On April 23, Jen Easterly, former Director of CISA, put up a post on LinkedIn about the bizarre episode of April 15 and 16. On April 15, a leaked letter to CVE Board members from Yousry Barsoum, VP and Director of MITRE, revealed that the next day “the current contracting pathway for MITRE to develop, operate and modernize CVE and several other related programs…will expire.”
This led to a virtual firestorm in the software security community, since there is currently no replacement worldwide for the CVE Program; shutting it down abruptly would inevitably disrupt software security efforts worldwide. However, the next day, CISA announced “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.” Thus, it seems the cavalry arrived in time to save the fort.
Ms. Easterly wrote a week later:
Today, CISA's Deputy Executive Assistant Director for Cybersecurity's Matt Hartman released a statement committing to the sustainment and evolution of the CVE program, including "to fostering (sic) inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program." The statement also clarified that there was no actual funding issue but rather an "administrative issue" that was resolved prior to a contract lapse.
In stating that “there was no actual funding issue”, she obviously intended to give comfort to her readers. After all, “administrative issues” happen all the time and don’t kill whole programs, while funding issues do kill programs. Therefore, she’s saying the worldwide alarm caused by Mr. Barsoum’s letter was misplaced. Move along…nothing to see here.
Unfortunately, this raises the question of why Mr. Barsoum put out his letter and sent it to all the members (20+) of the CVE.org board, if the issue was so trivial. Why didn’t he just pick up the phone, find out what the “administrative issue” was and get it fixed? It also ignores the fact that a) many programs in the federal government have recently been cancelled literally overnight, with no advance warning at all, and b) CISA is known to be in the process of letting a number of employees go, which almost always means some programs will need to be sacrificed as well.
In other words, Mr. Hartman’s assertion, and Ms. Easterly’s repetition of it, missed the main lesson of this whole sorry affair. To provide some background, the CVE Program was started from nothing in 1999. From the beginning, it was run by MITRE (in fact the idea for CVE first appeared in a paper written by two MITRE staff members that year), although it wasn’t called the “CVE Program” then. Since MITRE was already a US government contractor, it made sense for the government to engage MITRE to run the program. It can truly be said that the CVE Program might not exist at all today, were it not funded by the US government.
However, things change. Today, both governments and private industry worldwide are concerned about software vulnerabilities and rely on the CVE Program to faithfully identify and catalog those vulnerabilities. Given the worldwide use of CVE data, there is no reason why the US government should remain the sole funder of the program.
Yet that is exactly what Ms. Easterly advocates in the remainder of her post. She says, “Some parts of cybersecurity can and should be commercialized. Some should be supported by nonprofits. But vulnerability enumeration, the foundation of shared situational awareness, should be treated as a public good. This effort should be funded by the government and governed by independent stakeholders who are a balanced representation of the ecosystem, with government and industry members. CISA leading this effort as a public-private partnership assures the program is operated in service of the public interest.”
In other words, she thinks the private sector shouldn’t be funding the CVE Program, since it’s a public good that should only be funded by the public – i.e., the government (and CISA in particular). That would be wonderful if we lived in a world where the government is quite willing to fund cybersecurity initiatives and always stands behind its commitments. However, the likelihood that the CVE Program was almost shut down because – and I’m not going too far out on a limb in saying this – somebody who has no idea what it is decided it was a good candidate for defunding is, in my mind, prima facie evidence that its entire funding should not come from the US or any other government.
To produce these blog posts, I rely on support from people like you. If you appreciate my posts, please make that known by donating here. Any amount is welcome, but I will treat any donation of $25 or more as an annual subscription fee. Thanks!
But let’s suppose Mr. Hartman was correct in asserting there was no “funding issue”. In my (reasoned) opinion, that makes the case against exclusive government funding even stronger. Mr. Barsoum was clearly concerned that the CVE Program would be shut down, which strongly implies he knew the reason that might happen. If the reason was simply an administrative error – e.g., somebody forgot to check a box on some form – this means we’ll need to start worrying not only about funding cutoffs to the program, but about any administrative error that anybody at CISA, DHS, etc. might make. Does that give you a warm and fuzzy feeling?
I’m sorry, Ms. Easterly, but the CVE Program needs to be moved away from the federal government, although I hope the feds will still provide some of its funding. This doesn’t have to happen tomorrow, but it should at least be done when the contract has to be renewed next March; this is especially important since it’s quite likely the contract won’t be renewed then, anyway. If the software security community gets caught flat-footed again next year, we will have nobody to blame but ourselves. Tragedy repeated is farce.
Fortunately, the cavalry is already onsite and is planning for that eventuality. I’m referring to the CVE Foundation, a group that was already holding informal discussions before April 15, but which had not been formalized before then. When I saw the first announcement of it on April 16 – the announcement only had one name on it – I thought it might be a late April Fool’s Day prank. But the following week, it became clear that they have a great lineup of heavy hitters currently involved in the program, including CVE.org board members, heads of CVE working groups, and representatives of private industry.
Last week, this became even clearer, when I heard Pete Allor of Red Hat, CVE Board member and Co-Chair of the CVE Vulnerability Conference and Events Working Group, describe the success the CVE Foundation has had so far. They’ve lined up large companies and governments who have said they will be ready with funding when it comes time to make the break with Uncle Sam (although I certainly hope my dear Uncle will get over his hurt feelings and realize that a child leaving home because they have outgrown the need for incubation is an occasion for rejoicing, not barely concealed anger. After all, DNS was nurtured by the National Telecommunications and Information Administration – NTIA – 40-50 years ago. When it was time to let DNS leave home, it found a truly international home in ICANN. At last report, DNS is still alive and well 😊. Perhaps CVE will find a similar home).
Fortunately, you don’t have to take my word for what Pete said. Last Thursday, Patrick Garrity of VulnCheck posted a link to an excellent podcast in which Pete went into a lot of detail on why the CVE Foundation was…well, founded, and the success they have had so far in lining up support (although he didn’t name potential financial supporters, of course). Then on Friday, Pete elaborated on what he’d said, under withering questioning by me and others at our regularly scheduled OWASP SBOM Forum meeting.
So, you don’t need to worry about whether the CVE Program will survive more than 11 months longer; the answer is yes. The real question is what changes need to be made to the program, both in the intermediate term and the longer term. Those will be interesting discussions, and I’m already trying to spark them. Stay tuned to this channel!
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. And while you’re at it, please donate as well!