CVE Program Saved, CISA Nomination Blocked, OpenAI's AI Models Released, SolarWinds Goes Private


The U.S. government has renewed funding for the Common Vulnerabilities and Exposures (CVE) Program, a critical database for tracking cybersecurity flaws, just hours before its funding was set to expire. Established 25 years ago, the CVE program assigns unique identifiers to security vulnerabilities, facilitating consistent communication across the cybersecurity landscape. The renewal of funding comes amid concerns that without it, new vulnerabilities could go untracked, posing risks to national security and critical infrastructure. In response to the funding uncertainty, two initiatives emerged: the CVE Foundation, a nonprofit aimed at ensuring the program's independence, and the Global CVE Allocation System, a decentralized platform introduced by the European Union.

In addition to the CVE funding situation, Oregon Senator Ron Wyden has blocked the nomination of Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency (CISA) due to the agency's refusal to release a crucial unclassified report from 2022. This report details security issues within U.S. telecommunications companies, which Wyden claims represent a multi-year cover-up of negligent cybersecurity practices. The senator argues that the public deserves access to this information, especially in light of recent cyber threats, including the Salt Typhoon hack that compromised sensitive communications.

The cybersecurity landscape is further complicated by significant layoffs at CISA, which could affect nearly 40% of its workforce, potentially weakening U.S. national security amid rising cyber threats. Recent cuts have already impacted critical personnel, including threat hunters, which could hinder the agency's ability to share vital threat intelligence with the private sector. Meanwhile, the Defense Digital Service at the Pentagon is facing a mass resignation of nearly all its staff, following pressure from the Department of Government Efficiency, which could effectively shut down the program designed to accelerate technology adoption during national security crises.

On the technology front, OpenAI has released new AI reasoning models, o3 and o4-mini, but notably did not provide a safety report for the new GPT-4.1 model, raising concerns about transparency and accountability in AI development. The lack of a safety report is particularly alarming as AI systems become more integrated into client-facing tools. Additionally, SolarWinds Corporation has been acquired by Turn/River Capital, prompting managed service providers (MSPs) to reassess their dependencies on SolarWinds products and consider the implications for product roadmaps and support guarantees.

Four things to know today

00:00 From Panic to Pivot: U.S. Saves CVE Program at the Eleventh Hour

04:17 A Cybersecurity Meltdown: One Senator Blocks, Another Leader Quits, and a Whole Pentagon Team Walks Out

08:54 OpenAI Just Leveled Up AI Reasoning—But Left Out the Fine Print

11:45 SolarWinds Is Private Again: What That Means for MSPs Watching the Roadmap

[00:00:02] It's Thursday, April 17th, 2025, and I'm Dave Sobel. Four things to know today. From panic to pivot, the US saves the CVE Program at the 11th hour. A cybersecurity meltdown, one senator blocks, another leader quits, and a whole Pentagon team walks out. OpenAI just leveled up AI reasoning but left out the fine print. And SolarWinds is private again, what that means for MSPs watching the roadmap. This is the Business of Tech.

[00:00:32] I took the morning off yesterday for personal reasons and so didn't publish the Daily News Pod, and I hope you enjoyed the interview with Peter Kujawa diving into compensation instead. And this first story managed to play out entirely in that time. The US government's funding for the Common Vulnerabilities and Exposures Program, or CVE, a critical database for tracking security flaws, was set to expire on April 16th. Established 25 years ago, the program assigns unique identifiers

[00:01:02] to security vulnerabilities, enabling consistent communication across the cybersecurity landscape. Without renewed funding, experts warned that new vulnerabilities may go untracked, risking national security and critical infrastructure. The funding loss coincides with expected budget cuts at the Cybersecurity and Infrastructure Security Agency, which partners with MITRE on the program. The US government indicated that it would not renew the contract with MITRE.

[00:01:28] In response, two key initiatives emerged. The CVE Foundation, a new nonprofit aimed at ensuring the program's independence, and the Global CVE Allocation System, a decentralized platform introduced by the European Union.

[00:01:43] The CVE Foundation was launched on April 16th to eliminate reliance on government funding and promote global collaboration, emphasizing the need for a sustainable model. Meanwhile, the Global CVE Allocation System empowers independent authorities to assign vulnerability identifiers, enhancing flexibility and scalability.

[00:02:02] The Trump administration then decided to continue funding the Common Vulnerabilities and Exposures Program, ensuring no interruption in its critical cybersecurity services. The US Cybersecurity and Infrastructure Agency confirmed that it executed the contract option to maintain these services. The CVE Foundation, which aimed to transition the program into a nonprofit entity, has yet to clarify its future now that the government's support has been renewed.

[00:02:28] Why do we care? This story highlights a real-time stress test of our cybersecurity ecosystem's foundational dependencies and shows how close we came to a major fracture. The CVE system is essential plumbing for the cybersecurity industry. If vulnerability disclosures become inconsistent, fragmented, or stalled, the entire patch management and threat intelligence pipeline slows or breaks.

[00:02:54] The whiplash in this story, from defunding to renewed government support in a matter of hours, should concern every operator. It shows how politically fragile critical infrastructure funding has become even when tied to national security. If there is any upside, it's that this could be the start of a more globally inclusive, resilient vulnerability ecosystem. The risk? We break something in the transition. Today's episode is supported by Huntress.

[00:03:24] Most cybersecurity solutions are built for massive enterprises with big budgets. Not Huntress. They're the fully managed cybersecurity platform built for all businesses, not just the 1%. Huntress purposely builds security solutions like EDR, ITDR, SIEM, and security awareness training to equip their team of elite threat hunters to handle the heavy lifting of security for you.

[00:03:47] When threat actors strike, Huntress' 24x7 global SOC shuts them down before they're even on anyone else's radar. But they do more than just chase alerts. They lead the charge in industry research and knowledge, bringing expert protection and peace of mind. That's why users on G2 rate their EDR number one for growing businesses. To see how their expert threat hunting team gets the job done, visit Huntress.com slash MSP Radio.

[00:04:16] And while we're on the regulation front, Oregon Senator Ron Wyden announced that he is blocking the nomination of Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency. He cites the agency's ongoing refusal to release a crucial, unclassified report from 2022.

[00:04:36] The report outlines security issues within U.S. telecommunications companies, which Wyden describes as a multi-year cover-up of negligent cybersecurity practices. He argues that the public deserves to see this technical document as it does not discuss policy options and is essential for understanding current threats and the need for improved cyber defenses.

[00:04:58] Wyden's statement follows the fallout from the Salt Typhoon hack, which compromised multiple telecommunication companies and exposed sensitive communications, including those of Vice President J.D. Vance and President Donald Trump. The senator has been urging CISA to publish the report since July of 2022, but the agency has cited a deliberative process privilege as the reason for withholding it.

[00:05:23] Wyden claims that U.S. telecommunications companies still fail to meet minimum cybersecurity standards, leaving critical vulnerabilities unaddressed. And the Cybersecurity and Infrastructure Security Agency is also facing potential cuts that could affect nearly 40 percent of its workforce, with reports suggesting that up to 1,300 employees may be laid off. Experts warn that these reductions could significantly weaken U.S. national security amid rising cyber threats from nation-state actors.

[00:05:52] Recent layoffs at CISA included critical personnel, such as threat hunters, which could hinder the agency's ability to share vital threat intelligence with the private sector. In March, CISA also slashed funding by $10 million for the Multi-State Information Sharing and Analysis Center, which is crucial for state and local governments' cybersecurity efforts.

[00:06:15] Former Cybersecurity and Infrastructure Security Agency Director Chris Krebs has pledged to combat a federal investigation initiated by President Trump, which accuses him of falsely asserting that the 2020 election was not rigged. In an interview, Krebs announced he will resign from his position at cybersecurity firm SentinelOne to address these allegations, which include the loss of his security clearance.

[00:06:40] Krebs, who was appointed by Trump in 2018, was dismissed in November 2020 after affirming the integrity of the election results. He emphasized that the government is using its power to suppress dissent and target corporate relationships. Finally, nearly all staff members of the Defense Digital Service at the Pentagon are resigning, following pressure from the Department of Government Efficiency led by Elon Musk.

[00:07:05] This mass resignation, expected to be completed by May 1st, will effectively shut down the program, which was created in 2015 to accelerate technology adoption during national security crises. The Defense Digital Service played a crucial role in developing rapid response tools during the Afghanistan withdrawal and other key initiatives.

[00:07:27] Jennifer Hayes, the director, stated that the team had hoped to contribute to Musk's plans for automating operations and adopting artificial intelligence, but felt sidelined by the new department's direction. As a result, the Pentagon's so-called SWAT team of nerds will dissolve, reflecting broader challenges faced by digital modernization efforts within the government. Why do we care?

[00:07:50] This cluster of stories, Wyden's blockade, layoffs at CISA, Krebs' legal battle, and the collapse of the Defense Digital Service, exposes an unraveling of U.S. cybersecurity leadership and modernization capability at a time when threats are escalating. I was criticized recently for saying the CISA cuts could not be overstated. I'll see perhaps over-amplification of the message.

[00:08:14] Some may argue this is bureaucratic noise that day-to-day cybersecurity operations continue regardless of who leads CISA or whether one team leaves the Pentagon. That's only partially true. The internet and cyber threat landscape operate on trust, collaboration, and speed. Erosion in any of these, especially at the government level, directly degrades the threat response ecosystem.

[00:08:38] As I've argued here continuously, if you believe selling cybersecurity is key to your customers and your business, then you very much care that the marketplace trusts the cybersecurity market of which these standards and neutral government groups are part of. OpenAI has announced the release of two new artificial intelligence reasoning models known as o3 and o4-mini.

[00:09:02] The o3 model is touted as the company's most powerful reasoning model, while the o4-mini is a smaller and faster version that offers remarkable performance for its size and cost. Both models have the capability to integrate images into their reasoning process, allowing them to think with visual data such as sketches and whiteboards. Additionally, these models will be equipped with all ChatGPT tools, including web browsing and image generation.

[00:09:28] Users of ChatGPT Plus, Pro, and Team can access these features immediately, with plans for broader access to come in the following weeks. OpenAI also launched its new AI model, GPT-4.1, but notably did not release a safety report, which is typically provided with new model releases. This omission has raised concerns in the AI community, as these reports are crucial for transparency and safety evaluations.

[00:09:52] According to Steven Adler, a former OpenAI safety researcher, safety reports are voluntary but have been positioned as essential for accountability. The lack of a system card for GPT-4.1 comes amid criticisms of OpenAI's safety practices, particularly as employees express worries about resource allocation for safety testing. Despite not being the highest-performing model, GPT-4.1 reportedly shows improvements in efficiency and response time.

[00:10:21] And OpenAI is set to phase out its GPT-4 model from ChatGPT by April 30th of 2025, replacing it with the newer GPT-4o, which has shown superior performance in various evaluations, including writing and problem-solving. The company asserts that GPT-4o outperforms its predecessor consistently, thanks to recent upgrades that enhance instruction following and conversational flow. Why do we care?

[00:10:49] OpenAI's release of the o3 and o4-mini reasoning models and the transition to GPT-4o marks a meaningful evolution, not just in model capability, but in how AI systems are operationalized in everyday tools. But the headline that should matter just as much, if not more, for IT services firms? There's no safety report for GPT-4.1, and that signals deeper transparency issues even as AI becomes more embedded in client-facing tools.

[00:11:15] On yesterday's live show, dropping in the podcast feed this weekend and available now on YouTube, we discussed how accountability is the key to AI success in an organization. To have that accountability, one also needs transparency. Smart providers will double down on governance, track models, document behaviors, insist on clarity from vendors. Because when thinking machines are making decisions for your clients, you'd better know how and why they're reasoning the way they do.

[00:11:46] Turn/River Capital has successfully completed its acquisition of SolarWinds Corporation in a deal valued at approximately $4.4 billion. As part of the acquisition, SolarWinds stockholders will receive $18.50 per share in cash. Following the closure of the transaction, SolarWinds common stock has ceased trading and is no longer listed on the New York Stock Exchange. Why do we care? Well, final time I need to do this disclosure. I was a shareholder in SolarWinds.

[00:12:16] MSPs should take this as a strategic review moment. Re-evaluate your SolarWinds dependencies. Ask tough questions on product roadmap and support guarantees. Watch for signs of integration, rebranding, or sunset plans. And only move when you have insights based on actions. This episode is supported by Comet Backup. As IT providers, we've all been there. The phone rings, your largest client is absolutely panicked.

[00:12:44] They need you to restore their data as soon as possible. That's where Comet Backup comes in. Comet is an all-in-one backup solution designed specifically for IT professionals. Whether you need to protect computers, servers, virtual environments, emails, or databases, Comet Backup empowers you to manage backups on your terms. You choose where the data is stored. Backup to local on-prem storage or any of the leading cloud providers. Visit cometbackup.com to start your free 30-day trial today.

[00:13:13] Get $100 free credit when you sign up with the promo code MSPRADIO. Comet Backup. The backup solution that MSPs trust. Thanks for listening. Today is National Cheeseball Day, International Bat Appreciation Day, and apparently International Pizza Cake Day. Is it a stack of pizzas or a cake made like a pizza? Could be anything. I'll be speaking on a webinar on April 22nd next week

[00:13:41] about inbound marketing in the AI era with the author of a new book. Link in the show notes and description to sign up. I'm looking forward to seeing you there. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too.

[00:14:07] If you want to support the show, visit patreon.com slash MSPRADIO, and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question at MSPRADIO.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story,

[00:14:36] put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSPRADIO.COM slash engage. Once again, thanks for listening, and I will talk to you again on our next episode. Part of the MSP Radio Network.