America’s cyber defenses are being dismantled from the inside – Source: go.theregister.com

Opinion We almost lost the Common Vulnerabilities and Exposures (CVE) database system, but that’s only the tip of the iceberg of what President Trump and company are doing to US cybersecurity efforts.

When it comes to technology security, let’s face it. We’re lame and we’re lazy. But we don’t normally go out of our way to make it worse. Until now. Until President Donald Trump and his cohort of tech minions, better known as Elon Musk’s Department of Government Efficiency (DOGE), took over.

You might think, if you’re outside the US, who cares? Unfortunately, whether you like it or not, the US has long taken the lead in technical security.

Take, for example, the fact that we almost lost the Common Vulnerabilities and Exposures (CVE) database. Anyone familiar with cybersecurity will have heard of the CVE. It’s the master list of essentially all security holes for the last 25 years.

As Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency (CISA), explained on LinkedIn: “It’s the global catalog that helps everyone – security teams, software vendors, researchers, governments – organize and talk about vulnerabilities using the same reference system.”

Without it, everyone is using a different catalog or no catalog at all, no one knows if they’re talking about the same problem, and defenders waste precious time figuring out what’s wrong. Worst of all, threat actors take advantage of the confusion.

How could such an important project go under? Easily. It wasn’t funded. The group that oversees the CVE, CISA, had been targeted for staff cuts of over a third of its employees. In addition, CISA employees were given until midnight Monday to choose between staying on the job or resigning. So it was that the decision to extend the MITRE CVE contract didn’t come until literally the 11th hour.

That contract will still run out in March 2026. Who knows if Trump et al will extend it again? Once upon a time, this kind of decision would be a no-brainer. I mean, all technology security, for better or worse, depends on the CVE system. Now? Your guess is as good as mine.

You can’t depend on guesses when it comes to security.

The Trump administration’s tenure, though, has already been marked by significant setbacks to US federal government technology security efforts, over and over again.

For example, General Timothy D. Haugh, the head of the National Security Agency (NSA) and US Cyber Command, was fired in early April. General Haugh was a pivotal figure in defending the nation’s cyber infrastructure, especially noted for countering Russian interference dating back to the 2016 election. His dismissal, along with the removal of other senior cyber officials, has significantly weakened the country’s cyber defense. Why? What was his offense? Laura Loomer, a far-right conspiracy theorist and Trump buddy, disliked him.

The administration has also systematically dismantled critical cybersecurity advisory bodies. Notably, the Cyber Safety Review Board (CSRB), established under the previous Biden administration to investigate major cyber incidents, was effectively disbanded by terminating all its members. This move halted investigations into significant cyberattacks, including the Chinese “Salt Typhoon” hacks.

Mind you, the Salt Typhoon attacks were also aimed at Trump and VP JD Vance, but for some reason, don’t ask me why, they don’t care. We already know that Trump is buddy-buddy with Russia, but China? The country he’s having a major trade war with? This makes no sense to me.

So, who should be in charge of protecting the US’s cyber resources? The state and local governments, would you believe?

According to Trump’s Achieving Efficiency Through State and Local Preparedness executive order: “Preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government. Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyberattacks, wildfires, hurricanes, and space weather.”

• It’s fun making Studio Ghibli-style images with ChatGPT – but intellectual property is no laughing matter
• Musk’s move fast and break things mantra won’t work in US.gov
• Windows 10’s demise nears, but Linux is forever
• Is it really the plan to take over Greenland and the Panama Canal? It’s been a weird week

Part of that clearly sets the stage for getting rid of the Federal Emergency Management Administration (FEMA), but space weather!? Cyberattacks!!? Do you know how few real IT security experts are out there? Do you think all 50 states can hire enough? I don’t. Oh, and let us not forget, cyberattacks aren’t only made against, say, North Carolina and West Virginia, they hit everyone, everywhere. Fifty different groups trying to cope with state-sponsored elite hacking teams is too stupid for words.

Oh, and did I mention? Earlier in his tenure, Trump had cut funding for cybersecurity-specific federal grant programs. So, good luck hiring top-flight security mavens to protect your home state.

Let’s also not forget the enemy inside. DOGE has access to sensitive federal systems. These include the Treasury Department’s payment systems and the Social Security System. It appears that this data had been copied to God alone knows where and can now be accessed by people without the right to see or use it.

So not only has America’s external cyber defenses been dismantled, but the data is out there for the greatest security attacks ever on individual citizens. 1.6 million people had their Social Security information stolen from an insurance company? That’s so penny-ante.

The US will suffer the most from these self-inflicted security wounds, but the entire world will feel the pain. “Buckle up, we’re in for a bumpy ride.” ®