Category Archives: Government and Regulation

A real chance to make CVE a true community program

This is something I always say – we have too few global, horizontal, community initiatives in cybersecurity. There are lots of private and commercial initiatives, but far fewer community ones.

The CVE program, run by MITRE, is running out of funding from the US government.
This event can be the trigger to change that: it is a golden opportunity for a change for the good of the industry.

This is a chance to turn it into a global program, not only a US-controlled one, funded by governments from around the world, plus core monetary support from the cybersecurity vendors and services giants who make billions of dollars out of cybersecurity and rely on CVE data.

“U.S. Govt. Funding for MITRE’s CVE Ends April 16, Cybersecurity Community on Alert”
https://thehackernews.com/2025/04/us-govt-funding-for-mitres-cve-ends.html

Law enforcement bodies ask social media to open end-to-end encryption (E2EE) for them

Interesting. Are these near-simultaneous publications a coincidence? I tend to doubt it.

Law enforcement bodies in both Europe and Australia have publicly turned to the private market, with a focus on social media, asking it to ease its end-to-end encryption (E2EE) so that law enforcement can read relevant data for law enforcement purposes.
 
In my view this is most likely one of two things:
1. Law enforcement has a real problem here.
2. Law enforcement has the ability to overcome end-to-end encryption (E2EE), so it uses these publications to pretend to be helpless against it, thereby building the criminals' and enemies' confidence that these platforms are safe for them, so that they act freely on them and the law enforcement bodies are able to spy on them.

If it is the first reason, then I think we are escalating towards a clash.
 
News article:
“Police Chiefs Call for Solutions to Access Encrypted Data in Serious Crime Cases”

The Europol post about it

The declaration (PDF file)

News article:
“The director general of Australia’s lead intelligence agency and the commissioner of its Federal Police yesterday both called for social networks to offer more assistance to help their investigators work on cases involving terrorism, child exploitation, and racist nationalism.”

Sad declaration

“There have been zero successful cyber-attacks on critical national infrastructures in the past year”

This is what Yigal Unna, the head of the National Cyber Directorate of Israel, declared at the CyberTech conference held last week in Israel. A stunning declaration, in my opinion.

I thought there is no 100% in information security (which is true for physical security as well). How can he know this for sure? Information security, and certainly as part of risk management, involves recognizing that there is never any certainty. You can always be attacked successfully; you may know about it as it happens, or you may never know. You always have to assume that at any given moment, in any part of your systems, you have already lost, because you know you don’t cover everything and can’t cover everything.

This is a statement in the style that prevailed before the Yom Kippur War. Smugness and arrogance have no place in our profession, and I believe that sooner or later they will run into the wall of reality and shatter.