CVE at risk: U.S. faces strategic cyber gap as governance model falters
The backbone of global vulnerability tracking nearly collapsed this year due to contract uncertainty – raising alarms across industry, government and international partners. At the center of the crisis is CVE, the Common Vulnerabilities and Exposures program, a universal identifier system that’s quietly underpinned software security for more than two decades. But as Nick Leiserson warns, its continued survival may depend on whether policymakers can move from crisis management to structural reform.
Former Assistant National Cyber Director Leiserson, who is now SVP for policy at the Institute for Security and Technology, told Frank Cilluffo on the Cyber Focus podcast that the CVE system has rarely received external review in 26 years. He said that “cracks are beginning to show” and a recent near-shutdown “caused a huge tectonic shift in the community.” According to Leiserson, the CVE Advisory Board received a letter from MITRE, the nonprofit that manages the program, earlier this year stating that unless federal contract issues were resolved within 24 hours the program would be paused. The funding gap was ultimately closed – but the scare revealed just how fragile the governance and resourcing structure has become.
Leiserson noted that the United States has effectively bankrolled CVE’s global utility since its inception. “Uncle Sam has been paying for 26 years for the globe to have this benefit,” he said, adding that while the U.S. also gains from it, the imbalance is unsustainable. Without greater financial participation from other governments and industry partners, he warned, the world’s most widely used vulnerability tracking system remains one funding lapse away from failure.
That funding gap doesn’t just create strain – it opens the door to fragmentation. Leiserson pointed to a recent close call in Europe, where officials nearly created a separate vulnerability system that could have split off from the global CVE standard. “Governments are the greatest risk of fragmentation,” he said. In that case, the EU was persuaded to keep their new system indexed to CVEs – but Leiserson isn’t sure that decision would hold today.
He also warned of the risks if governments try to take over the process entirely, sidelining the experts who’ve run CVE for decades. That kind of top-down fix, what he called a “10,000-meter screwdriver,” could break more than it solves. A better approach, he argued, is bringing both government and industry into the fold – formally and transparently – so the system stays strong and unified.
The warning comes amid broader concerns about U.S. cyber policy implementation. The F5 breach – a compromise of a critical internet infrastructure vendor used by 80% of the Fortune 500 – raised red flags reminiscent of the SolarWinds breach. Yet the federal directives meant to prevent such attacks remain unfulfilled. “We’re failing at the last mile,” Leiserson said, adding, “We need sustained attention from senior leadership to say ‘no, you actually have to do this.’”
Whether through updated governance, broader financial participation or clearer accountability structures, the future of CVE now rests on the decisions of policymakers and stakeholders across sectors. The system’s long-term resilience may hinge not on any single fix, but on the willingness to coordinate before another disruption puts global vulnerability management at risk.
To hear the full conversation, subscribe to Cyber Focus in your favorite podcast app, or watch it on YouTube.