US Government Almost Kills Critical Cybersecurity Database
from the seems-pretty-fucking-bad dept
In what appears to be the latest move in this administration’s total incompetence with regards to critical government tech infrastructure, MITRE announced yesterday that funding had run out for the Common Vulnerabilities and Exposures (CVE) system, the fundamental framework that basically everyone in cybersecurity relies on to keep computer systems safe. After the entire cybersecurity world freaked the fuck out, one of the remaining unfired people at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that they had extended the funding for another 11 months.
But just the fact that it came literally hours away from shutting down is both terrifying and a real sign of how totally incompetent and clueless the administration is, and how they’re putting everything at risk by just totally YOLOing all sorts of critical projects.
If you’re unaware of the CVE system, as former CISA director Jen Easterly explains, imagine if someone suddenly deleted the Dewey Decimal System and expected librarians to still be able to find books. Now, make it so every bit of computer security that you depend on relies on librarians being able to accurately find the necessary books as quickly as possible, and you just scrambled the entire organization system with effectively no warning.
That’s exactly what’s almost happened, as evidenced by this alarming letter from MITRE:

If you can’t see that, it says:
April 15, 2025
Dear CVE Board Member,
We want to make you aware of an important potential issue with MITRE’s enduring support to CVE.
On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire. The government continues to make considerable efforts to continue MITRE’s role in support of the program,
If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.
MITRE continues to be committed to CVE as a global resource. We thank you as a member of the CVE Board for your continued partnership.
Sincerely,
Yosry Barsoum
VP and Director
Center for Securing the Homeland (CSH)
Security and privacy researcher Lukasz Olejnik puts it bluntly: losing CVE means “total chaos, and a sudden weakening of cybersecurity across the board.” The consequence will be a “breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they’re referring to the same vulnerability.”
This isn’t hyperbole. According to Forbes, security teams had to scramble to figure out how to function without this vital infrastructure:
Greg Anderson, CEO and founder of DefectDojo, voiced what many in the community are feeling: “MITRE’s confirmation that it is losing DHS funding to maintain the Common Vulnerabilities and Exposures (CVE) program should concern every cybersecurity professional around the world, especially considering that the funding expires tomorrow—leaving no room for anything to be built in its place.”
Anderson added a sobering thought experiment: “If, as expected, the database goes offline tomorrow and only GitHub records remain, every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities.”
Cool cool.
We mentioned Easterly’s comment about the Dewey Decimal System above, but it’s worth reading her full post as she has explained the problem in simple-to-understand terms for those not in the cybersecurity field:
Think of the CVE system like the Dewey Decimal System for cybersecurity. It’s the global catalog that helps everyone—security teams, software vendors, researchers, governments—organize and talk about vulnerabilities using the same reference system. Without it:
— Everyone is using a different catalog or no catalog at all
— No one knows if they’re talking about the same problem
— Defenders waste precious time figuring out what’s wrong
— And worst of all, threat actors take advantage of the confusion
Just like librarians trying to find a book in a disorganized library, cybersecurity professionals would be trying to defend your systems without knowing exactly what the threats are or where to find them.
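The shared-catalog point above is what a CVE ID does in day-to-day work: it is the join key that lets a vendor advisory, a scanner finding and an incident ticket be recognized as the same bug. The Python below is an added illustration, not code from this article or from MITRE’s CVE program. The CVE record is a constructed placeholder laid out like a CVE Program JSON 5 record, the identifier CVE-2099-0001 is fictitious, and the three feeds are made up; the feed entry carrying a vendor-private ID shows what every entry looks like once there is no shared catalog.

```python
import json
import re
from typing import Optional

# Canonical CVE identifier syntax: "CVE-", a four-digit year, a dash, four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve_id(raw: str) -> Optional[str]:
    """Return the canonical upper-case CVE ID, or None if the string is not a CVE ID."""
    candidate = raw.strip().upper()
    return candidate if CVE_ID_RE.fullmatch(candidate) else None


# Constructed CVE JSON 5 record. CVE-2099-0001 is a fictitious placeholder, not a
# real entry; the field layout follows the CVE Program's published record format.
CVE_RECORD_JSON = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED",
                    "assignerOrgId": "00000000-0000-0000-0000-000000000000"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Stored XSS in the example widget (constructed)."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleWidget",
                      "versions": [{"version": "2.4.0", "status": "affected"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE",
                                            "cweId": "CWE-79", "description": "CWE-79"}]}],
    }},
})


def parse_cve_record(text: str) -> dict:
    """Pull the fields defenders actually key on out of a CVE JSON 5 record."""
    rec = json.loads(text)
    if rec.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE record")
    meta = rec["cveMetadata"]
    cna = rec["containers"]["cna"]
    description = next(d["value"] for d in cna["descriptions"] if d["lang"].startswith("en"))
    affected = [(a["vendor"], a["product"]) for a in cna.get("affected", [])]
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt["descriptions"] if "cweId" in d]
    return {"id": meta["cveId"], "state": meta["state"], "description": description,
            "affected": affected, "cwes": cwes}


# Constructed feeds from three teams that need to agree they mean the same bug.
VENDOR_ADVISORY = [{"source": "vendor", "id": "CVE-2099-0001", "fixed_in": "2.4.1"}]
SCANNER_FINDINGS = [{"source": "scanner", "id": "cve-2099-0001", "host": "web-01"},
                    {"source": "scanner", "id": "VULN-7781", "host": "web-02"}]  # vendor-private ID
INCIDENT_TICKETS = [{"source": "ir", "id": "CVE-2099-0001 ", "status": "contained"}]


def correlate(records: list, *feeds: list):
    """Group feed entries under the CVE record they name.

    Entries whose identifier is not a canonical CVE ID, or names no known record,
    land in the unmatched list: nobody can be sure what bug they refer to.
    """
    by_id = {r["id"]: {"record": r, "hits": []} for r in records}
    unmatched = []
    for feed in feeds:
        for entry in feed:
            cve_id = normalize_cve_id(entry["id"])
            if cve_id is None or cve_id not in by_id:
                unmatched.append(entry)
            else:
                by_id[cve_id]["hits"].append(entry)
    return by_id, unmatched


if __name__ == "__main__":
    groups, leftovers = correlate([parse_cve_record(CVE_RECORD_JSON)],
                                  VENDOR_ADVISORY, SCANNER_FINDINGS, INCIDENT_TICKETS)
    for cve_id, group in groups.items():
        print(cve_id, group["record"]["cwes"], [h["source"] for h in group["hits"]])
    print("no shared name:", leftovers)
```

Run as-is, the three entries that carry the CVE ID (in differing case and with stray whitespace) collapse onto one record with its CWE attached, while the scanner entry tagged VULN-7781 stays unmatched. That unmatched bucket is the whole problem in miniature: without a catalog everybody can cite, every entry is a VULN-7781.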
For an administration that loves to talk about national security and claims to have Elon Musk as its “tech support,” its actions tell a different story. After dismantling important technical know-how and stripping away cybersecurity expertise, letting CVE’s funding lapse represents something even more dangerous: demolishing the very infrastructure that keeps our systems secure.
The fact that CISA came through at the last minute with more funding to keep CVE alive is better than letting the system collapse, but it’s still horrifying. The entire cybersecurity world had to spend much of yesterday trying to figure out contingency plans and work out what the fuck to do about all of this.
The fact that the administration let it get to this point — where a system this fundamental to global cybersecurity could vanish overnight — demonstrates an administration that isn’t just incompetent, but recklessly destructive. They’re not just failing to understand the consequences of their actions — they’re failing to even recognize there might be consequences worth understanding.
Filed Under: cve, cybersecurity, vulnerabilities
Companies: mitre


Comments on “US Government Almost Kills Critical Cybersecurity Database”
It’s not “incompetence.” They’re intentionally tearing down public infrastructure and services. They are, in fact, fully competent. As evidenced by the speed with which they’re tearing down public infrastructure and services, which is their goal.
Yet we always have money for tax-breaks for the ultra-wealthy, funny that...
It’s easy to be dismissive of the security of everyone else when you only care about yourself and are and always have been able to make your security someone else’s problem to deal with.
Re: An unwritten sequel
The final disposition of Galt’s Gulch is all the makers die of infighting and cholera, because not only do they not trust each other, but no one is willing to help anyone else.
Re:
Problem is, even the filthy rich people’s cybersecurity relies on this. Sure, they might be able to keep up security-wise for a little while, but it won’t take long for their cybersecurity to break down also.
Re:
It’s not generally a good idea to give up an income stream without replacing it, but it doesn’t cost money. Like, if you have $0 in the bank, you technically have enough money to quit your job. (Hell, you’ll even avoid income taxes—without being ultra-wealthy—and some tax protesters have done it for exactly that reason.)
They're burning the libraries
Because that’s what fascists always do. And having done so, they then blame those people for the consequences.
This doesn’t make sense. Why did MITRE wait until the day before funding ran out to notify the CVE board?
Re:
Because one would assume CSH would know when the parking meter runs out?
Personally, I’m betting that it was disruption from DOGE. It sounds like some wunderkind saw it, knew that the CVE database was public, and didn’t think CSH needed to fund something that was “free”.
Future-proof, or at least USA-proof
Seems like the US Government is no longer a reliable guardian of vital global services.
We kinda have the tech to be able to mitigate this somewhat (distributed systems/blockchain are a portion of the solution, but there are a lot of moving parts and questions that would need to be answered first).
As flawed as they are, perhaps the model of ICANN would be the way to go as a governing body for the CVE system, with no one government controlling it, and a diversity of members?
If a rogue nation (USA-MAGA) decided to shit the bed and withdraw, at least the other member nations could pick up the slack.
Re:
Blockchains are a solution to a very limited set of problems, and “maintaining the CVE database” is most assuredly not one of them.
Yes, there are people who want to throw blockchains at every problem that comes along, but I’ve noticed that almost all of them are people who’ve never taken an algorithms class, do not know what a Merkle tree is, have never written any code to manage any tree, and have no idea how to analyze a problem space and ascertain which approaches are reasonable and which are not.
Re:
Distributed systems, sure, but as usual I’m hard-pressed to see what blockchain brings to the table that can’t be done more efficiently with a regular-ass database.
Re: Re:
The closest I’ve seen to something useful that relates to blockchain is Matter’s use of a Distributed Compliance Ledger to verify the Digital Attestation Certificate of components when commissioning. I believe the intention here was to make sure products can outlive their company’s existence.
The jury is very much still out on the success of Matter, let alone the DCL use case.
Re:
It was pointed out on Hacker News that the funding reductions have been going on for the last year. So this is one thing that’s maybe not the fault of the “MAGA” people.
If you mean blockchain in the cryptocurrency sense… you’d better say more, because that’d surprise me. If you mean in the generic Merkle Tree sense, maybe, but I don’t think it’s a particularly important part of the solution.
I agree, and I think most people have not yet realized how difficult it will be to regain trust here. If the Republicans don’t push back against Trump soon, the world will see any American commitment as something that can and probably will be undone in the next election cycle. It’s fine to switch between parties with philosophical disagreements; but, historically, there’s still been a general sense of stability. Other than chaos, I don’t get the sense that Trump even has a philosophy.
Re: Re:
“Other than chaos, I don’t get the sense that Trump even has a philosophy.”
“Having a philosophy” would require an intellect, literacy, education, knowledge, contemplation, and more. Trump is completely incapable of any of these things. He can’t read. He can’t think. He can’t compose a cogent sentence in either written or verbal form. He is no more capable of formulating a philosophy than my dog is of understanding quantum mechanics.
And the dog is ahead in that contest. (Good dog!)
Re:
Blockchain is just a CWE.
Let me start off with: the MITRE CVE system has MANY problems. These include: an incentive to publish CVEs for “improper” reasons, like resume padding. And there are issues of either fraudulent CVEs, or CVEs that overstate their issue in a deceptive way.
However: despite ALL of those problems (and all the ones I don’t know of), the system DOES provide value. It’s a place issues are tracked and cataloged. Any replacement/improvement (which AFAIK our administration isn’t even thinking of) needs to be done carefully and thoughtfully so that the critical systems that depend on the proper functioning of the CVE databases are not compromised in the process.
Oh, I’d say this is exactly the story “Elon Musk as tech support” tells.
At any rate, the CVE board has announced a nonprofit foundation to handle funding in the future, which will hopefully prevent this from happening again. Guess we’ll see.
Move fast and break things
I’m sure the DOGE script-kiddies will knock something together to take the place of this inefficient, overly complicated, antiquated system to save the government billions of dollars. It shouldn’t take them more than a few weeks.
Re: Trust?
The CVE system requires trust, and nobody is going to trust something thrown together in a few weeks by a bunch of script kiddies more interested in seeing the US burn than in providing reliable security information to the real professionals out there on the Internet.
Re:
Citations definitely needed.
You know, it is funny you said that. Some of our most robust, resilient and reliable systems or software are about that old as well.
In computer software parlance, “antiquated” is equally likely to mean “actually the speaker doesn’t know what they are talking about” as it is to mean anything else.
As a seasoned software developer: I have seen quite a bit of “this thing is old and needs modernization”, and an alarming portion of that is usually young developers who don’t know what they are doing, nor do they understand the system they wish to ax, or why it works the way it does.
When good software developers look to actually “modernize” a system, they start by understanding the system. They look for what it actually needs to do, and what currently can be cut out, or moved elsewhere. A simple “burn it all, and start over” is never the correct approach… even when you intend to rewrite from scratch.
I haven’t personally seen the servers and software stack MITRE uses. But your characterization, without evidence or even an actual argument, is not compelling.
Re: Re:
I thought my inclusion of “script-kiddies” would make it obvious that I was being sarcastic. But given the times we’re currently trying to negotiate I should have included the “/s” tag as these days it seems anything is possible.
My apologies for any confusion.
It’s not like they weren’t collecting “secure” data by the terabyte all in the interest of “national security” already and making “cybersecurity” in the U.S. just another worthless buzzword like “rights.”
Let it burn.
Was it a mistake though? Could it have been planned so DOGE has an easier job with their Hack-A-Thon for SS and such? Maybe making it easier to find blackmail material?
There is far too much chaos going on for it to be pure incompetency. Too much, too soon.
Millions literally died in wars to preserve the American Dream, and Republicans along with Mango Jabba have spent the past 3 months defecating on their graves.
Well done, Republican Voters.
The best part is while we can’t get to the people personally responsible, we can get to Republican Voters and the way this is going, they are about to start getting some payments for this debt. Hopefully with pool cues in alleys.
Re:
For goodness’ sake don’t let Mango Jabba hear you say that, or the very next fund-raising scam from said Mango Jabba will be Trump Pool Cues! With Trump Pool Cue emblazoned in gold lettering down said Trump Pool Cue.
Other than that, that’s a thought that has occurred to me on occasion …