Rss preview of Blog of MIT Technology Review

The Download: California’s AI power plans, and why it’s so hard to make welfare AI fair

2025-07-14 20:10:00

This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology.

California is set to become the first US state to manage power outages with AI

California’s statewide power grid operator is poised to become the first in North America to deploy artificial intelligence to manage outages, MIT Technology Review has learned. 

At an industry summit in Minneapolis tomorrow, the California Independent System Operator is set to announce a deal to run a pilot program using new AI software called Genie, from the energy-services giant OATI. 

The software uses generative AI to carry out real-time analyses for grid operators and comes with the potential to autonomously make decisions about key functions on the grid, a switch that might resemble going from uniformed traffic officers to sensor-equipped stoplights. Read the full story.

—Alexander C. Kaufman

Why it’s so hard to make welfare AI fair

There are plenty of stories about AI that’s caused harm when deployed in sensitive situations, and in many of those cases, the systems were developed without much concern for what it meant to be fair or how to implement fairness.

But the city of Amsterdam did spend a lot of time and money to try to create ethical AI—in fact, it followed every recommendation in the responsible AI playbook. But when it deployed it in the real world, it still couldn’t remove biases. So why did Amsterdam fail? And more importantly: Can this ever be done right?

Join our editor Amanda Silverman, investigative reporter Eileen Guo and Gabriel Geiger, an investigative reporter from Lighthouse Reports, for a subscriber-only Roundtables conversation at 1pm ET on Wednesday July 30 to explore whether algorithms can ever be fair. Register here!

The must-reads

I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.

1 Trump’s ‘big, beautiful bill’ is already hurting sick children
And hundreds of hospitals are likely to close, too. (New Yorker $)
+ His administration is going after easy targets, which includes sick children. (Salon $)

2 The US overseas worker purge is hitting Amazon hard
Its warehouse employees are losing their right to work in the US. (NYT $)
+ The US State Department has fired more than 1,350 workers so far. (Reuters)

3 Nvidia’s CEO claims China’s military probably won’t use its AI chips
But then he would say that, wouldn’t he. (Bloomberg $)
+ Even after the Trump administration has eased chip software tool export restrictions. (FT $)
+ Rival Huawei is planning a major AI chip overhaul. (The Information $)

4 Scientists are reportedly hiding LLM instructions in their papers 
Instructing models to give their work positive peer reviews. (The Guardian)

5 Amazon is dragging its heels launching its web version of Alexa
It appears the company underestimated just how much work it had to do. (WP $)

6 SpaceX’s revenue is on the up 
As Tesla continues to struggle. (WSJ $)
+ Musk is not in favor of merging Tesla with xAI. (Reuters)
+ Trump is still planning to slash NASA’s budget. (The Atlantic $)
+ Rivals are rising to challenge the dominance of SpaceX. (MIT Technology Review)

7 The Air India crash was caused by a cut in the plane’s fuel supply
Cockpit voice recordings reveal that one pilot asked another why he’d cut off the supply. (CNN)

8 The UK’s attempt to ape DOGE isn’t going well
Councils are already blocking Reform UK’s attempts to access sensitive data. (FT $)
+ DOGE’s tech takeover threatens the safety and stability of our critical data. (MIT Technology Review)

9 Even crypto executives can fall for crypto scams
Just ask the top brass from MoonPay, which lost $250,000 worth of Ethereum. (The Verge)
+ The people using humour to troll their spam texts. (MIT Technology Review)

10 Why landline phones refuse to die 📞
The business world still loves them. (WSJ $)

Quote of the day

“We don’t like to work like that. I’m a Buddhist, so I believe in karma. I don’t want to steal anyone’s money.”

—A man forced to work in an online scam center in Myanmar recounts his experience to Nikkei.

One more thing

China wants to restore the sea with high-tech marine ranches

A short ferry ride from the port city of Yantai, on the northeast coast of China, sits Genghai No. 1, a 12,000-metric-ton ring of oil-rig-style steel platforms, advertised as a hotel and entertainment complex.

Genghai is in fact an unusual tourist destination, one that breeds 200,000 “high-quality marine fish” each year. The vast majority are released into the ocean as part of a process known as marine ranching.

The Chinese government sees this work as an urgent and necessary response to the bleak reality that fisheries are collapsing both in China and worldwide. But just how much of a difference can it make? Read the full story.

—Matthew Ponsford

We can still have nice things

A place for comfort, fun and distraction to brighten up your day. (Got any ideas? Drop me a line or skeet ’em at me.)

+ You can easily make ice cream at home with just two ingredients
+ Pink Floyd fans, this lecture is for you. 
+ Lose yourself for a few minutes in the story behind an ancient Indian painting. (NYT $)
+ Remember the days of idly surfing the web? Here’s how you can still recreate them.

California is set to become the first US state to manage power outages with AI

2025-07-14 17:00:00

California’s statewide power grid operator is poised to become the first in North America to deploy artificial intelligence to manage outages, MIT Technology Review has learned. 

“We wanted to modernize our grid operations. This fits in perfectly with that,” says Gopakumar Gopinathan, a senior advisor on power system technologies at the California Independent System Operator—known as the CAISO and pronounced KAI-so. “AI is already transforming different industries. But we haven’t seen many examples of it being used in our industry.” 

At the DTECH Midwest utility industry summit in Minneapolis on July 15, CAISO is set to announce a deal to run a pilot program using new AI software called Genie, from the energy-services giant OATI. The software uses generative AI to carry out real-time analyses for grid operators and comes with the potential to autonomously make decisions about key functions on the grid, a switch that might resemble going from uniformed traffic officers to sensor-equipped stoplights. 

But while CAISO may deliver electrons to cutting-edge Silicon Valley companies and laboratories, the actual task of managing the state’s electrical system is surprisingly analog. 

Today, CAISO engineers scan outage reports for keywords about maintenance that’s planned or in the works, read through the notes, and then load each item into the grid software system to run calculations on how a downed line or transformer might affect power supply.

“Even if it takes you less than a minute to scan one on average, when you amplify that over 200 or 300 outages, it adds up,” says Abhimanyu Thakur, OATI’s vice president of platforms, visualization, and analytics. “Then different departments are doing it for their own respective keywords. Now we consolidate all of that into a single dictionary of keywords and AI can do this scan and generate a report proactively.” 

If CAISO finds that Genie produces reliable, more efficient data analyses for managing outages, Gopinathan says, the operator may consider automating more functions on the grid. “After a few rounds of testing, I think we’ll have an idea about what is the right time to call it successful or not,” he says. 

Regardless of the outcome, the experiment marks a significant shift. Most grid operators are using the same systems that utilities have used “for decades,” says Richard Doying, who spent more than 20 years as a top executive at the Midcontinent Independent System Operator, the grid operator for an area encompassing 15 states from the upper Midwest down to Louisiana. 

“These organizations are carved up for people working on very specific, specialized tasks and using their own proprietary tools that they’ve developed over time,” says Doying, now a vice president at the consultancy Grid Strategies. “To the extent that some of these new AI tools are able to draw from data across different areas of an organization and conduct more sophisticated analysis, that’s only helpful for grid operators.”

Last year, a Department of Energy report found that AI had potential to speed up studies on grid capacity and transmission, improve weather forecasting to help predict how much energy wind and solar plants would produce at a given time, and optimize planning for electric-vehicle charging networks. Another report by the energy department’s Loan Programs Office concluded that adding more “advanced” technology such as sensors to various pieces of equipment will generate data that can enable AI to do much more over time. 

In April, the PJM Interconnection—the nation’s largest grid system, spanning 13 states along the densely populated mid-Atlantic and Eastern Seaboard—took a big step toward embracing AI by inking a deal with Google to use its Tapestry software to improve regional planning and speed up grid connections for new power generators. 

ERCOT, the Texas grid system, is considering adopting technology similar to what CAISO is now set to use, according to a source with knowledge of the plans who requested anonymity because they were not authorized to speak publicly. ERCOT did not respond to a request for comment. 

Australia offers an example of what the future may look like. In New South Wales, where grid sensors and smart technology are more widely deployed, AI software rolled out in February is now predicting the production and flow of electricity from rooftop solar units across the state and automatically adjusting how much power from those panels can enter the grid. 

Until now, much of the discussion around AI and energy has focused on the electricity demands of AI data centers (check out MIT Technology Review’s Power Hungry series for more on this).

“We’ve been talking a lot about what the grid can do for AI and not nearly as much about what AI can do for the grid,” says Charles Hua, a coauthor of one of last year’s Energy Department reports who now serves as executive director of PowerLines, a nonprofit that advocates for improving the affordability and reliability of US grids. “In general, there’s a huge opportunity for grid operators, regulators, and other stakeholders in the utility regulatory system to use AI effectively and harness it for a more resilient, modernized, and strengthened grid.” 

For now, Gopinathan says, he’s remaining cautiously optimistic. 

“I don’t want to overhype it,” he says. 

Still, he adds, “it’s a first step for bigger automation.”

“Right now, this is more limited to our outage management system. Genie isn’t talking to our other parts yet,” he says. “But I see a world where AI agents are able to do a lot more.”

The Download: cybersecurity’s shaky alert system, and mobile IVF

2025-07-11 20:14:00

This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology.

Cybersecurity’s global alarm system is breaking down

Every day, billions of people trust digital systems to run everything from communication to commerce to critical infrastructure. But the global early warning system that alerts security teams to dangerous software flaws is showing critical gaps in coverage—and most users have no idea their digital lives are likely becoming more vulnerable.

Over the past eighteen months, two pillars of global cybersecurity have been shaken by funding issues: the US-backed National Vulnerability Database (NVD)—relied on globally for its free analysis of security threats—and the Common Vulnerabilities and Exposures (CVE) program, the numbering system for tracking software flaws. 

Although the situation for both has stabilized, organizations and governments are confronting a critical weakness in our digital infrastructure: Essential global cybersecurity services depend on a complex web of US agency interests and government funding that can be cut or redirected at any time. Read the full story.

—Matthew King

The first babies have been born following “simplified” IVF in a mobile lab

This week I’m sending congratulations to two sets of new parents in South Africa. Babies Milayah and Rossouw arrived a few weeks ago. All babies are special, but these two set a new precedent. They’re the first to be born following “simplified” IVF performed in a mobile lab.

This new mobile lab is essentially a trailer crammed with everything an embryologist needs to perform IVF on a shoestring. It was designed to deliver reproductive treatments to people who live in rural parts of low-income countries, where IVF can be prohibitively expensive or even nonexistent. And best of all: it seems to work! Read our story about why it’s such an exciting development. 

—Jessica Hamzelou 

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, sign up here.

The must-reads

I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.

1 Trump is seeking huge cuts to basic scientific research
If he gets his way, federal science funding will be slashed by a third for the next fiscal year. (NYT $)
+ The foundations of America’s prosperity are being dismantled. (MIT Technology Review)
+ Senators are getting ready to push back against proposed NASA cuts. (Bloomberg $)

2 Conspiracy theorists are starting to turn on Trump
He whipped them all up over the supposed existence of Epstein’s client list, and now they’re mad nothing’s being released. (The Atlantic $)

3 AI actually slows experienced software developers down
They end up wasting lots of time checking and correcting AI models’ output. (Reuters $)

4 The Pentagon is becoming the largest shareholder in a rare earth minerals company
It shows just how much competition is hotting up to secure a steady supply of these materials. (Quartz $)
+ The race to produce rare earth elements. (MIT Technology Review)

5 Solar power is starting to truly transform the world’s energy system 
Globally, roughly a third more power was generated from the sun this spring than last. (New Yorker $)

6 Cops’ favorite AI tool auto-deletes evidence of AI being used 
A pretty breathtaking attempt to avoid any sort of audit, transparency or accountability. (Ars Technica)
+ How a new type of AI is helping police skirt facial recognition bans. (MIT Technology Review)

7 Why Chinese EV brands are being forced to go global
Competition at home is becoming so intense that many have no choice but to seek profits elsewhere. (Rest of World)
+ China’s EV giants are betting big on humanoid robots. (MIT Technology Review)

8 Which Big Tech execs are closest to the White House? 
Check out this scorecard showing how they’re all doing trying to stay in Trump’s good graces. (WSJ $)

9 Elon Musk says Grok is coming to Tesla vehicles
Yes, that’s the same Grok that keeps being racist. Shareholders must be delighted. (Insider $)
+ X is basically becoming a strip mine for AI training data. (Axios)

10 Trump Mobile is charging people’s credit cards without explanation
But I’m sure it’s all perfectly explicable and above board, right? Right?! (404 Media)

Quote of the day

“It has been nonstop pandemonium.”

—Augustus Doricko, who founded a cloud seeding startup two years ago, tells the Washington Post he’s received a deluge of fury online from conspiracy theorists who blame him for the catastrophic Texas floods.

One more thing


What’s next for AI in 2025

For the last couple of years we’ve had a go at predicting what’s coming next in AI. A fool’s game given how fast this industry moves. But we gave it a go anyway back in January. As we sail past this year’s halfway mark, it’s a good time to ask: how well did we do? Check out our predictions, and see for yourself!

—James O’Donnell, Will Douglas Heaven & Melissa Heikkilä

This piece is part of MIT Technology Review’s What’s Next series, looking across industries, trends, and technologies to give you a first look at the future. You can read the rest of them here.

We can still have nice things

A place for comfort, fun and distraction to brighten up your day. (Got any ideas? Drop me a line or skeet ’em at me.)

+ Let’s have more pop culture references in journal article titles, please.
+ Here’s some inspiration for things to cook this month (or, if it’s hot, just assemble).
+ There’s something so relaxing about gazing at these (award-winning!) landscape photos
+ If you like birds, you’ll enjoy this artist’s work

The first babies have been born following “simplified” IVF in a mobile lab

2025-07-11 17:00:00

This week I’m sending congratulations to two sets of parents in South Africa. Babies Milayah and Rossouw arrived a few weeks ago. All babies are special, but these two set a new precedent. They’re the first to be born following “simplified” IVF performed in a mobile lab.

This new mobile lab is essentially a trailer crammed with everything an embryologist needs to perform IVF on a shoestring. It was designed to deliver reproductive treatments to people who live in rural parts of low-income countries, where IVF can be prohibitively expensive or even nonexistent. And it seems to work!

While IVF is increasingly commonplace in wealthy countries—around 12% of all births in Spain result from such procedures—it remains expensive and isn’t always covered by insurance or national health providers. And it’s even less accessible in low-income countries—especially for people who live in rural areas.

People often assume that countries with high birth rates don’t need access to fertility treatments, says Gerhard Boshoff, an embryologist at the University of Pretoria in South Africa. Sub-Saharan African countries like Niger, Angola, and Benin all have birth rates above 40 per 1,000 people, which is over four times the rates in Italy and Japan, for example.

But that doesn’t mean people in Sub-Saharan Africa don’t need IVF. Globally, around one in six adults experience infertility at some point in their lives, according to the World Health Organization. Research by the organization suggests that infertility rates are similar in high-income and low-income countries. As the WHO’s director general Tedros Adhanom Ghebreyesus puts it: “Infertility does not discriminate.”

For many people in rural areas of low-income countries, IVF clinics simply don’t exist. South Africa is considered a “reproductive hub” of the African continent, but even in that country there are fewer than 30 clinics for a population of over 60 million. A recent study found there were no such clinics in Angola or Malawi.  

Willem Ombelet, a retired gynecologist, first noticed these disparities back in the 1980s, while he was working at an IVF lab in Pretoria. “I witnessed that infertility was [more prevalent] in the black population than the white population—but they couldn’t access IVF because of apartheid,” he says. The experience spurred him to find ways to make IVF accessible for everyone. In the 1990s, he launched The Walking Egg—a science and art project with that goal.

In 2008, Ombelet met Jonathan Van Blerkom, a reproductive biologist and embryologist who had already been experimenting with a simplified version of IVF. Typically, embryos are cultured in an incubator that provides a sterile mix of gases. Van Blerkom’s approach was to preload tubes with the required gases and seal them with a rubber stopper. “We don’t need a fancy lab,” says Ombelet.

[Image: a sleeping infant in a hat and fuzzy sweater. Caption: Milayah was born on June 18. Courtesy of The Walking Egg.]

Eggs and sperm can be injected into the tubes through the stoppers, and the resulting embryos can be grown inside. All you really need is a good microscope and a way to keep the tube warm, says Ombelet. Once the embryos are around five days old, they can be transferred to a person’s uterus or frozen. “The cost is one tenth or one twentieth of a normal lab,” says Ombelet.

Ombelet, Van Blerkom, and their colleagues found that this approach appeared to work as well as regular IVF. The team ran their first pilot trial at a clinic in Belgium in 2012. The first babies conceived with the simplified IVF process were born later that year.

More recently, Boshoff wondered if the team could take the show on the road. Making IVF simpler and cheaper is one thing, but getting it to people who don’t have access to IVF care is another. What if the team could pack the simplified IVF lab into a trailer and drive it around rural South Africa?

“We just needed to figure out how to have everything in a very confined space,” says Boshoff. As part of the Walking Egg project, he and his colleagues found a way to organize the lab equipment and squeeze in air filters. He then designed a “fold-out system” that allowed the team to create a second room when the trailer was parked. This provides some privacy for people who are having embryos transferred, he says.

People who want to use the mobile IVF lab will first have to undergo treatment at a local medical facility, where they will take drugs that stimulate their ovaries to release eggs, and then have those eggs collected. The rest of the process can be done in the mobile lab, says Boshoff, who presented his work at the European Society of Human Reproduction and Embryology’s annual meeting in Paris earlier this month.

The first trial started last year. The team partnered with one of the few existing fertility clinics in rural South Africa, which put them in touch with 10 willing volunteers. Five of the 10 women got pregnant following their simplified IVF in the mobile lab. One miscarried, but four pregnancies continued. On June 18, baby Milayah arrived. Two days later, another mother welcomed baby Rossouw. The other babies could come any day now.

“We’ve proven that a very cheap and easy [IVF] method can be used even in a mobile unit and have comparable results to regular IVF,” says Ombelet, who says his team is planning similar trials in Egypt and Indonesia. “The next step is to roll it out all over the world.”

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

Cybersecurity’s global alarm system is breaking down

2025-07-11 17:00:00

Every day, billions of people trust digital systems to run everything from communication to commerce to critical infrastructure. But the global early warning system that alerts security teams to dangerous software flaws is showing critical gaps in coverage—and most users have no idea their digital lives are likely becoming more vulnerable.

Over the past 18 months, two pillars of global cybersecurity have flirted with apparent collapse. In February 2024, the US-backed National Vulnerability Database (NVD)—relied on globally for its free analysis of security threats—abruptly stopped publishing new entries, citing a cryptic “change in interagency support.” Then, in April of this year, the Common Vulnerabilities and Exposures (CVE) program, the fundamental numbering system for tracking software flaws, seemed at similar risk: A leaked letter warned of an imminent contract expiration.

Cybersecurity practitioners have since flooded Discord channels and LinkedIn feeds with emergency posts and memes of “NVD” and “CVE” engraved on tombstones. Unpatched vulnerabilities are the second most common way cyberattackers break in, and they have led to fatal hospital outages and critical infrastructure failures. In a social media post, Jen Easterly, a US cybersecurity expert, said: “Losing [CVE] would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage.” If CVEs identify each vulnerability like a book in a card catalogue, NVD entries provide the detailed review with context around severity, scope, and exploitability. 

In the end, the Cybersecurity and Infrastructure Security Agency (CISA) extended funding for CVE another year, attributing the incident to a “contract administration issue.” But the NVD’s story has proved more complicated. Its parent organization, the National Institute of Standards and Technology (NIST), reportedly saw its budget cut roughly 12% in 2024, right around the time that CISA pulled its $3.7 million in annual funding for the NVD. Shortly after, as the backlog grew, CISA launched its own “Vulnrichment” program to help address the analysis gap, while promoting a more distributed approach that allows multiple authorized partners to publish enriched data. 

“CISA continuously assesses how to most effectively allocate limited resources to help organizations reduce the risk of newly disclosed vulnerabilities,” says Sandy Radesky, the agency’s associate director for vulnerability management. Rather than just filling the gap, she emphasizes, Vulnrichment was established to provide unique additional information, like recommended actions for specific stakeholders, and to “reduce dependency of the federal government’s role to be the sole provider of vulnerability enrichment.”

Meanwhile, NIST has scrambled to hire contractors to help clear the backlog. Despite a return to pre-crisis processing levels, a boom in vulnerabilities newly disclosed to the NVD has outpaced these efforts. Currently, over 25,000 vulnerabilities await processing—nearly 10 times the previous high in 2017, according to data from the software company Anchore. Before that, the NVD largely kept pace with CVE publications, maintaining a minimal backlog.

“Things have been disruptive, and we’ve been going through times of change across the board,” Matthew Scholl, then chief of the computer security division in NIST’s Information Technology Laboratory, said at an industry event in April. “Leadership has assured me and everyone that NVD is and will continue to be a mission priority for NIST, both in resourcing and capabilities.” Scholl left NIST in May after 20 years at the agency, and NIST declined to comment on the backlog. 

The situation has now prompted multiple government actions, with the Department of Commerce launching an audit of the NVD in May and House Democrats calling for a broader probe of both programs in June. But the damage to trust is already transforming geopolitics and supply chains as security teams prepare for a new era of cyber risk. “It’s left a bad taste, and people are realizing they can’t rely on this,” says Rose Gupta, who builds and runs enterprise vulnerability management programs. “Even if they get everything together tomorrow with a bigger budget, I don’t know that this won’t happen again. So I have to make sure I have other controls in place.”

As these public resources falter, organizations and governments are confronting a critical weakness in our digital infrastructure: Essential global cybersecurity services depend on a complex web of US agency interests and government funding that can be cut or redirected at any time.

Security haves and have-nots

What began as a trickle of software vulnerabilities in the early Internet era has become an unstoppable avalanche, and the free databases that have tracked them for decades have struggled to keep up. In early July, the CVE database crossed over 300,000 catalogued vulnerabilities. Numbers jump unpredictably each year, sometimes by 10% or much more. Even before its latest crisis, the NVD was notorious for delayed publication of new vulnerability analyses, often trailing private security software and vendor advisories by weeks or months.

Gupta has watched organizations increasingly adopt commercial vulnerability management (VM) software that includes its own threat intelligence services. “We’ve definitely become over-reliant on our VM tools,” she says, describing security teams’ growing dependence on vendors like Qualys, Rapid7, and Tenable to supplement or replace unreliable public databases. These platforms combine their own research with various data sources to create proprietary risk scores that help teams prioritize fixes. But not all organizations can afford to fill the NVD’s gap with premium security tools. “Smaller companies and startups, already at a disadvantage, are going to be more at risk,” she explains. 

Komal Rawat, a security engineer in New Delhi whose mid-stage cloud startup has a limited budget, describes the impact in stark terms: “If NVD goes, there will be a crisis in the market. Other databases are not that popular, and to the extent they are adopted, they are not free. If you don’t have recent data, you’re exposed to attackers who do.”

The growing backlog means new devices could be more likely to have vulnerability blind spots—whether that’s a Ring doorbell at home or an office building’s “smart” access control system. The biggest risk may be “one-off” security flaws that fly under the radar. “There are thousands of vulnerabilities that will not affect the majority of enterprises,” says Gupta. “Those are the ones that we’re not getting analysis on, which would leave us at risk.”

NIST acknowledges it has limited visibility into which organizations are most affected by the backlog. “We don’t track which industries use which products and therefore cannot measure impact to specific industries,” a spokesperson says. Instead, the team prioritizes vulnerabilities on the basis of CISA’s known exploits list and those included in vendor advisories like Microsoft Patch Tuesday.
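A defender-side illustration of the fallback this section describes, where CISA’s known-exploits list and vendor advisories stand in for NVD analysis that is still in the backlog. This is an added example, not code from NIST, CISA or the article; the record fields, priority tiers and CVE IDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CveRecord:
    """One vulnerability as a team sees it after merging several feeds.
    All fields are constructed for this example, not pulled from a live feed."""
    cve_id: str
    product: str
    nvd_cvss: Optional[float]               # None: NVD entry still "awaiting analysis"
    in_cisa_kev: bool = False               # present in CISA's Known Exploited Vulnerabilities list
    vendor_severity: Optional[str] = None   # severity from the vendor's own advisory, if any
    in_inventory: bool = False              # product appears in our asset inventory


# Constructed sample feed: fully analysed entries mixed with backlog entries.
# CVE-0000-* are placeholder identifiers, not real CVE numbers.
SAMPLE_FEED = [
    CveRecord("CVE-0000-0001", "example-webserver", 9.8, in_inventory=True),
    CveRecord("CVE-0000-0002", "example-webserver", None, in_cisa_kev=True, in_inventory=True),
    CveRecord("CVE-0000-0003", "example-os", None, vendor_severity="Critical", in_inventory=True),
    CveRecord("CVE-0000-0004", "example-door-controller", None, in_inventory=True),
    CveRecord("CVE-0000-0005", "example-mailer", 5.3, in_inventory=False),
]

# Vendor wording varies; map it onto our own tiers (constructed mapping).
VENDOR_TIER = {"critical": "P1", "important": "P2", "high": "P2", "moderate": "P3", "low": "P4"}


def cvss_tier(score: float) -> str:
    """Map a CVSS base score onto a remediation tier."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def triage(rec: CveRecord) -> tuple:
    """Return (tier, reason) for one record.

    Precedence: exploitation evidence (KEV) first, then the NVD score when
    present, then the vendor's severity, and finally an explicit 'unscored'
    flag so backlog entries are not silently pushed to the bottom of the queue."""
    if not rec.in_inventory:
        return "P4", "product not in inventory"
    if rec.in_cisa_kev:
        return "P1", "listed in CISA KEV"
    if rec.nvd_cvss is not None:
        return cvss_tier(rec.nvd_cvss), f"NVD CVSS {rec.nvd_cvss}"
    if rec.vendor_severity:
        tier = VENDOR_TIER.get(rec.vendor_severity.lower(), "P3")
        return tier, f"vendor severity {rec.vendor_severity} (NVD backlog)"
    return "P3", "unscored: NVD backlog, no vendor signal; needs manual review"


def enrichment_gaps(feed) -> list:
    """CVE IDs affecting our inventory that have no NVD score and no substitute
    signal: the blind spots the backlog creates."""
    return [r.cve_id for r in feed
            if r.in_inventory and r.nvd_cvss is None
            and not r.in_cisa_kev and not r.vendor_severity]


def triage_feed(feed) -> dict:
    """Triage every record, keyed by CVE ID."""
    return {r.cve_id: triage(r) for r in feed}


if __name__ == "__main__":
    for cve, (tier, why) in triage_feed(SAMPLE_FEED).items():
        print(f"{cve}: {tier} {why}")
    print("blind spots:", enrichment_gaps(SAMPLE_FEED))
```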

The biggest vulnerability

Brian Martin has watched this system evolve—and deteriorate—from the inside. A former CVE board member and an original project leader behind the Open Source Vulnerability Database, he has built a combative reputation over the decades as a leading historian and practitioner. Martin says his current project, VulnDB (part of Flashpoint Security), outperforms the official databases he once helped oversee. “Our team processes more vulnerabilities, at a much faster turnaround, and we do it for a fraction of the cost,” he says, referring to the tens of millions in government contracts that support the current system. 

When we spoke in May, Martin said his database contains more than 112,000 vulnerabilities with no CVE identifiers—security flaws that exist in the wild but remain invisible to organizations that rely solely on public channels. “If you gave me the money to triple my team, that non-CVE number would be in the 500,000 range,” he said.

In the US, official vulnerability management duties are split between a web of contractors, agencies, and nonprofit centers like the Mitre Corporation. Critics like Martin say that creates potential for redundancy, confusion, and inefficiency, with layers of middle management and relatively few actual vulnerability experts. Others defend the value of this fragmentation. “These programs build on or complement each other to create a more comprehensive, supportive, and diverse community,” CISA said in a statement. “That increases the resilience and usefulness of the entire ecosystem.”

As American leadership wavers, other nations are stepping up. China now operates multiple vulnerability databases, some surprisingly robust but tainted by the possibility that they are subject to state control. In May, the European Union accelerated the launch of its own database, as well as a decentralized “Global CVE” architecture. Following social media and cloud services, vulnerability intelligence has become another front in the contest for technological independence. 

That leaves security professionals to navigate multiple potentially conflicting sources of data. “It’s going to be a mess, but I would rather have too much information than none at all,” says Gupta, describing how her team monitors multiple databases despite the added complexity. 

Resetting software liability

As defenders adapt to the fragmenting landscape, the tech industry faces another reckoning: Why don’t software vendors carry more responsibility for protecting their customers from security issues? Major vendors routinely disclose—but don’t necessarily patch—thousands of new vulnerabilities each year. A single exposure could crash critical systems or increase the risks of fraud and data misuse. 

For decades, the industry has hidden behind legal shields. “Shrink-wrap licenses” once forced consumers to broadly waive their right to hold software vendors liable for defects. Today’s end-user license agreements (EULAs), often delivered in pop-up browser windows, have evolved into incomprehensibly long documents. Last November, a lab project called “EULAS of Despair” used the length of War and Peace (587,287 words) to measure these sprawling contracts. The worst offender? Twitter, at 15.83 novels’ worth of fine print.

“This is a legal fiction that we’ve created around this whole ecosystem, and it’s just not sustainable,” says Andrea Matwyshyn, a US special advisor and technology law professor at Penn State University, where she directs the Policy Innovation Lab of Tomorrow. “Some people point to the fact that software can contain a mix of products and services, creating more complex facts. But just like in engineering or financial litigation, even the most messy scenarios can be resolved with the assistance of experts.”

This liability shield is finally beginning to crack. In July 2024, a faulty update to CrowdStrike's widely used Falcon endpoint detection software crashed millions of Windows computers worldwide and caused outages at everything from airlines to hospitals to 911 systems. The incident led to billions in estimated damages, and the city of Portland, Oregon, even declared a "state of emergency." Now, affected companies like Delta Air Lines have hired high-priced attorneys to pursue major damages, a sign that the floodgates to litigation are opening.

Despite the soaring number of vulnerabilities, many fall into long-established categories, such as SQL injection, where attacker-supplied input alters database queries, and buffer overflows, which can let an attacker execute arbitrary code on the affected system. Matwyshyn advocates for a mandatory "software bill of materials," or SBOM: an ingredients list that would let organizations understand what components, and therefore what potential vulnerabilities, exist throughout their software supply chains. One recent report found 30% of data breaches stemmed from the vulnerabilities of third-party software vendors or cloud service providers.
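What an SBOM buys a defender is the ability to do the matching described above mechanically, and to do it against more than one vulnerability source at once, reconciling records that name the same flaw under different identifiers (the "multiple potentially conflicting sources" problem raised earlier). The following is example code added here, not code from the article or from any of the databases it names; the SBOM fragment, the advisories, the package names and the identifiers (CVE-0000-0001, VDB-100, VDB-101) are all constructed for illustration.

```python
"""Match a CycloneDX-style SBOM against advisories from two sources,
grouping advisories that are aliases of one another so a single flaw is
reported once. Example code added here; not from the article or from any
vulnerability database. All data below is constructed."""
import json
import re
from collections import defaultdict

# Constructed SBOM fragment in CycloneDX JSON shape (only the fields used).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample", "version": "2.4.1",
         "purl": "pkg:generic/libexample@2.4.1"},
        {"name": "webfw", "version": "1.9.0",
         "purl": "pkg:pypi/webfw@1.9.0"},
        {"name": "safe-lib", "version": "3.0.0",
         "purl": "pkg:pypi/safe-lib@3.0.0"},
    ],
})

# Constructed advisories from two sources. VDB-100 is the vendor database's
# record of the same flaw as CVE-0000-0001; VDB-101 has no CVE at all.
ADVISORIES = [
    {"source": "public-db", "id": "CVE-0000-0001", "aliases": [],
     "package": "pkg:pypi/webfw", "introduced": "1.0.0", "fixed": "1.9.3"},
    {"source": "vendor-db", "id": "VDB-100", "aliases": ["CVE-0000-0001"],
     "package": "pkg:pypi/webfw", "introduced": "1.0.0", "fixed": "1.9.3"},
    {"source": "vendor-db", "id": "VDB-101", "aliases": [],
     "package": "pkg:generic/libexample", "introduced": "2.0.0", "fixed": "2.4.2"},
]


def parse_version(text):
    """Numeric-only version key. Real matching must follow the ecosystem's
    own version rules (PEP 440, semver, distro epochs); this is a simplification."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def split_purl(purl):
    """Return (package identity, version) from a purl, dropping qualifiers/subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, "")


def affected(version, introduced, fixed):
    """Half-open range: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def group_identifiers(advisories):
    """Union-find over ids and aliases; map every id to one canonical name,
    preferring a CVE id when the group has one."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for adv in advisories:
        for alias in adv["aliases"]:
            parent[find(adv["id"])] = find(alias)
    groups = defaultdict(set)
    for adv in advisories:
        for ident in [adv["id"], *adv["aliases"]]:
            groups[find(ident)].add(ident)
    canonical = {}
    for members in groups.values():
        cves = sorted(m for m in members if m.startswith("CVE-"))
        name = cves[0] if cves else sorted(members)[0]
        for m in members:
            canonical[m] = name
    return canonical


def match_sbom(sbom_json, advisories):
    """Return {component purl: sorted canonical advisory ids} for affected components."""
    canonical = group_identifiers(advisories)
    findings = defaultdict(set)
    for comp in json.loads(sbom_json)["components"]:
        pkg, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == pkg and affected(version, adv["introduced"], adv["fixed"]):
                findings[comp["purl"]].add(canonical[adv["id"]])
    return {purl: sorted(ids) for purl, ids in findings.items()}


if __name__ == "__main__":
    print(json.dumps(match_sbom(SBOM_JSON, ADVISORIES), indent=2))
```

The alias grouping is the part that matters when a team watches several databases: without it, webfw would be reported twice (once per source), and libexample, which only the vendor feed knows about, would be missed entirely by anyone keyed on CVE ids alone.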

She adds: “When you can’t tell the difference between the companies that are cutting corners and a company that has really invested in doing right by their customers, that results in a market where everyone loses.”

CISA leadership shares this sentiment, with a spokesperson emphasizing its “secure-by-design principles,” such as “making essential security features available without additional cost, eliminating classes of vulnerabilities, and building products in a way that reduces the cybersecurity burden on customers.”

Avoiding a digital ‘dark age’

It will likely come as no surprise that practitioners are looking to AI to help fill the gap, while at the same time preparing for a coming swarm of cyberattacks by AI agents. Security researchers have used an OpenAI model to discover new "zero-day" vulnerabilities. And both the NVD and CVE teams are developing "AI-powered tools" to help streamline data collection, identification, and processing. NIST says that "up to 65% of our analysis time has been spent generating CPEs," the Common Platform Enumeration identifiers that name exactly which vendor, product, and version a flaw affects. If AI can solve even part of this tedious process, it could dramatically speed up the analysis pipeline.
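Some of why CPE work is tedious is visible from the format itself: a CPE 2.3 string has eleven colon-separated fields with its own escaping rules, wildcards, and, in NVD records, version bounds that sit outside the string. The following is example code added here, not NIST's tooling or anything from the article; the vendor, product names, and version bounds are constructed for illustration.

```python
"""Parse CPE 2.3 formatted strings and test an installed product against
NVD-style 'cpeMatch' entries (a criteria string plus optional version
bounds). Example code added here; not from NIST or the article. The
products and bounds below are constructed."""
import re

CPE_PREFIX = "cpe:2.3:"
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
BOUND_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def parse_cpe23(cpe):
    """Split a CPE 2.3 string on unescaped colons into a field dict."""
    if not cpe.startswith(CPE_PREFIX):
        raise ValueError("not a CPE 2.3 formatted string")
    # A backslash escapes the next character, so '\:' is part of a value.
    parts = re.split(r"(?<!\\):", cpe[len(CPE_PREFIX):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} fields, got {len(parts)}")
    return dict(zip(CPE_FIELDS, parts))


def unescape(value):
    return re.sub(r"\\(.)", r"\1", value)


def field_matches(pattern, value):
    """'*' (ANY) matches everything; '-' (NA) only matches '-'; else exact, case-insensitive."""
    if pattern == "*":
        return True
    return unescape(pattern).lower() == unescape(value).lower()


def version_key(version):
    """Numeric-only key; a simplification of real product versioning schemes."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def version_in_bounds(version, entry):
    v = version_key(version)
    lo_inc, lo_exc, hi_inc, hi_exc = (entry.get(k) for k in BOUND_KEYS)
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def cpe_matches(installed, entry):
    """True if the installed CPE satisfies the entry's criteria and version bounds."""
    crit = parse_cpe23(entry["criteria"])
    inst = parse_cpe23(installed)
    has_bounds = any(k in entry for k in BOUND_KEYS)
    for field in CPE_FIELDS:
        if field == "version" and has_bounds:
            continue  # the bounds, not the criteria's version field, decide
        if not field_matches(crit[field], inst[field]):
            return False
    if not has_bounds:
        return True
    if inst["version"] in ("*", "-"):
        return False  # unknown version cannot be shown to fall inside a range
    return version_in_bounds(inst["version"], entry)


# Constructed NVD-style match entries. The second product name contains an
# escaped colon to show why naive splitting on ':' breaks.
CPE_MATCHES = [
    {"criteria": "cpe:2.3:a:examplecorp:webfw:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.9.3"},
    {"criteria": "cpe:2.3:a:examplecorp:tool\\:suite:2.0:*:*:*:*:*:*:*"},
]

# Constructed inventory of installed products.
INSTALLED = [
    "cpe:2.3:a:examplecorp:webfw:1.9.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:webfw:1.9.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:tool\\:suite:2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:tool\\:suite:2.1:*:*:*:*:*:*:*",
]


def vulnerable_products(installed, entries):
    return [cpe for cpe in installed if any(cpe_matches(cpe, e) for e in entries)]


if __name__ == "__main__":
    for cpe in vulnerable_products(INSTALLED, CPE_MATCHES):
        print("affected:", cpe)
```

Note that the hard part NIST describes is upstream of this: deciding that a vendor's "WebFW Enterprise 1.9" is `examplecorp:webfw` at all, and doing so consistently across thousands of advisories, which is exactly where both automation and its error rate show up.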

But Martin cautions against optimism around AI, noting that the technology remains unproven and often riddled with inaccuracies—which, in security, can be fatal. “Rather than AI or ML [machine learning], there are ways to strategically automate bits of the processing of that vulnerability data while ensuring 99.5% accuracy,” he says. 

AI also fails to address more fundamental challenges in governance. The CVE Foundation, launched in April 2025 by breakaway board members, proposes a globally funded nonprofit model similar to that of the internet’s addressing system, which transitioned from US government control to international governance. Other security leaders are pushing to revitalize open-source alternatives like Google’s OSV Project or the NVD++ (maintained by VulnCheck), which are accessible to the public but currently have limited resources.

As these various reform efforts gain momentum, the world is waking up to the fact that vulnerability intelligence—like disease surveillance or aviation safety—requires sustained cooperation and public investment. Without it, a patchwork of paid databases will be all that remains, threatening to leave all but the richest organizations and nations permanently exposed.

Matthew King is a technology and environmental journalist based in New York. He previously worked for cybersecurity firm Tenable.

The Download: flaws in anti-AI protections for art, and an AI regulation vibe shift

2025-07-10 20:10:00

This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology.

This tool strips away anti-AI protections from digital art

The news: A new technique called LightShed will make it harder for artists to use existing protective tools to stop their work from being ingested for AI training. It’s the next step in a cat-and-mouse game—across technology, law, and culture—that has been going on between artists and AI proponents for years. 

How it works: Protective tools like Glaze and Nightshade change enough pixels to affect an image, so if it’s scraped up by AI models, they see it as something it’s not. LightShed essentially works by spotting just the “poison” on poisoned images. To be clear, the researchers behind it aren’t trying to steal artists’ work. They just don’t want people to get a false sense of security.  Read the full story.

—Peter Hall

Why the AI moratorium’s defeat may signal a new political era

The “Big, Beautiful Bill” that President Donald Trump signed into law on July 4 was chock full of controversial policies. But one highly contested provision was missing. Just days earlier, during a late-night voting session, the Senate had killed the bill’s 10-year moratorium on state-level AI regulation. 

The bipartisan vote was seen as a victory by many, and may signal a bigger political shift, with a broader and more diverse coalition in favor of AI regulation starting to form. After years of relative inaction, politicians are getting concerned about the risks of unregulated artificial intelligence. Read the full story.

—Grace Huckins

China’s energy dominance in three charts

China is the dominant force in next-generation energy technologies today. It's pouring hundreds of billions of dollars into deploying renewable sources like wind and solar, manufacturing millions of electric vehicles, and building out capacity for energy storage, nuclear power, and more. This investment has been transformational for the country's economy and has contributed to establishing China as a major player in global politics. 

So while we all try to get our heads around what’s next for climate tech in the US and beyond, let’s look at just how dominant China is when it comes to clean energy, as documented in three charts. Read the full story.

—Casey Crownhart

This article is from The Spark, MIT Technology Review’s weekly climate newsletter. To receive it in your inbox every Wednesday, sign up here.

The must-reads

I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.

1 Linda Yaccarino is stepping down as CEO of X
She managed to last almost exactly two years reporting to owner Elon Musk.  (Axios)
She was planning to leave before Grok’s anti-Semitic rants, apparently. (NYT $)
Turkey has banned Grok after it insulted President Erdoğan. (Politico)

2 OpenAI is planning to release its own web browser
If it works out, it’ll give it the same advantage as Google: direct ownership over users’ data. (Reuters $)
AI means the end of internet search as we’ve known it. (MIT Technology Review)

3 McDonald’s hiring chatbot exposed millions of applicants’ data to hackers
Adding the insult of carelessness to an already pretty dystopian process! (Wired $)

4 AI-generated images of child sexual abuse are proliferating online
This is going to make an already very hard job for law enforcement even harder. (NYT $)

5 Autonomous fighter jets are on the horizon
European defense start-up Helsing just completed two successful test flights. (FT $)
Generative AI is learning to spy for the US military. (MIT Technology Review)

6 What happened to all the human bird flu cases?
Since February, the CDC has not recorded a single new case in the US. (Undark)

7 An interstellar object is cruising through the solar system
And it’s giving astronomers a chance to test out early theories of interstellar-object-ology (yes, that’s what it’s called!) (The Economist $)
Inside the most dangerous asteroid hunt ever. (MIT Technology Review)

8 Apple is planning its first upgrade to its Vision Pro headset
But no matter what upgrades it’s got, it’s going to be a real struggle to revive its flagging fortunes. (Bloomberg $)

9 Where have all the mundane social media posts gone?
Normies used to be what made social media good. We miss them and their photos of their breakfasts. (New Yorker $)
It’s heartening to see that ‘missed connection’ posts are making a comeback, though. (The Guardian)

10 A global shortage is turning MatchaTok sour
But it’s pretty easy to explain why it’s in short supply: the whole world’s started going mad for it. (WSJ $)

Quote of the day

 “You’ll be hard pressed to find someone that really believes in our AI mission. To most, it’s not even clear what our mission is.”

—Tijmen Blankevoort, an AI researcher at Meta, explains why he thinks expensive hires alone might not cure the company’s woes, The Information reports.

One more thing

Illustration: Mike McQuade

The race to save our online lives from a digital dark age

There is a photo of my daughter that I love. She is sitting, smiling, in our old back garden, chubby hands grabbing at the cool grass. It was taken on a digital camera in 2013, when she was almost one, but now lives on Google Photos.

But what if, one day, Google ceased to function? What if I lost my treasured photos forever? For many archivists, alarm bells are ringing. Across the world, they are scraping up defunct websites or at-risk data collections to save as much of our digital lives as possible. Others are working on ways to store that data in formats that will last hundreds, perhaps even thousands, of years.

The endeavor raises complex questions. What is important to us? How and why do we decide what to keep—and what do we let go? And how will future generations make sense of what we’re able to save? Read the full story.

—Niall Firth

We can still have nice things

A place for comfort, fun and distraction to brighten up your day. (Got any ideas? Drop me a line or skeet ’em at me.)

+ Why Hollywood is so hell-bent on making sequels.
+ I love this sweet little town building program.
+ What makes Severance’s opening credits so darn good?
+ This ranking of HBO’s finest shows is fun.