A critical database tracking cybersecurity threats was on the chopping block. What happened?

The CVE program was hours away from losing federal funding before experts raised the alarm.

By Rhonda Fanning & Shelly Brisbin, April 17, 2025 1:36 pm

A critical database that tracks cybersecurity threats around the world was hours away from losing its federal funding this week, until experts raised the alarm, and the funding was restored.

The Common Vulnerabilities and Exposures program catalogs publicly disclosed software and hardware vulnerabilities, assigning each a unique identifier and sharing that information with governments, vendors and private cybersecurity researchers working to find and fix weaknesses in computer systems and networks.

So why was such a critical program at risk, and what could have happened if funding had dried up?

To understand what happened – or perhaps more accurately, what almost happened – Texas Standard turned to Francesca Lockhart, Cybersecurity Clinic Program lead at the Strauss Center for International Security and Law at UT Austin. Listen to the interview above or read the transcript below.

This transcript has been edited lightly for clarity:

Texas Standard: For starters, explain to us – what is CVE?

Francesca Lockhart: So this is the Common Vulnerabilities and Exposures program, which is essentially a coordinated catalog for logging and disclosing vulnerabilities in software.

It really is the backbone of the cybersecurity industry because it provides researchers and cyber defenders – as well as the tools that they use to secure their networks and systems – a single source of truth for identifying and managing weakness in software, and those weaknesses are often exploited by adversaries.

This program is administered by the MITRE Corporation, which is a nonprofit research center, and it’s funded by the U.S. Department of Homeland Security.

Okay, so why have cybersecurity experts been so frazzled about CVE?

So, as with many other programs and contracts, the contract to fund the CVE program at MITRE was up for renewal, and the cybersecurity community was notified by the CVE board that the contract was likely to not be renewed, meaning that the CVE program would end yesterday, April 16.

I just want to understand something. You talked about a contract with MITRE. This is a federal government contract, right? This is what pays for this common database?

That’s correct.

Well, I guess a lot of folks are wondering why would such a critical program be at risk? And furthermore, what would have happened if there were no funds for this program?

So this is, you know, part of a broader effort by the second Trump administration to cut costs and to revisit the value of different contracts, particularly those with long-funded entities that run important programs like this.

There’s essentially this reexamining of the criticality and the need for continued funding. And this is all part of that broader conversation with regard to whether or not some programs like this should be ended or privatized.


This was on the chopping block, but you say it could have run out yesterday. It didn’t. What happened?

That’s correct. So thankfully, the Cybersecurity and Infrastructure Security Agency, which is the subagency within the Department of Homeland Security that provides the funding and was negotiating the extension of the contract with MITRE, executed the contract’s option period.

So funding is temporarily extended for 11 months while negotiations continue, meaning that the CVE program will continue for at least that long and hopefully longer.

All right, I want to get a sense of what would have happened if, in fact, that funding had been cut off, as a lot of people clearly feared. Could you give us a practical sense of how this could have affected everyday folks?

Sure. So the immediate impacts may not be perceptible to everyday consumers.

What would happen on the back end is new vulnerabilities might be identified, and then cybersecurity researchers would be scrambling to come up with a common nomenclature and disclose these vulnerabilities to the companies and industry researchers that rely on them.

But what would then happen are cascading impacts to our everyday software and devices wherein patches, those updates that get pushed to our systems like our iPhones, for example, are slower to come out. Maybe they’re containing fewer bug fixes than they currently do because of the unknown vulnerabilities or the inability of researchers to code and patch fixes for these weaknesses in the short span of time that they currently do because of the existence of the CVE program.

So longer-term, we would potentially see some additional weaknesses in our devices and software for a longer period of time, which could lead to outages and exploitation by attackers.
