
Features 20.05.2025
How the CVE Nearly Died, and What Happens Next
The US government can no longer be trusted on cybersecurity
It’s been a whirlwind first 100 days for many people inside and outside the US, as the country’s mercurial new administration announced drastic changes. Unfortunately, cybersecurity professionals haven’t escaped unscathed. A multitude of cuts and policy changes have affected the Cybersecurity and Infrastructure Security Agency (CISA), sending shock waves around the globe. As these shocks show little sign of abating, what can CISOs expect?
President Trump, who set up CISA in 2018 during his first term, has been critical of the agency since then-director Chris Krebs challenged his narrative that the election was stolen. CISA stood behind Krebs, calling the 2020 election the most secure in history. Trump nevertheless fired Krebs and soured on CISA, threatening the agency should he ever return to power.
He delivered on those threats on his first day in office, publishing Executive Order 14147, Ending the Weaponization of the Federal Government. The Order is effectively an announcement of retribution against law enforcement and intelligence agencies that he felt had wronged him. A White House fact sheet released with the administration's budget proposal later called out individual agencies, including CISA, in more colourful language.
“CISA was more focused on cooperating with Big Tech to target free speech than our nation’s critical systems,” it says. The White House highlighted its efforts to monitor and mitigate disinformation as a prime target for cuts to what it called the “Censorship Industrial Complex”.
“The budget refocuses CISA on its core mission – federal network defence and coordinating with critical infrastructure partners – while eliminating weaponisation and waste,” the fact sheet proclaims. “The budget also streamlines the agency by consolidating redundant security advisors and programs.”
The “refocusing” went deep. First came over 100 firings in February, which a federal judge ruled unlawful the following month. Elon Musk’s slash-and-burn DOGE team subsequently fired at least 100 more workers in late February to mid-March, including red team staffers, outlets reported.
In April, things escalated with reports that up to half of CISA’s full-time staff and 40% of its contractors were scheduled for termination. In May, the Office of Management and Budget (OMB) sent a letter to the Congressional Committee on Appropriations proposing a $491m (17%) cut to CISA’s approximately $3bn budget.
This will have a profound effect on CISA’s capabilities, warns Niels Hofmans, head of security and IT at global crowdsourced security provider Intigriti.
“You can imagine the kind of impact if you let go of 40% of your workforce,” he tells Assured Intelligence. “So it will for sure impact strategic projects, like the protection of critical sectors. To give a more practical example: it completely stopped the Salt Typhoon hack incident investigation.”
He’s referring to the president’s early dismissal of all members of the Cyber Safety Review Board. The board, a Biden-era creation on which Krebs sat, had been investigating the China-linked Salt Typhoon intrusion campaign against US telecommunications networks.
Mid-April saw another shock: the near-death of the Common Vulnerabilities and Exposures (CVE) service. The service, formed by MITRE, managed by the Homeland Security Systems Engineering and Development Institute and now funded through CISA, is the backbone of the software vulnerability management effort.
“It’s the Rosetta Stone for vulnerability identification and communication,” Bugcrowd founder, Casey Ellis, tells Assured Intelligence. “Almost every major security tool, threat intelligence feed, and patch management process relies on CVE identifiers to track and remediate vulnerabilities.”
From humble beginnings (it posted just 321 records in 1999), the CVE system has ballooned. This is due largely to how MITRE has delegated the creation of bug records.
A relatively small number of staff would quickly become a bottleneck if it tried to interpret and file vulnerability information alone. Instead, MITRE created the CVE Numbering Authority (CNA) programme, which enlisted organisations to produce CVEs for their own products. There are now over 440 of them, and the number of annual CVE records posted hit 40,077 last year.
MITRE’S contract to maintain the CVE service was due to expire on April 16. A day prior, Yosry Barsoum, VP and director at the Center for Securing the Homeland at MITRE, sent an alarming letter to CVE board members pointing out that it hadn’t been renewed.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the letter warns.
At the last minute, CISA was able to exercise an option that would continue funding the program for the next 11 months. CISA’s acting executive assistant director for cybersecurity said that funding wasn’t the problem; it was a “contract administration issue”.
Which is scarier: the prospect that the threat intelligence community’s jugular might have been cut by a government that has slashed more fat than is comfortable from CISA’s budget, or that a new administration asleep at the tiller risked doing the same because someone didn’t read the memo? Either way, the consequences would be dire not just within the US but further afield, warn experts.
“Other similar organisations operate around the world and share relations with CISA of course, but the CVE programme could be considered a single point of failure, dependent upon CISA and the US government for vital funding,” says Paul Watts, a former CISO across multiple sectors in the UK and distinguished analyst at the Information Security Forum (ISF).
“This is why there was such a shocked global reaction to recent events.”
The impact of these changes – and near misses – extends beyond national borders. As the US steps backward, Intigriti’s Hofmans believes that others will have to step up.
“There will be shared intelligence or feeds that were previously being provided by CISA that will have disappeared. So those [foreign cybersecurity] agencies will have to step up their game and take more action to fill in those gaps, with the US intel and tooling dropping away,” he says.
His worry is that other governments might not have the necessary budget or authority to do so. “I hope that, for example, the NCSC will take a more active role in issuing advisories, international incident coordination and will invest in a larger workforce to provide a counterbalance to the hole that CISA is leaving,” he adds.
Others are already trying to shore up the community. The European Union Agency for Cybersecurity (ENISA) launched the European Union Vulnerability Database (EUVD) in May to provide a counterbalance to the disruption in the US. It will gather publicly available vulnerability data from sources including national computer security incident response teams (CSIRTs), threat researchers, and the CVE system itself.
Bugcrowd’s Ellis envisages other governments collaborating more with each other internationally to provide a more reliable fabric of protection.
“This could mean more international collaboration, joint advisories, and perhaps even a move toward a more federated or distributed model for vulnerability management – potentially with more regional CVE authorities or alternative databases,” he says. “The key will be ensuring interoperability and consistency so that the global security community doesn’t fragment.”
These are all high-level policy issues over which the average CISO in the UK has little-to-no control. Yet America’s backwards step on cybersecurity will have trickle-down consequences. So what can UK CISOs do to protect themselves?
The experts Assured Intelligence interviewed offer several key pieces of advice:
Factor volatility in threat intelligence into your risk analysis. ISF’s Watts warns that companies must consider cyber risk in the context of operational risk, looking for weak spots that could derail their efforts to secure their assets.
“Where single points of failure can be identified, controls and/or supply chains should be adapted to ensure that controls reliant upon the CVE programme remain effective in the event of disruption or loss,” he argues.
Each organisation will have different tolerance levels for disruption in threat intelligence services as a result of what the White House is doing. Weighing the potential for disruption and a degradation in US intel is good practice.
Diversify your information sources. Look at how robust your threat intelligence sources are and broaden them where necessary, providing a level of redundancy.
Seek strength in numbers. Building relationships with industry groups will help you to broaden your threat intelligence, says Bugcrowd’s Ellis. He also suggests pushing for open standards to make the exchange of information easier.
Know your vendors. Ensure that you know who external intelligence sources are, and whether they have backup sources.
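As an added illustration of the advice above on single points of failure and diversified sources (example code written for this page, not from any of the interviewees, their companies, or the CVE programme), the Python below does two things a vulnerability-management team can do today: it correlates records from several feeds through the identifiers they cross-reference, so a bug stays resolvable if one feed goes dark, and it flags a feed that has stopped publishing. The feed names, identifiers and dates are constructed for the example; none refers to a real vulnerability, and the record shape is a simplified common model rather than any feed’s native schema.

```python
"""Correlate vulnerability records across feeds and detect a silent feed.

Added example for this page. All records below are constructed; the
identifiers are hypothetical and do not refer to real vulnerabilities.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VulnRecord:
    source: str            # feed that published the record, e.g. "cve", "euvd", "osv"
    id: str                # the feed's own identifier
    published: datetime    # when that feed published it
    aliases: tuple = ()    # identifiers other feeds use for the same bug


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample feed contents (hypothetical identifiers).
SAMPLE_RECORDS = [
    VulnRecord("cve", "CVE-2025-00001", utc(2025, 4, 10)),
    VulnRecord("euvd", "EUVD-2025-0001", utc(2025, 4, 11), ("CVE-2025-00001",)),
    VulnRecord("osv", "GHSA-xxxx-yyyy-zzzz", utc(2025, 4, 12), ("CVE-2025-00001",)),
    VulnRecord("euvd", "EUVD-2025-0002", utc(2025, 4, 20)),          # only EUVD has this one
    VulnRecord("osv", "GHSA-aaaa-bbbb-cccc", utc(2025, 4, 21), ("CVE-2025-00002",)),
]
NOW = utc(2025, 4, 25)  # constructed evaluation time for the staleness check


def correlate(records):
    """Group identifiers that refer to the same bug (union-find over aliases).

    Returns {canonical_id: frozenset(all ids in the group)}. A CVE ID is used as
    the canonical key when the group has one, even if no record from the CVE
    feed itself exists, so tooling keyed on CVE IDs keeps working.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for r in records:
        find(r.id)
        for alias in r.aliases:
            union(r.id, alias)

    groups = defaultdict(set)
    for ident in list(parent):
        groups[find(ident)].add(ident)

    result = {}
    for members in groups.values():
        cves = sorted(m for m in members if m.startswith("CVE-"))
        key = cves[0] if cves else min(members)
        result[key] = frozenset(members)
    return result


def resolve(records, ident):
    """Return {source: id} for every feed that still carries the bug `ident`."""
    owner = {r.id: r.source for r in records}
    for members in correlate(records).values():
        if ident in members:
            return {owner[m]: m for m in sorted(members) if m in owner}
    return {}


def feed_health(records, now, max_silence=timedelta(days=7)):
    """Mark a feed 'stale' if it has published nothing within `max_silence`.

    A feed that stops updating is a silent failure: nothing errors, the
    queue just stops filling. This is the check to alert on.
    """
    latest = {}
    for r in records:
        latest[r.source] = max(latest.get(r.source, r.published), r.published)
    return {src: ("ok" if now - ts <= max_silence else "stale")
            for src, ts in sorted(latest.items())}


if __name__ == "__main__":
    print("feed health:", feed_health(SAMPLE_RECORDS, NOW))
    for ident in ("CVE-2025-00001", "CVE-2025-00002", "EUVD-2025-0002"):
        print(ident, "->", resolve(SAMPLE_RECORDS, ident))
```

In the sample data the CVE feed’s last record is fifteen days old, so `feed_health` reports it stale while the other two feeds are fine; `resolve` still finds every bug, including one the CVE feed never published, because the other feeds cross-reference the CVE identifier. In production the records would be loaded from the feeds’ own formats and `max_silence` tuned to each feed’s normal cadence.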
The CVE got an 11th hour reprieve, but only for 11 months. Given the volatility at CISA, it’s unclear if it will be renewed when the time comes around again next year.
“Many internal programs within the US also rely indirectly on this, which is a cause for concern,” points out Morten Mjels, CEO at consultancy Green Raven. This time, all eyes will be on the agency.
As the US government’s fast-paced retrenchment and cultural shift continues, uncertainty is the only certainty. CISOs are well-advised to take preventative measures now, folding current events (and the possibility of future ones) into their risk profile. For cybersecurity pros everywhere, it promises to be a bumpy ride.