The National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST), plays a pivotal role in cybersecurity. It is not just a repository but the backbone of vulnerability management across the globe. However, recent disruptions have raised concerns about the reliability and responsiveness of the NVD.
Last week, over 50 distinguished cybersecurity professionals united to pen an open letter to Congress and Secretary of Commerce Gina Raimondo, highlighting urgent issues within the NVD and calling for immediate actions to address these concerns. This collective action underscores the strength and necessity of community in security. You can also read the entire letter here.
A Vulnerable State
Over the past months, the NVD has processed only a fraction of the Common Vulnerabilities and Exposures (CVEs) received this year. This year so far, the NVD has received over 10,000 CVE submissions and only processed 4,355 of these. From March 1st until now, a mere 245 CVEs have been processed, and what were initially described as 'temporary delays' have now extended nearly two months.
Patrick Garrity has been doing great visualizations to show the staggering number of unprocessed CVEs:
Patrick Garrity 👾🛹💙
This backlog hinders the effectiveness of vulnerability management across the globe and poses a significant risk to national and global security. The recent letter highlights that crucial metadata essential for evaluating threats has been absent from the NVD's entries since mid-February. This lapse disrupts the ability of organizations to prioritize and address vulnerabilities effectively.
Community Over Competition
What stands out most in this urgent call to action is the remarkable unity displayed by the cybersecurity community. In a landscape often dominated by commercial interests that tend to fragment our efforts, it is significant that over 50 cybersecurity experts chose to stand together in support of the National Vulnerability Database (NVD). This decision to rally behind a communal resource, rather than developing separate commercial products that could potentially compete with the NVD, speaks volumes about the community’s dedication to collective security.
This unified approach is especially crucial in an environment where the effectiveness of cybersecurity measures depends heavily on the sharing of accurate, timely, and comprehensive vulnerability data. By maintaining a central, trusted platform like the NVD, the community ensures that all stakeholders—regardless of their individual capabilities or resources—have access to the same critical information. This level of collaboration and mutual support is what allows us to anticipate and mitigate threats more effectively, ultimately enhancing the security landscape at a global level.
Furthermore, this solidarity is a powerful reminder that when it comes to safeguarding our digital world, we are stronger together. It reaffirms the principle that in the realm of cybersecurity, community-driven solutions are not only beneficial but necessary for facing the complex challenges of today’s digital ecosystem. The collective commitment to the NVD exemplifies how cooperation can transcend competitive instincts, fostering a more secure and resilient cyber environment for everyone.
Calls for Modernization
The open letter doesn’t just highlight problems; it also proposes solutions. It urges Congress to:
- Restore NVD operations immediately, suggesting that NVD should temporarily operate as a pass-through for data from CVE Numbering Authorities (CNAs) to minimize disruptions.
- Establish a comprehensive plan to address the backlog of vulnerabilities and improve NVD processes with stakeholder involvement.
- Secure sustained funding to ensure the NVD operates without interruptions, treating it as a critical infrastructure. Critical Infrastructure is a key term in the US government, which would place the NVD properly in a place where this type of disruption wouldn’t be possible again.
Moving Forward
As we navigate the challenges faced by the NVD, it's crucial for the cybersecurity community to harness our collective strength and remain unified in our approach. The overwhelming response to the open letter to Congress is a testament to the power of community in security. By coming together, we can amplify our voice and influence necessary changes more effectively.
In advocating for the NVD, we are not just addressing a technical failure, but rallying around a cause that affects the security infrastructure upon which the global community relies. The immediate task is to restore the NVD's functionality to prevent security lapses. However, we must also champion for an overhaul that ensures long-term reliability and effectiveness.
The call for modernization includes immediate operational restorations and strategic enhancements. It emphasizes the need for sustained funding and operational independence, ensuring the NVD remains a robust and dependable resource. This collective endeavor underscores the notion that while individual efforts are vital, our strength truly lies in our ability to work together.
This moment should serve as a catalyst for reinforcing our commitment to collective action and shared responsibility in cybersecurity. Let's continue to support the NVD and ensure it not only returns to its crucial role but is also fortified to meet future challenges. Together, we can turn this crisis into a pivotal moment for strengthening global cybersecurity measures.
The Full Letter
To read the full letter, I've included it below:
