Photo credit: Illustration by WhoWhatWhy from CISA / Wikimedia (PD) , Cliff Hang / Pixabay, and CVE / Wikimedia.

Welcome to Saturday Hashtag, a weekly place for broader context.


The US just barely avoided a cybersecurity meltdown that no one knew about. And it could happen again. 

In April 2025, the Common Vulnerabilities and Exposures Program (CVE) — which tracks global software flaws — was hours from shutdown due to GOP gridlock when it was given an emergency 11-month extension just before the deadline.

Run by the MITRE Corp., a nonprofit that operates federally funded research and development centers, and funded by the Cybersecurity and Infrastructure Security Agency (CISA), CVE gives every publicly disclosed software flaw a single identifier that vendors, scanners, and defenders all use. That shared label is what lets hospitals, power grids, businesses, and transport operators tell which fix applies to which flaw. Without it, advisories stop lining up, patches are delayed, and attackers gain the advantage.
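To make the "single identifier" point concrete, here is an added example (not code from the article, MITRE, or CISA). It takes a handful of constructed, fictional records of the kind a defender actually receives, a vendor advisory, scanner findings, and a Known Exploited Vulnerabilities (KEV) feed entry, extracts and validates the CVE IDs in them, and joins them on that ID to produce a patch queue. The hostnames, product versions, and CVE numbers are invented; the ID syntax (CVE, four-digit year, four or more digits) is the real one.

```python
"""Added example: the CVE ID as the join key across vulnerability data sources.

All records below are constructed for illustration; none refers to a real advisory.
"""
import re
from collections import defaultdict

# CVE ID syntax: CVE-<4-digit year>-<4 or more digits>. Since 2014 the sequence
# part is not capped at four digits, so a pattern like \d{4} would silently drop
# IDs such as CVE-2024-123456.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text: str) -> list[str]:
    """Return the unique CVE IDs in `text`, normalised to upper case, in order.

    The CVE program started in 1999, so an earlier year cannot be a valid ID and
    is rejected rather than becoming a false match.
    """
    found: list[str] = []
    for year, seq in CVE_RE.findall(text):
        if not 1999 <= int(year) <= 2100:
            continue
        cve = f"CVE-{year}-{seq}"
        if cve not in found:
            found.append(cve)
    return found


# Constructed records (fictional hosts, versions and CVE numbers).
RECORDS = [
    {"source": "vendor-advisory", "host": None,
     "text": "Patch 4.2.1 fixes CVE-2025-12345 (remote code execution in the admin API)."},
    {"source": "scanner", "host": "hmis-db-01",
     "text": "CRITICAL: cve-2025-12345 detected, remediation: upgrade to 4.2.1"},
    {"source": "scanner", "host": "pump-ctrl-07",
     "text": "HIGH: CVE-2024-0001 and CVE-2025-12345 present on outdated firmware"},
    {"source": "kev-feed", "host": None,
     "text": "CVE-2024-0001 added to Known Exploited Vulnerabilities catalog"},
    {"source": "scanner", "host": "web-03",
     "text": "INFO: reference CVE-1998-0001 is malformed and should be ignored"},
]


def correlate(records):
    """Group records by CVE ID: {cve: {"sources": set, "hosts": set}}.

    A vendor's patch note and a scanner finding only meet here because both
    used the same identifier for the same flaw.
    """
    by_cve = defaultdict(lambda: {"sources": set(), "hosts": set()})
    for rec in records:
        for cve in extract_cve_ids(rec["text"]):
            by_cve[cve]["sources"].add(rec["source"])
            if rec["host"]:
                by_cve[cve]["hosts"].add(rec["host"])
    return dict(by_cve)


def patch_queue(records):
    """Return [(cve, sorted hosts, known_exploited)], exploited flaws first.

    known_exploited is True when the KEV feed mentioned the CVE; a defender
    would patch those hosts before the rest.
    """
    queue = []
    for cve, info in correlate(records).items():
        exploited = "kev-feed" in info["sources"]
        queue.append((cve, sorted(info["hosts"]), exploited))
    queue.sort(key=lambda item: (not item[2], item[0]))
    return queue


if __name__ == "__main__":
    for cve, hosts, exploited in patch_queue(RECORDS):
        flag = "EXPLOITED" if exploited else "fix available"
        print(f"{cve:16} {flag:14} {', '.join(hosts)}")
```

The malformed `CVE-1998-0001` record is dropped rather than treated as a distinct flaw, and the lower-case `cve-2025-12345` from the scanner is matched to the vendor's upper-case advisory; that normalisation is the whole value of the program the article describes, and it is exactly what disappears if identifiers stop being assigned centrally.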

MITRE warned that a lapse in funding would mean a break in service for vulnerability tracking, with downstream effects on every database and advisory that builds on CVE IDs. This is the same system that enabled the coordinated response to the SolarWinds breach disclosed in December 2020.

This near miss exposes a bigger problem. CISA has been gutted under the Trump administration. Since early 2025, large numbers of staff have been pushed out, and the agency has lost its most experienced leaders: Jen Easterly departed with the change of administration, and Chris Krebs, fired by Trump in 2020, was singled out again by a presidential memorandum in April 2025. The Cyber Safety Review Board, modeled on the NTSB, had its members dismissed in January 2025 and has effectively been dismantled.

Budget cuts hit hard. Although the 2025 defense bill initially included crucial cybersecurity provisions, last-minute amendments slashed the proposed funding. The Trump administration’s fiscal 2026 budget proposal calls for a $495 million cut to CISA, reducing its allocation to $2.38 billion and its workforce by nearly 30 percent.

Cisco, a global leader in networking and digital communications, reports in its 2025 Cybersecurity Readiness Index that only 4 percent of organizations worldwide reach a mature level of readiness, even as AI-driven phishing, ransomware, and state-sponsored attacks have surged by 149 percent.

The US vulnerabilities are already clear:

  • IT Services & Enterprise Operations: Ingram Micro (July 2025), a major IT distributor, suffered a ransomware attack that disrupted internal systems and order processing.
  • Cloud Health Care & Patient Data: Yale New Haven Health (April 2025) saw 5.5 million patient records exposed.
  • Services & Supply Chains: The Snowflake breach (mid-2024) impacted over 160 organizations, including AT&T and Ticketmaster.
  • Public Utilities & Critical Infrastructure: At the Oldsmar, FL, water treatment plant (2021), an intruder reportedly tried to raise the level of sodium hydroxide (lye) in the water supply, showing how easily public utilities can be targeted.
  • Energy & Fuel Distribution: Colonial Pipeline (May 2021), the largest US fuel pipeline, was hit by a Russia-linked ransomware attack, forcing a five-day shutdown and disrupting 45 percent of the East Coast’s fuel supply.

Experts are alarmed:

  • Bruce Schneier: The CVE program is one of those pieces of common infrastructure that everyone benefits from. Losing it will bring us back to a world where there’s no single way to talk about vulnerabilities. 
  • Katie Nickels: Defunding essential cybersecurity programs like CVE leads to delayed patches, erratic vulnerability disclosures, and a collapse of trust across the internet.
  • Electronic Frontier Foundation: Without robust support for vulnerability tracking programs like CVE, it becomes harder to hold companies and governments accountable for protecting users. 

Cybersecurity isn’t just tech; it’s coordination, trust, and leadership. And that’s what’s being dismantled. The next breach won’t happen because we lacked tools, but because we fired, defunded, or ignored the people who knew how to use them. 

What must happen now: 

  • Congress must secure permanent CVE funding. 
  • CISA must be rebuilt as an independent, expert-led agency. 
  • There must be accountability for those weakening our cyber defenses.
  • Investigations into legislators voting to defund this essential program are needed. 

We got lucky in April. In a few GOP-led months, it might be a very different story.

‘Stupid and Dangerous’: CISA Funding Chaos Threatens Essential Cybersecurity Program

From Wired: “The CVE Program is the primary way software vulnerabilities are tracked. Its long-term future remains in limbo even after a last-minute renewal of the US government contract that funds it.”

Trump Is Shifting Cybersecurity to the States, But Many Aren’t Prepared

From Stateline: “Only 22 of 48 states in a Nationwide Cybersecurity Review met recommended security levels.”

Cyberattack Risk? DOGE Cuts May Have Left the US More Vulnerable, Experts Warn

The author writes, “On June 22, 2025, the Department of Homeland Security released a security bulletin warning that the ‘ongoing Iran conflict’ has led to a ‘heightened threat environment.’ DHS believes that cyberattacks from ‘pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.’ However, the federal workers hired to protect the public and the government from attacks of this nature have been targeted by ‘department of government efficiency’ and the administration’s larger effort to reduce the size of the federal workforce.”

Trump Drops A Cybersecurity Bombshell With Biden-Era Policy Reversal

The author writes, “Less than 24 hours after his public feud with Elon Musk, President Trump issued a new cybersecurity executive order on June 6, introducing major revisions to the Biden administration’s final cybersecurity directives. The order not only modifies key elements of Biden’s January 2025 framework but also signals a broader realignment of federal cybersecurity priorities. It shifts focus away from federal digital identity initiatives and revises compliance-heavy software security mandates.”

DOGE Is Hacking America

From Foreign Policy: “In the span of just weeks, the U.S. government has experienced what may be the most consequential security breach in its history — not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national security are profound.”

Cyber Threats Abound as Trump Guts Cyber Agencies

From Politico: “The mood is grim at the nation’s cybersecurity agencies after weeks of major MAGA-fueled upheavals in leadership and job cuts — all as the country faces an ongoing onslaught of cyberattacks by foreign adversaries.”

Judge Says US Treasury ‘More Vulnerable to Hacking’ Since Trump Let the DOGE Out

The author writes, “Trump administration policies that allowed Elon Musk’s Department of Government Efficiency to access systems and data at the Bureau of the Fiscal Service (BFS) have left the org ‘more vulnerable to hacking,’ according to federal Judge Paul A. Engelmayer in New York City. Judge Engelmayer used that phrase in an order filed on Feb. 8 in the case of State of New York et al. v. Trump et al., which saw 19 state attorneys general argue that allowing the Trump-blessed, Elon Musk-led Department of Government Efficiency to access systems and data at the Bureau of the Fiscal Service (BFS) broke at least one law and violates the US Constitution, among other legal errors.”