There has been a lot of talk on LinkedIn lately about helping the NVD out of its problems, despite the fact that the NVD hasn’t announced they need help, or indeed announced anything at all about those problems – which have been going on for more than a month now. I have no problem with people trying to help the NVD, since I agree that in the short term, the NVD is essential to worldwide software security. However, I’ve seen this movie before – in fact, I was one of the stars!
In early 2022, the OWASP SBOM Forum (then just the SBOM Forum) put out a white paper that has held up very well and is still downloaded regularly. It describes the changes we suggest for the NVD to fix the serious naming problems that CPE causes (those problems are described on pages 4-6 of the paper). We proposed to fix them by including alternative identifiers for software and intelligent devices in the NVD, without eliminating CPEs themselves. CPE can't be reformed, but it will probably never die out; nor does that need to happen. The existing CVE reports in the NVD, which go back about two decades and almost all of which include CPE names, need to be preserved and to remain available.
After initially receiving support from CISA for the suggestions in our paper, we were later disappointed to realize that support had waned. So, we reached out directly to Tanya Brewer of NIST, the leader of the NVD. We asked to meet with her to discuss how we might help the NVD with the naming problem (for those of you keeping score at home, NIST/NVD is part of the Dept. of Commerce, while CISA and CVE/MITRE are part of DHS).
Tanya was quite pleased to do that. She said they had read our paper and wanted to discuss it with us. We ended up having two meetings with her, which I described in four posts: first, second, third and fourth. The first two posts were written soon after the first meeting with Tanya. That meeting was quite upbeat, although Tanya specifically warned us about the following (the words below are not directly hers, but include my interpretations of what she said):
1. Private organizations can't provide money directly to federal agencies for use by the agency, to go into their general budget. What private organizations can do, at least with NIST, is negotiate and sign a Cooperative Research and Development Agreement (CRADA), which sets out specific research and/or development goals that NIST and the private organization will pursue together. However, no funds from the CRADA can go toward normal expenses of the agency (specifically the NVD in this case), meaning there will probably be no way for private organizations to provide money to NIST to alleviate their current crisis. If the problem is primarily due to lack of funds (which I doubt), the NVD will have to find the funds somewhere else, maybe as some sort of emergency allocation from NIST.
2. Private organizations also can't provide advice to federal agencies without following FACA, the Federal Advisory Committee Act. There are a huge number of hoops to jump through in order to form such a committee: here they are. I imagine it would take at least a year to do that.
3. Well, how about trying to get Congress to increase funding? That has three problems:
a. Tanya made it clear that no federal employee can lobby Congress in any way, since they'll almost surely be fired for doing so. They also can't lobby through a third party. She didn't forbid us from trying to lobby Congress, but her name needs to be kept entirely out of it.
b. The government follows a fiscal year that starts in October. Since the budget is supposed to be in place before the fiscal year begins (it's been years since that actually happened, of course), it's too late to have any impact on budgets for the 2024-2025 FY. The earliest that any change could be made to the NVD's funding would be starting in October of 2025. And you'd better get moving quickly if you want to be successful in doing that.
c. Plus, if you do more than write a few letters to Congressmen or Senators, you have to be careful not to overstep the line into becoming a lobbyist without registering as one. A lot of people have gotten into legal trouble for this reason.
My third post was more downbeat, although not because of anything the NVD did or didn't do. It was written right at the moment last April/May when there was a serious possibility that the government would not only shut down, but default on its debts. This was just like a married couple arguing about whether they should pay their credit card bills. A last-minute bipartisan agreement (between the President and the four leaders of Congress, from both major parties) was reached in May.
The agreement was supposed to cover the 2024-25 fiscal year, avoiding another possible government shutdown around now. However, within weeks, one party had already started to make clear they didn't feel like following the agreement, with the result that, if a new agreement isn't reached by Friday, most of the government, including the military, will shut down. This time, the Department of Commerce won't shut down, so NIST and the NVD can continue to do what they're doing.
However, the NVD's current problem is entwined with CVE/MITRE. DHS will shut down, meaning all DHS employees (including CISA employees and MITRE contractors) are forbidden to work, even if they're willing to do so without pay. So if there is a shutdown, CVE/MITRE will be closed, greatly complicating the task of fixing whatever the NVD's problem is (which I'm sure is technical; it's not due to the fact that they're underfunded, since that's been true for a decade or more).
There's a specific twist that applies to MITRE: While government employees, including military personnel, are sure to receive back pay whenever the government reopens, contractors like those from MITRE will receive nada, although MITRE itself is presumably paying them a salary. However, independent contractors (and the federal government is loaded with them) will be without any income (other than unemployment compensation) and will never receive the pay that they missed during the shutdown.
Let's be clear: The fact that the government keeps having these shutdown scares (which happen regularly; the last one that actually happened lasted 35 days in 2018-2019) must be having a debilitating effect on both the government employees who work for the NVD and especially the MITRE contractors who work for CVE.org. I don't think that's the primary cause of the recent problems, but it certainly must affect the motivation of the staff members (of CVE/MITRE and the NVD) who are supposed to be figuring out what the problem is. I would wonder, "Why the h___ do I need to bust my a__ to fix a problem with the NVD, when the country's elected representatives think the whole government should shut down?" And I would certainly be shopping my resume around at this time.
Some people talk loosely about how "we'll all be better off if the government shuts down". If you're one of them, you should be ecstatic about the effect your loose talk is having in the real world, unless, of course, you think it's important for there to be a well-managed, smoothly-running, government-led vulnerability database. I honestly don't know how either the NVD or MITRE can continue to hire new people, given that cybersecurity expertise is still in high demand in the private sector, when they know that at least once a year (and sometimes more often than that, like last year and probably this one as well), there will be a serious question whether they will even have a paycheck for some unknown number of weeks. Expect continuing problems like this in the NVD, unless everybody in Congress agrees that negotiations are the way to settle policy differences, not playing chicken with the well-being of the millions of people who work for the government.
My fourth post was written last June, after Tanya had returned to the SBOM Forum to tell us what she had learned about public-private partnerships at NIST. She seemed to have good news: she described a Consortium she was going to set up, which would give private sector organizations a sounding board with the NVD and allow them to set up a CRADA to do research with the NVD, presumably on how to fix their 20+-year-old infrastructure so it doesn't keep crashing.
However, what she was clearly focusing on was a third way for the private sector to help: They could provide coders free of charge to the NVD. She wanted the coders to commit to spending six months there (I believe it had to be onsite). That wouldn't be terrible for a big organization like Oracle or Microsoft, if it provided the coder a significant learning opportunity and an opportunity to do meaningful work. It would of course be out of the question for most smaller organizations to pay an employee to work for someone else for six months.
But the problem with this "offer" was that the "learning opportunity" was to learn an obscure old language I'd never heard of; evidently, this language is used in the foundations of much of the NVD. And the "meaningful work" (the words in quotes above are my language, not hers) would of course involve coding in that language. For a young coder (and I am neither of these), it might be an exciting opportunity just to work for 6 months in DC (although I don't recommend the summers!). However, I wouldn't call it a career-advancing step, unless your career is working for the NVD.
I consider this a bad sign for anyone who wants to help the NVD. That database has been around for about 25 years. Unfortunately, databases age like milk, not fine wine. There's a lot of technical debt that has to be paid before they can even think of fixing the naming problem, etc. And my guess is that in February, that technical debt (or some of it) came due, resulting in the huge drop in their productivity. It's a worse sign that, more than four weeks after this event must have happened, they still don't know what the cause is, or if they do, they haven't announced it to the vast unwashed masses like you and me.
And it's an even worse sign that they haven't bothered to make any announcement at all after more than 30 days, except to say that Tanya hopes (but doesn't promise) that she'll be able to say something this week.
Folks, the NVD clearly won't be the foundation of the global vulnerability database (GVD) that the world needs, although the NVD shouldn't and won't go away, either. Fortunately, I don't think the GVD will have to be a huge project; but even if it is, it will be tiny compared to the project (and the risk) of building a great 21st-century database on top of a creaking (and now crumbling) late-20th-century foundation called the NVD.
The NVD needs to remain in existence, and at least for now it needs to keep creating CPE names and adding them to CVE reports. But they haven't been doing that for a month, and they haven't even bothered to explain what the problem is. Until they're willing and able to explain the problem, and until they ask for private sector help (and can identify a legal means to provide it), I think it's a waste of time to even talk about providing help to them.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.