Four congressional lawmakers are pushing Department of Homeland Security (DHS) Secretary Kirstjen Nielsen to update a program established nearly 20 years ago that helps public and private sector organizations catalog, track and share information on software bugs.
It’s largely a funding and oversight issue they’re complaining about. In a letter sent to Nielsen, House Energy and Commerce Committee Chairman Greg Walden (R-OR), Reps. Gregg Harper (R-MS), Marsha Blackburn (R-TN) and Rob Latta (R-OH), urged Nielsen to move the Common Vulnerabilities and Exposures (CVE) program from contract-based funding into the DHS budget as a line item, The Hill reported. The legislators sent a similar letter to MITRE, which created the program in 1999 backed by federal money and operates it through the Federally Funded Research and Development Center (FFRDC).
A little background (via BleepingComputer): The CVE is a database housing assigned tracking numbers for reported security vulnerabilities. It’s important because CVE numbers are used by cybersecurity pros and organizations to tie hacks to identified software bugs. The system isn’t just in use in the U.S., it’s also been adopted by a number of countries worldwide.
“As the standard mechanism, which organizations across the globe, including many federal government agencies and private sector stakeholders within the Committee’s jurisdiction, rely upon to identify and share information on cybersecurity vulnerabilities, the CVE program has become critical cyber infrastructure,” the Congressional Representatives wrote.
The problem is that the CVE’s erratic and unpredictable funding has hampered its performance with security researchers reporting delays in receiving tracking numbers for vulnerabilities they’ve submitted. Apparently, some requests have been ignored altogether. A subsequent investigation by the U.S. Senate Energy and Commerce Committee that began roughly 18 months ago yielded a report earlier this week blaming scattershot DHS funding and a lack of regular reviews to gauge the system’s effectiveness.
"From 2012 to 2015, the program has received on average 37 percent less year-over-year funding," the Committee wrote in the letters to the DHS and MITRE. By contrast, 2016 funding shot up 139 percent. "The documentation produced by DHS and MITRE shows that the CVE contract vehicle is both unstable and prone to acute fluctuations in schedule and funding," the letters said.
In calling existing practices for managing the CVE program "clearly insufficient," the Committee also recommended that both the DHS and MITRE conduct formal biennial reviews of the system to “ensure its stability and effectiveness." Without significant improvements, the CVE will continue to face "challenges that have direct, negative impacts on stakeholders across society,” the Committee said.
The lawmakers' recommendations come as the DHS is taking on a stronger presence to fortify U.S. cybersecurity defenses. A month ago, DHS said it will set up a new facility to centralize cyber collaboration between the public and private sectors to defend the country’s critical infrastructure from attack. And, in late May, the DHS issued a mandatory command to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. Earlier that month, the Department teed up a new national cybersecurity framework covering vulnerabilities, resilience, bad actors, incident response and the cyber ecosystem.
Last February, the Trump administration asked Congress for $3.4 billion in 2019 to fund a DHS division tasked with battling cyber threats to federal networks and critical infrastructure.
