CybserSecurity News

Tag: NIST

  • Ending the AI Regulation Maze: Tech Giants and Security Titans Launch MOSAIC to Harmonize Global Standards

    Architects of artificial intelligence security standards are increasingly confronted by a predicament as formidable as the threats themselves: a proliferation of regulations characterized by a profound lack of cohesion. Disparate terminologies and divergent methodologies complicate the ability of corporations to discern which recommendations to prioritize, compelling security practitioners to squander invaluable time deciphering documentation rather than engaging in practical defense.

    In response, OWASP, SANS Institute, NIST, the Cloud Security Alliance, the Center for Internet Security, the Coalition for Secure AI, and the Berryville Institute of Machine Learning have coalesced to form MOSAIC—the Multi-Organization Secure AI Coordination initiative. This collective was inaugurated on April 21, 2026, at the AI Security Policy Forum in Arlington, held in conjunction with the SANS AI Cybersecurity Summit. The SANS Institute formally announced the launch on April 28.

    MOSAIC is engineered to attenuate the fragmentation prevalent in AI security guidelines. According to the SANS 2026 Workforce Research Report, 60% of organizations acknowledge a deficit in the skills necessary to counter contemporary threats, with 27% attributing security incidents directly to these competencies gaps. Amidst this talent scarcity, the incongruent definitions of “AI risk” across authoritative bodies only serve to exacerbate the burden on security teams.

    The SANS Institute posits that contradictory recommendations have stymied specialists safeguarding critical infrastructure—such as hospitals, power grids, and financial institutions—for two years. Rob T. Lee, Chief Curriculum Officer and Head of Research at SANS, observed that market participants often receive conflicting advice regarding standard selection, a fragmented approach ill-suited for robust operational defense.

    Rob van der Veer, a primary catalyst for MOSAIC, founder of the OWASP AI Exchange, and co-editor of the security standards for the EU AI Act, clarified that the group does not intend to fabricate yet another layer of requirements. Rather, MOSAIC seeks to interweave existing frameworks, enabling practitioners to implement recommendations without superfluous confusion.

    The participants aspire to establish a streamlined coordination model, eschewing cumbersome bureaucracy. Immediate objectives include the creation of a centralized repository for knowledge exchange, the harmonization of fundamental concepts—such as safety, security, and risk—and the establishment of unified operational principles to expand the community. GitHub has been selected as the collaborative platform, adhering to OWASP’s tenets of transparency, equity, and integrity.

    MOSAIC is presented as an inclusive initiative for established projects dedicated to AI security. As part of the launch, the OWASP AI Exchange introduced a comprehensive taxonomy powered by OpenCRE, which maps terms, safeguards, and concepts across diverse standards. Further details regarding the MOSAIC repository and the evolution of this taxonomy are expected to be disclosed in the near future.

  • The Breaking Point: NIST Abandons Universal Data for the National Vulnerability Database

    The deluge of vulnerability reports has reached such an overwhelming crescendo that even governmental infrastructures struggle to maintain pace. The National Institute of Standards and Technology (NIST) has conceded that its traditional methodology for processing entries is no longer sustainable, prompting a fundamental shift in the rules of engagement.

    The crisis is centered within the National Vulnerability Database (NVD), the repository for CVE data. Historically, specialists appended detailed descriptions and severity assessments to every entry upon its inclusion. NIST has now abandoned this universal practice, electing to enrich only those records that surpass a newly established priority threshold.

    The impetus for this pivot is starkly mathematical: the first quarter of 2026 witnessed a nearly 30% surge in submissions compared to the previous year. In 2025, NIST processed approximately 42,000 vulnerabilities—surpassing its prior record by 45%—yet even this accelerated cadence failed to intercept the relentless tide of new disclosures.

    Henceforth, detailed metadata—often referred to as “enrichment”—will be reserved primarily for vulnerabilities within the CISA Known Exploited Vulnerabilities (KEV) catalog. Such entries are promised enrichment within twenty-four hours of notification. Priority will also be extended to products utilized by the U.S. government and mission-critical software.

    Remaining vulnerabilities will persist within the database but will remain devoid of supplementary data. Furthermore, NIST will cease assigning its own independent severity scores for all entries, instead deferring to the assessments provided by the original reporters.

    NIST characterizes these adjustments as a strategic attempt to concentrate on truly critical anomalies while advancing automation protocols. This structural strain is partially attributed to the proliferation of AI-driven tools, which facilitate the rapid identification of even minor flaws in ubiquitous products. Concurrently, anxieties are mounting that automated systems may soon not only identify but instantaneously weaponize these vulnerabilities.

    These systemic failures have been gestating for some time. In 2024, amidst budgetary contractions and staffing shortages, nearly 90% of entries remained unproccessed. This prompted CISA to temporarily assume a portion of the workload, while industry leaders petitioned the U.S. Congress and Secretary of Commerce Gina Raimondo to fortify the NVD.

    The situation remains precarious. NIST currently employs a mere 21 staff members to manage an exponentially growing archive. The agency has admitted that the accumulated backlog remains insurmountable; consequently, all unprocessed entries published prior to March 1, 2026, will be categorized as “Unscheduled.” While a select few may be revisited if deemed critical, the majority will remain in a state of administrative limbo.

    Even within the halls of NIST, officials acknowledge that this new framework is imperfect and risks overlooking significant threats. While specialists may still request the manual enrichment of specific records, the industry perceives this shift as a concession to the inevitable. In the current landscape, the centralized analysis of every discrete vulnerability is a logistical impossibility; increasingly, priorities are dictated not by a database entry, but by the ferocity with which a flaw is wielded in active combat.

  • The Fracture of Truth: How China’s Secretive Databases Are Outpacing the Ailing CVE System

    In the realm of information security, it has long been standard practice to categorize vulnerabilities via the CVE system: a breach is assigned a designation, followed by a CVSS severity score, a CWE type, and a list of impacted products, thereby allowing defenders to orchestrate their patching priorities. However, the years 2024 and 2025 have underscored the fragility of this apparatus when its fundamental nodes falter.

    The initial tremor occurred in February 2024, when the National Vulnerability Database (NVD), maintained by NIST, suffered a significant degradation in performance. For decades, the NVD performed the thankless yet vital task of enriching CVE entries with essential metadata—CVSS scores, error classifications, and software CPEs. Faced with a burgeoning backlog, the NVD admitted to an inability to sustain its pace, prioritizing contemporary threats while leaving a vast “tail” of unprocessed records in its wake.

    This was followed by an organizational upheaval. At VulnCon 2025, public discourse turned toward the precarious funding of the CVE program. A panic ensued when it was revealed that a critical Department of Homeland Security contract had neared expiration without renewal, sparking fears of a fragmented cataloging system. Although funding was eventually secured, the episode served as a sobering reminder that even the industry’s most venerable pillars possess inherent vulnerabilities.

    Recently, researchers at Bitsight expanded the scope of this inquiry, examining sovereign vulnerability repositories beyond the Western sphere, specifically the dual databases of China: CNNVD and CNVD.

    China operates two parallel state databases that function under distinct regulatory paradigms. While both utilize proprietary identifiers, they maintain cross-references to CVE numbers when available. However, because direct synchronization between CNVD and CNNVD is virtually non-existent, correlation must be meticulously performed through shared descriptions.

    • CNNVD: Operated by CNITSEC, a center linked to the Ministry of State Security. Its publication cadence suggests a focus on international intelligence; it frequently serves as a mirror for global CVE disclosures, albeit filtered through Chinese regulatory mandates.

    • CNVD: Governed by CNCERT, this repository aligns more closely with traditional defensive databases, focusing on identifying novel threats and assisting in the remediation of domestic infrastructure.

    In July 2021, China implemented a stringent regulatory layer known as RMSV. This mandate redefined the cadence of disclosure, diverging sharply from Western “Coordinated Vulnerability Disclosure” (CVD) norms. RMSV requires that all discovered vulnerabilities be reported to the state within 48 hours. Technical details—and specifically Proof-of-Concept (PoC) code or exploits—are strictly prohibited from public release until a patch is available. This replaces the voluntary collaboration between researcher and vendor with a prescribed order that prioritizes state control over the tempo of disclosure.

    Accessing this data remains an arduous task for automation. Both repositories lack robust APIs, requiring manual interface interactions to generate XML exports. These files are frequently marred by structural errors and typographical blunders—such as mangled CVE identifiers and erroneous date fields—which necessitate significant manual cleaning by analysts.

    A temporal analysis reveals intriguing patterns. While approximately 90% of entries appear within a week of their initial acquisition, a minute fraction (roughly 0.55% for CNNVD and 0.18% for CNVD) precedes the official CVE or NVD publication. In these rare instances—numbering about 1,400 since 2011—the Chinese repositories lead by an average of three months.

    Since the implementation of RMSV in 2021, the volume of vulnerabilities published without an associated CVE has shifted noticeably. CNVD has significantly slowed its publication of such entries, while CNNVD has shown a recent resurgence in non-CVE records. This suggests a complex interplay of factors: improved internal cross-referencing, the strategic withdrawal of certain vulnerabilities from the public eye under new regulations, or a focus on highly localized software that lacks international relevance.

    Ultimately, the Chinese ecosystem highlights a global trend: the control of information regarding software flaws has become a critical instrument of state power.

  • The Quantum Countdown: Why Google is Racing to Patch the Future of Global Encryption

    Quantum computing, once relegated to the realm of speculative science fiction, is rapidly approaching practical manifestation. While promising transformative breakthroughs in pharmacology, thermodynamics, and materials science, these advancements simultaneously pose a profound existential threat to digital security. Google warns that conventional encryption methodologies are on the precipice of obsolescence, urging a proactive transition to fortify our digital defenses for this nascent epoch.

    At the core of this transition lies the principle of quantum mechanics. Unlike classical systems, quantum architectures can evaluate a multitude of variables simultaneously, surmounting computational hurdles that would stifle even the most potent supercomputers. Paradoxically, these same capabilities render contemporary asymmetric cryptography—the very bedrock of modern banking, private correspondence, and sovereign state secrets—perilously vulnerable to compromise.

    The corporation posits that a sufficiently robust quantum processor could, within a few years, dismantle prevalent encryption schemes. Furthermore, adversaries are likely already engaged in a strategy known as “harvest now, decrypt later,” accumulating encrypted datasets in anticipation of future computational superiority.

    Cryptography specialists have not remained idle. They have engineered post-quantum cryptography (PQC)—algorithms specifically designed to withstand the rigors of quantum-assisted attacks. In 2024, the National Institute of Standards and Technology (NIST) codified the inaugural suite of these standards following an exhaustive global vetting process.

    Google asserts that its preparatory measures commenced as early as 2016. The firm is actively experimenting with post-quantum protocols, integrating them into its ecosystem while championing “cryptographic agility”—the capacity to seamlessly update or replace cryptographic primitives without disrupting operational continuity. This transition is currently underway within Google’s internal architecture and consumer-facing products, aligned with prevailing regulatory mandates.

    Moreover, Google advocates for governmental bodies to accelerate their readiness for the quantum era. This mandate encompasses the protection of vital infrastructure, the integration of post-quantum standards into artificial intelligence development, and the harmonization of international security protocols. The organization emphasizes the necessity of sustained collaboration with the scientific vanguard to anticipate the exact moment when quantum systems reach the threshold of practical decryption.

    The company remains optimistic that quantum technology will yield immense societal dividends, provided that the evolution of data protection keeps pace with computational progress. Should security remain stagnant, this technological triumph could precipitate an unprecedented crisis of global insecurity.

  • PQC Readiness: Cloudflare Secures Half of Traffic Against ‘Harvest Now, Decrypt Later’ Threat

    The transition to post-quantum cryptography is becoming increasingly tangible. At the end of October, Cloudflare reported that over half of all human-initiated interactions with its infrastructure are now protected by quantum-resistant algorithms. This milestone marks a crucial step in countering the so-called “harvest now, decrypt later” strategy — where adversaries intercept encrypted data today with the intent to decrypt it in the future, once quantum computers attain sufficient computational power.

    As the long-anticipated “Q-Day” — the moment when quantum machines will be able to break established encryption schemes such as RSA-2048 and ECDSA — draws closer, global efforts to adopt new cryptographic standards have intensified. The U.S. National Institute of Standards and Technology (NIST) recently completed the first phase of post-quantum standardization, selecting ML-KEM for key establishment and ML-DSA, SLH-DSA, and FN-DSA for digital signatures. ML-KEM has seen the fastest adoption due to its relative ease of implementation, whereas post-quantum signature schemes pose more significant challenges — notably their larger data size and higher computational demands.

    The primary difficulties lie not in the mathematical resilience of these algorithms, but in their practical deployment. For example, FN-DSA offers strong performance in both speed and compactness, yet requires extreme implementation precision, particularly for real-time signing. More avant-garde schemes like SNOVA and MAYO exhibit promising efficiency and robustness, but remain too immature for production use.

    Beyond the algorithms themselves, the integration layer — encompassing protocols such as TLS, DNSSEC, and certificate authority infrastructures — plays an equally critical role. While many clients now support the hybrid key agreement scheme X25519MLKEM768, which combines classical and post-quantum cryptography, the authentication phase migration remains a much longer process. Each web session involves multiple signatures, creating risks of increased latency or compatibility issues with legacy systems.

    Meanwhile, regulators have already set firm deadlines. Agencies across the United States, United Kingdom, Australia, and the European Union have mandated the transition to post-quantum cryptography between 2030 and 2035, shifting the global question from “When will it happen?” to “Will we be ready in time?”

    On the server side, support for PQ algorithms is expanding rapidly. Major providers — including Google, Microsoft, Amazon, Fastly, and thousands of smaller hosts — have implemented PQ key support. Cloudflare reports that 39% of the world’s top 100,000 websites already employ post-quantum protection on their public endpoints. However, adoption between these sites’ edge servers and origin infrastructure remains low, at around 3.7%, despite rapid growth over the past year.

    Within Cloudflare itself, modernization now encompasses nearly its entire internal network, including migration of WARP client traffic to the QUIC protocol. Yet, the company acknowledges that the shift to post-quantum signatures will face not only technical, but also organizational challenges — manual configurations, outdated partial implementations, and difficulties in aligning emerging standards across ecosystems.

    Despite the remarkable progress, the Internet remains far from fully secure. What matters most now is that experts still have time not merely to apply temporary fixes, but to fundamentally upgrade the entire cryptographic foundation. Cloudflare urges organizations to move beyond passive assessment and take active measures — updating software, automating certificate management, and conducting compatibility testing. For once quantum computers reach their critical threshold of capability, the window for remediation will have already closed.

  • Beyond the Lab: The Troubling Reality of Facial Recognition on Our Streets

    Stories of mistaken arrests caused by facial recognition technology are no longer rare. In 2020, Detroit resident Robert Williams was taken into custody after a faulty match generated by a low-quality surveillance image. Four years later, a similar incident unfolded in London: activist Shaun Thompson was misidentified as a criminal by the Live Facial Recognition system, resulting in an aggressive police stop.

    An independent audit of the London Metropolitan Police’s trials revealed that out of 42 supposed matches, only eight proved accurate. Despite such failures, the technology continues to be deployed in airports, shopping centers, and city streets, its adoption justified by laboratory statistics boasting up to 99.95% accuracy. Yet these numbers are deeply misleading—the reality on the ground is far less precise.

    To understand the gulf between laboratory results and practical outcomes, one must examine the nature of benchmark tests conducted by the U.S. National Institute of Standards and Technology (NIST). Its Facial Recognition Technology Evaluation (FRTE) has become the gold standard underpinning adoption worldwide, including by British police. But these tests are ill-suited to measure performance in uncontrolled, real-world environments. They may demonstrate how a system works in an airport terminal, but reveal little about its reliability on a crowded street or in poor lighting. The reports, in turn, create an illusion of near-infallibility, while in reality the systems falter amid everyday noise and interference.

    To build test sets, researchers compile databases of photographs against which algorithms are tasked with finding matches. Yet these collections come with significant limitations. First, the images are too “perfect”: static, evenly lit, and free of distortions. In the real world, faces are obscured by masks, glasses, shadows, motion blur, or crowds. Even NIST’s attempts to include webcam shots failed to bridge the gap, as those images remain far cleaner than typical footage from street cameras.

    Second, the sheer scale of operational databases far exceeds laboratory sets. While test collections may contain millions of images, real police systems often handle hundreds of millions of profiles. The larger the pool, the higher the risk of false positives. Yet current standards do not adequately account for this exponential increase in error rates.

    Third, demographic representation is uneven. Algorithms trained primarily on light-skinned subjects perform markedly worse on darker-skinned individuals, producing systemic biases. Reports by the UK’s National Physical Laboratory—the very documents supporting London’s use of facial recognition—barely account for adolescents and exclude children under twelve altogether, though minors are often subject to street-level scans. This gap renders official conclusions incomplete and casts doubt on the legitimacy of deploying such technology against youth.

    There is now an urgent need to move beyond laboratory trials to independent, large-scale evaluations in real-world conditions. New assessment methods must measure accuracy in crowded spaces, across broad populations, and within diverse demographic groups. Equally critical is the establishment of legally binding minimum accuracy thresholds for applications in sensitive domains such as criminal investigations. Without real-world data and transparent oversight, decisions remain rooted in statistics divorced from reality, perpetuating cases like those of Williams and Thompson.

    A study published in May 2025 by criminologists and computer scientists at the University of Pennsylvania added weight to these concerns. The authors demonstrated that as image quality declines, algorithmic accuracy plummets—particularly with blurred frames, altered angles, or low resolution. Moreover, these errors fall disproportionately on racial and gender minorities, with false matches and misidentifications significantly more likely among them.

    While researchers note that, on average, facial recognition may surpass some traditional forensic methods—including fingerprinting and ballistics—their emphasis lies elsewhere: in practice, image quality becomes the critical factor, capable of transforming an advanced tool into an instrument of discrimination.

    The problems are not purely technical. A 2023 report by the U.S. Government Accountability Office revealed that many American law enforcement agencies deploy facial recognition without adequate staff training or civil-rights policies. The consequences are starkly illustrated in the Algorithmic Justice League’s Comply to Fly? study, which found that the Transportation Security Administration uses facial recognition systems without properly informing passengers. Travelers often remain unaware that they may opt out of scans, and two-thirds of those who attempt to do so face hostility from TSA staff.

    Against this backdrop, NIST has issued new recommendations on detecting “morphed” faces—digital composites blending features of multiple individuals—designed to evade authentication systems.

    A February 2024 report prepared for the Innocence Project by researcher Alexandria Sanford highlighted that confirmed wrongful identifications are already on record: of seven known cases, six involved Black citizens. In 2025, the Electronic Frontier Foundation added two more names to the list of Americans wrongly arrested. Civil rights advocates insist that, regardless of claimed accuracy rates, the very use of facial recognition in policing is too dangerous to be tolerated—and must be outlawed.

  • NIST Unveils World’s Most Accurate Clock: A Quantum Leap in Timekeeping

    American scientists have set a new benchmark in precision timekeeping: researchers at the National Institute of Standards and Technology (NIST) have developed the most accurate clock in the world. This groundbreaking device operates using a single aluminum ion, confined within an electromagnetic trap. Far surpassing conventional optical systems, the clock achieves a measurement precision of 19 decimal places—an unprecedented feat in the field of chronometry.

    Yet it is not merely the extraordinary accuracy that sets this clock apart, but its remarkable stability. The new apparatus is 2.6 times more resilient to noise than previous ion-based timekeepers. This leap forward was made possible through a meticulous redesign of the entire system—from the geometry of the trap and the properties of its coating to the configuration of the vacuum chamber and the integration of its optical components. In terms of precision, the system outperformed the previous world record by 41%.

    The aluminum ion proves to be an ideal candidate for ultra-precise measurements due to its stable oscillation and minimal sensitivity to external disturbances such as temperature shifts and magnetic interference. However, it presents significant challenges for direct laser cooling and detection. To circumvent this, researchers introduced a companion ion—magnesium.

    This method, known as quantum logic spectroscopy, leverages the manageability of magnesium to cool the aluminum ion, synchronize its motion, and relay its quantum state. In essence, data is read through the behavior of the magnesium ion, sidestepping the difficulties of direct interaction with aluminum. This clever design allows scientists to exploit aluminum’s advantages without being hindered by its limitations.

    Even with this synchronization, the system encountered several technical hurdles. One significant issue involved excess micromotion of the ions due to asymmetric electric fields—an invisible yet disruptive factor affecting signal stability. To address this, the team reinforced the trap’s base with a diamond substrate and reconfigured the gold plating on its electrodes, effectively eliminating the distortions and stabilizing the ion environment.

    The vacuum chamber, too, required a major overhaul. The prior stainless steel enclosure released hydrogen molecules that interfered with the ions, disrupting their behavior and necessitating frequent system resets. The new titanium chamber reduced residual hydrogen levels by a factor of 150, enabling continuous operation for several days—in contrast to the 30-minute intervals previously required for recalibration.

    The laser system, crucial for reading ion oscillations, remained one of the most sensitive components. In 2019, it required weeks of averaging to suppress frequency fluctuations. This challenge was overcome with the help of Jun Ye’s laboratory at JILA—a joint institute of NIST and the University of Colorado Boulder—home to one of the most stable lasers in existence.

    A signal from the JILA laser was transmitted via a 3.6-kilometer fiber-optic link laid beneath city streets and synchronized with the aluminum ion clock using an optical frequency comb—a tool that serves as a spectral ruler. This integration transferred the reference laser’s stability directly into the operational system.

    Following these refinements, the team succeeded in sustaining the ion’s excited state for an entire second, compared to just 150 milliseconds previously. This enhancement reduced the time required for ultra-precise measurements from several weeks to just one and a half days.

    Beyond setting a new standard of precision, this clock has evolved into a robust platform for quantum experimentation. Its architecture lends itself to testing novel configurations, including multi-ion systems and entangled states—ushering in new possibilities for advanced quantum logic and precision metrology.

    Moreover, this advancement brings the global scientific community closer to redefining the second. Next-generation atomic clocks like this one can detect geophysical phenomena—such as gravitational potential differences at varying altitudes—with previously unthinkable accuracy. They may even enable tests to determine whether the fundamental constants of physics change over time.