I consulted with a DC old timer for insight into the letter, and his response was consistent with Tom’s.
As Tom mentioned, it is important to note that it is “not a subpoena or an investigation” and is basically just a “respectful request for information about a program they deem important for the health of the economy”.
Also, as Tom mentioned, E&CC does not have oversight responsibilities for DHS.
The details of the inquiry, and the timing, are still interesting.
Responses by Mitre and DHS to Congress are very important, and more transparency for the CVE Board would be great.
Just ask some of those bank boards how they felt about the incredible lack of transparency from management during the subprime mortgage crisis.
They discovered that they were basically ornamental and non-functional, and not privy to some critical management decisions.
While the CVE Board has always had an important role in the CVE Program, we do need to remember that we are not the primary manager or
sponsor of CVE. Consequently, we do not have an absolute right to know about every action of the manager or sponsor.
There are limits to our roles and responsibilities.
In this case, I do wish we had been notified by Mitre instead of learning about it from a 3rd party.
Remember though that it’s just a routine inquiry, and not a red flag signaling the imminent demise of CVE/funding.
From: owner-cve-editorial-board-list@lists.mitre.org
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent
Sent: Thursday, May 11, 2017 4:36 PM
To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>; Scott Lawler <scott.lawler@lp3.com>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: On the topic of MITRE/Board transparency
Brian,
I was aware if the activities last year but was not aware at all of this set if inquiries. I agree the Board should have been alerted as we could have sent supporting letters
describing the active state of the CVE program compared to the concerns of 14 months ago.
I agree with you Brian and really appreciate you bringing it to our attention.
Now that this is not a private matter, what can we do to assist? I expect we will be alerted to these situations in the future. CVE is too important for massive disruptions,
especially while we are actually making real progress.
I hope the answers to the questions were complete and satisfactory from MITRE but since DHS has not responded, I would not be surprised if some committee chair wanted to see
a few MITRE / Board members in person.
Thoughts?
--
Kent Landfield
817-637-8026
kent_landfield@mcafee.com
This is the same committee we talked to last spring after DWF and CVE started making the news, and they are being diligent and following up to learn more about how we, and MITRE, manage the CVE program.
I believe MITRE's response has already been sent to the Committee. It is now the Committee's decision whether to release that to the public.
DHS is still preparing our response, which is quite comprehensive. To the due date for the responses - this is not a subpoena or an investigation, these are questions. Energy & Commerce Committee does not have oversight responsibilities
for Homeland Security, so this is a respectful request for information about a program they deem important for the health of the economy.
I share the concerns about more transparency being needed. That's a pretty clear issue.
However, there's also another side of the coin to consider. The Board is here to help MITRE respond to requests like this too.
Personally, I'll commit some time to help craft the response to Congress if needed. At a minimum, we can help edit a rough draft provided by MITRE. Did MITRE already respond to this request or
not?
Just let us know what you need and we will help.
Scott
Brian, thank you for bringing this to our attention.
Chris, thanks for the reply.
As Brian emphasized, this is a very significant issue. Considering the
prominence of other current Congressional and TLA investigations that
involve internet security, this appears to be a momentous issue for CVE.
I do have a few questions, for Mitre and Brian:
1) Why was the board never notified directly by Mitre? That letter is
from March 31.
2) Why has Mitre not responded to Congress yet? The due date was
2017-04-13 at the latest.
3) When do you anticipate responding to Congress?
4) Has Mitre received anything like this before from any US government
agency?
5) Brian, can you provide the name of the CNA who brought this to your
attention, and the circumstances?
Regards,
Ken Williams
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of Coffin, Chris
> Sent: Thursday, May 11, 2017 11:52 AM
> To: jericho <jericho@attrition.org>
> Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: On the topic of MITRE/Board transparency
>
> Brian,
>
> Congress sent an inquiry to both MITRE and DHS regarding CVE. This
> request is a matter of public record. We assume the responses from both
> MITRE and DHS will also be a matter of public record. MITRE has not yet
> transmitted its response to Congress. Once the response is transmitted,
> should Congress make it public, all members of the general public will
> be able to review it, including any member of the Board.
>
> More importantly, MITRE looks forward to working with our colleagues to
> sustain the tremendous progress the program has made over the past 15
> months: implementing a federated program structure including a new
> governance and operational model; building upon and improving the CNA
> rules and implementation of them; recruitment of new CNAs; improving
> CVE-in-a-Box artifacts; improving data exchange; expanding
> internationally; and continuing bimonthly collaborative sessions and
> working groups with our Board colleagues, the CNAs, and the greater CVE
> community.
>
> Thank you for your ongoing feedback and please keep providing it.
>
> Regards,
>
> The CVE Team
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of jericho
> Sent: Thursday, May 11, 2017 1:55 AM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: On the topic of MITRE/Board transparency
> Importance: High
>
> MITRE,
>
> My last mail regarding the Google/robots.txt issue demonstrates that
> MITRE is not as transparent as they should be with the board. This is
> hardly the first time such an issue has come up. Like the "3000+
> rejected" notice we received yesterday, that many had a problem with,
> and NVD spoke up about, there have been previous incidents:
>
> Very Important Message for the Editorial Board [1]
>
> The world has changed significantly since CVE was released in 1999,
> and
> we are moving out rapidly to satisfy the needs of security
> researchers
> who need ready access to vulnerability IDs. To that end, MITRE will
> begin a pilot program to address rapid-response CVE-IDs on Monday,
> 21
> March 2016. We wish to underscore that this is in no way an attempt
> to
> circumvent the Editorial Board but is rather an experimental step
> toward the federated vulnerability ID methodology that the community
> has been discussing over the past several years. We will work
> closely
> with the Board to evaluate the results of the pilot and to work
> together to develop a long-term solution that continues to expand
> coverage moving forward.
>
> Details of the pilot program are provided in the Press Release
> below,
> which will be published to the CVE-ANNOUNCE email list and to the
> CVE
> web site later today. It is important to note that this approach was
> chosen to avoid any conflict with the existing CVE process as it is
> currently operating, and that the IDs issued under the federated
> scheme
> during the pilot will not be analyzed and incorporated into the CVE
> list or feeds. There will be no effect on external operations; all
> in-scope vulnerabilities will be handled as they are now.
>
> If we recall, this decision was not brought to the board at all. Once
> the Board learned of it, there was immediate question and criticism [2].
> Only after that did MITRE first say they would like to discuss the
> issue/change with the board [3].
>
> In that spirit, after showing two times where MITRE was clearly not
> transparent, the first on an annoyance and the second on an industry-
> impacting change, I would like to bring to the Board's attention
> another. This one may be more critical than any we have seen.
>
> On 2017-04-10, in one of my *many* mails to CVE that are done outside of
> the board list, usually challenging them on breaking their own policies,
> auditing the declining quality of CVE assignments, or similar issues, I
> brought up a 'small' point in one of those emails. The relevant bit can
> be found at the end of this email.
>
> The important part is that I called MITRE out for what is arguably the
> biggest event in CVE's history as far as "no confidence" and concern
> over the management of CVE. The fact that I had to hear about it from a
> CNA is interesting, as this should have been brought to the board's
> attention immediately by MITRE. When I brought it up in email, I told
> them that i expected a mail to the board with MITRE's statement two days
> later.
>
> Instead, MITRE opted NOT to bring it to the board's attention. Instead,
> they replied to my very long mail that took over an hour to write,
> detailing numerous examples to back my statements showing that CVE was
> failing to adhere to their own abstraction rules, as well as other
> rules, by saying:
>
> First, you bring up a number of things in your message which are all
> important and all should be discussed fully and transparently. We
> encourage you to share this message with the Board so we can discuss
> it
> with the whole Board's input. We can also forward it along, if
> you're
> prefer to begin the conversation.
>
> We encourage you to share this message with the Board so we can
> discuss
> it with the whole Board's input.
>
> Since I clearly stated "I expect a mail to the Board and CNA list no
> later than Wednesday about this", note both the board *and* CNA list,
> their deferral to have me bring it up on list is unacceptable.
> Especially given the severity of the topic. I waited several weeks for
> them to bring it up on their own, and they did not.
>
> Quite simply, this is a lack of transparency in a tax-payer funded,
> government run initiative that impacts the entire IT industry. This is
> not acceptable, and we all deserve better.
>
> So I am formally requesting, on list, that all correspondence between
> MITRE and Congress be sent to the list as well. Any correspondence is
> subject to FOIA and is not privileged, like many other aspects of
> MITRE's management of CVE (e.g. exact budgets, salaries, expenditures).
> Given your past claims of wanting to be transparent, this is your chance
> to restore some faith in that claim.
>
> Brian
>
> [1] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00017.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=aCoKdNwykRoiEMq0lnqIgVHWqNXhzNq-xnn2GpdBWys&e=
> [2] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00016.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=JWjMmLx-L61CmWQl1cCnUj67YkHR1kncbOGKFFnynDE&e=
> https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00015.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=00xbdZ9B_E4GFpS4YFnao3gaCt1huNh5U4KxYoOAfAU&e=
> [3] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00019.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=ml4hx2EOzFBfqSbQJDHj4pX6woTKkC7QHXUd7xY0qwU&e=
>
> ---------- Forwarded message ----------
> From: jericho <jericho@attrition.org>
> To: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
> Cc: "Coffin, Chris" <ccoffin@mitre.org>,
> Common Vulnerabilities & Exposures <cve@mitre.org>
> Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)
>
> [..]
>
> https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__energycommerce.house.gov_news-2Dcenter_letters_letters-2Ddhs-2Dand-
> 2Dmitre-2Dregarding-2Dperformance-2Dcritical-2Dcyber-
> 2Ddatabase&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=l-J7rV1ZzoHVAw6bGtMV7K-riNINXXRdzizOrIxsUcA&e=
>
> Congress is investigating MITRE and the deficiency. That is pretty big
> news, and I missed this completely until a CNA brought this to my
> attention. They sat on it for three days before they told me and started
> asking question.
>
> Think about the above please.
>
> And now that it has been brought up, I expect a mail to the Board and
> CNA list no later than Wednesday about this. The Board deserves an
> official reply from MITRE addressing these concerns. At least one CNA is
> concerned about this, and unwilling to take their concerns to MITRE
> directly. We all deserve to know what is going on.
>
> [..]
|