CVE funding cuts reversed after security concerns raised
Wednesday April 16, 2025. 05:59 PM , from ComputerWorld
Editor’s note: After this story was published earlier today, CISA signed a contract extension that averts a shutdown of the MITRE CVE program.
A CISA spokesperson sent CSO (a sister publication to Computerworld) a statement saying: “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” (Sources indicate the contract extension will last 11 months.) The story below reflects the state of events prior to the contract extension.

In what may yet be seen by some as a triumph of some kind, funding for the Common Vulnerabilities and Exposures (CVE) system, the world-renowned security service trusted and used by Apple and other tech firms across the planet, has been summarily cut. CVE numbers are part of a globally recognized system used to identify and track vulnerabilities. Weakening it might save the US government budget a few dollars — at the cost of creating havoc across a security community already stretched by a politically-driven spike in cyberattacks.

See also: CVE program averts swift end after CISA executes 11-month contract extension

What it is and why it matters

The CVE service provides a really easy way for individuals and organizations to report security vulnerabilities they find in any product. You can tell how important it is, given that a CVE number has pretty much become the market standard for identifying such problems. The numbers act as a common language and ensure everyone is referring to the same bug. But federal funding for the program has been cut, which could leave tech users less safe than before.
In a letter to board members, MITRE Corporation (a not-for-profit, federally-funded group that supports CVE) warned that a break in the service might generate multiple bad impacts, “including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.” MITRE laid off more than 400 employees in anticipation of the cuts earlier this month; the funding reduction comes as the National Institute of Standards and Technology (NIST) continues to struggle to stay on top of the accelerating number of vulnerability disclosures.

No times like the present

With an accelerating number of active vulnerability disclosures and a growing volume of attacks, chaos in the language used by researchers to describe and act against these attacks can’t help but weaken ongoing security protection by slowing reaction times as new flaws are reported. Critics of the CVE system exist, and the people running it will admit that it was designed for a time when the level and scale of threat was lower. But the system is internationally accepted, works, and provides a level of infrastructure security on which researchers depend. A funding cut with little warning will cause chaos in the community – though hopefully the big companies that rely on CVE for their own work will dig deep into their revenue to finance the organization. Doing so is, after all, in their own interests – the very rich will, after all, be the only real beneficiaries of any tax cuts coming down the pipe in exchange for changes such as these. It isn’t clear what Apple’s reaction will be, but given it has been referencing CVE numbers for years, there’s little doubt the system is important to the company and its network of independent security researchers. Before the system emerged, security researchers each used their own unique terminology to refer to risks, creating a lot of confusion when securing platforms.
Weakening the system now makes little sense to professionals in the field. “CVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk,” Luta Security founder and CEO Katie Moussouris told The Register. “All industries worldwide depend on the CVE program to keep their heads above water when it comes to managing threats, so an abrupt halt like this would be like depriving the cybersecurity industry of oxygen and expecting it to spontaneously sprout gills.”

Not giving up yet

The people behind the effort aren’t giving up. One group of CVE board members immediately repositioned themselves as a nonprofit group to be called the CVE Foundation, which will continue the mission. “CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work — from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

Other entities are also stepping up to mitigate the inevitable damage. “VulnCheck is actively monitoring the MITRE situation, and will ensure that our customers, partners, and the entire cybersecurity community will have continued access to timely, accurate vulnerability data,” said Anthony Bettini, founder and CEO of VulnCheck. “We recognize the critical role that the CVE program plays in the cybersecurity ecosystem, and we are actively preparing for any potential disruptions.”

We’ll see how this develops, but one way most everyone using digital devices could help maintain security is by being much more careful when clicking links in emails or elsewhere.
Those aren’t the only attack vectors, of course, but when you can’t rely on the tech to save itself, you need to gather the fruit closest to the floor. Now is a good time to be more security aware, on any platform.

You can follow me on social media! Join me on BlueSky, LinkedIn, and Mastodon.

This article was originally published with the headline “CVE funding shut down, giving the security community jitters.”
https://www.computerworld.com/article/3963861/cve-funding-shut-down-giving-the-security-community-ji...