Thursday, September 18, 2025

Thanks, but no thanks, CISA

Note from Tom:

I have moved to Substack as my primary blog platform. If you want to see all my new posts, as well as my 1200+ legacy posts starting in 2013, please support me by becoming a paid subscriber to my Substack blog. The cost is $30 a year. Thanks!

Last week, my friend Patrick Garrity of VulnCheck – the most respected vulnerability researcher cum skateboarder in the world – posted on LinkedIn about a paper that CISA put out last week titled “CISA Strategic Focus: CVE Quality for a Cyber Secure Future”. The paper describes what CISA would like to do to improve the CVE Program. For a short 101-level overview of that program, go here.

Since the CVE Program isn’t run by CISA, you may wonder why CISA is concerned about improving the program. The answer is that CISA fully funds the CVE Program, although it is operated by the MITRE Corporation, a (nonprofit) Federally-Funded Research and Development Center, under the direction of the Board of the nonprofit CVE.org. CISA fully funds MITRE’s contract, which costs, as I’ve heard from different sources, somewhere between $44 and $57 million per year.

On April 15, the international vulnerability management community was shaken by a letter sent by MITRE to the members of the CVE.org board; the letter indicated their contract wasn’t going to be renewed by CISA and the program would have to shut down the next day. The letter caused a veritable firestorm of concern and criticism, which immediately bore fruit. By the next day, MITRE announced that everything was hunky-dory again, since the contract had been extended after all.

But everything really wasn’t hunky-dory. The fact that the contract had almost been cancelled, and that CISA was (and still is) planning to cut a lot more people, led me and many others to conclude that it was close to certain the contract wouldn’t be renewed next March (don’t ask me why the renewal was in April this year but will be in March next year. Such questions are above my pay grade).

Fortunately, literally at that moment a white knight appeared on the horizon, in the form of a new international non-profit organization called the CVE Foundation. The Foundation’s Board is comprised entirely of longtime members of the CVE.org Board, including Lisa Olsen of Microsoft (an important contributor to the CVE Program, who is also now Executive Director of the Foundation), my friend Pete Allor of Red Hat, and Dave Waltermire of NIST. I was quite impressed when their lineup was finally announced a few weeks after April 16, the day the Foundation was officially launched.

The Foundation’s board members have all been in the thick of discussions about what’s needed in the CVE Program during the 25 years that CVE records have been reported and disseminated. In fact, one of those board members has been involved with CVE since 1999 (that was the year CVE records started to be disseminated. That year, around 350 CVEs were identified. This year, probably around 45,000 new CVEs will be identified – and those are still just the tip of the iceberg). While the board members haven’t put out a plan for the changes they want to make, I know they’re already working hard on them.

However, there’s something else that the Foundation’s board members have been working on: fundraising. They have been approaching private organizations and government agencies worldwide and are getting a great response. They already have a lot of funds committed; they’re sure they will have more than enough funds available when it comes time to buy out MITRE’s contract next March.

Which brings me back to CISA. They are now making a big effort to make amends for their mistake in April and are campaigning hard to keep the CVE Program under their belt. Their document describes a lot of nice things they pledge to maintain or put in place. Here are three of them.

1. Good governance

Without naming the CVE Foundation, CISA’s document attacks the Foundation’s proposal to take over funding and running the CVE Program – in partnership with MITRE. They call this “privatization” and imply that governance would suffer because the Foundation won’t be able to ensure “conflict-free and vendor neutral stewardship, broad multi-sector engagement, transparent processes, and accountable leadership.” Given the chaotic history of CISA since the new administration came in, including the many threats to close the agency entirely, the complete elimination of entire programs (and their staffs) without any attempt to demonstrate why this was necessary, and most importantly the outright hostility exhibited to longtime employees before they were terminated (as if they were doing something wrong just by being employed by CISA), this assertion seems a little out of place.

2. “Public good”

The second section of CISA’s document includes these two sentences: “Privatizing the CVE Program would dilute its value as a public good. The incentive structure in the software industry creates tension for private industry, who often face a difficult choice: promote transparency to downstream users through vulnerability disclosure or minimize the disclosure of vulnerabilities to avoid potential economic or reputational harm.”

Essentially, this is saying that accepting money from software companies – along with government agencies from all over the world, nonprofit foundations, and many other types of organizations – will inevitably corrupt the CVE Foundation, since software companies face the “difficult choice” of whether to disclose vulnerabilities.

I don’t deny that software companies face that choice, but I can attest that at least the larger software companies (who produce a huge percentage of all commercially available software products) have almost all made the choice for the side of Virtue, since they’re the biggest advocates for (and funders of) software security. In fact, I’m sure that over 95% of CVE records are generated by either

1. A CNA that works for the software company (or open source community like the Linux Foundation or GitHub) that developed or supports the software (e.g., Microsoft, Oracle, HPE, Red Hat, Cisco, Siemens, Schneider Electric, etc.), or

2. A CNA that the developer approached to create the record (usually because the developer is in the CNA’s “scope”).

In fact, on the second page, CISA writes, “Many in the community have requested that CISA consider alternative funding sources. As CISA evaluates potential mechanisms for diversified funding, we will update the community.” Of course, given the extreme pressure on the entire federal government to cut costs as much as possible, it’s quite understandable that CISA would want to look for alternative funding sources. Setting aside the question of whether they would be allowed to accept funding from outside the government (see below), it’s worth noting that one of the most likely prospects to help CISA out is…you guessed it: large software companies.

3. Dump MITRE?

Patrick Garrity pointed out in his LinkedIn post that CISA’s document never mentions MITRE. Patrick speculates this means CISA is considering not renewing MITRE’s contract next March, even though they clearly want to keep the CVE program going. Unfortunately, CISA is deluded if they think they can keep the program going by themselves, let alone improve it. MITRE staffs the whole CVE Program now (along with many volunteers, most notably the 470+ CVE Numbering Authorities). They have been running the program since 1999, when two MITRE researchers came up with the CVE idea and described it at a conference.

The MITRE team reports to the Board of Trustees of the nonprofit CVE.org; that board includes representatives from government (including CISA and the National Vulnerability Database - NVD), as well as private industry (as mentioned earlier, the entire board of the CVE Foundation consists of current members of the CVE.org board). While there are certainly things MITRE has not done well in their many years running the CVE Program, it would be hard to find anyone knowledgeable about the situation who says MITRE’s work hasn’t overall been good, if not excellent.

Of course, I’m sure CISA management thinks they can do better than MITRE at running the program. If they drop the MITRE contract, they will presumably have a lot of money available to lavish on their own people. One of those people was Edward Coristine. He was listed as a Senior Advisor to CISA in February, having been installed by the “Department of Governmental Efficiency” or DOGE (Coristine had a famous nickname that I can’t repeat here, since this is a family blog).

Mr. Coristine had success in the cybersecurity field while still in high school (which wasn’t long ago, since he was 19 when he was at CISA. He’s either 19 or 20 today). He must be quite good at whatever he does, since his company, DiamondCDN, was complimented by a customer called EGoodly. They posted on Telegram, “We extend our gratitude to our valued partners DiamondCDN for generously providing us with their amazing DDoS protection and caching systems, which allow us to securely host and safeguard our website…”

What kind of company, pray tell, is (or was) Egoodly? They were described by Reuters (in the article linked above) as “a ring of cybercriminals”. Perhaps I’m old-fashioned, but it doesn’t seem to me that someone who has done work for cybercriminals should be installed as a senior advisor to CISA (with access to their most sensitive systems, of course). At the very least, one would expect that CISA’s (and DHS’s) management team would have requested a background check first – and if it was refused, they would have refused to give Mr. Coristine access to any system, except perhaps the cafeteria menu system. But it seems there was no background check.

Of course, I’m sure that CISA management last February and March was under tremendous pressure to do whatever DOGE told them to do. Even if DOGE demanded system access for Vladimir Putin, it would probably have been granted. I guess we can at least be happy that didn’t happen.

Nevertheless, I think this incident alone should disqualify CISA from taking over operation of the CVE Program from MITRE next year. The CVE Foundation is much more qualified, experienced, and connected than whoever happens to be in charge of CISA this month. They will be able to raise much more money than CISA could raise on their own – even if CISA were allowed to raise money from private sector organizations (of course, they’re not. That’s known as bribery). And of course, whatever money CISA has today may very well be gone tomorrow. That’s how things happen in Washington nowadays.

Most importantly, the CVE Foundation will build on MITRE’s vast experience, starting with their “invention” of CVE. I know for a fact they won’t let MITRE just continue to do the same old same old, but I also know for a fact that the MITRE staff members I know are quite motivated to make improvements (and they’re continually making them now); they also don’t want the same old same old. Next year, working with the CVE Foundation, they’ll continue to make improvements, and even pick up the pace. The CVE Foundation is making big plans.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com or comment on this blog’s Substack community chat.
