Losing control of the systems meant to secure society - Best infosec long reads 5/23/26

Full access to Metacurity's curated infosec long reads is available to paid subscribers. Our goal is simple: make it financially viable to keep investing the time and expertise required to find, vet, and contextualize the most important security journalism each week. Free readers will still get highlights, but subscribers will get the complete, deeply curated set.

Please help support Metacurity achieve our goal by upgrading your subscription to gain full access to this issue and all content published on Metacurity, including the archives.

May 23: This week's long reads describe a world in which technological acceleration is outpacing governance. France’s wave of massive data breaches, research showing AI voice systems can be manipulated through adversarial audio, Seattle’s sprawling public-private surveillance network, mounting conflict over global cyber governance at the UN, and warnings against treating AI development as a geopolitical arms race all point to the same underlying reality: the institutions charged with managing technological power increasingly appear unable to control the systems they have built or unleashed.

In a tsunami of data leaks, French society remains vulnerable and authorities powerless

Le Monde's Martin Untersinger, Elsa Delmas, Léa Girardot, and Léa Tanda examine how France is experiencing an unprecedented wave of massive data breaches that have exposed millions of citizens’ personal information while revealing the inability of regulators and institutions to contain systemic digital insecurity.

Despite the deluge of leaks and the damage they cause, this issue remains a blind spot in French policy. Few MPs have made it a priority. On April 28, Marie-Agnès Poussier-Winsback, a center-right vice president of the Assemblée Nationale, questioned the Interior Ministry about data leaks and their possible serious consequences in terms of identity theft. "Beyond scams, the future consequences of data leaks could be terrible. We could imagine health data being sold to unscrupulous insurance companies," she predicted.

Under pressure from repeated cyberattacks and following a data leak – limited in severity but affecting a key government service, the National Agency for Secure Documents (ANTS) – Prime Minister Lecornu finally made several announcements: €200 million to strengthen the protection of digital services, redirecting fines collected by CNIL into a fund for IT modernization and merging two government agencies that manage France's public digital infrastructure. Not all experts are convinced by those promises. "I still haven't understood what the minister proposed," lamented centrist MP Philippe Latombe, who is highly active on digital issues and fears the creation of a "factory of bureaucracy."

These repeated data breaches have exposed deep vulnerabilities in both society and the state when it comes to digital security. Worryingly, they have not even been perpetrated by elite hackers, but rather by young individuals who are not necessarily very skilled technically.

That is what prosecutor Brousse emphasized after the April 25 arrest of a 15-year-old accused of hacking ANTS. "[This teenager] is not a prodigy. He is a warning. The cyber threat is becoming commonplace. It is up to us, collectively, to raise our level of cyber resilience," she wrote on LinkedIn. CNIL made the same observation, noting that these leaks often follow the same pattern, one that is easy to thwart. In fact, "nearly 80% of major [data] breaches" in 2024 became possible due to the lack of multi-factor authentication – a digital security mechanism that requires users to prove their identity using at least two types of authentication, such as entering a password on a computer and then typing in a code sent to a phone.