China's latest open-weight artificial intelligence model is drawing attention within the cybersecurity community after independent evaluations indicated that it can rival some of the vulnerability detection capabilities of leading U.S. frontier AI systems. The findings are fueling renewed debate over whether restricting access to advanced American AI models is enough to slow the spread of powerful cyber capabilities.
Chinese AI company Zhipu AI, also known as Z.ai, released its GLM-5.2 model on June 13 under a permissive open-weight license. Unlike proprietary AI systems that are only accessible through controlled cloud services, open-weight models allow researchers and developers to download the model weights and run them on their own hardware. This approach enables offline deployment, customization through fine-tuning, and unrestricted experimentation without requiring ongoing approval from the model developer.
The release stands in contrast to Anthropic's Claude Mythos, one of several advanced AI systems whose availability has been limited under U.S. export controls because of concerns that highly capable models could be misused for offensive cyber operations. While GLM-5.2 still falls behind leading models from Anthropic and OpenAI across many general-purpose reasoning benchmarks, recent testing suggests it performs remarkably well in one highly specialized area: identifying software vulnerabilities.
Independent benchmarking conducted by Semgrep found that GLM-5.2 achieved an F1 score of 39% when detecting Insecure Direct Object Reference (IDOR) vulnerabilities. IDOR flaws arise when applications expose internal object identifiers without properly verifying whether a user is authorized to access the requested resource, making them a common source of unauthorized data access and privilege abuse. Under the same evaluation conditions, Claude Code recorded scores ranging from 32% to 37%, placing GLM-5.2 slightly ahead in this specific cybersecurity task.
The benchmark also underlined a notable economic advantage. Researchers estimated that GLM-5.2 identified vulnerabilities at an average cost of approximately $0.17 per finding, roughly one-sixth of the cost associated with comparable Claude-based workflows. Lower operating costs could make advanced AI-assisted vulnerability research accessible to a much broader range of organizations, independent researchers, and software security teams.
Additional benchmarking conducted by Graphistry reached similar conclusions, reinforcing the view that an openly downloadable Chinese model can compete with frontier U.S. AI systems in narrowly focused cybersecurity applications. The independent evaluations are particularly noteworthy because they relied on standardized testing methodologies designed to reduce benchmark contamination and minimize vendor-specific bias.
The findings arrive amid growing concern in Washington over the national security implications of frontier artificial intelligence. The Trump administration has increasingly treated advanced AI models such as Mythos and Fable as strategic technologies because of their ability to automate complex cybersecurity tasks, including discovering previously unknown software vulnerabilities that could potentially be weaponized in cyber operations.
Those concerns have shaped U.S. export control policies that restrict access to some advanced AI systems for foreign organizations, including researchers based in China. The underlying assumption behind these controls is that limiting access to the most capable American models would delay competing nations from acquiring comparable cyber capabilities. GLM-5.2's performance is prompting renewed questions about whether restricting model access alone can achieve that objective when capable alternatives are being developed elsewhere.
The discussion is further informed by Anthropic's Project Glasswing, which previously demonstrated the cybersecurity potential of frontier AI by identifying more than 10,000 critical software vulnerabilities during its initial research phase. The project illustrated how advanced language models can assist security researchers in reviewing large codebases, prioritizing weaknesses, and accelerating vulnerability discovery. If open-weight models begin approaching similar levels of performance, comparable capabilities may no longer remain exclusive to a small number of tightly controlled AI providers.
The latest development also comes shortly after OpenAI introduced GPT-5.6 with limited availability because of concerns surrounding misuse. Together, these decisions reflect a broader effort by U.S. AI developers to place increasingly capable models behind controlled access mechanisms while balancing innovation with national security considerations.
Cybersecurity researchers note that advances in open-weight models create opportunities as well as risks. Defensive teams could use these systems to automate code reviews, strengthen secure software development practices, and accelerate vulnerability remediation. At the same time, threat actors may attempt to exploit the same capabilities to identify weaknesses in software before organizations have an opportunity to patch them. Because GLM-5.2 can be downloaded and operated locally, these capabilities are available globally regardless of whether users have access to commercial U.S. AI services.
The emergence of GLM-5.2 does not necessarily indicate that Chinese AI has surpassed American frontier models across every benchmark. However, its strong performance in specialized cybersecurity evaluations suggests that the technological gap is narrowing in selected high-value domains. The development is likely to intensify debate over whether hardware restrictions and access controls alone are sufficient to preserve leadership in AI-driven cybersecurity, or whether future policy must place greater emphasis on strengthening defensive capabilities, accelerating software patching, and preparing for a world where advanced vulnerability discovery tools become increasingly accessible worldwide.
The Federal Communications Commission (FCC) has approved a series of new regulations aimed at strengthening the cybersecurity of the United States' emergency communication systems while modernizing security requirements for the country's undersea cable infrastructure.
The newly adopted rules introduce stronger safeguards for the nation's two primary public warning platforms—the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA)—to reduce the risk of cyberattacks and unauthorized access.
The EAS is widely used by federal, state and local authorities to broadcast emergency information, including severe weather warnings, AMBER Alerts and other public safety notifications through television and radio networks. Meanwhile, the WEA delivers similar alerts directly to mobile devices through text messages.
According to the FCC, a successful cyberattack on either platform by a foreign government, cybercriminal organization or malicious actor could spread misinformation, create public confusion or disrupt emergency response efforts during critical situations.
Any vulnerability in systems like the Emergency Alert System “can have serious consequences,” said FCC Commissioner Olivia Trusty in a statement after the vote.
“That is why it has been appropriate for the Commission to conduct a comprehensive review of the EAS framework by focusing on the security of the system itself,” Trusty continued. “As cybersecurity threats continue to evolve, EAS participants must take appropriate steps to safeguard the infrastructure that supports the delivery of life-saving alerts.”
As part of the new cybersecurity framework, organizations responsible for operating EAS and WEA systems will be required to adopt stronger cyber hygiene measures. These include implementing robust passwords, promptly installing vendor-issued security updates and patches, and deploying firewalls to restrict unauthorized access to critical systems.
The FCC has also introduced a new authentication identification system that will verify emergency alerts before they are transmitted, helping prevent duplicate, fake or unauthorized alerts from being distributed.
In a separate decision, the Commission also approved its first major overhaul of submarine cable regulations in several decades. The updated framework seeks to enhance cybersecurity oversight for undersea cable infrastructure while simplifying licensing procedures for trusted operators.
Under the revised rules, certain undersea cable providers will no longer be required to undergo the extensive national security licensing review conducted by "Team Telecom" before operating cables connected to U.S. territory.
Team Telecom is an interagency group led by the Department of Justice's Foreign Investment Review Section, along with other federal agencies that evaluate the national security implications of telecommunications infrastructure.
The updated policy allows submarine cable applicants to qualify for an exemption if they can self-certify that they meet high security standards designed to improve certainty, streamline reviews and shorten licensing timelines.
“Currently, all submarine cable applications get referred to Team Telecom…the changes adopted would exempt applications from applicants that have operated cables without incident, can certify to the highest national security standards, and agree to ongoing oversight and monitoring,” the FCC said in a release.
The new regulations also expand the FCC's oversight of key operational components within submarine cable systems. Companies responsible for submarine line terminal equipment, which connects undersea cables to U.S.-based terrestrial facilities, will now be required to obtain licenses.
Additionally, the Commission has introduced updated security measures to address risks associated with essential equipment, third-party vendors and vulnerabilities across the broader submarine cable supply chain, further strengthening the resilience of critical communications infrastructure.
The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an updated public service announcement warning that Russian intelligence-linked threat actors have expanded an ongoing phishing campaign targeting Signal users. Rather than attempting to intercept authentication codes alone, the attackers are now seeking victims' Signal Backup Recovery Keys, enabling them to restore encrypted cloud backups and gain access to historical conversations.
The latest advisory builds on an alert released in March 2026, when the agencies disclosed that Russian-backed operators were targeting users of commercial messaging applications, particularly Signal, through carefully crafted phishing campaigns. Those earlier attacks focused on compromising accounts by deceiving users into handing over verification codes, account PINs, or linking unauthorized devices to their Signal accounts, instead of defeating the application's end-to-end encryption.
According to the FBI, the threat actors have refined their social engineering techniques by impersonating automated Signal support accounts and introducing a new objective: convincing users to disclose the recovery keys that protect their encrypted backups.
The agencies said the campaign continues to concentrate on individuals considered to be of intelligence value, including current and former U.S. government officials, government personnel from allied nations, military members, political figures, journalists, and officials located in Ukraine.
The activity has been attributed to Russian Intelligence Services (RIS), including officers associated with Russia's Federal Security Service (FSB) Border Guards and additional actors operating on behalf of the Russian military. Security researchers publicly track the activity under the designations UNC5792 and UNC4221.
Phishing campaign evolves beyond account hijacking
The updated advisory describes a notable change in the attackers' methods. Earlier phishing attempts largely sought one-time verification codes, Signal PINs, or persuaded victims to connect attacker-controlled devices to their accounts. The current campaign instead attempts to obtain the cryptographic recovery key used by Signal's Secure Backups feature.
To begin the attack, the operators pose as Signal's support team and distribute fraudulent messages claiming the messaging platform is introducing mandatory two-factor verification following an alleged increase in attacks carried out by hackers from Iran and post-Soviet countries. The messages falsely state that the security changes require users to configure Signal Backups in order to avoid losing conversations and media files.
Victims are instructed to navigate through the application's backup settings, enable Secure Backups, reveal the Backup Recovery Key, copy it to the clipboard, and complete what appears to be a legitimate setup process.
Signal's Secure Backups feature allows users to store encrypted copies of conversations on the company's cloud infrastructure. Those backups remain protected through end-to-end encryption, with the Backup Recovery Key serving as the only credential capable of decrypting and restoring the archived data. Because Signal does not retain this key, anyone who obtains it can restore the encrypted backup onto another device.
After victims complete the initial steps, the attackers send a second phishing message while continuing to impersonate Signal support. This follow-up communication claims the user's account is experiencing a synchronization problem and warns that stored messages and media could be permanently lost unless immediate action is taken.
The fraudulent notification instructs users to revisit the backup settings, copy the Backup Recovery Key once again, and paste it directly into the conversation under the pretense of preventing data loss.
If victims comply, the attackers obtain the recovery key and use it to restore the encrypted backup on devices under their control. This grants access to previously archived communications, including private conversations and group chats.
The FBI emphasized that these attacks do not compromise Signal's encryption itself. Instead, they rely entirely on social engineering techniques that manipulate users into voluntarily surrendering the credentials needed to decrypt their own backups.
Compromised recovery keys remain a risk even after creating a new account
The updated advisory also highlights a recovery scenario that affected users may easily overlook.
According to the FBI, creating a new Signal account with the same phone number does not invalidate a Backup Recovery Key that has already been stolen. If attackers previously acquired the key, they may still be able to access any encrypted backups downloaded before the compromise was discovered.
To prevent future backup restorations using a compromised credential, users should generate a new Backup Recovery Key through Signal's backup settings. Creating a replacement key invalidates the previous one for subsequent backup downloads. However, the agencies cautioned that this action cannot revoke access to backups that attackers have already restored using the stolen key.
Agencies urge users to remain cautious of unsolicited support messages
The FBI and CISA reminded users that legitimate messaging platform support teams communicate only through official company email channels. They do not request verification codes through the application itself, nor do they send unsolicited messages instructing users to verify accounts, restore backups, or disclose recovery credentials.
Anyone who believes they may have interacted with the phishing campaign is encouraged to report the incident to the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
The advisory accentuates the fact that well-designed encryption remains effective only when the credentials protecting it remain under the user's control. Rather than attempting to break modern cryptography, state-sponsored threat actors are increasingly directing their efforts toward manipulating trusted users into revealing the keys that unlock their own protected data.
CISOs today are no longer measured solely by the effectiveness of an organization's cyber defenses. With the increase of cyber threats, the acceleration of offensive capabilities with artificial intelligence, and increasing regulatory scrutiny, the role of enterprise-wide risk management, strategic decision making, and executive accountability has increased.
The rapid evolution of the security industry, however, exposes a critical imbalance. Although companies increasingly rely on Chief Information Security Officers to safeguard their business operations, sensitive data, and corporate resilience, many security leaders are still lacking board-level support, clearly defined governance frameworks, or an universally accepted ethical framework.
With the rise of data breaches and the growing concern about AI-enabled cyber threats, the question is not whether CISOs are equipped to deal with technical security challenges, but whether the profession itself requires a code of ethics that guides high-impact decisions that extend beyond cybersecurity in order to guide high-impact decisions.
In addition to managing firewalls, security tools, and incident response operations, the CISO position has evolved far beyond managing firewalls and security tools to encompass a strategic role that encompasses more than ethical accountability. It is the chief information security officer's responsibility to design, implement, and enforce enterprise-wide security policies as well as ensuring the organization's long-term business strategy remains infused with cybersecurity.
A CISO is responsible for overseeing the implementation of security technologies and workforce awareness programs to reduce the risk of data breaches and system compromise, in addition to fostering a security-first culture that strengthens organizational resilience and facilitates compliance with a growing range of regulatory and industry guidelines.
An organization's security posture must first be evaluated, existing controls evaluated, capability gaps identified, and risks prioritized to develop a security roadmap aligned with business objectives. These responsibilities require a combination of cybersecurity expertise, executive leadership, and strategic decision-making to accomplish.
The modern CISO must have extensive knowledge of risks, threat detection, and response, as well as compliance standards such as GDPR, NIST, and SOC 2. They must also be equipped to manage security teams, budgets, and enterprise resources simultaneously. Board members and executive leadership must also be able to translate complex cyber risks into business-focused insights in order to facilitate informed decision-making and facilitate cross-functional collaboration capable of adapting to an increasingly sophisticated threat landscape, which is equally critical.
According to recent findings, these challenges in governance translate into measurable risks in the operating environment. In the Voice of the CISO survey, conducted during the first quarter of 2025, 1,600 chief information security officers were surveyed across 16 countries by organizations with over 1,000 employees.
According to nearly two-thirds of respondents, their organizations have suffered a material loss of sensitive information within the past year—a sharp increase over 46% reported in the previous survey. As a consequence, three quarters of CISOs are concerned that their organizations will be susceptible to material cyberattacks in the next 12 months. As a result of increased regulatory oversight and the demand for greater transparency, security leaders are increasingly willing to disclose security incidents as a result of these rising figures, indicating more than an increase in threat activity.
Patrick Joyce, Global Resident CISO at Proofpoint, observed that CISOs are increasingly open about cyber risk exposure as a result of evolving governance expectations. The majority of respondents stated that they were confident in their organizations' cybersecurity culture, however six out of ten stated that they were not adequately prepared to handle a major cyber-attack.
A significant proportion of CISOs indicated that they would consider paying a ransomware demand in order to recover critical data or restore business operations, highlighting the difficulty of making ethical decisions during crisis response. The findings also emphasize the complex balance between business continuity, risk management, and ethical decisions.
A formal code of ethics for CISOs is gaining renewed relevance in light of this background. It is argued that technical expertise alone is no longer sufficient to fulfill the role of Chief Information Security Officer, which involves high-impact decisions affecting national infrastructure, business continuity, compliance with regulatory requirements, and public trust frequently. This framework is deliberately concise, incorporating four mandatory canons that describe the profession's fundamental ethical obligations rather than replacing individual professional judgment.
By providing advisory guidance, the framework aims to assist security leaders in navigating complex situations in which competing responsibilities are often not clear on a technical or legal level. The code's preamble emphasizes that the CISO's primary responsibility is to protect society, organizational stakeholders, and critical infrastructure, making compliance with the code a mandatory assignment.
According to the four core principles, cybersecurity professionals are expected to protect society and essential infrastructure, act with honesty, integrity, and stewardship, serve their organizations competently and diligently, and actively strengthen and safeguard the cybersecurity profession as a whole.
A practical objective complements these mandatory canons, which encourage cybersecurity research, education, mentoring of future practitioners, and the preservation of professional certification values, while discouraging conduct that could adversely affect public confidence or security. There are many ways a professional can undermine ethical credibility, such as creating unnecessary fear or uncertainty, providing false reassurance, promoting poor security practices, exposing inadequately secured systems to a public network, or participating in professional associations that compromise ethical standards.
A further requirement of the framework is that compliance with the preamble and four canons be enforced, and any conflicts between ethical obligations are resolved in accordance with the order in which the canons are defined. This ensures that security professionals have a structured hierarchy for resolving complex ethical dilemmas without creating conflicting obligations.
CISOs continue to assume increasingly extensive legal, operational, and ethical responsibilities, and industry experts emphasize that personal crisis management strategies should also be developed to protect security executives along with the organizations they serve.
A comprehensive incident response plan should not only prepare for technical incident response, but also consider professional, legal, financial, and reputational risks that may arise following an investigation by the government or a major cyber incident. It is important to maintain comprehensive documentation of security decisions, risk assessments, mitigation strategies, and executive communications, including instances where recommendations for security measures are declined by senior management or the board.
By maintaining an auditable record of both approved and rejected security recommendations, companies can demonstrate due diligence, compliance with regulations, and informed decision making when faced with legal scrutiny.
A CISO's security strategies must align with changing compliance obligations as they evolve in cybersecurity legislation, disclosure requirements, and regulatory frameworks by engaging in continuous professional development and consulting with legal counsel regularly.
In addition, experts recommend that executives take out professional liability insurance specifically designed for executive cybersecurity roles, as standard corporate policies may not cover CISOs who have not been appointed as officers or directors by the organization, potentially leaving them personally liable for the consequences. As an added safeguard, a documented ethical decision-making framework will be developed that will serve as a consistent reference when dealing with incidents involving conflicting legal obligations, executive pressures, or sensitive disclosure decisions.
The establishment of strong working relationships with legal, finance, public relations, and corporate communications teams is essential to the coordination of incident response, which ensures that regulatory notifications, public disclosures, and stakeholder communication remains both legally compliant and ethically sound during times of crisis.
In the age of cybersecurity, enterprise resilience and national digital security continue to be shaped by it, which means that CISOs are increasingly responsible for more than just technical oversight. Effective cyber leadership requires strong governance, ethical accountability, transparent risk communication, and executive support.
The organizations that empower security leaders with clear ethical frameworks, documented decision-making processes, and cross-functional collaboration will have better chances of navigating an increasingly complex threat landscape while maintaining trust, regulatory compliance, and long-term operational efficiency.