
The Imminent Funding Lapse of the CVE Database: A Cybersecurity Crisis

Breaking news: The CVE database, which is crucial for tracking cyber threats, faced a funding lapse. However, CISA has extended its contract, ensuring continued security coordination for the moment. The long-term impact remains uncertain.


News started breaking yesterday of an imminent funding lapse for the United States government-funded Common Vulnerabilities and Exposures (CVE) database, maintained for the last 25 years under contract with MITRE Corporation. Yesterday's reporting included "Funding Expires for Key Cyber Vulnerability Database" (krebsonsecurity.com), and the lapse has been confirmed by multiple sources: "CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo" (csoonline.com) and "CVE Program Funding Expires—What It Means And What To Do Next" (forbes.com).

While not a program at the forefront of the general public's awareness, the CVE system is a vitally important coordination effort for tracking cyber security threats to the software and devices we all use every day. Why does the U.S. government fund this coordination effort when so many well-funded private vendors such as Microsoft, IBM, and Google, along with organizations and countries worldwide, benefit from it? The answer is partly historical and partly practical. Companies have traditionally been incentivized to hide vulnerabilities, and certainly not to publicize them or coordinate with competitors; this is part of why security researchers have faced legal threats instead of companies working to swiftly patch. The other major part is that cyber security threats do not recognize borders, and it is in the national security interest of the United States for all U.S. organizations and persons to be secure. This national security interest is why the Department of Homeland Security (DHS) funded this coordination system.

To explain the national security interest in protecting private sector information technology (IT) operations, I have long used the analogy that internet threats are much more like piracy threats on the high seas. Every person, every organization, and every small government office has to be able to directly withstand the assault from our foreign adversaries. There is no border, no firewall, and no cyber security police that can stop these attacks. This threat model can be hard to conceptualize because it is different from the intuition we draw from our everyday physical reality. Our lived reality is based on an understanding that we live in houses with locked doors, with police who patrol the area and arrest criminals, with state and Federal courts that enforce the laws, and with national borders and a military. In short, there are many layers of protection from a lot of physical harms. The same is not true for cyber security harms.

The Federal and State governments all rely on a combination of public and private sector IT. Protecting national security also involves protecting the entire power grid, the supply of natural gas and methane, the internet and telephone systems, the water supply, logistics, Federal programs from Medicare to Social Security, education, and the entire Federal government's systems, including departments such as the CIA, FBI, Secret Service, and Homeland Security itself.

As a company, Rietta works daily with our State government and private sector clients to keep their custom web application infrastructure secure on these digital high seas. The CVE database has been a daily driver to call our attention immediately to supply chain threats that need to be addressed. This encompasses the entire infrastructure, including obscure open source packages and systems that are not the products of large, well funded companies. A lapse in the CVE system degrades our ability to protect our customers. We will keep monitoring the situation and work diligently to stay on top of the threats with the other resources at our disposal.

In eleventh-hour breaking news, Forbes is reporting that "in an eleventh hour turnaround, the U.S. Cybersecurity and Infrastructure Security Agency said it had extended the contract with MITRE. 'The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services,' a CISA spokesperson told me over email. 'We appreciate our partners' and stakeholders' patience'" (forbes.com).

It really cannot be overstated that there is no border in cyber security. Infrastructure operated by government and private organizations alike is directly attacked by our foreign adversaries. Knowing that a dependency in your supply chain has to be patched is a critical tool in this defense. It is hard enough to get these things fixed even with an authoritative database to point to; without it, we are running blind.

This interim funding from the Cybersecurity & Infrastructure Security Agency (CISA.gov) is good news if confirmed by MITRE. I have sympathy for the idea that the industry and other nations have to do more to fund this coordination effort. However, it remains strongly in the national security interest of the United States to have robust coordination on cyber security threats. If there is to be a transition period to other funding mechanisms for this critical security function, then the process should be orderly and should not be abruptly cut off. Coordination is vitally important and impacts all sectors of the economy.