- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
National Security Agency Discovers Major Vulnerability in Microsoft Windows 10
The National Security Agency (NSA) revealed a major vulnerability in Microsoft Windows that would have allowed hackers to compromise the newest versions of Windows 10, an operating system used by nearly one billion devices. The vulnerability, which Microsoft published a patch for on January 14, would have allowed an attacker to disguise malware as legitimate software and intercept and modify encrypted internet traffic. In what some have argued is a break from the past, the NSA publicly acknowledged that it brought the vulnerability to Microsoft and asked Microsoft to remedy it. Historically, the NSA would have reported such a flaw quietly or not publicized its findings at all, exploiting detected vulnerabilities for its own offensive goals. The decision to notify Microsoft represents efforts by the NSA’s recently launched Cybersecurity Directorate to rebuild the agency’s image and “build trust” with the cybersecurity community. While the agency has not observed any exploits of the vulnerability, there is still a window of opportunity for attackers to target Windows computers in the delay between when a patch is made available and when users download it.
Senators Urge $1 Billion Plan to Loosen China’s Grip on 5G
Alarmed by Huawei’s buildout of 5G networks worldwide, a bipartisan group of U.S. senators led by Richard Burr (R-NC) and Mark Warner (D-VA) has proposed the Utilizing Strategic Allied Telecommunications Act, which will steer at least $750 million to a research fund for U.S. companies developing 5G technology and create a separate $500 million Multilateral Telecommunications Security Fund for companies that deploy “trusted and secure” equipment globally. The research fund is aimed at helping smaller U.S. companies gain a foothold in a market that has largely been dominated by Huawei, ZTE, Ericsson, Nokia, and Samsung. The National Telecommunications and Information Administration would oversee grants from the fund. Huawei has criticized the “trusted and secure” language used to describe the proposed security fund as “vague” and expressed concern that the fund is actually meant to entice countries to purchase non-Chinese equipment, which it appears to be.
India to Ease Some Internet Restrictions in Kashmir
The Indian government says it will reinstate some internet access to essential institutions, such as government offices, hospitals, and banks, this week in Kashmir, but will continue to block mobile internet service and social media sites during what continues to be the longest internet blackout ever imposed in a democracy. The easing of internet restrictions comes after India’s highest court last week ruled that indefinite suspension of services in Kashmir was unconstitutional and impermissible. The Indian government has used internet blackouts to quell public unrest on multiple occasions, with potential economic consequences for the country. Last year, there were more than four thousand hours of internet blackouts, which cost the economy about $1.3 billion in lost commerce and productivity. Some have complained that the blackouts undermine the Digital India initiative, which seeks to provide digital services to Indian citizens.
Federal Reserve Bank of New York Warns a Cyberattack on Banks Could Cause Major Disruption
The Federal Reserve Bank of New York has released a paper, termed a “pre-mortem analysis,” that assesses the impact a cyberattack could have on the U.S. banking system. The paper warns that a cyberattack that compromises the payment systems of the five biggest banks, or even banks with less than $10 billion in assets, could destabilize the broader financial system. The bank estimates that the numerical impact in foregone payments in this scenario would reach more than 2.5 times the United States’ daily gross domestic product (GDP), or about $143 billion. For this reason, the authors of the paper note that banks’ payment systems could be natural candidates for an attacker intent on inflicting the greatest possible damage to the U.S. economy. Concern over cyberattacks against the United States has grown since the U.S. killing of Qasem Soleimani in early January, and analysts warn that Iran could retaliate by targeting critical infrastructure and financial institutions.
Amnesty International Suit Against NSO Group Heads to Court
On Thursday, a judge in Tel Aviv’s district court began to hear arguments over whether Israel’s Ministry of Defense should revoke the export license of NSO Group as part of a May 2019 lawsuit filed by Amnesty International against the company. Amnesty International alleges human rights abuses stemming from NSO Group’s technology, which has infected devices in at least forty-five countries, while NSO Group, founded by former members of the Israeli military, maintains that it thoroughly vets potential clients before selling its software. Israel’s Ministry of Defense has asked the Tel Aviv court to dismiss the case, and the court has granted its request for a gag order on national security grounds, forcing the hearing behind closed doors. NSO Group is also being sued by WhatsApp, which alleges that the company helped governments exploit a security flaw in its messaging platform to hack the phones of roughly 1,400 users globally.