Lawmakers Want the Cyber Vulnerabilities Register Improved

The Homeland Security Department should conduct audits every other year of its program for collecting and publicizing computer security vulnerabilities, congressional investigators said Monday.

The department should also begin paying for the vulnerability log with a dedicated program funding line in its annual budget request rather than with ad hoc contract payments, leaders of the House Energy and Commerce Committee said in a letter to Homeland Security officials.

Since its inception in 1999, the government has funded the Common Vulnerabilities and Exposures, or CVE, program with a series of contract awards and modifications within a broader contract vehicle with MITRE, the federally-funded research center that manages the CVE program.

That scattershot funding model has forced CVE to focus on short-term goals rather than thinking long term, according to the letter from Energy and Commerce Chairman Greg Walden, R-Ore., and the Republican chairs of the committee’s oversight, technology and digital commerce panels.

The letter comes about 17 months after the committee began investigating reports that security researchers were waiting weeks or even months for MITRE to incorporate newfound vulnerabilities into the CVE register.

Those delays could lengthen the time that vulnerable organizations remain unaware of vulnerabilities and that malicious hackers could exploit them.

The CVE database essentially applies a common naming and numbering system to computer vulnerabilities so the myriad organizations that discover and patch computer vulnerabilities can be sure they’re talking about the same thing.

According to the committee’s review, CVE funding dropped an average of more than 35 percent year on year from 2012 through 2015 before spiking up by 139 percent in 2016. That funding also came through an erratic schedule of new contracts and modifications that never provided consistency for the program.

“A dedicated source of funding would mean the program’s goals would no longer be dominated by short-term projects that could be accomplished within the small window of time a single contract is active,” the letter states.

The letter also criticizes Homeland Security and MITRE for not doing enough analysis about the program's weaknesses even after a handful of 2016 press reports that highlighted a large backlog of vulnerabilities that hadn’t been assigned a number

Homeland Security and MITRE turned over all the analyses they had, but there wasn’t much there, the lawmakers said, adding that the “lack of documentation” was “revealing in and of itself.”

A Homeland Security spokesman declined to comment on the letter saying the department doesn’t comment on correspondence with the secretary as a matter of policy.