Funding Cuts Threaten Foundational Cybersecurity Infrastructure, Harming U.S. Interests and global Cyber resiliency

The zealous government budget and staffing cutting of the Trump administration has been affecting global Cybersecurity and the latest example is that we might soon lose the Common Vulnerabilities and Exposures (CVE) database maintained by the federally funded, non-profit research and development organization MITRE. This has been reported and verified by U.S. based Cybersecurity reporter Brian Krebs1

U.S. institutions, notably the Cybersecurity and Infrastructure Security Agency (CISA) and MITRE, serve as indispensable hubs for coordinating cybersecurity efforts on an international scale. The CVE list, in particular, provides a universal dictionary for identifying and tracking vulnerabilities, forming the bedrock for effective communication and response among defenders worldwide. While these platforms foster crucial global cooperation, it is undeniable that the foremost beneficiaries of this public-private coordination are the major U.S.-based technology and cybersecurity corporations. Companies such as Google, Microsoft, Palo Alto Networks, CrowdStrike, SentinelOne, Cybereason, and countless others heavily rely on this shared intelligence infrastructure to secure their products, services, and customers.

alt text CVE Interplay between public and private organizations2

The cuts made to the publicly funded programs at CISA3 and MITRE are potentially seen by the Musk lead DOGE team as cutting tax payer funded program that benefit disproportionately organizations outside the U.S., who are not contributing towards them, but the truth is that this going to predominately destroy value for US based organizations and their shareholders, while reducing cyber resiliency on a global level.

This creates a clear lose-lose situation: global security is weakened, while significant economic value within the U.S. is put at risk. Furthermore, such targeted cuts often fail to make a substantial impact on overall budget deficits4, making the strategic cost disproportionately high compared to any potential fiscal savings. Investing in shared cybersecurity infrastructure is not simply expenditure; it is a critical investment in national security, global stability, and the continued prosperity of the U.S. digital economy.

Update 2025-04-16 13:25:00 UTC

News about global politics has accelerated to a breakneck pace for the past few months (years, really) and this unfortunately is reflected as well in the Cybersecurity industry. The following exert is from an update that James Berthoty shared on LinkedIn and I am publishing without any changes :

Latest updates on hashtag #MITREMELTDOWN (it needs a thunderdome name if it’s going to be a major cybersecurity event):

  1. CISA has extended the MITRE contract, so crisis averted for now - https://lnkd.in/euzY5syu (bluesky quote from this: https://lnkd.in/eDZtPhZR)

  2. Patrick Garrity 👾🛹💙 pointed out that the CVE printer is still working - https://lnkd.in/eSJMNFiZ

  3. Tib3rius pointed out the formation of the CVE Foundation, which is apparently made up of some CVE board members, but there’s no information really at this point - https://lnkd.in/evCGr3Nk

  4. Others have pointed to a global effort - https://gcve.eu, as well as Tom Alrich with OWASP - https://lnkd.in/epYsgwd9

  5. The latest Brian Krebs update seems to suggest that CVE publications from CNAs will still work (which is the vast majority of them), we just don’t know for how long and what the long term plan is

I tried to call out in my video (linked below) that the main issue here is one of coordination and adoption, not the technical difficulty of creating a database. Almost every vendor has their own vulnerability database to host NVD and their own discovered vulnerabilities.

Instead, the challenge is CNA adoption of some new process and standards. There are over 450 CNAs who do most of the daily work, and no vendor is jumping at the opportunity to help all their competitors, inherit all of the drama of managing the CVE ecosystem, try to coordinate the daily work, and not make any money in the process.

I’ve been talking to a ton of vendors all of which are willing and wanting to help, but none of which can do it alone - most are hoping the best positioned like GitHub, Microsoft, or Google steps in to save the day.

Video: https://lnkd.in/eFFEh-qr

References:

  1. Brian Krebs,Funding Expires for Key Cyber Vulnerability Database, KrebsOnSecurity

  2. James Berthoty, LinkedIn

  3. Brian Krebs, Trump Revenge Tour Targets Cyber Leaders, Elections

  4. AP, US budget deficit grows to $1.3 trillion, the second highest six-month level on record, Associated Press