CVE at a Crossroads: Global Standards, Local Failures, and What Comes Next with Nick Leiserson
Cybersecurity veteran Nick Leiserson joins Cyber Focus this week to break down critical governance gaps in the Common Vulnerabilities and Exposures (CVE) system and what's at stake if they're not fixed. He and host Frank Cilluffo explore the risks of global fragmentation, the lingering fallout from the F5 breach, and why policy tools like Executive Order 14028 remain stalled. Leiserson warns that the U.S. court system faces an under-the-radar cyber crisis, and shares specific, actionable funding priorities Congress should tackle now. From software supply chain failures to operational coordination gaps, the episode provides a sharp look at what's missing in the federal cybersecurity response—and what can still be done to fix it.
Main Topics Covered
· Why CVE is the global "lingua franca" for vulnerabilities—and what happens if it fails
· How a near-shutdown exposed CVE's fragile funding and governance model
· The F5 breach and what it reveals about persistent risks in the software supply chain
· Missed opportunities in EO 14028 and regulatory inertia in implementation
· Why the U.S. court system breach is a cybersecurity crisis hiding in plain sight
· Urgent spending needs: water system grants, K-12 cybersecurity, and court system defense
Key Quotes
"CVE... It's the universal language that we can all look at and understand what we're talking about. And today in 2025, we totally take that for granted."
"The worst case is fragmentation. The second worst is [when] government comes in and says, we're going to supplant the expertise that's been built up over 25 years" —Nick Leiserson
"[Some ask] 'Didn't we put a bunch of policy in place to stop SolarWinds?' The answer is we did. If you look at Executive Order 14028… it came out in the immediate aftermath of SolarWinds, and it has not been implemented." —Nick Leiserson
"This is just one of those things that's vaguely terrifying, and it takes a lot to terrify me after 15 years in this space. But as best we can tell from public reporting, either there's been one continuous breach since 2020, or at least similar types of actors are continually being able to get into the federal court system." —Nick Leiserson
"[F5 is] one of these bits of technologies that most people would not immediately wake up and say that's essential to our economy, our national security, our public safety. But it is." —Frank Cilluffo
Relevant Links and Resources
Institute for Security + Technology report on CVE reform
Executive Order 14028 – Improving the Nation's Cybersecurity
CISA's Known Exploited Vulnerabilities (KEV) Catalog
FCC K–12 Cybersecurity Pilot Program
Guest Bio
Nick Leiserson is Senior Vice President for Policy at the Institute for Security and Technology. He was a founding member of the Office of the National Cyber Director, where he led national cyber policy development and helped launch the National Cybersecurity Strategy Implementation Plan. Previously, he served as Chief of Staff to Rep. Jim Langevin and helped enact dozens of recommendations from the Cyberspace Solarium Commission. A longtime strategist on Capitol Hill and in the White House, Leiserson is known for translating complex tech policy into action on issues ranging from regulatory harmonization to software liability.