The House Energy and Commerce Committee completed its investigation of the Common Vulnerabilities and Exposures program this week and requested “significant changes to the very foundation of the CVE program.”
The investigation began in March of 2017 following media reports on extensive issues with the CVE tracking system, including long backlogs for assigning vulnerability scores. In letters to both the Department of Homeland Security (DHS) and MITRE Corporation — the two entities that manage the CVE program — members of the E&C Committee noted that changes have already been made to the CVE program, but said these changes didn’t address root issues with the program.
“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society,” Committee members wrote in the letters. “The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request. However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes — the contract-based nature of the program and the lack of oversight — which have yet to be addressed.”
During its investigation into the CVE program, the E&C Committee found red flags right from the start.
“Given the importance of the CVE program as critical cyberinfrastructure, the Committee expected to receive substantially more documentation in response to its request than was produced,” the Committee wrote in the letter to DHS. “[T]he Committee was surprised by the dearth of produced analyses, timelines, and other oversight materials documenting the year-over-year health of the program. The Committee finds the lack of documentation produced by DHS and MITRE to be revealing in and of itself.”
The Committee members said the contract-based nature of the CVE program led to inconsistent funding, short-term planning and thousands of vulnerabilities per year that didn’t receive CVE numbers. The Committee suggested this be changed to make funding a PPA (Program, Project, or Activity) line item in the DHS budget in the hopes of forcing DHS and MITRE to take the program more seriously.
“The documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyberinfrastructure. Instead, both organizations continued to manage and fund the program through a series of contract which themselves were unstable,” the committee wrote. “This approach was perhaps to be expected given that neither organization, according to produced documentation, performed the lever of oversight needed to ensure the program continued to fulfill its purpose and meet stakeholder needs.”
The Committee also requested DHS and MITRE perform biennial reviews of the CVE program “to ensure its effectiveness and stability.”
“Since the CVE program’s inception, the nature of cybersecurity threats it is meant to address has drastically evolved. So, too, have stakeholders’ needs. Yet the scope and mission of the CVE program have not undergone similar transformation,” the Committee wrote. “By conducting regular reviews of the program, officials would be able to develop short, medium and long-term goals and then evaluate their progress at achieving those goals.”
However, even these changes to so-called “root-causes” of the CVE program’s issues weren’t enough for all experts. K. Reid Wightman, vulnerability analyst at Dragos Inc., said on Twitter the recommendations showed “the wildly inaccurate CVSS scores that accompany most CVEs was out of scope,” but added he would be “glad if some progress is made on assignments at least.”
DHS and MITRE have until Sept. 4 to respond to the recommendations made by the E&C Committee.