
"Experts in cybersecurity discuss the potential of the Common Vulnerabilities and Exposures (CVE) program operating independently from government control"

Advocacy groups pushing for adjustments to the security flaw initiative argue that alterations are essential for enhancing stability and reestablishing confidence.

Contemplating a Non-Governmental Future for the CVE Initiative in the Cyber Realm

The Common Vulnerabilities and Exposures (CVE) program, the global catalog that assigns identifiers to publicly disclosed vulnerabilities, is operated by MITRE under U.S. government contracts, and its future has been called into question by the instability of that funding. To keep the program running, several reforms and strategies are being proposed.

Proposed Reforms for the CVE Program

  1. Stable Funding Mechanisms: The cybersecurity community is advocating for long-term, committed funding so that the program's continuity no longer hinges on a single contract renewal. This includes exploring financial models that are not solely dependent on government contracts [1][3].
  2. Governance Structure: Establishing a formal governance structure could aid in decision-making and ensure that the program remains aligned with the needs of the global cybersecurity community [3].
  3. Reducing Reliance on U.S. Government Funding: The community is pushing for a non-governmental future for the CVE program. This could involve diversifying funding sources, potentially through partnerships with international organizations or private sector entities [1][5].

Efforts by the Cybersecurity Community

  • International Cooperation: The importance of international involvement and cooperation to ensure the CVE program remains a global standard is being discussed. This would help reduce reliance on any single country's funding [1].
  • Transparent Planning: There is a call for transparent planning and communication within the cybersecurity community to prepare for potential future funding crises and ensure that alternatives are in place [1][3].
  • Private Sector Involvement: Private companies and organizations are being encouraged to support the CVE program through funding or resource contributions, helping to stabilize its financial foundation [1][5].

A nonprofit group has been created by members of the CVE program's board to potentially take custody of the program from MITRE. However, if the program's foundations are not shored up, there is a risk of it crumbling into "balkanization," with multiple smaller groups disjointedly trying to replace it [2]. That outcome matters in practice because scanners, SBOM tooling, vendor advisories and patch-management systems all correlate findings on CVE identifiers; competing or overlapping identifier namespaces would break that correlation and force every downstream consumer to reconcile them by hand.

In May, the European Union launched its own vulnerability database (the EUVD, operated by ENISA), adding to the discussion about where authoritative vulnerability data should live [4]. There is also a concern about how accountable the CVE program's "core infrastructure" is to the security community at large [6].

Moving the CVE program into a new nonprofit group could help address those accountability concerns, and there is precedent for such a transfer in the history of the internet's infrastructure [7]. CISA would still need to play a core role in the program, but there should be a way for other players to be accountable for, and part of, the core infrastructure [8].

The CVE program needs more rigorous governing protocols, including independent governance and neutrality, to ensure its resilience, transparency, and sustainability [9]. The program is the de facto global namespace for identifying publicly disclosed software vulnerabilities, and the descriptions and references attached to its records feed nearly every downstream vulnerability database and tool, so its stability is crucial for the global cybersecurity community [10].

References:

[1] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[2] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[3] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[4] https://www.zdnet.com/article/eu-launches-its-own-vulnerability-database-but-will-it-compete-with-cve/
[5] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[6] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[7] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[8] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[9] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html
[10] https://www.schneier.com/blog/archives/2021/04/cve_program_f.html

  1. The cybersecurity community is advocating for the establishment of a formal governance structure to aid in decision-making for the CVE program and ensure its alignment with global needs.
  2. The calls for transparent planning and communication within the community are vital, as they prepare for potential future funding crises and ensure alternative plans are in place.
  3. To reduce the risk to the CVE program's continuity, the community is pushing for non-governmental funding, potentially through partnerships with international organizations or private sector entities.
  4. International cooperation is being stressed as the way to keep the CVE program a global standard and to reduce reliance on any single country's funding; the recently launched European Union vulnerability database shows that, absent such cooperation, other jurisdictions will build parallel catalogs of their own.
