
US funding lapse casts uncertainty over global CVE system

Thu, 17th Apr 2025

The expiration of US government funding for MITRE's Common Vulnerabilities and Exposures (CVE) programme has prompted concern across the global cybersecurity sector.

The cessation of funding threatens the future of both the CVE and the Common Weakness Enumeration (CWE) programmes, which have long played a central role in cataloguing and communicating cyber vulnerabilities.

Sachin Bhatt, Technical Director DFIR at the global cyber consultancy CyXcel, issued a statement on the potential risks posed by the funding lapse.

"The Common Vulnerability and Exposure (CVE) and Common Weakness Enumeration (CWE) programs have been a cornerstone for public communication, common convention, identification, and tracking of disclosed vulnerabilities using a standardized form. Today's expiry of the US government's funding to the MITRE program is likely to give rise to substantial impact and ensuing risk to the global cybersecurity community," Bhatt commented.

The CVE system has allowed security professionals worldwide to react to new threats quickly, relying on a centralised authority to track and communicate vulnerabilities as they are uncovered. With the funding now expired, the continuation of these core functions is uncertain.

Bhatt described how this could affect the industry's ability to respond to new cyber threats. "The immediate impact is a likely cessation of new CVEs being identified and assigned, which will likely lead to the deprivation of security experts being able to respond effectively to new security threats and flaws. The consequence will include elements vital to the security of organizations and national infrastructure being unable to rely upon the national vulnerability database, which in turn will impede incident response efforts globally," he said.

The absence of a central governing body, Bhatt warned, could have widespread repercussions beyond the security industry alone, affecting sectors dependent on cybersecurity, such as critical national infrastructure.

"The absence of a centralized authority to oversee and maintain CVE data will have a domino effect on all industries. Security vendors and professionals rely upon this to be able to provide an informed outlook and remediation to threats. Vendors of security tools will struggle to keep their tooling products current as a result. Critical National Infrastructure (CNI) is dependent on the timely information CVEs provide to face off against threats and protect critical services," he stated.

Without the coordination provided by the MITRE-backed programme, Bhatt believes that the recording and sharing of vulnerability data could become fragmented, potentially making it easier for cyber adversaries to exploit weaknesses before they are broadly recognised or addressed.

"This will result in a fragmented version of published vulnerabilities, possibly leading to missed opportunities to defend against weaknesses or confusion without a common language and governance structure. At worst, threat actors will capitalize on a lack of coordinated global efforts which in turn could translate to more potential incidents and ultimately a cybersecurity national crisis," Bhatt said.

Despite the risks, Bhatt suggested that solutions may emerge to fill the gap left by MITRE's withdrawal. "There might be a glimmer of light at the end of the tunnel, either by way of a U-turn, alternate funding, or the emergence of another organization that could fill the vacuum and take over the program; the CVE Foundation has been named as a possible one," he concluded.

The CVE programme, created for the standardisation and communication of cybersecurity vulnerabilities, is widely used by security vendors, researchers, and national infrastructure operators across the world.
