
CISA extends CVE program contract for 11 months

The looming expiration of MITRE's contract for the Common Vulnerabilities and Exposures Program was a shock to many cybersecurity experts. But the Cybersecurity and Infrastructure Security Agency quickly pledged that there would be no lapse in service.

A last-minute reprieve from the U.S. Department of Homeland Security looks to have spared the Common Vulnerabilities and Exposures Program for now.

"The CVE Program is invaluable to the cyber community and a priority of CISA," a spokesperson from the DHS' Cybersecurity and Infrastructure Security Agency said Wednesday. 

WHY IT MATTERS

Operated by the non-profit MITRE, a defense research organization that has also provided ransomware support for hospitals and health systems, the CVE program is an essential component of CISA's mission and part of its Cyber Hygiene Services for healthcare and other industries. MITRE's contract to support the CVE and Common Weakness Enumeration (CWE) programs was set to expire on April 16.

"For the benefit of the cybersecurity community and network defenders – and to help every organization better manage vulnerabilities and keep pace with threat activity – CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild," the agency says on its website.

In his letter to CVE board members on Tuesday – which was shared in a social media post by Jen Easterly, former CISA director and now CEO of Evenstar Cyber – Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, listed several cybersecurity concerns.

"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations and all manner of critical infrastructure," he said.

Easterly called it "one of the most important pillars of modern cybersecurity," and said that "losing it would be like tearing out the card catalog from every library at once – leaving defenders to sort through chaos while attackers take full advantage."

Healthcare IT News asked CISA if and when the CVE services might end or change, how new CVEs would be added to the database going forward and if another entity would be taking up the mantle of the work.

Without providing specifics, an agency spokesperson indicated by email Wednesday that CISA took action to protect the integrity of the cardinal resource and extended the contract 11 months.

"Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services," the spokesperson said. "We appreciate our partners’ and stakeholders’ patience."

THE LARGER TREND

CISA has funded the development of the CVE reference system for software vulnerabilities to minimize discovery efforts and costs by cybersecurity stakeholders across industry and government. 

MITRE has researched and maintained the CVE knowledge base since the Department of Homeland Security launched this effort in the 1990s.

Easterly described what is at stake without a properly maintained global catalog, including an inability for cybersecurity teams to assess priorities for patching and the breakdown of automated security tools that rely on CVEs. 

Essentially, archiving the CVE would hobble CISA's efforts to prioritize software flaws and warn the public sector, she said, noting that it would also impair global coordination in defending against cyber threats.

Cyber threat actors scan networks for software vulnerabilities, which have proved to be successful entry points and back doors into networks despite the agency's Known Exploited Vulnerabilities catalog, distributed under the Creative Commons 0 1.0 License in numerous formats.

Many cyber breaches have been attributed to unpatched vulnerabilities, such as the 2021 breach of Florida Healthy Kids, the largest of that year, which exposed the personal information of 3.5 million individuals. Investigations showed that attackers had been able to reach numerous unpatched CVEs accessible on its website since 2013.

ON THE RECORD

"Thanks to actions taken by the government, a break in service for the [CVE] program and the [CWE] Program has been avoided," Barsoum told Healthcare IT News by email on Wednesday. "CISA identified incremental funding to keep the programs operational.

"We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry and government over the last 24 hours," he added. "The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE and CWE as global resources."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.