Wednesday, March 20, 2024

So, you want to help the NVD?

There has been a lot of talk on LinkedIn lately about helping the NVD out of its problems, despite the fact that the NVD hasn’t announced they need help, or indeed announced anything at all about those problems – which have been going on for more than a month now. I have no problem with people trying to help the NVD, since I agree that in the short term, the NVD is essential to worldwide software security. However, I’ve seen this movie before – in fact, I was one of the stars!

In early 2022, the OWASP SBOM Forum (then just the SBOM Forum) put out a white paper that has held up very well and is still downloaded very regularly. It’s about changes we suggest for the NVD to fix the serious naming problems that CPE causes (those problems are described on pages 4-6 of the paper). We proposed to fix these problems by including alternative identifiers for software and intelligent devices in the NVD, without eliminating CPEs themselves. CPEs themselves can’t be reformed, but they will probably never die out; nor does that need to happen. The existing CVE reports in the NVD, which go back about two decades and almost all of which include CPE names, need to be preserved and continue to be available.

After initially receiving support from CISA for the suggestions in our paper, we were later disappointed to realize that support had waned. So, we reached out directly to Tanya Brewer of NIST, the leader of the NVD. We asked to meet with her to discuss how we might help the NVD with the naming problem (for those of you keeping score at home, NIST/NVD is part of the Dept. of Commerce, while CISA and CVE/MITRE are part of DHS).

Tanya was quite pleased to do that. She said they had read our paper and wanted to discuss it with us. We ended up having two meetings with her, which I described in four posts: first, second, third and fourth. The first two posts were written soon after the first meeting with Tanya. That meeting was quite upbeat, although Tanya specifically warned us about the following (the words below are not directly hers, but include my interpretations of what she said):

1. Private organizations can’t provide money directly to federal agencies for use by the agency, to go into their general budget. What private organizations can do, at least with NIST, is negotiate and sign a Cooperative Research and Development Agreement (CRADA), which sets out specific research and/or development goals that NIST and the private organization will pursue together. However, no funds from the CRADA can go toward normal operating expenses of the agency (specifically the NVD in this case), meaning there will probably be no way for private organizations to provide money to NIST to alleviate their current crisis. If the problem is primarily due to lack of funds (which I doubt), the NVD will have to find the funds somewhere else, maybe as some sort of emergency allocation from NIST.

2. Private organizations also can’t provide advice to federal agencies without following FACA, the Federal Advisory Committee Act. There are a huge number of hoops to jump through in order to form such a committee: here they are. I imagine it would take at least a year to do that.

3. Well, how about trying to get Congress to increase funding? That has three problems:

a. Tanya made it clear that no federal employee can lobby Congress in any way, since they’ll almost surely be fired for doing so. They also can’t lobby through a third party. She didn’t forbid us from trying to lobby Congress, but her name needs to be kept entirely out of it.

b. The government follows a fiscal year that starts in October. Since the budget is supposed to be in place before the fiscal year begins (it’s been years since that actually happened, of course), it’s too late to have any impact on budgets for the 2024-2025 FY. The earliest that any change could be made to the NVD’s funding would be starting in October of 2025. And you’d better get moving quickly if you want to be successful in doing that.

c. Plus, if you do more than write a few letters to Congressmen or Senators, you have to be careful not to overstep the line into becoming a lobbyist without registering as one. A lot of people have gotten into legal trouble for this reason.

My third post was more downbeat, although not because of anything the NVD did or didn’t do. It was written right at the moment last April/May when there was a serious possibility that the government would not only shut down, but default on its debts. This was just like a married couple arguing about whether they should pay their credit card bills. A last-minute bipartisan agreement (between the President and the four leaders of Congress, from both major parties) was reached in May.

The agreement was supposed to cover the 2024-25 fiscal year, avoiding another possible government shutdown around now. However, within weeks, one party had already started to make clear they didn’t feel like following the agreement – with the result that, if a new agreement isn’t reached by Friday, most of the government, including the military, will shut down. This time, the Department of Commerce won’t shut down, so NIST and the NVD can continue to do what they’re doing.

However, the NVD’s current problem is entwined with CVE/MITRE. DHS will shut down, meaning all DHS employees (including CISA employees and MITRE contractors) are forbidden to work, even if they’re willing to do so without pay. So if there is a shutdown, CVE/MITRE will be closed, greatly complicating the task of fixing whatever the NVD’s problem is (which I’m sure is technical; it’s not due to their being underfunded, since that’s been true for a decade or more).

There’s a specific twist that applies to MITRE: While government employees, including military personnel, are sure to receive back pay whenever the government reopens, contractors like those from MITRE will receive nada, although MITRE itself is presumably paying them a salary. However, independent contractors (and the federal government is loaded with them) will be without any income other than unemployment compensation, and will never receive the pay they missed during the shutdown.

Let’s be clear: the fact that the government keeps having these shutdown scares (which happen regularly; the last actual shutdown lasted 35 days in 2018-2019) must be having a debilitating effect on both the government employees who work for the NVD and especially the MITRE contractors who work for CVE.org. I don't think that's the primary cause of the recent problems, but it certainly must affect the motivation of the staff members (of CVE/MITRE and the NVD) who are supposed to be figuring out what the problem is. I would wonder, "Why the h___ do I need to bust my a__ to fix a problem with the NVD, when the country's elected representatives think the whole government should shut down?" And I would certainly be shopping my resume around at this time.

Some people talk loosely about how “we’ll all be better off if the government shuts down”. If you’re one of them, you should be ecstatic about the effect your loose talk is having in the real world – unless, of course, you think it’s important for there to be a well-managed, smoothly-running government-led vulnerability database. I honestly don’t know how either the NVD or MITRE can continue to hire new people, given that cybersecurity expertise is still in high demand in the private sector, when they know that at least once a year (and sometimes more often than that, like last year and probably this one as well), there will be a serious question whether they will even have a paycheck for some unknown number of weeks. Expect continuing problems like this in the NVD, unless everybody in Congress agrees that negotiations are the way to settle policy differences, not playing chicken with the well-being of the millions of people who work for the government.

My fourth post was written last June, after Tanya had returned to the SBOM Forum to tell us what she learned about public-private partnerships at NIST. She seemed to have good news: she described a Consortium she was going to set up, which would give private sector organizations a sounding board with the NVD and allow them to set up a CRADA to do research with the NVD, presumably on how to fix their 20-plus-year-old infrastructure so it doesn’t keep crashing.

However, what she was clearly focusing on was a third way for the private sector to help: They could provide coders free of charge to the NVD. She wanted the coders to commit to spending six months there (I believe it had to be onsite). That wouldn’t be terrible for a big organization like Oracle or Microsoft, if it provided the coder a significant learning opportunity and an opportunity to do meaningful work. It would of course be out of the question for most smaller organizations to pay an employee to work for someone else for six months.

But the problem with this “offer” was that the “learning opportunity” was to learn an obscure old language I’d never heard of; evidently, this language is used in the foundations of much of the NVD. And the “meaningful work” (the words in quotes above are my language, not hers) would of course involve coding in that language. For a young coder (and I am neither of these), it might be an exciting opportunity just to work for 6 months in DC (although I don’t recommend the summers!). However, I wouldn’t call it a career-advancing step, unless your career is working for the NVD.

I consider this a bad sign for anyone who wants to help the NVD. That database has been around for about 25 years. Unfortunately, databases age like milk, not fine wine. There’s a lot of technical debt that has to be paid before they can even think of fixing the naming problem, etc. And my guess is that in February, that technical debt (or some of it) came due, resulting in the huge drop in their productivity. It’s a worse sign that, more than four weeks after this event must have happened, they still don’t know what the cause is – or if they do, they haven’t announced it to the vast unwashed masses like you and me.

And it’s an even worse sign that they haven’t bothered to make any announcement at all after more than 30 days, except to say that Tanya hopes (but doesn’t promise) that she’ll be able to say something this week.

Folks, the NVD clearly won’t be the foundation of the global vulnerability database (GVD) that the world needs, although the NVD shouldn’t and won’t go away, either. Fortunately, I don’t think the GVD will have to be a huge project – but even if it is, it will be tiny compared to the project (and the risk) of building a great 21st-century database on top of a creaking (and now crumbling) late 20th century foundation called the NVD.

The NVD needs to remain in existence, and at least for now it needs to keep creating CPE names and adding them to CVE reports. But they haven’t been doing that for a month, and they haven’t even bothered to explain what the problem is. Until they’re willing and able to explain the problem, and until they ask for private sector help (and can identify a legal means to provide it), I think it’s a waste of time to even talk about providing help to them.
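If you’d rather measure the gap described above than take anyone’s word for it, you can pull recent records from the NVD and count how many carry no CPE applicability data at all. The script below is an added example, not code from this post or from NIST. It assumes the JSON shape of the NVD API 2.0 (a "vulnerabilities" list whose items hold a "cve" object with "id", "published", "vulnStatus" and "configurations" → "nodes" → "cpeMatch" → "criteria"), and it runs on a handful of constructed records rather than a live download, so the CVE IDs and dates in it are made up for illustration.

```python
"""Gauge the NVD enrichment gap: how many recent CVE records carry no CPE names.

Added example, not code from the post or from NIST. Assumes the NVD API 2.0
JSON shape: {"vulnerabilities": [{"cve": {"id", "published", "vulnStatus",
"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:..."}]}]}]}}]}.
The feed below is constructed for illustration; the IDs are not real CVEs.
"""
import json
from collections import Counter


def _record(cve_id, published, status, criteria=None):
    """Build one constructed API-2.0-style record; criteria=None means no CPE data."""
    cve = {"id": cve_id, "published": published, "vulnStatus": status}
    if criteria is not None:
        cve["configurations"] = [{"nodes": [{"operator": "OR", "negate": False,
            "cpeMatch": [{"vulnerable": True, "criteria": criteria,
                          "matchCriteriaId": "00000000-0000-0000-0000-000000000000"}]}]}]
    return {"cve": cve}


_empty_conf = _record("CVE-2024-00004", "2024-02-20T09:30:00.000", "Awaiting Analysis")
_empty_conf["cve"]["configurations"] = []   # key present but empty: still unenriched

SAMPLE_FEED = json.dumps({"vulnerabilities": [
    _record("CVE-2024-00001", "2024-02-05T10:00:00.000", "Analyzed",
            "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"),
    # A version field containing an escaped colon, which a naive split(":") mangles.
    _record("CVE-2024-00002", "2024-02-05T11:00:00.000", "Analyzed",
            "cpe:2.3:a:examplevendor:exampleapp:1.0\\:beta:*:*:*:*:*:*:*"),
    _record("CVE-2024-00003", "2024-02-20T09:00:00.000", "Awaiting Analysis"),
    _empty_conf,
    _record("CVE-2024-00005", "2024-03-01T08:00:00.000", "Awaiting Analysis"),
    _record("CVE-2024-00006", "2024-03-01T08:30:00.000", "Rejected"),
]})


def split_cpe23(criteria):
    """Split a CPE 2.3 formatted string into its 13 fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(criteria):
        ch = criteria[i]
        if ch == "\\" and i + 1 < len(criteria):   # keep the escape pair intact
            cur.append(criteria[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return fields


def cpe_names(cve):
    """Return the (vendor, product) pairs named in a record's CPE match criteria."""
    names = []
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                f = split_cpe23(match["criteria"])
                names.append((f[3], f[4]))
    return names


def enrichment_by_day(feed_json):
    """Per publication day: total records, records carrying CPE data, status counts."""
    by_day = {}
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        day = by_day.setdefault(cve["published"][:10],
                                {"total": 0, "with_cpe": 0, "status": Counter()})
        day["total"] += 1
        day["status"][cve.get("vulnStatus", "unknown")] += 1
        if cpe_names(cve):
            day["with_cpe"] += 1
    return by_day


def unenriched_since(feed_json, since_day):
    """IDs published on or after since_day that are not Rejected and carry no CPE names."""
    out = []
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        if (cve["published"][:10] >= since_day
                and cve.get("vulnStatus") != "Rejected"
                and not cpe_names(cve)):
            out.append(cve["id"])
    return out


if __name__ == "__main__":
    for day, stats in sorted(enrichment_by_day(SAMPLE_FEED).items()):
        print(day, f"{stats['with_cpe']}/{stats['total']} with CPE", dict(stats["status"]))
    print("unenriched since 2024-02-12:", unenriched_since(SAMPLE_FEED, "2024-02-12"))
```

Against a real download you would feed the API’s JSON into enrichment_by_day and look for the day the with_cpe count drops to zero while the totals stay normal; that is the signature of CVE records arriving from CVE.org but never getting CPE names attached. Rejected records are excluded on purpose, since nobody expects them to be enriched.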

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.

