Sweden's digital defense threatened by US whims

Although the U.S. cybersecurity authority has now temporarily secured continued operation, the course of events shows how extremely vulnerable the system is when it rests on the arbitrariness of a single nation, writes Jonas Hasselberg, CEO of Omegapoint.

This article was first published in Industry Today May 6, 2025.

At the last minute, the US has temporarily extended support for the world's most important cybersecurity database, the CVE, which is crucial for managing vulnerabilities worldwide. Sweden and the EU must urgently build their own system to protect us against digital vulnerabilities," writes Jonas Hasselberg, CEO of Omegapoint.

CVE (Common Vulnerabilities and Exposures) is an open, centralized database of discovered security holes in software and systems. It enables IT security companies, organizations and developers to quickly identify, fix and share information about vulnerabilities - before they are exploited. CVE has been instrumental in addressing vulnerabilities such as Heartbleed and Log4Shell, which threatened critical infrastructure, healthcare, financial systems and millions of users worldwide. CVE has been a pillar of digital protection, as fundamental as the fire brigade in physical security.

Sweden's digital systems are deeply integrated with US technologies. In practice, we are dependent on real-time data from CVE to respond quickly to security threats. Without the database, we are blind to the threats. The risk of CVE disappearing completely in the next US budget decision is not just theoretical - it is real.

Although the US cybersecurity authority has now temporarily secured continued operation, the sequence of events shows how extremely vulnerable the system is when it rests on the arbitrary will of a single nation - especially one where political will can swing sharply overnight. The fact that such a key global tool as CVE was almost lost due to a bureaucratic or ideological retreat in the United States shows that we can no longer trust that our digital protection systems are in safe hands. The extension of funding now implemented is normally for 6-12 months and should not be seen as a commitment to long-term funding.

We need a robust alternative. One possible framework to draw inspiration from is the DNS system, which is currently the backbone of how internet addresses are managed globally. The Domain Name System (DNS) is the structure that translates web addresses into IP addresses and is operated by ICANN, a neutral non-profit foundation. ICANN's robust model is funded by membership fees from domain registrars, governed by broad representation from the technology industry, academia, civil society and government, and operated openly and transparently.

In a similar way CVE management could be transferred to a global, independent entity - a Global Vulnerability Identifier Authority (GVIA). The GVIA would be funded through membership and contributions from security companies, cloud platforms and public actors such as the EU and the US, governed transparently by a broad-based board of directors, and operated technically in close cooperation with, for example, ENISA (the EU's cybersecurity authority) and CISA (the US cybersecurity and infrastructure security authority). This would reduce vulnerability to political volatility and ensure a long-term stable and impartial response to global cybersecurity threats.

With an unstable US administration, where decisions on cybersecurity risk being made on the basis of domestic political gamesmanship rather than global accountability, it is clear that we cannot continue to hope that the US will 'fix it'. When the same administration recently took out the data protection watchdog, the GDPR and our right to digital privacy were threatened. Now it risks happening again - this time to our ability to defend ourselves against cyberattacks.

MSB must now take the lead, together with its European counterpart ENISA, to ensure that we build a European CVE - or better yet, take a leading role in building a global solution that is robust, open and free from the whims of individual states.

Jonas Hasselberg, CEO Omegapoint