MITRE warns over lapse in CVE coverage

One of the cyber security world’s most significant assets, the common vulnerabilities and exposures (CVE) system operated by US-based non-profit MITRE appears to be heading for trouble after it emerged that the contract pathway for MITRE to continue to run the project on behalf of the US authorities, is set to lapse on Wednesday 16 April with no replacement ready.

In a letter to MITRE board members circulated today, a copy of which has been reviewed by Computer Weekly, Yosry Barsoum, vice president and director at the Centre for Securing Homeland (CSH) at MITRE, said the US government was currently making “considerable efforts” to continue MITRE’s longstanding role in the CVE programme.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” wrote Barsoum.

“MITRE continues to be committed to CVE as a global resource. We thank you as a member of the CVE Board for your continued partnership,” he added.

A spokesperson for MITRE confirmed the legitimacy of Barsoum’s statement to Computer Weekly. They described the CVE programme as a “foundational pillar” of the cyber sector, anchoring a global industry worth close to $40bn (£30bn).

The 25 year-old CVE system is designed to serve as a reference and repository for disclosed cyber security vulnerabilities, and has been maintained by MITRE since its inception at the end of the 1990s, with funding drawn from the National Cyber Security Division of the Department of Homeland Security.

Over the years its impact on the world of security research has been of immense significance, providing cyber defenders with data on emerging vulnerabilities and threats, some of which have been implicated in some of the largest cyber incidents ever seen – such as WannaCry, SolarWinds Sunburst, Log4j, and MOVEit to name but a few.

Its continuing work will be familiar to most thanks to the sheer volume of CVEs – recognisable by their unique identifiers comprising the letters CVE, the year, and a numeric code – released on the second Tuesday of every month by Microsoft in its Patch Tuesday update.

If it was to have to cease operations, even temporarily pending a contract renewal, the impact would be keenly felt across the entire technology industry. Patch Tuesday aside, the current number of CVEs of all types being discovered and disclosed is running at record highs and shows no signs of slowing.

Disruption to the CVE system would be a gift to both financially-motivated cyber criminals and nation-state actors alike, who would be able to swiftly take advantage of any downtime as they continue to seek out, develop and weaponise new vulnerabilities, while security professionals would be left fumbling in the dark.

Coming amidst deep and painful government cuts being made in the US, the potential risk to the national security postures of the US and its allies from states such as China and Russia, is also extremely serious – a fact not lost on many members of the security community who took to social media late 15 April to spread the word.

Writing on LinkedIn, one observer speculated that the deprecation of MITRE’s contract was by design, and that taken alongside cuts to the likes of the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), the US was tearing down core security institutions amid a significant ongoing cyber crisis.