying no to datacentres because they cannot guarantee 24/7, 365-days-a-year uninterruptible supply.

But there is plenty of interest in the use of nuclear power as an alternative to fossil fuels to provide localised power for datacentres.

Last month, Alphabet signed a deal with Kairos Power to develop the use of small modular nuclear reactors (SMRs) to complement the company's use of renewables to power its datacentres. Michael Terrell, senior director of energy and climate at Google, said in a blog post that the deal with Kairos Power would help the hyperscaler reach its net-zero targets for emissions.

In September, Microsoft announced a 20-year agreement to buy electricity from Constellation Energy's Three Mile Island (TMI) nuclear plant, and in March, Amazon acquired Talen Energy's Cumulus Data Assets datacentre site, which is opposite the Susquehanna Steam Electric Station.

In a new report, Powering data centers with new nuclear capacity faces tech, regulatory challenges, ratings agency Moody's notes that nuclear power enables electricity generating capacity free of greenhouse gas emissions and, unlike renewable energy sources such as solar or wind, nuclear reactors provide a 24/7, dispatchable source of electricity.

But the report also highlights the risk of SMRs, which are considered a new technology. As Moody's points out, efforts to develop new nuclear generating capacity in the US have been frequently marked by construction holdups and cost overruns that have caused significant credit deterioration, severe financial distress and even utility bankruptcies. For instance, Utah Associated Municipal Power Systems and NuScale Power Corporation said in November 2023 that they had decided to terminate their plans to build an SMR because of rising development costs.

While hyperscalers are busy signing deals to build out nuclear power plants to power their datacentres, Jones said: "Take this with a pinch of salt, because we have not seen a small modular nuclear reactor being licensed and being built as a prototype, never mind receiving a licence for commercial manufacturers at industrial scale."

Moody's notes that the technology is still under development and is likely to face heavy regulatory scrutiny. In addition, the ratings agency noted that efforts in the US to develop new nuclear generating capacity have been frequently marked by construction holdups and cost overruns.

Given that SMRs have yet to be built in a way that can make them operationally cost-effective, Jones predicts the hyperscalers will slowly roll back some of their net-zero commitments. The only thing they can do, he said, is use power from gas generators, which they will need to install on-site since the utility firms are curbing applications for more datacentre power. "Commitments are being rolled back on quietly and we're seeing artificial intelligence's (AI's) dirty secret puffing out as carbon intensity rises," he added, referring to the vast power requirements needed to run machine learning and AI inference workloads.

However, building such microgrids on-site to generate electricity local to datacentre facilities is likely to face intense regulatory scrutiny. In what amounts to a major setback for Amazon Web Services, the US Federal Energy Regulatory Commission recently ruled against regional electricity transmission firm PJM Interconnection's request to increase the capacity of Talen and Amazon's interconnection service agreement to 480MW from the currently approved 300MW.

Moody's said the order is likely to slow the proliferation of "behind the meter" deals, under which datacentres are able to purchase electricity directly from a power plant on the same site, enabling them to bypass transmission and distribution costs. Such agreements would, in theory, provide datacentres with the quickest access to existing generation, Moody's said.

It's likely there will be more regulatory barriers to overcome before microgrids and the idea of SMRs providing on-site power for datacentres get any closer.

However, Moody's believes that utility companies can help to de-risk the development of SMRs by working closely with the tech sector. Such partnerships would help to make SMRs commercially viable, and help both sectors' carbon transition efforts. The scale and financial resources of hyperscalers like Amazon, Google, Microsoft and Meta Platforms position them well to shoulder the associated financial burdens of SMR development, Moody's said.
NetApp boosts AFF, StorageGrid and E-series hardware with 60TB drives

NetApp has upgraded its AFF A- and C-series flash storage arrays while also boosting capacity and performance in StorageGrid object storage and E-series storage area networks (SANs), mostly as a result of new 60TB drives plus central processing unit (CPU) and backplane enhancements.

AFF A- and C-series (performance- and capacity-oriented respectively) get new-generation CPUs, reworked peripheral component interconnect express (PCIe) connectivity, and are now fully modular to allow component upgrades in place while the chassis remains. With 60TB drives, capacity is boosted too.

Storage is via the Ontap operating system and can be file, block or object. That said, NetApp also has its ASA block storage array, which it upgraded in September. Dedicated object storage capacity comes in its StorageGrid line, of which more below. AFF arrays come with full cloud connectivity for backup, tiering and migration.

The arrays in the performance-oriented A-series are the A20, A30 and A50. NetApp claims they are now 41%, 96% and 153% quicker than their predecessor products, the A150, A250 and A400.

These new arrays replace existing ones at the lower end of the AFF range. They complement the A70, A90 and A1K at the high end, which go to nearly 4PB raw and more than 15PB usable in the A1K, with nearly 200PB possible in a cluster configuration.

In the QLC flash-equipped C-series, the new arrays are the C30, C60 and C80. Maximum capacity in the largest of these is nearly doubled over its predecessor, the C800, from 7.4PB to 14.7PB, while at the other end, the new C30 goes to 2.2PB compared with the older C250, which went to 1.5PB. Possible capacities in the C-series can go to just over 700PB in a cluster of C80 arrays.

Grant Caley, UK and Ireland solutions director at NetApp, said: "Since the advent of flash storage, the bottleneck of disk performance is no longer the factor for platform refreshes. Now it is about controller performance to that storage. So, capacities aren't changing significantly, but controller performance is."

Also, NetApp's StorageGrid object storage arrays, the offspring of E-series hardware and Bycast object storage software, get an upgrade centred on 60TB drives, with more than 2PB possible in 3U in its SGF6112 product. An upgrade to StorageGrid software also allows for workloads in a cluster to be segregated into nodes for data only and metadata, plus 5,000 buckets per tenant possible.

While object storage is possible in NetApp's Ontap-equipped hardware, StorageGrid targets dedicated object storage use cases. "Dynamic policy management allows the customer to decide on security, lifecycle, etc, in a much larger platform than object in Ontap, which is aimed at transient storage of object data or where it is managed by an application, such as backup," said Caley.

Meanwhile, the company's E-series SAN arrays, the only ones in the product line that don't use the Ontap OS, also get 60TB drives and a CPU refresh, to provide two new platforms. These are the E4012 and E4060, which go to 264TB and 1.3PB raw capacity respectively. Those go to 2.1PB and 6.6PB raw with expansion shelves.

E-series hardware is SAN-only, and aimed at customers that want affordable, basic storage capacity. Caley said the E-series target is "simple SAN".

"It has snapshots and replication but is aimed at video surveillance, backup, archive storage," he said. "It is for extreme performance or density, not data management, and has InfiniBand, so it can be used for HPC storage."

Besides array hardware upgrades, NetApp also announced a raft of enhancements to the software ecosystem surrounding it. These included Kubernetes data protection in Trident that includes snapshots, backup and restore, disaster recovery, and workload migration, available on-premises and in the cloud.

Trident's data protection features are now also available where it works with Red Hat's OpenShift environment, where there are also new collaborations between NetApp and Cisco in FlexPod converged offerings for OpenShift configurations aimed at virtualisation and artificial intelligence.
IAM: Enterprises face a long, hard road to improve

Identity and access management (IAM) is a difficult and enduring challenge for enterprises. Organisations need to balance securing and managing identities effectively with ease of use for employees, customers and suppliers. Put in too many layers of identity and access control, and the result is friction: processes that make it harder for employees to do their jobs.

"Many organisations start their identity journey with a combination of only short-term objectives, poor identity data, immature identity architecture and weak user verification," warns Scott Swalling, a cloud and data security expert at PA Consulting.

"A poor IAM approach, at best, can make it cumbersome and frustrating for your users and administrative staff. Onerous processes that don't take full advantage of IAM capabilities will breed users finding ways around them, as they always have, leading to security issues and potentially breaches."

Even with the expansion of measures such as multifactor authentication (MFA) and biometrics, access remains a weak spot in enterprise security, as well as in data compliance and privacy. IAM has become even more critical as enterprises move away from a fixed perimeter to flexible working, the cloud and web applications.

The scale of the problem is very real. According to Verizon's 2024 Data Breach Investigations Report, stolen credentials were used in 77% of attacks against basic web applications. Google's 2023 Threat Horizons report found that 86% of breaches involve stolen credentials.

"We need to transition to an identity-first security culture," warns Akif Khan, a vice-president analyst at Gartner who focuses on IAM. "If you don't identify your users, it's hard to have any type of security. If you don't know who is accessing your systems, how do you know if they should be accessing them, or not?"

IAM, Khan suggests, is replacing the old idea of organisations having a secure perimeter. The risks of relying on perimeter security alone are clear. In June this year, data breaches at Ticketmaster and Santander were traced back to unsecured Snowflake cloud accounts.

Securing privileged accounts goes hand in hand with strong identity management and initiatives such as zero trust. But as zero trust requires significant, long-term investment, CIOs and CISOs should also be looking to improve existing security for credentials and move to risk-based approaches for identity.

This is prompting organisations to move towards policy-based access controls and risk-adaptive access controls. These systems allow firms to enforce multifactor authentication if an action appears high risk, or block it altogether. But this depends on a clear IAM strategy throughout the organisation.

"Get the basics right to ensure you have clear visibility and control of who has access to your resources," recommends PA's Swalling. "Ensure identity data is good. Coupling this with robust privilege access management, utilising automation and machine learning where possible, will streamline and enhance administrative tasks and reduce user frustration."

Frustrated users make for ready victims, agrees Mustafa Mustafa, EMEA solutions manager for identity at Cisco, with a very real risk of MFA flood attacks.

Cisco is a proponent of the zero-trust security model, but Mustafa admits few organisations have fully achieved it. In fact, Cisco research found that 86% of enterprises have started on zero trust, but just 2% say they have reached maturity. Barriers include complexity and an inconsistent user experience.

"The principle is trust no one, verify everyone," says Mustafa. "The only way to implement a zero-trust policy is continuous verification of all users, devices and applications at all times and locations within or outside a given network. This includes deploying multifactor authentication, least privilege access and micro-segmentation."

Zero trust is worth the effort, he argues. It improves security, compliance and risk management, but also simplifies operations once it is properly implemented, and potentially allows organisations to reduce administration overheads, costs, and delays and frustrations for users. It also makes hybrid and remote working easier to manage.

Meanwhile, enterprises need to continue to invest in MFA, identity governance and administration, privileged access management, and single sign-on, to list just a few. This can force CIOs to operate in two lanes: one for improving security around identity and access now, and a separate, longer-term objective of moving to zero trust.

In time, this will include making more use of artificial intelligence (AI) to spot unusual user behaviour or actions that could be evidence of a breach, and a move towards IAM based on risk, rather than just identity. This is sometimes also called adaptive authentication.

"By integrating real-time risk assessments, organisations can grant access based on context rather than identity alone," says John Paul Cunningham, CISO at Silverfort, an identity protection provider. "This shift would reduce the operational overhead and data burden of managing authentication and authorisation." Ultimately, adopting this model would enable businesses to strengthen security, improve user experiences and lower the cost of maintaining identity security, he says.

In practice, organisations are likely to rely on layers of security for layers of access, at least for now.

"The more forward-thinking organisations are prioritising identity. But the challenge still exists of stitching together disparate systems," says Cunningham. "Looking at the future you can build new platforms, but people still have a lot of legacy architecture."

However, enterprises still need to verify the identity of a user, whether an employee, supplier, or customer, in the first place. Here, the move towards global identity wallets (GIWs), usually part of a government-backed scheme, can help.

Most often associated with digital government initiatives, GIWs might not be the most suitable tool for day-to-day access management, but they could play a role in onboarding staff or customers, and potentially cut fraud and credential theft. Already, there is some convergence between GIWs and IAM, with Microsoft's Entra Verified ID integrated into the company's Authenticator app, for example.

According to Gartner, more than 500 million people worldwide will use phone-based digital identity wallets by 2026. This represents significant growth, and should ease a number of issues around identity verification, especially for government services.

"In principle, you could have an identity wallet on your phone, and it's not hugely different from an authenticator app. That could be used," says Khan. "It's not a Microsoft ID, but an ID in a Microsoft app."

Open standards around digital ID and interoperability between platforms are likely to drive adoption among government agencies and, in turn, take-up by citizens. Global identity wallet technology, for all its advantages, is likely to be too expensive for enterprises to set up on their own. And part of its advantage lies in scale, and in the trust that comes with government-issued ID.

"The market is moving towards portable digital identity, so users won't have to verify their identities again and again, but instead have an ID wallet on a mobile device which verifies that ID," says Khan.

Businesses that currently pay for third-party identity verification services could even save money through a GIW. "How the commercials stack up will be key to this," he says. Organisations also need to accept the identity asset in the wallet, which is again why government backing, and open standards and interoperability, are so important. And using GIWs could give advantages in areas as diverse as recruitment or providing services to new customers.

"From a technical point of view, it makes perfect sense if there is a route to onboard someone more quickly," says Khan. "In a competitive market, organisations will look to explore that."

Even so, GIWs look set to be part of the IAM landscape, rather than a replacement for internal identity and authentication systems. "You have an ID, and that ID has attributes such as 'I'm an employee of Gartner'. Then you have your attributes for access rights, which is layers upon layers of information," says Khan. "That might not all be in the wallet." Firms will still need to check details against their own identity infrastructure.

The prospects for enterprise use of identity wallets, and much of the future development of IAM, will depend on the type of information, and the levels of access, organisations need to secure.

Digital wallets can play a significant role in day-to-day authentication, extending beyond one-off events like onboarding or identity verification, says Silverfort's Cunningham. "By embracing digital wallets as a daily authentication tool, organisations can strengthen their security posture while enhancing user convenience and productivity."

He expects to see take-up in healthcare, government, access to benefits and border control, at least initially.

But digital wallets could also strengthen MFA and give hard-pressed data security teams some breathing space as they look at longer-term options, including zero trust.

"Digital wallets serve as an additional factor in MFA, a unique identifier similar to certificate-based tokens, and a secure storage solution for sensitive data like passwords and cryptographic keys," says Cunningham. Used well, they could improve security and ease of use while also reducing support costs for enterprises.

NetApp boosts AFF, StorageGrid and E-series hardware with 60TB drives

NetApp has upgraded its AFF A- and C-series flash storage arrays while also boosting capacity and performance in StorageGrid object storage and E-series storage area networks (SANs), mostly as a result of new 60TB drives plus central processing unit (CPU) and backplane enhancements.

AFF A- and C-series (performance- and capacity-oriented respectively) get new-generation CPUs, reworked peripheral component interconnect express (PCIe) connectivity, and are now fully modular to allow component upgrades in place while the chassis remains. With 60TB drives, capacity is also boosted.

Storage is via the Ontap operating system and can be file, block or object. While that is the case, NetApp also has its ASA block storage array, which it upgraded in September. Dedicated object storage capacity comes in its StorageGrid line, of which more below. AFF arrays come with full cloud connectivity for backup, tiering and migration.

The arrays in the performance-oriented A-series are the A20, A30 and A50. NetApp claims they are now 41%, 96% and 153% quicker than their predecessor products, the A150, A250 and A400.

These new arrays replace existing ones at the lower end of the AFF range. They complement the A70, A90 and A1K at the high end, which go to nearly 4PB raw and more than 15PB usable in the A1K, with nearly 200PB possible in a cluster configuration.

In the QLC flash-equipped C-series, the new arrays are the C30, C60 and C80. Maximum capacity in the largest of these is nearly doubled over its predecessor, the C800 (from 7.4PB to 14.7PB), while at the other end, the new C30 goes to 2.2PB compared with the older C250, which went to 1.5PB.

Possible capacities in the C-series can go to just over 700PB in a cluster of C80 arrays.

Grant Caley, UK and Ireland solutions director at NetApp, said: "Since the advent of flash storage, the bottleneck of disk performance is no longer the factor for platform refreshes. Now it is about controller performance to that storage. So, capacities aren't changing significantly, but controller performance is."

Also, NetApp's StorageGrid object storage arrays (the offspring of E-series hardware and Bycast object storage software) get an upgrade centred on 60TB drives, with more than 2PB possible in 3U in its SGF6112 product. An upgrade to StorageGrid software also allows for workloads in a cluster to be segregated into nodes for data only and metadata, plus 5,000 buckets per tenant possible.

While object storage is possible in NetApp's Ontap-equipped hardware, StorageGrid targets dedicated object storage use cases.

"Dynamic policy management allows the customer to decide on security, lifecycle, etc, in a much larger platform than object in Ontap, which is aimed at transient storage of object data or where it is managed by an application, such as backup," said Caley.

Meanwhile, the company's E-series SAN arrays (the only ones in the product line that don't use the Ontap OS) also get 60TB drives and a CPU refresh, to provide two new platforms. These are the E4012 and E4060, which go to 264TB and 1.3PB raw capacity respectively. Those go to 2.1PB and 6.6PB raw with expansion shelves.

E-series hardware is SAN-only, and aimed at customers that want affordable, basic storage capacity. Caley said the E-series target is "simple SAN".

"It has snapshots and replication but is aimed at video surveillance, backup, archive storage," he said. "It is for extreme performance or density, not data management, and has Infiniband, so it can be used for HPC storage."

Besides array hardware upgrades, NetApp also announced a raft of enhancements to the software ecosystem surrounding it. These included Kubernetes data protection in Trident that includes snapshots, backup and restore, disaster recovery, and workload migration, available on-premise and in the cloud.

Trident's data protection features are now also available where it works with Red Hat's OpenShift environment, where there are also new collaborations between NetApp and Cisco in FlexPod converged offerings for OpenShift configurations aimed at virtualisation and artificial intelligence.

Loan charge under review: Second inquiry into controversial contractor tax policy announced

The UK government has committed to resolving the fallout from a controversial, retroactive UK tax policy that has left thousands of IT contractors living under the shadow of life-changing tax bills since it came into force in April 2019.

In its recently announced Autumn Budget 2024, the government confirmed the policy (known as the Loan Charge) will be subject to an independent review "to help bring the matter to a close for those affected, whilst ensuring fairness for all taxpayers".

The government's wording here is interesting, because it neatly highlights the conflict and controversy at the centre of this policy, which has plunged contractors into financial ruin and been linked to at least 10 suicides.

The policy was created to claw back money HM Revenue & Customs (HMRC) claims it is owed by thousands of contractors who joined loan-based remuneration schemes between December 2010 and April 2019.

Participants in these schemes are typically paid in part for the work they do in the form of non-taxable loans. This means they pay no tax on this loan-based income, allowing participants to bolster their take-home pay.

Given HMRC's role as the UK government's tax collection agency, it's not difficult to see why it sought to clamp down on people using loan-based remuneration schemes to artificially minimise the amount of income tax they pay.

However, the policy's critics claim it fails to take into account that when these schemes were first set up, many were erroneously marketed as being an HMRC-compliant means for contractors to bolster their take-home pay, with individuals often advised to join such schemes by respected tax advisers.

It's further claimed contractors were also reportedly told they would be unable to work for certain end-hirers unless they agreed to be paid in loans.

For this reason, the contractors now being pursued by HMRC for backdated income tax payments claim they are victims of mis-selling, and are facing financial ruin for agreeing to be part of an arrangement that trusted sources assured them was safe and compliant to participate in.

The situation has prompted calls from a 200-strong group of cross-party MPs for HMRC to stop doggedly pursuing the individuals involved, and instead direct its enforcement efforts towards the employers, agencies and scheme promoters who advised people these setups were safe to use.

Given the amount of time that has passed since contractors took part in these schemes and HMRC began its Loan Charge enforcement action, tracking these parties down could prove difficult, as many of these firms and individuals have since disappeared from the market.

Since the policy's introduction, there has been talk of legal challenges being mounted to overturn the policy, and campaigns calling for the government to write off some of the tax amounts that are owed by contractors.

As confirmed by the government in its statement about its plans to place the policy under independent review, the Loan Charge legislation remains in force, and any repayment settlement plans contractors have in place with HMRC must be honoured until the outcome of the review is known. "HMRC will consider what updates need to be made to relevant guidance once the government announces further details about the review and once the review has concluded," the government said in its statement.

At the time of writing, no further details have been forthcoming from the government about what shape this independent review will take, or who will be tasked with overseeing it.

Computer Weekly contacted HMRC for further details, but was told HM Treasury would be fielding questions on the Loan Charge review. At the time of writing, though, no response to Computer Weekly's questions had been received.

This will be the second independent review the policy has been the subject of, with the first appearing in December 2019, after months of delays.

Dave Chaplin, CEO of contracting authority ContractorCalculator, said a new review into the inner workings of the Loan Charge is "most welcome".

"The human cost of this heavy-handed and poorly implemented policy cannot be overstated," he said. "HMRC must be held accountable for this punitive, retrospective tax, which has had devastating consequences, with some affected individuals tragically taking their own lives due to the immense pressure."

The first Loan Charge review was overseen by ex-National Audit Office (NAO) chief Amyas Morse, and was focused on ascertaining if the policy was the most appropriate way to tackle disguised remuneration.

In the immediate aftermath of its publication in December 2019, the government announced a couple of amendments to the loan charge policy, including one that pledged to write off the tax bills of 11,000 people previously caught in its scope.

It achieved this by cutting 11 years off the original 20-year period the policy covered, and by cancelling the Loan Charge for any individuals who had previously disclosed on their tax returns to HMRC that they participated in a scheme, if the agency failed to act on this information.

The review also prompted the government to revise the policy's repayment terms by making it possible for those in scope to pay back what they owe over several tax years instead of one.

While these amendments were initially welcomed by contracting market stakeholders, once the dust settled on the December 2019 review, misgivings about its contents began to surface, with tax advisers and contractors claiming the proposed changes did not go far enough.

Some six months after the review dropped, in June 2020, a cross-party group of MPs operating as the Loan Charge All-Party Parliamentary Group (APPG) claimed its contents had been subject to "outside interference" by HMRC and the Treasury, which the latter denied in a statement to Computer Weekly at the time.

Meanwhile, campaigners from the Loan Charge Action Group (LCAG) have been calling for all retrospective elements of the policy to be removed for years, and in a statement, its spokesperson, Steve Packham, said this second review into the policy must be genuinely independent and take a much broader look at how the fallout from the Loan Charge came to be.

On this point, Packham said LCAG is keen for the review to touch on how the IR35 off-payroll rules fuelled the emergence of loan-based remuneration schemes at the turn of the century, and also HMRC's treatment of contractors caught up in the Loan Charge.

"It is hugely positive that the Chancellor, Rachel Reeves, has made good on her promise to commission a fresh, independent review of the Loan Charge," he said. "We thank her and James Murray for this and for actually listening to those whose lives have and are being ruined by the Loan Charge scandal."

"This fresh review must be genuinely independent and this time must look at the whole issue, the role of IR35 legislation, the entire contractor supply chain and the misconduct and failures of HMRC," said Packham.

"There must now be a pause in related HMRC activity, to allow for the review to be established and to then properly examine the whole scandal, leading to a fair and final resolution for the thousands of families affected."

Computer Weekly asked HM Treasury if there were any plans to pause HMRC's Loan Charge enforcement activity as the finer details of the review are worked out, but no response was received at the time of publication.

For now, it remains to be seen what form this review will take, but it's safe to assume the tens of thousands of people living under the long shadow of the Loan Charge will be watching and waiting with interest.

Storage explained: Consumption models of storage procurement

Storage has long been the monolith of datacentre components. Deployed in forklift upgrades on multi-year refresh cycles, shiny new arrays have not taken long to lose their sheen and become complex to manage and laggardly in performance.

Meanwhile, the cloud has emerged and made pay-as-you-go a norm that perpetually retains the sheen of newness for the customer. It brings flexibility in use, deployment, upgrades, scalability, speed of development and roll-out, and with the promise of better cost efficiency.

And so storage suppliers have adapted. Procurement options now range from full ownership with lifetime upgrades to pay-as-you-go with storage capacity and performance upgrades triggered via AIOps monitoring.

In this article, we look at consumption models of storage, the pros and cons, and what's available from vendors.

The traditional storage refresh cycle takes place every three years and entails the entire replacement of all storage infrastructure by new hardware. It is a capital purchase in which ownership is transferred entirely to the customer, with licensing and support contracted from the supplier from then on.

There are some benefits to the traditional storage refresh cycle. These include that the customer gets a brand new set of hardware, with adequate capacity and sufficient storage controller power, plus confidence in the security and software update status of the equipment. Customers will likely see a huge improvement in performance following a refresh.

Often, new equipment will be more energy efficient and need far less maintenance, both of which cut costs. Scalability will be enhanced and new systems are more likely to provide better flexibility and integration with newer components of the wider infrastructure. Here, think cloud connectivity or containers, for example.

Most things that are benefits in traditional procurement cycles can also become downsides.

While equipment may arrive shiny, new and working well, with huge amounts of capacity to move into, performance will likely degrade over time.

With storage, increases in the volume of data held can affect performance and reliability. Technologies move on, and what was good two years ago might be in sore need of an upgrade now, and old hardware might just not scale easily after a certain point in its lifespan.

There are also limits to improvements that can come via software patching. The accumulation of updates over time can result in a complex build-up of infrastructure patches.

Older hardware will tend to suffer performance degradation and likely more outages. Meanwhile, outdated hardware will struggle to meet the needs of newer software and applications.

And then, when the time comes to upgrade infrastructure, there is likely to be huge disruption as installation, migration and go-lives take place.

Buying storage hardware outright entails a transfer of risk from the vendor to the customer. The customer may pay for maintenance going forward, but ultimately it's the customer's business that suffers if outages occur and/or the infrastructure falls short of what's required.

Capital expenditure (capex) is money spent to buy or upgrade physical, non-consumable assets. It's a one-time investment with ownership transferred to the buyer. Capex can't usually be deducted from taxes, but fixed assets can be depreciated over time to spread out expense over the lifetime of the asset.

Operational expenditure (opex) is money spent on day-to-day running costs that can be one-time or recurring. In storage and IT, the obvious example is payment for cloud services.

Opex is listed in financial statements and can be deducted for the year in which it occurs, and it is listed on the company's balance sheet. Opex is included in calculations of operating income, which is then used to calculate net income, or the bottom line.

Notably, some organisations (in the UK public sector, for example) have mostly paid for infrastructure via capex purchases, but that is changing.

Why is all this relevant to storage purchasing? The emergence of the cloud and the models of operating and purchasing that have arisen from it have established opex as a commonly used method of expenditure for storage and IT.

The cloud operating model arose with the consumption methods of purchasing prevalent in the cloud. Instead of owning infrastructure in the cloud, customers consume it.

The cloud operating model has a number of benefits for hardware procurement, including storage.

Key among these are that the organisation is not locked into the three-year refresh cycle, and can avoid all the downsides that come with it.

Storage hardware can be paid for on an as-you-go basis. That means the vendor makes sure equipment is updated, capacity is increased to meet current and future needs, and breakdowns are attended to.

That also means no disruptive forklift upgrades every three years, and no necessity to suffer increasing levels of infrastructure inefficiency as it ages. Equipment can be updated on an ongoing basis, with the latest hardware and required capacity always on tap.

Often that's taken care of via remote monitoring, in which some vendors allow for cloud-like purchasing of increased capacity and performance, while also monitoring for technical issues in the infrastructure stack.

Costs can come down, or can be matched more effectively to ongoing needs, as organisations pay for storage on a pay-as-you-go basis.

All that can also mean fewer on-premise employees for support and maintenance, while existing employees are freed to focus on more strategic projects.

While capex procurement entails a transfer of risk to the purchasing organisation, consumption (opex) procurement brings different concerns and risks.

This can include some loss of control. Where outright ownership can bring a feeling of control and security to the organisation, handing over ongoing maintenance and upgrades to a third party may entail the opposite.

It's potentially a double-edged sword, because to hand over responsibility is exactly what the customer wants from as-a-service purchasing. If all goes well, that's a benefit.

But when things go wrong in the traditional model, everything remains in the customer's hands. That might not be the case where a vendor monitors and controls on-premise infrastructure.

In particular, there may be security and compliance needs that a cloud service provider cannot adequately meet, which can mean as-a-service procurement just doesn't fit some organisations.

Some kind of relationship management with the vendor is absolutely essential for any customer in a cloud operating model, so that supply of services and their performance can be monitored and managed.

Finally, it can be argued that paying for storage infrastructure as a service brings supplier lock-in.

Storage vendors offer consumption purchasing that ranges from pure opex as-a-service models to fully owned capex spend, but with contracted hardware upgrades.

In as-a-service models, customers usually commit to base levels of usage, with upgrades to storage and controller hardware delivered as required.

At the capex end of the spectrum, customers can purchase storage hardware while still benefiting from upgrades to storage hardware, with monitoring and predictive analytics.

Dell Apex Flex on Demand

Dell's consumption model for hardware is Apex Flex on Demand. This allows customers to select from block, file and object storage hardware, plus data protection appliances.

Dell and its customers work out a committed capacity and a buffer capacity that is likely to be required in the future. Raw and usable capacity data is measured at component level using automated tools installed with the hardware.

Customers commit to a usage term, after which they can go month-to-month, extend the subscription, or return and refresh hardware. Also, customers can view and approve pre-invoice reports of metered infrastructure usage and costs via the APEX Console.

Storage available via Flex includes PowerStore, PowerMax, PowerFlex, PowerScale and ECS. PowerProtect DD and PowerProtect DP data protection appliances are also available, as are PowerEdge servers and HCI solutions.

HPE GreenLake

HPE GreenLake delivers preconfigured hardware and software and manages the system during its lifecycle, with payment via a monthly subscription fee.

Storage offered includes block, file and object, including HPE Primera high-end flash, HPE Nimble all-flash and hybrid-flash, Simplivity hyper-converged, Qumulo hybrid cloud scale-out storage, and StoreOnce data protection appliances.

Storage from GreenLake consumption comes alongside the whole of HPE's datacentre offer. So, GreenLake comes with the full range of the HPE offer behind it, from composable infrastructure such as HPE Synergy, to third-party software and services, and professional and operational services from HPE Pointnext.

Hitachi Vantara

Hitachi Vantara's Flex plans offer storage hardware via purchase or lease, as well as consumption models. The latter is EverFlex, its storage-as-a-service offer, which varies depending on whether infrastructure is managed and monitored by the customer or by Hitachi. Both of these are pay-per-use, cloud-like models.

IBM

IBM offers Storage as a Service and Storage Utility consumption purchasing.

Storage as a Service can work across on-premise datacentre and hybrid cloud and is based on IBM FlashSystem and DS8900F hardware. It comes with a base level to meet current needs plus 50% on top of that pre-installed. Base and expansion capacity are charged at the same rate.

Storage Utility is a pay-per-use model that delivers 200% over base needs capacity on day one, with datacentre upheaval avoided by over-provisioning and the use of IBM Storage Insights to monitor capacity needs.

Customers pay only for what they use, and if their data needs shrink during any month the bill will reflect capacity usage, with a minimum base. The purported benefit of over-provisioning is that additional capacity is readily available, at least within the contract period.

NetApp Keystone

NetApp Keystone offers hardware in various non-capex formats that include on-premise and cloud capacity.

Keystone payment options range from paying outright for the hardware (Flex Pay), through Flex Subscription pay-as-you-go, to Flex Utility, which aligns costs to usage.

A range of service levels is available, and billing is for predicted committed capacity, plus pay-per-use for burst capacity and support for file, block, object and cloud storage services.

NetApp's Active IQ dashboard allows customers to monitor and manage storage usage, provision storage and data protection policies, review usage and billing, and request capacity and services.

NetApp's BlueXP provides a single control plane in which all NetApp storage is visible, on-site and in public clouds.

Pure Storage

Pure Storage's as-a-service-like offerings come under the Evergreen brand.

Evergreen//Forever offers customers outright purchase, but with lifetime upgrades.

Evergreen//Flex allows hardware to be purchased but capacity bought on a pay-as-you-go basis. Capacity can be delivered on any Pure hardware that can host it. So, in theory, Flex allows customers to use capacity in any of their arrays.

Evergreen//One unifies on-premise and public-cloud storage resources in a single subscription to provide block, file and object storage. Customers pay only for what they use.

Pure1 management tools allow management across datacentre and cloud from a single dashboard. This includes monitoring and provisioning, as well as the ability to manage capacity and performance upgrades from Pure.

What are the security risks of bring your own AI?

Since the launch of ChatGPT by OpenAI in November 2022, interest in generative artificial intelligence (GenAI) tools has increased dramatically. Its ability to generate a response based on a question or request has seen it used for a variety of purposes, from writing emails to underpinning chatbots.

The recent Work Trend Index report by Microsoft, based on a survey of more than 31,000 professional employees, shows that 75% of knowledge workers are now using some form of GenAI in their jobs, and nearly half of those surveyed started using it within the past six months. However, nearly 80% of those using GenAI are bringing their own AI to work, and the percentage increases slightly when focusing on small businesses. It is worth noting that this adoption is not just by younger users, who are typically more likely to embrace new technology, but by users of all ages.

As more information is generated and needs to be processed, we increasingly struggle with what is known as digital debt. An example of this is email overload. The Microsoft report notes that approximately 85% of emails are read in less than 15 seconds, which shows why people are keen to move towards tools that help streamline the mundane tasks in their working lives.

"There is this digital debt that has built up over decades, but it has been accelerated during the pandemic," says Nick Hedderman, senior director of the modern work business group for Microsoft. "68% of the people we spoke to said they're struggling with the volume and pace of work. Nearly 50% said they feel burnt out."

The generative AI tools that are typically being used by professionals are those found on smartphones (such as Galaxy AI) or on the internet (such as ChatGPT). Unfortunately, because these tools are open source, they are outside of corporate oversight. Furthermore, when an online tool is free, the user is frequently the product, as their information is usable by others.

"If it's free, you need to think about it in the same way as any social media site. What data is it being trained on? In essence, are you now the commodity?" says Sarah Armstrong-Smith, chief of security for Microsoft. "Whatever you put in, is that going into training models? How are you verifying that data is held securely and not being utilised for other purposes?"

More than anything else, the use of external generative tools is a data governance challenge, rather than a GenAI problem, as it relies on shadow IT (hardware or software used in an organisation that is not overseen by the IT department).

"You've always had sanctioned versus unsanctioned applications. You've always had challenges with data sharing across the cloud platforms," says Armstrong-Smith. "If it's that easy to cut and paste something out of any corporate system and put it into a cloud application, irrespective of whether it's a generative AI app or any other app, you have a problem with data governance and data leakage. The fundamental issues of data control, data governance and all of those things don't go away. In fact, what it's highlighted is the lack of governance and control."

The data governance problem of using external generative AI tools is twofold.

First, there is data leakage, where users are copying potentially confidential information and pasting it into an online tool that they have no control over. This data could be accessed by others and used in the training of AI tools.

There is also leakage into an organisation, if unverified and uncorroborated information is added to an organisation's knowledge base. Users are all too often assuming that the information provided by an external GenAI tool is correct and appropriate; they are not corroborating the data to ensure it is factually accurate, which they would be more likely to do when searching for information on the internet.

"The danger is, if you take a random dataset that you have not verified and don't know what it's trained on, and then bring that dataset into a corporate environment or vice versa, you can even poison the actual model or the algorithm because you're introducing non-verified data into the corporate dataset," says Armstrong-Smith.

This latter is the more serious problem, as potentially incorrect or misleading data is incorporated into a knowledge base and used to inform decision-making processes. It could also poison datasets that are used to train in-house AI, thereby causing the AI to give misleading or incorrect information.

We have already seen instances of improperly used GenAI tools leading to poor results. Generative AI is being trialled within the legal profession as a possible tool to assist in writing legal documents. In one instance, a lawyer used ChatGPT to prepare a filing, but the generative AI hallucinated fake cases, which were presented to the court.

"In a corporate environment, you have to be mindful of the fact that it is business data," says Armstrong-Smith. "It is a business context, so what tools do you have available today that are going to have all the governance in place? It's going to have security; it's going to have resilience. It's going to have all of those things built in by design."

If a significant proportion of employees are routinely relying on external applications, then there is demonstrably a need for that digital tool. To ascertain the most appropriate generative AI solution, it is best to identify the use cases. That way, the most appropriate tool can be deployed to meet the needs of employees and to fit seamlessly into their existing workflow.

The key advantage of using a corporate generative AI tool rather than an open platform, such as ChatGPT, is that data management is maintained throughout the development process. As the tool is kept within the network boundaries, corporate data can be protected. This mitigates possible leakages from using external tools.

The protection offered by using a corporate AI tool is that the back-end system is protected by the AI provider. However, it is worth noting that protection for the front end (the use cases and deployment models) remains the responsibility of the user organisation. It is here that data governance remains key and should be considered an essential element of any development process when deploying generative AI tools.

"We've always referred to it as a shared responsibility model," says Armstrong-Smith. "The platform providers are responsible for the infrastructure and the platform, but what you do with it in terms of your data and your users is the responsibility of the customer. They have to have the right governance in place. A lot of these controls are already built in by default; they just have to take advantage of them."

Once generative AI tools are available in-house, employees need to be aware of their presence for them to be used. Encouraging their adoption can be challenging if employees have developed a way of working that relies on using external GenAI platforms.

As such, an awareness programme promoting the generative AI tool would educate users on the tool's accessibility and functionality. Internet moderation systems could also redirect users from external platforms to the in-house GenAI tool.

Generative AI is here to stay, and while expectations may have peaked, its uses are likely to grow and become ubiquitous.

"I think for a lot of companies, and where you will certainly see Microsoft focusing, is on this concept of agentic generative AI," says Hedderman. "This is where you take a business process and figure out how an agent might serve an organisation internally." An agent could operate within an organisation's network and carry out specific functions, such as scheduling meetings or sending invoices.

Although generative AI is a new technology that could mitigate mundane and time-consuming tasks, data protection continues to be a key concern. It is therefore incumbent upon organisations to make employees aware of the risks posed by using external tools, and to have the appropriate generative AI tools within their own network to protect the sanctity of their data.

"As we know with technology, as it gets more commoditised, the price is going to come down, which means AI is going to be more mainstream across the board and you've got more choice about what model to use," concludes Armstrong-Smith.
-
Beyond VPNs: The future of secure remote connectivity

As more companies adopt cloud services and remote work, the limitations of virtual private networks (VPNs) are becoming obvious. VPNs were designed to secure a fixed network perimeter, but they don't work well with decentralised, cloud-based infrastructures.

Today's complex IT environments need solutions that offer more than just encrypted traffic. Data shows that almost 70% of VPN providers fail to meaningfully comply with privacy regulations. In this current environment, other remote access alternatives are both more secure and come with fewer privacy-related inconveniences.

VPNs have been crucial for secure remote access but were designed for a time when employees worked in fixed locations, which isn't the case today. As more people work remotely and use cloud applications, VPNs have struggled to keep up.

One of the biggest issues is scalability. When too many employees and devices connect through a VPN, performance drops. This leads to slower speeds, higher latency and a frustrating user experience. VPNs also rely on a perimeter-based security model, assuming that everything inside the network is trusted. This leaves organisations exposed to threats that come from within the network.

Another problem is the lack of control. VPNs lack detailed, dynamic security policies. Once users connect, they can access more resources than they may need, which becomes a security risk if their credentials are stolen. This means that additional identity theft protection measures may be required, depending on the importance of the data involved.

VPNs also aren't built for cloud environments, where resources are distributed across different services, making them harder to secure.

Software-defined perimeter (SDP) is a modern security framework designed to provide secure remote access by hiding network resources from unauthorised users. Unlike traditional security models that rely on a fixed perimeter (such as firewalls), SDP takes a zero-trust approach, where no one is trusted by default, regardless of their location.

SDP works by dynamically creating secure, encrypted connections between users and the specific resources they need. It first verifies the user's identity, device and context before granting access, and only allows connection to the resources that user is authorised for. This approach reduces the attack surface because unauthorised users can't even detect the existence of resources they don't have access to.

Another key benefit of SDP is its flexibility. It's cloud-native, meaning it can secure connections across on-premise and cloud environments seamlessly. This makes it ideal for remote work, BYOD policies and hybrid infrastructures where traditional VPNs fall short.

Additionally, SDP minimises the risks of lateral movement within a network. Thanks to the zero-trust model, if an attacker gains access to one part of the network, they can't move freely to other areas. SDP also integrates well with multi-factor authentication (MFA) and other identity verification tools to enhance security further.

Secure access service edge (SASE) is a cloud-based architecture that combines network and security functions into a single, integrated service. Unlike traditional setups where security tools and networking are separate, SASE merges them, providing security and networking through the cloud. This approach is designed to support today's distributed workforces and cloud-based applications.

SASE offers important security features such as firewall-as-a-service (FWaaS), secure web gateways (SWG), cloud access security brokers (CASB), and zero-trust network access (ZTNA). These features work together to give users secure access to the resources they need from any location, without relying on traditional on-premise security systems.

A key strength of SASE is its scalability. It easily adapts to different environments, such as hybrid, multicloud and remote work setups. Since it operates in the cloud, SASE reduces the need for complex on-site infrastructure, saving costs and simplifying management.

SASE excels in performance as well. Instead of routing traffic through a centralised datacentre, which can cause delays and higher latency, SASE sends traffic through the nearest cloud service point. This results in faster data transmission and a smoother user experience. Studies have shown that SASE significantly reduces latency compared with traditional VPN setups, boosting productivity for remote teams worldwide.

SASE enhances performance further by minimising latency. Rather than sending traffic through a central location, SASE directs it through the nearest cloud service, optimising speed and efficiency.

Choosing between VPNs, SDP and SASE depends on the specific needs of your organisation and how you manage remote access.

VPNs can still be a good option for smaller organisations with limited remote access needs or for individuals to secure their digital footprints. They are simple to set up and cost-effective for securing smaller, less complex networks.

However, as larger organisations increasingly leverage AI for automating processes like customer service, data analysis or sales, the security risks grow in complexity. VPNs, which rely on traditional perimeter-based security models, are often not equipped to handle the advanced threats that emerge with AI integration.

AI-driven systems handle sensitive data and are prone to new forms of attacks, such as AI-targeted malware or data breaches. Even efficient use of AI for sales might create problems for remote companies. Is the boost in productivity worth the higher risk? This raises the stakes for companies, making advanced security solutions such as SDP and SASE more attractive.

SDP uses a zero-trust model that verifies every user and device before giving access, which is critical for protecting AI systems and sensitive data. On the other hand, SASE combines networking and security into one cloud-based service. It works well for large teams, multiple offices and cloud-heavy businesses.

The choice depends on your organisation's size, network complexity and security needs. If your company is facing any of the following situations, it may be time to make the switch:

Increased reliance on remote work or hybrid teams

If a significant portion of your workforce is working remotely, VPNs may not scale efficiently. When too many users connect, VPNs often create latency and performance bottlenecks, leading to productivity loss. Additionally, traditional VPNs aren't built to secure cloud resources, making remote access to cloud applications vulnerable.

Need for better security

VPNs operate on a perimeter-based model, which assumes that anyone inside the network is trusted. This can be risky as it opens up the network to potential lateral movement if one segment is compromised. SDP's zero-trust approach verifies every user and device before granting access, ensuring tighter security controls, especially for organisations handling sensitive data or complying with regulatory standards such as GDPR, HIPAA or PCI-DSS.

Challenges with managing complex or distributed environments

If your organisation is spread across multiple locations or heavily dependent on cloud applications, managing a traditional VPN setup can become cumbersome. SASE offers an integrated solution that combines networking and security in a single cloud-based platform. This reduces the need for separate, on-premise security tools, simplifies management, reduces operational costs and ensures better performance through local cloud gateways.

Performance issues due to network complexity

VPNs often route traffic through a central location, which can lead to delays and higher latency, especially for global teams. SASE optimises performance by routing traffic through the nearest cloud service, reducing latency and improving the user experience. If your users are experiencing significant delays with VPNs, moving to SASE can alleviate those issues.

Organisations are changing how they manage secure remote access due to the need for stronger, more adaptable solutions. Traditional perimeter-based security no longer fits today's decentralised, cloud-based environments. As remote work grows and cyber threats become more advanced, the need for better security is clear. Solutions such as SDP and SASE offer the flexibility, scalability and security that older technologies lack.

Companies that adopt these modern solutions are better equipped to protect their networks and data while allowing secure access from anywhere.
-
ESET shines light on cyber criminal RedLine empire

Cyber security analysts at ESET have released an in-depth look at the inner workings of the RedLine Stealer operation and its clone, known as Meta, in the wake of a Dutch-led operation that saw the cyber criminal empire laid low.

Operation Magnus saw the Dutch National Police force, working with European Union support and other agencies including the FBI and the UK's National Crime Agency (NCA), dismantle the infamous infostealer's infrastructure.

The action was the culmination of a lengthy investigation to which ESET, which initially notified the authorities in the Netherlands that some of the malware's infrastructure was being hosted in their jurisdiction, was a key contributor, taking part in a preliminary operation last year that targeted the gang's ability to use GitHub repositories as a dead-drop control mechanism.

In an extensive dossier, ESET said that having conducted an extensive analysis of the malware's source code and backend infrastructure in the run-up to Operation Magnus, it was now able to confirm with certainty that both RedLine and Meta did indeed share the same creator, and identified well over 1,000 unique IP addresses that had been used to control the operation.

"We were able to identify over 1,000 unique IP addresses used to host RedLine control panels," said ESET researcher Alexandre Côté Cyr. "While there may be some overlap, this suggests on the order of 1,000 subscribers to the RedLine MaaS [malware as a service]," he added.

The 2023 versions of RedLine Stealer ESET investigated in detail used the Windows Communication Framework for communication between the components, while the latest version from 2024 uses a REST API.

The IP addresses found by ESET were dispersed globally, although mostly in Germany, the Netherlands and Russia, each accounting for about 20% of the total. Approximately 10% were located in Finland and the US.

ESET's investigation also identified multiple distinct backend servers, with about 33% in Russia, and Czechia, the Netherlands and the UK each accounting for about 15%.

Ultimately, the goal of the RedLine and Meta operations was to harvest vast amounts of data from their victims, including information on cryptocurrency wallets, credit card details, saved credentials, and data from platforms including desktop VPNs, Discord, Telegram and Steam.

The operators' clients bought access to the product, described by ESET in corporate terms as a "turnkey infostealer solution", through various online forums or Telegram channels. They could select either a monthly rolling subscription or a lifetime licence, and in exchange for their money received a control panel to generate malware samples and act as a personal command and control server.

"Using a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns," said Côté Cyr. "Some notable examples include posing as free downloads of ChatGPT in 2023 and masquerading as video game cheats in the first half of 2024."

At its peak, prior to the takedown, RedLine was probably the most widespread infostealer in operation, with a comparatively large number of affiliates. However, said ESET, the MaaS enterprise was likely orchestrated by a very small number of people.

Crucially, the creator of the malware, named as Maxim Rudometov, has been identified and charged in the US.
-
Gartner Symposium: Time to get rid of the dead wood

IT architecture complexity is set to increase in a way that means IT departments are juggling multicloud and legacy environments

By Cliff Saran, Managing Editor
Published: 07 Nov 2024 16:05

The idea of lifting and shifting workloads into the public cloud is never going to deliver a good return on investment. Instead, according to analyst firm Gartner, IT leaders need to focus on consolidating applications. In particular, CIOs need to "get rid of the old wood", Philip Dawson, a research vice-president at Gartner, said in a podcast interview with Computer Weekly.

Dawson, who presented a session called The Future of Infrastructure Is Distributed and Hybrid at the Gartner Symposium in Barcelona, said cloud management of IT infrastructure is key. He said this becomes increasingly important as IT leaders choose to keep or rehost elements of their enterprise IT platforms on-premise.

As IT becomes more complex, Dawson urged IT leaders to rationalise or retire applications. "Get rid of your dead wood and only modernise the stuff you really need to modernise," he said. "If it has high IT complexity and low business value, get rid of it. You don't need that cost."

This also applies in the cloud, where applications have been moved to public cloud infrastructure without first being optimised to take advantage of the elastic compute and platform capabilities available from public cloud providers.

A distributed hybrid infrastructure incorporates cloud-native infrastructure principles, such as programmability, elasticity, modularity and resiliency, and can be deployed and managed in any location the customer chooses, including on-premise, at the colocation, at the edge or in the public cloud. For Dawson, this means having a single control plane that can manage the system in any location.

Dawson said modernising and refactoring applications is far easier to do on-premise than in a cloud environment.

His presentation identified the main companies offering on-premise to cloud capabilities as IBM, with IBM Cloud; Nutanix, with its Cloud Platforms and Cloud Clusters offerings; and VMware, which includes a number of cloud products such as Azure VMware Solution, Google Cloud VMware Engine and VMware Cloud on Amazon Web Services (AWS).

A company like Red Hat, which IBM acquired in 2018, is pitching its OpenShift platform as an environment for virtual machines and containers. Dawson regards the tactic Red Hat has adopted with OpenShift as being focused on customers looking for application modernisation. But such platforms only deliver tangible benefits when applications are refactored. As Dawson points out, moving a workload from a virtual machine into a fat container is never going to deliver the efficiencies IT wants to achieve. "Moving to containerisation requires a big refactoring of applications," he said.

Even if there is an ambition to containerise 30% to 40% of new applications, Dawson said: "You've also got to think that there's two-thirds of stuff that need to be modernised such as legacy Java.net and other legacy environments."

This means IT departments will end up with a heterogeneous IT environment comprising some private cloud, some public cloud and some cloud-native environments, along with business application clouds. On top of this, datacentre equipment providers are selling equipment on a pay-per-use basis, with the ability to extend this into their own cloud or to public cloud providers. In addition, the likes of Alibaba, AWS, Microsoft Azure, Google, Oracle and TencentCloud offer public cloud to on-premise capabilities.

As Dawson points out: "You not only have multicloud heterogeneity, but multiple platforms plugging into common infrastructure. Comparisons not only of the infrastructure, not just the platform itself, but the software sitting on top as well."

This is the reason he recommends that IT leaders look closely at which applications to refactor, which ones should be moved to the cloud, and then identify applications that should eventually be discontinued.
-
Google Cloud MFA enforcement meets with approval

The cyber security community has reacted positively to Google's 4 November announcement that it will begin to enforce multifactor authentication (MFA) for millions of Google Cloud users worldwide during 2025, with the move being described as a significant step forward in securing the wider digital ecosystem.

The enhanced policies, announced earlier this week by Google Cloud vice-president of engineering Mayank Upadhyay, will see mandatory MFA rolled out to every user who currently signs in with just a password.

"We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments," said Upadhyay.

"We've been strong advocates for our MFA system for over a decade, and we're here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. That's why we're rolling out mandatory MFA in phases," he added.

The first phase, beginning this month, will see Google begin to target unprotected users with more reminders and information on MFA in their Google Cloud Console, specifically targeting the 30% of service users not already enrolled. This guidance will push organisations towards raising awareness and planning for MFA, as well as providing advice on testing processes and enablement.

From early 2025, Google will begin to require MFA for all new and existing users who sign in with a password, with notifications and guidance on this appearing throughout the Google Cloud Console, Firebase Console, gCloud, and other platforms. Those that wish to continue to use these tools will have no option but to enrol in MFA at this time.

Finally, by this time next year, MFA requirements will have been extended to all users who federate authentication into Google Cloud. There will be a number of options available to meet this requirement: organisations may choose to enable MFA with their primary identity provider prior to accessing Google Cloud, and work is ongoing to ensure there are standards and procedures in place to make this easier. Or users may wish to add extra layers of MFA through their Google accounts, if they prefer to use Google's own system.

Introducing mandatory MFA for cloud services is very much an idea whose time has come, and Google is not the only cloud giant to be making such moves. Earlier in 2024, Microsoft announced it was introducing such a policy in the wake of a number of high-profile cyber attacks involving its users, and it has been in force across Azure since the beginning of October.

Meanwhile, open source community giant GitHub, which brought in compulsory MFA for select developers and projects in 2023, said it has seen an opt-in rate of 95% across code contributors who received the MFA requirement, and a 54% uplift in MFA adoption among all active contributors to projects that it hosts.

Mike Britton, CIO at Abnormal Security, said Google's move was long overdue: "I believe that software vendors should provide MFA and other core security services like SSO to their customers as part of their standard baseline offering. We shouldn't be monetising basic security capabilities and features in our product unless those features are cost prohibitive to provide without additional subscription fees, which is often not the case."

Patrick Tiquet, vice-president of security and compliance at Keeper Security, said: "The multi-step plan, starting with console reminders and advancing to full enforcement, prioritises user adoption and minimises operational disruption with gradual transition to ease users into MFA, paving the way for smoother implementation and stronger compliance.

"However, organisations using Google Cloud will also need to plan for implementation within their workforce. Employee training about the importance of MFA will be critical and tools like a password manager can facilitate adoption by securely storing and filling MFA codes."

Anna Collard, senior vice-president of content strategy and evangelist at security training specialist KnowBe4, also praised Google's new policy, but said that MFA alone was no silver bullet.

"Effective security relies on a layered defence approach that combines multiple strategies to protect assets and data. Not all MFA quality is equal either, for example phishing-resistant MFA, such as those enabled by FIDO, are a much better option than text-based or push-based MFA," she said.
-
Starmer announces tech-enabled crackdown on people smuggling

UK prime minister Keir Starmer has committed an extra £75m to the recently established Border Security Command (BSC) to fund its acquisition and use of state-of-the-art surveillance equipment, as part of a wider clampdown on the national security threat of people smuggling gangs.

Speaking at the Interpol general assembly in Glasgow on Monday 4 November, Starmer said that the UK government will apply a counter-terrorism approach to border security in an attempt to end the fragmentation between policing, Border Force and intelligence agencies.

"The world needs to wake up to the severity of this challenge. I was elected to deliver security for the British people. And strong borders are a part of that. But security doesn't stop at our borders," he said.

"There's nothing progressive about turning a blind eye as men, women and children die in the Channel. This is a vile trade that must be stamped out wherever it thrives.

"So, we're taking our approach to counter-terrorism, which we know works, and applying it to the gangs, with our new Border Security Command."

The new investment in border security builds on £75m the UK government previously committed to the BSC in September 2024, which focused on unlocking sophisticated new technology and extra capabilities, such as covert cameras, monitoring technologies, new intelligence units, and improving intelligence and information flows between law enforcement bodies.

This means the overall investment into the BSC, which was set up in July 2024 to coordinate the work of the National Crime Agency (NCA), intelligence agencies, police forces, Immigration Enforcement and Border Force, will be £150m over the next two years.

The government outlined that the additional £75m investment into the BSC will be used to boost the NCA's technology and capabilities, including through the delivery of advanced data exploitation, using technology to boost collaboration with European partners, and providing it with a further 100 specialist investigators and intelligence officers.

The funding will also see the creation of a specialist intelligence unit to cohere intelligence flows from key police forces, and provide the 300 new staff to the BSC itself.

"Our new Border Security Command, with the investment set out today, will mean a huge step change in the way we target these criminal gangs," said home secretary Yvette Cooper. "People smugglers and traffickers operate in networks across borders, that's why we have launched a major boost to our cooperation with international partners including other European countries, the G7 and Europol, and why we are so pleased to be hosting the Interpol conference on tackling international crime in Glasgow today."

Speaking on BBC Breakfast after the BSC funding announcement, Cooper said: "We need to make progress as fast as possible because no one should be making these dangerous boat crossings," adding that small boat crossings are undermining Britain's border security and putting lives at risk.

However, some charities have criticised the government's focus on enforcement, noting it could lead to desperate people taking more dangerous and deadly journeys. They suggested that, instead, the government should focus on creating safe and legal routes for refugees to enter the UK, which are currently extremely limited.

Enver Solomon, the chief executive of the Refugee Council, said: "The government must recognise that enforcement measures alone will not end this horrific trade. It must balance strong action against criminal networks with its commitment to uphold international rules that provide safety to those who need it most."

Fizza Qureshi, CEO of the Migrants' Rights Network, added that the UK government's focus on the intermediaries supporting sanctuary seekers to get to safety in the UK "is just another attempt to deflect the UK's refugee protection obligations".

"Current legislation is already making people vulnerable to using intermediaries to get to the UK because they are refusing to offer safe routes for people of all nationalities," said Qureshi. "Offering safe routes for all instead of focusing on invasive tech surveillance would reduce the need for anyone to have to use intermediaries to reach the UK, and eliminate the unnecessary investment in surveillance technologies that invade all of our privacies."

A Parliamentary research briefing published 7 October 2024 noted that while there are four broad categories of safe and legal routes to the UK, each has distinct eligibility criteria, and not all of them grant the beneficiaries actual refugee status (which means that only some people on the UK's safe and legal entry pathways receive all the protections laid out in the 1951 Refugee Convention). It added: "The Labour government isn't considering increasing safe and legal routes to the UK."

As it stands, Amnesty International has said that the current immigration rules provide no safe or legal routes for someone to come to the UK for the purpose of claiming asylum, unless they are from Ukraine, Hong Kong or Afghanistan (and, in that case, have worked for the British government). While people are able to claim asylum from within the UK, the Home Office is explicit that it will not consider claims made from abroad.

Computer Weekly contacted the Home Office for comment, including about the criticisms that the UK government is focusing on enforcement over creating safe routes.

Asked in Parliament on 30 October 2024 about whether the government plans to introduce new safe and legal routes, undersecretary for migration and citizenship Seema Malhotra said that these routes would continue to play an important role.

"This country will always do our bit alongside others to help those fleeing war and persecution, but we need a proper system where rules are enforced," she said. "Our priority right now is the relocation of those who have been identified as eligible for resettlement under our resettlement schemes, and fixing the gaps in existing routes. That is why we have already taken steps to support the reunification of Afghan families under the [Afghan Citizen Resettlement Scheme] ACRS route."

The Home Office said that 230 people crossed the English Channel in small boats on 31 October, bringing the total for that month to 5,417. The total for 2024 so far stands at 30,661. More than 50 people have died trying to cross the English Channel this year, the highest since figures were first recorded in 2018.

In February 2024, the Home Office signed a data sharing and technology-collaboration agreement with EU border agency Frontex to crack down on small boats crossing the English Channel. Apart from improving both sides' operational response through improved intelligence and information sharing, the agreement also promised closer collaboration on research and development (R&D) into technologies such as drones and airborne surveillance.

The Telegraph reported that the deal would also enable Border Force officers to access live intelligence mapping of migrants' movements across Europe, giving UK authorities "eyes" over the entirety of the bloc's external borders.

The previous UK government also repeatedly committed to making Channel crossings on small boats "unviable", which it sought to achieve in part by making a range of surveillance capabilities available to border authorities.

The UK's already-extensive surveillance capabilities in the English Channel, a stretch of water just 21 miles long, include the use of unmanned aerial vehicles, manned aircraft such as planes or helicopters, artificial intelligence-powered satellites, and a variety of sensors and radars. These technologies and the data they produce are often advertised as a way of monitoring and countering migrant crossings in the Channel.

Lawyers, human rights groups and migrant support organisations previously told Computer Weekly that while the various technologies deployed do have the capacity to protect people's lives if used differently, they are currently used with the clear intention of deterring migrants from crossing or helping to punish those who do.

A similar enforcement-focused approach is being adopted by other European countries, which are seeking increasingly hardline approaches to irregular migration. In early October 2024, for example, 17 European countries, including 14 European Union (EU) members, signed a letter demanding a "tough paradigm shift" on migration, arguing that governments must be empowered to carry out deportations "in full respect of fundamental rights".

"People without the right to stay must be held accountable. A new legal basis must clearly define their obligations and duties," said the countries in a letter to the European Commission. "Non-cooperation must have consequences and be sanctioned."
Lords shoplifting inquiry calls for facial recognition laws

Lords have expressed serious concerns over the use of live facial recognition (LFR) technology by retailers, and are calling for new laws to ensure its safe and ethical use by private companies.

In May 2024, the House of Lords Justice and Home Affairs Committee (JHAC) launched an inquiry into tackling shoplifting, which partly focused on how police and retailers are using both live and retrospective facial recognition (RFR) to deal with retail crime.

Following its inquiry, the JHAC has now written to the Home Office detailing its concerns over facial recognition in retail, and is calling on the UK government to bring forward new legislation outlining general principles and setting minimum standards for the use of new technologies, especially when being used by private companies for crime prevention purposes.

Highlighting the fact that retailers will often collaborate with one another to create localised databases and watchlists of known shoplifting offenders, the Lords explained there is no criminal threshold for being included, which could lead to a number of issues.

"This means an individual can be placed on a private facial recognition watchlist and blacklisted from their high street (and subscribing retailers across the region) at the discretion of a security guard, without any police report being made and without the individual being informed that they have been added to a watchlist," they told the Home Office.

"We are concerned about the implications of what is effectively privatised policing, the hidden nature of the decisions being made on the basis of data matched with entries in a private database, and the lack of recourse for individuals who may have been wrongly entered in the database due to a misidentification," they added. "We are concerned about potential GDPR [General Data Protection Regulation] infringements and the risk of misidentification due to bias and discrimination within the algorithms."

Noting evidence from campaign group Big Brother Watch, the committee highlighted that the European Union's (EU's) AI Act broadly prohibits the use of LFR given the "extraordinary risks" it poses to individuals' rights and freedoms, adding that there is also a risk of bias and discrimination from the algorithms in use, with studies showing the systems are less accurate for people with darker skin.

While the committee heard in September 2024 from retailers that LFR would be of limited use in tackling shoplifting due to the associated safety and ethical concerns (which it believes can be cleared up through new primary legislation), they also said working with police to automatically identify offenders after the fact with RFR should be standard practice.

Paul Garrard, the Co-op Group's public affairs and board secretariat director, for example, told Lords that while the organisation itself does not use LFR to detect shoplifting in real time, it will compile an evidence pack for police when reporting a theft, which will include material like CCTV and staff body-worn camera footage to be run through RFR software.

He added that although some police forces will take the compiled footage and compare it with photos contained in the Police National Database (PND), which holds millions of custody images, many of which are being unlawfully retained by the Home Office, it is not currently standard practice for police to automatically check the images provided against the database.

In October 2023, the UK government launched a business-police partnership called Project Pegasus, part of which revolves around 14 of the UK's biggest retailers, including M&S, Boots and Co-op, sharing CCTV footage with forces so they can run it through the PND using RFR software.

Noting the positive steps made by Pegasus to tackle organised retail crime, the JHAC said it would welcome the continuation of the scheme, which focuses specifically on the organised criminal aspects of shoplifting rather than local or prolific offenders, adding that it should receive a further year of Home Office funding.

"We recommend the development of improved reporting systems to expedite the process by which retailers can report crime to the police," it said. "This includes the introduction of a 'retail flag' to identify in the Police National Database and criminal justice case management systems when a crime has taken place in a retail setting."

The JHAC also highlighted its previous investigation into advanced algorithmic technologies by UK police, including facial recognition and various crime prediction tools, which found the tech is being deployed without a thorough examination of their efficacy or outcomes, with police and the Home Office essentially "making it up as they go along".

It further described the situation as "a new Wild West" characterised by a lack of strategy, accountability and transparency from the top down. "Given the potential costs of technologies and the problems that can and do arise from their implementation, including with respect to privacy rights, freedoms and discrimination, we consider that a stronger legal framework is required to prevent damage to the rule of law," it said.

A short follow-up inquiry by the JHAC specifically looking at the use of LFR by police also found that they are rapidly expanding their use of the technology without proper scrutiny or accountability, and lack a clear legal basis for their deployments. However, the government claimed in the wake of the inquiry that there is "already a comprehensive legal framework" in place.

"We reiterate our earlier recommendation and believe there is a need for regulation of new technologies, particularly in relation to the use of it by private companies for crime prevention measures," the JHAC told the Home Office in its shoplifting inquiry letter. "We consider that this approach would strike a balance between concerns that an overly prescriptive law could stifle innovation and the need to ensure safe and ethical use of technologies."

Computer Weekly contacted the Home Office about the JHAC inquiry's findings, including whether it still holds the position that there is already a comprehensive framework in place governing the use of facial recognition.

"Shoplifting is at a record high," said a Home Office spokesperson. "This government is taking strong action by removing the £200 threshold for low-value shoplifting and making it a specific criminal offence for assaults on shopworkers. Facial recognition technology is an important tool that is helping the police identify offenders and bring them to justice. We constantly review its use to keep our streets safe and ensure we restore public confidence in our police."

Both Parliament and civil society have repeatedly called for new legal frameworks to govern law enforcement's use of biometrics, including two of the UK's former biometrics commissioners, Paul Wiles and Fraser Sampson; an independent legal review by Matthew Ryder QC; the UK's Equalities and Human Rights Commission; and the House of Commons Science and Technology Committee, which called for a moratorium on LFR as far back as July 2019.

During his time in office before resigning in October 2023, Sampson also highlighted a lack of clarity about the scale and extent of public space surveillance, as well as concerns over the general "culture of retention" in UK policing around biometric data.

Read more about facial recognition technology

- Ban predictive policing and facial recognition, says civil society: A coalition of civil society groups is calling for an outright ban on predictive policing and biometric surveillance in the UK.
- Outgoing police tech watchdog warns of declining oversight: The outgoing biometrics and surveillance camera commissioner for England and Wales discusses police deployment of powerful new surveillance technologies, and the declining state of oversight in this area.
- Met Police deploy LFR in Lewisham without community input: The Met's latest live facial recognition deployment in Catford has raised concerns over the lack of community engagement around the police force's use of the controversial technology.
Gartner Symposium: Why the chance of digital success is random

For some CIOs, there is only a 48% chance their digital business initiatives will succeed, but collaborating with non-IT functions can increase success rates.

By Cliff Saran, Managing Editor
Published: 06 Nov 2024 16:50

Research from analyst firm Gartner has found that just 48% of digital initiatives meet or exceed business outcome targets, which means over half of such projects are set to fail.

The company's annual global survey of more than 3,100 CIOs and technology executives, and more than 1,100 executive leaders outside of IT (CXOs), reported that for a certain cohort of IT leaders, the chance of a successful digital initiative is random. Daniel Sanchez-Reina, vice-president analyst at Gartner, described the findings as "the curse of random success".

He added: "Your chance to succeed is 50:50. It's like flipping a coin."

Speaking to Computer Weekly during the analyst firm's annual European conference in Barcelona about why the chance of success is random, Sanchez-Reina said one of the most common issues is that all the responsibility for the project rests on the shoulders of the CIO.

He said CIOs who have a high proportion of digital initiative failures believe they are solely responsible for the projects. "The CXOs do not feel accountable and feel it is the CIO's responsibility," he said. "The business areas participate at the beginning to give CIOs the specifications for what they need and the deadline, but then they disappear. When, after two to three months, the CIO shows the application, the chances it matches their original expectations are very low because they disappeared during the process."

Gartner's survey found that CIOs who co-own the delivery of digital initiatives with business leaders achieve project success 71% of the time.

Sanchez-Reina said this more positive outcome demonstrates the benefit of CXOs taking equal responsibility and participating equally with the CIO at every stage of the project. Adopting such an approach, he said, breaks out of the "random success" stigma inherent in projects that lack shared ownership.

Tangentially, project failure is also associated with CIOs failing to relinquish control of IT. Many CIOs do not want to break down the walls of IT to allow other technologists beyond IT, such as IT roles in finance, marketing and human resources, to participate in the delivery of digital initiatives.

According to Sanchez-Reina, they may feel they lose power and influence if they open up access and control of the IT that has traditionally been managed entirely by the IT department.

"This is a wrong expectation because the CEO does not care if you do it only with IT people or with people outside IT. The CEO just wants the digital solution on time and of high quality," he said.

Sanchez-Reina said business executives should break down the organisational wall with IT and participate more in technology production. Given businesses are becoming increasingly digital, this involves business aligning with IT, rather than treating IT simply as the part of the business that delivers digital functionality.

Gartner uses the term "digital vanguard" to identify a new breed of CIO who is focused on collaborating closely with business executives to achieve success in digital projects.

"Behind every digital vanguard CXO, a digital vanguard CIO is guiding and enabling CXOs and their teams to co-lead and co-build digital delivery with IT," said Sanchez-Reina. "Digital vanguard CIOs nurture their peers to become digital vanguard CXOs. Those CIOs make it easier for their CXOs to lead digital with them and for business area staff to build digital solutions together with IT."

From an IT architecture and platform perspective, Sanchez-Reina urged CIOs to ensure the platforms their teams develop and deploy are not only designed for the IT specialists within the organisation's IT function. The platform needs to be usable by technologists outside the IT department, such as those working in finance and human resources.

The digital skills of these people outside of IT also need to be kept up to date, he said, to enable them to collaborate and work alongside the IT department to deliver digital initiatives successfully. Overall, the approach requires agile project management.

Read more from the Gartner Symposium in Barcelona

- Terminator film star shares lessons from his life experiences to help IT leaders succeed.
- Artificial intelligence project costs can quickly escalate, so IT leaders need to focus on the business objectives and invest appropriately.
- We report on how a deal between ServiceNow and Rimini Street may offer IT leaders an alternative route to enterprise AI.
UK government launches AI assurance platform for enterprises

The UK government is launching an artificial intelligence (AI) assurance platform to help businesses across the country identify and mitigate the potential risks and harms posed by the technology, as part of a wider push to bolster the UK's burgeoning AI assurance sector.

Noting that 524 firms currently make up the UK's AI assurance market, employing more than 12,000 people and worth more than £1bn, the government said the platform would help raise awareness of and drive demand for the sector, which it believes could grow sixfold to around £6.5bn by 2035.

Launched on 6 November 2024, the platform is intended to act as a "one-stop shop" for AI assurance by bringing together existing assurance tools, services, frameworks and practices in one place, including the "introduction to AI assurance" and the "portfolio of AI assurance techniques" guidance previously created by the Department for Science, Innovation and Technology (DSIT).

The platform will also set out clear steps for businesses on how to carry out impact assessments and evaluations, as well as how to review data used in AI systems for bias, so as to generate trust in the technology's day-to-day operations.

Digital secretary Peter Kyle said while AI has "incredible potential" to improve public services, boost productivity and rebuild the economy, "to take full advantage, we need to build trust in these systems which are increasingly part of our day-to-day lives. The steps I'm announcing today will help to deliver exactly that, giving businesses the support and clarity they need to use AI safely and responsibly while also making the UK a true hub of AI assurance expertise."

While DSIT plans to develop new resources for the platform over time, including an "AI Essentials" toolkit to distil key tenets of relevant governance frameworks and standards so they are comprehensible for industry, the department has already launched an open consultation for a new AI assurance self-assessment tool.

"AI Management Essentials [AIME] will provide a simple, free baseline of organisational good practice, supporting private sector organisations to engage in the development of ethical, robust and responsible AI," said a DSIT report on the future of AI assurance in the UK. "The self-assessment tool will be accessible for a broad range of organisations, including SMEs. In the medium term, we are looking to embed this in government procurement policy and frameworks to drive the adoption of assurance techniques and standards in the private sector."

It added that insights gathered from the AIME self-assessment tool would also help public sector buyers make better and more informed procurement decisions involving AI, and that the general suite of products on offer through the platform would further help support organisations to begin engaging with AI assurance and establish the building blocks for a more robust ecosystem.

The development of safe and responsible AI systems is central to the UK government's vision for the technology, which it sees as an area where the country can carve out a competitive advantage for itself.

According to DSIT's AI assurance market report, the department will also seek to support this goal by increasing the supply of third-party AI assurance, which it will do in part by developing a "roadmap to trust third-party AI assurance" with industry; and enabling the interoperability of assurance by developing a "terminology tool for responsible AI", which it said would help assurance providers navigate the international governance ecosystem.

In further support of the government's vision, the UK's AI Safety Institute (AISI), launched by former prime minister Rishi Sunak in the run-up to his government's AI Safety Summit in November 2023, will be running the Systemic AI Safety Grants programme, which will make up to £200,000 of funding available to researchers working to make the technology safer.

On the same day as the assurance platform launch, the AISI announced it had signed a partnership agreement with Singapore, which will see both countries' AI safety institutes collaborate to drive forward research and work towards a shared set of policies, standards and guidance.

"We are committed to realising our vision of AI for the Public Good for Singapore, and the world. The signing of this Memorandum of Cooperation with an important partner, the United Kingdom, builds on existing areas of common interest and extends them to new opportunities in AI," said Singapore's minister for digital development and information, Josephine Teo. "Of particular significance is our joint support of the international network of AI Safety Institutes (AISI). Through strengthening the capabilities of our AISI, we seek to enhance AI safety so that our people and businesses can confidently harness AI and benefit from its widespread adoption."

Ian Hogarth, chair of the UK AISI, added: "An effective approach to AI safety requires global collaboration. That's why we're putting such an emphasis on the international network of AI Safety Institutes, while also strengthening our own research partnerships. Our agreement with Singapore is the first step in a long-term ambition for both our countries to work closely together to advance the science of AI safety, support best practices and norms to promote the safe development and responsible use of AI systems."

Read more about AI safety

- UK and others sign first binding treaty on AI and human rights: The UK, US and EU have all signed a treaty from the Council of Europe that aims to mitigate the threat AI poses to human rights, democracy and the rule of law, but commentators say it lacks enforcement mechanisms and creates loopholes.
- UK AISI to open San Francisco branch: News of the AI Safety Institute's expansion to the US follows the first public release of its AI safety testing results.
- Report highlights disagreement among experts on AI safety: An interim AI safety report coming out of the Bletchley Declaration shows AI experts are not in agreement over some of the biggest risks.