GCVE launches as a decentralized system for tracking software vulnerabilities

By: Greg Otto
21 January 2026 at 16:30

A European cybersecurity organization has launched a decentralized system for identifying and numbering software security vulnerabilities, introducing a fundamental shift in how the global technology community could track and manage security flaws.

The Global CVE Allocation System, or GCVE, will be maintained by The Computer Incident Response Center Luxembourg (CIRCL) as an alternative to the traditional Common Vulnerabilities and Exposures program, which narrowly avoided shutdown last April when the Cybersecurity and Infrastructure Security Agency initially failed to renew its contract with MITRE, the nonprofit that operates the CVE system. A last-minute extension averted immediate collapse, but the near-miss exposed the 25-year-old program’s dependence on a single funding source and triggered development of competing models.

Unlike the traditional CVE system, which relies on a centralized structure for assigning vulnerability identifiers, GCVE introduces independent numbering authorities that can allocate identifiers without seeking blocks pre-allocated from a central body or adhering strictly to centrally enforced policies. Each approved numbering authority receives a unique numeric identifier that becomes part of the vulnerability identification format, allowing organizations to assign identifiers at their own pace and define their own internal policies for vulnerability identification.

The system maintains backward compatibility with the existing CVE infrastructure through a technical accommodation. All existing and future standard CVE identifiers are represented within the GCVE system using the reserved numbering authority designation of zero. A vulnerability identified as CVE-2023-40224 in the traditional system can be represented as GCVE-0-2023-40224, allowing the new framework to coexist with established practices without disrupting existing databases and tools.
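The compatibility mapping described above, as an added example that is not CIRCL's or CyberScoop's code: a normalizer that folds both spellings into one key so mixed tool output deduplicates. The all-numeric `GCVE-<authority>-<year>-<sequence>` grammar is an assumption generalized from the article's single example, and the scanner names and sample identifiers are constructed.

```python
import re

# Assumed grammar, generalized from the article's example GCVE-0-2023-40224:
# GCVE-<authority>-<year>-<sequence>, with every component numeric.
_CVE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)
_GCVE = re.compile(r"GCVE-(\d+)-(\d{4})-(\d+)", re.IGNORECASE)
CVE_AUTHORITY = 0  # reserved designation for standard CVE identifiers

def parse(identifier):
    """Return (authority, year, sequence) or raise ValueError."""
    text = identifier.strip()
    m = _CVE.fullmatch(text)
    if m:
        return (CVE_AUTHORITY, int(m.group(1)), m.group(2))
    m = _GCVE.fullmatch(text)
    if m:
        return (int(m.group(1)), int(m.group(2)), m.group(3))
    raise ValueError(f"not a CVE or GCVE identifier: {identifier!r}")

def to_gcve(identifier):
    """Canonical GCVE form; the sequence stays a string to keep leading zeros."""
    authority, year, seq = parse(identifier)
    return f"GCVE-{authority}-{year}-{seq}"

def to_cve(identifier):
    """Legacy CVE form, or None when another authority issued the identifier."""
    authority, year, seq = parse(identifier)
    return f"CVE-{year}-{seq}" if authority == CVE_AUTHORITY else None

def merge_findings(findings):
    """Group (source, identifier) pairs by canonical form; collect rejects."""
    merged, rejected = {}, []
    for source, identifier in findings:
        try:
            key = to_gcve(identifier)
        except ValueError:
            rejected.append((source, identifier))
            continue
        merged.setdefault(key, set()).add(source)
    return merged, rejected

# Constructed sample: two tools reporting the same flaw under both spellings.
SAMPLE = [
    ("scanner-a", "CVE-2023-40224"),
    ("scanner-b", "gcve-0-2023-40224"),
    ("scanner-b", "GCVE-9999-2025-0001"),  # constructed non-zero authority
    ("scanner-a", "CVE-2023-4O224"),       # letter O typo, must be rejected
]
```

Identifiers from a non-zero authority have no CVE equivalent, so a tool that keys only on `CVE-` strings silently drops them; `to_cve` returning `None` makes that case explicit.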

The system’s emergence reflects broader concerns about the CVE program’s governance and sustainability. The April funding crisis occurred less than a month after MITRE celebrated the program’s 25th anniversary, creating what several experts described as panic among cybersecurity defenders who rely on CVE identifiers as the foundation for tracking, disclosing, and remediating software vulnerabilities. The near-shutdown followed a separate 2024 funding crisis at the National Institute of Standards and Technology, which stopped providing critical metadata for many vulnerabilities due to budget shortfalls. In May of last year, the Department of Commerce’s inspector general launched an audit of that program. The office told CyberScoop the audit will be “completed this summer.”

The GCVE system fits within the European Union’s cybersecurity infrastructure, which includes the EU Computer Security Incident Response Teams network coordinated by the European Union Agency for Cybersecurity. ENISA operates the European Union Vulnerability Database, which relies on CIRCL’s vulnerability-lookup software. 

Organizations seeking to become GCVE numbering authorities can apply by contacting CIRCL, with existing CVE numbering authorities and organizations meeting eligibility criteria able to provide basic organizational information similar to the format used in the numbering authority directory file. The approach allows for expansion while maintaining coordination through the central registry.

Following last year’s funding crisis, the CVE Foundation formed as a U.S.-based nonprofit seeking to establish private-sector and multi-government funding for vulnerability tracking, with treasurer Pete Allor stating that financial backers are close to being announced and the foundation could be operational by the end of 2025. CISA published its own reform vision in September, outlining plans to expand participation, diversify funding, and improve data quality, though several experts said the agency has not reached out to organizations developing alternative systems. The Institute for Security and Technology released a separate proposal in October calling for creation of a Global Vulnerability Catalog that would build upon the existing CVE program with expanded governance and diverse funding while maintaining U.S. government involvement.

UPDATE, 1/22/26: This story has been updated with comment from the Department of Commerce’s Inspector General’s office.

The post GCVE launches as a decentralized system for tracking software vulnerabilities appeared first on CyberScoop.

NIST, MITRE announce $20 million research effort on AI cybersecurity

By: djohnson
22 December 2025 at 17:08

The National Institute of Standards and Technology announced that it will partner with The MITRE Corporation on a $20 million project to stand up two new research centers focused on artificial intelligence, including how the technology may impact cybersecurity for U.S. critical infrastructure.

On Monday, the agency said one center will focus on advanced manufacturing while the second — the AI Economic Security Center to Secure U.S. Critical Infrastructure from Cyberthreats — will focus more directly on how industries that provide water, electricity, internet and other essential services can protect and maintain services in the face of AI-enabled threats. According to NIST, the centers will “drive the development and adoption” of AI-driven tools, including agentic AI solutions.

“The centers will develop the technology evaluations and advancements that are necessary to effectively protect U.S. dominance in AI innovation, address threats from adversaries’ use of AI, and reduce risks from reliance on insecure AI,” spokesperson Jennifer Huergo wrote in an agency release.

The two centers are part of a larger federal government investment to create federally funded AI research centers at NIST, some of which predated the Trump administration.

Earlier this year the White House overhauled the name and mission of the AI Safety Institute, rebranding it the Center for AI Standards and Innovation, a change that mirrored the administration’s broader shift away from AI safety issues while prioritizing American competition with China. Next year NIST plans to make another award for the creation of a new AI for Resilient Manufacturing Institute, a five-year, $70 million federal investment to combine expertise in AI, manufacturing and supply chain networks and promote resilience in the manufacturing sector.

AI boosters in the government, industry and Congress are betting that more federal muscle behind these applications will lead to innovation for U.S. AI projects. Huergo wrote that NIST “expects the AI centers to enable breakthroughs in applied science and advanced technology.”

Acting NIST Director Craig Burkhardt said the centers will collectively “focus on enhancing the ability of U.S. companies to make high-value products more efficiently, meet market demands domestically and internationally, and catalyze discovery and commercialization of new technologies and devices.”

CyberScoop reached out to NIST for additional details on the centers and their work.

In response to further questions, Brian Abe, managing director of the national cybersecurity division at MITRE, told CyberScoop that the nonprofit corporation is bringing “all of MITRE to bear” to carry out the mission of the centers. He said the goal is to make an exponential impact on U.S. manufacturing and critical infrastructure cybersecurity within three years.

“We will also leverage the full range of MITRE’s lab capabilities such as our Federal AI Sandbox,” said Abe. “More importantly, we will not be doing this alone. These centers will be a true collaboration between NIST and MITRE as well as our industry partners.”

Nearly every source contacted by CyberScoop for reaction said they supported broader collaboration from government and industry on AI security and critical infrastructure.

Many industrial sectors have been pummeled by ransomware, foreign hacking and other digital threats over the past decade. The speed and scale advantages provided by large language models could put more stress on IT and security teams, many of whom already deal with chronically underfunded budgets.

Randy Dougherty, CIO of Trellix, told CyberScoop that by focusing on cybersecurity for critical infrastructure, “NIST is tackling the ‘high-stakes’ end of the AI spectrum where accuracy and reliability are non-negotiable.”

Some sources said it was important for any effort to invite stakeholders from the industries they’re trying to protect and ensure their input is included.

Gary Barlet, public sector chief technology officer at cybersecurity company Illumio, flagged two sectors in particular – water and power – that are essential to most modern critical services, saying that securing their IT, OT and supply chains should be among the center’s first priorities.

But in order to help, Barlet said that NIST and the government must ensure those sectors have a meaningful seat at the table and can translate any research insights into workable solutions. Getting those parties on board will be crucial because, he said, those are the people “who will be answering to Congress if something goes wrong, not the AI developers.”

“Too often, these centers are built by technologists for technologists, while the people who actually run our power grids, water systems, and other critical infrastructure are left out of the conversation,” Barlet said.

The post NIST, MITRE announce $20 million research effort on AI cybersecurity appeared first on CyberScoop.
