Morning Briefing — 19 March 2026

Today’s signal: The United States launched an aerial campaign to reopen the Strait of Hormuz, closed by Iran since late February. Iranian drones struck Kuwait’s largest refineries, taking ~730,000 bpd offline. Brent spiked to $119 before settling at $113. The European Council opened in Brussels with defence and Middle East at the top of the agenda. In cyber, CISA flagged a critical Cisco FMC zero-day already exploited by ransomware operators for 36 days before disclosure.

---

Security & Defence

US begins aerial campaign to reopen the Strait of Hormuz

The United States launched strikes against Iranian coastal targets to forcibly reopen the Strait of Hormuz, which Iran has kept closed since February 28. A-10 and AH-64 aircraft were deployed against Iranian fast-attack boats and drone positions along the strait. Leaders of Canada, France, Germany, Italy, Japan, the Netherlands and the UK issued a joint statement supporting safe passage through international waterways.

Why it matters: This is the first military operation to reopen the world’s most critical oil chokepoint. The Strait handles roughly 20% of global oil transit. The seven-nation joint statement signals this is being treated as an international security issue, not a bilateral US-Iran confrontation.

Wikipedia: Strait of Hormuz Campaign (reference) · Reuters (primary)

European Council opens: defence ramp-up and Middle East ceasefire call

EU leaders convened in Brussels for a two-day summit. On day one, the Council adopted conclusions calling for an immediate ceasefire, a moratorium on strikes against energy and water facilities, and condemned Iran’s indiscriminate strikes on Gulf states. On defence, leaders pushed for concrete capability-coalition projects by H1 2026, backed by the SAFE instrument and the European Defence Industry Programme.

Why it matters: The EU is simultaneously calling for de-escalation while accelerating its own defence industrial capacity. This dual posture — diplomacy plus rearmament — reflects the lesson that the Iran war has laid bare Europe’s energy and security vulnerability.

European Council (official)

Energy & Infrastructure

Iranian drones strike Kuwait refineries — 730,000 bpd offline

Iranian drone strikes hit Kuwait’s Mina Al-Ahmadi and Mina Abdullah refineries, sparking fires and shutting processing units with a combined capacity of approximately 730,000 barrels per day. Brent crude spiked to $119/bbl before settling around $113.71. The strikes expanded the war’s energy footprint beyond Iran itself into Gulf state infrastructure.

Why it matters: Iran is now targeting the energy infrastructure of US-allied Gulf states — not just defending the Strait. This changes risk calculations for every energy operator in the GCC. European utilities dependent on Gulf supply chains face direct exposure.

Al Jazeera (primary) · Fortune (primary)

Cyber & Vulnerabilities

CISA flags Cisco FMC zero-day — exploited by ransomware for 36 days before disclosure

CISA added CVE-2026-20131 to its KEV catalogue — a critical (CVSS 10.0) deserialization flaw in Cisco Secure Firewall Management Center allowing unauthenticated remote code execution as root. Amazon’s threat intelligence team confirmed the Interlock ransomware group had exploited this vulnerability since January 26, a full 36 days before Cisco’s public disclosure on March 4. Victims include US healthcare organisations.

Why it matters: Enterprise firewalls are a crown-jewel target. A 36-day exploitation window before public disclosure means any organisation running Cisco FMC may already be compromised. Healthcare was hit hardest — a sector with zero tolerance for downtime.

CISA (official) · The Hacker News (primary)

93% of UK critical infrastructure operators breached in past 12 months

Cybersecurity firm Bridewell released its annual CNI Research Report, revealing that 93% of UK critical national infrastructure operators experienced at least one successful cyber incident in the past year. Phishing and BEC averaged 11 attacks per year per organisation; ransomware averaged 6 per year. AI risk management jumped to the #2 concern at 39% of respondents.

Why it matters: Near-universal breach rate across energy, finance, transport and government in a Five Eyes nation. This is not a projection — it is measured reality. Organisations in equivalent sectors across Europe should assume comparable exposure.

IT Security Guru (primary) · New Civil Engineer (primary)

---

48 sources scanned · 11 countries · 09:00 CET
Primary and official sources take precedence. State media is marked. This is an intelligence briefing, not editorial commentary.