The Last Channel
"The intelligence was genuine. That was the beauty of it."
Two days. On January 7, the United States withdrew from three international cyber cooperation organizations. On January 9, CISA closed ten Emergency Directives and consolidated everything into the KEV catalog. Calendar coincidence. Or doctrinal coherence.
The Official Explanation
CISA's narrative holds up. The Emergency Directives were point responses. SolarWinds, ProxyLogon, PrintNightmare, Zerologon. KEV is a permanent framework, more efficient. The targeted vulnerabilities are now in the catalog. Federal agencies have clear deadlines. Two weeks for recent CVEs, six months for older ones¹.
The catalog reached 1,484 entries by the end of 2025. Growth of 20% over the year, 245 additions². It's presented as maturation. A system rationalizing itself.
The numbers tell a different story.
What the Numbers Show
KEV grew 30% faster than the previous two years³. Meanwhile, CISA operated at 35% of its staff during the fall shutdown⁴. 43 days. Since then, the hemorrhage continues: about one-third of the workforce has left the agency in one year, five of six operational divisions have lost their leadership⁵. The NVD backlog exceeds 20,000 unprocessed CVEs⁶. The Cybersecurity Information Sharing Act expired without renewal⁷.
Closing ten directives in this context looks less like maturation than a constrained trade-off. Fewer resources to maintain active directives. Concentration on a single track.
The administration is adding one billion dollars for offensive cyber operations⁸. It's withdrawing the United States from cooperation forums. It's letting public defensive infrastructure degrade.
I interpret these elements as a doctrine, not as a series of isolated incidents. But other readings are possible.
The Pattern
The previous article in this series analyzed the withdrawal from multilateral organizations. The GFCE coordinated cyber capacity building in 100 countries. The Freedom Online Coalition aligned 42 democracies on digital freedoms. The Hybrid CoE organized responses to Russian hybrid threats with the EU and NATO.
Common thread: forums where Washington shared. Expertise, intelligence, influence. Cooperation costs.
What remains: the ITU, where Washington wants to "expand its influence" against Beijing⁹. ICANN, American private infrastructure. The Counter Ransomware Initiative, a US-led coalition.
And the KEV.
What the KEV Doesn't Say
The catalog is not a cooperation forum. CISA decides what goes in. CISA sets the deadlines. The world follows. 88% of KEV vulnerabilities have a CVSS score of high or critical¹⁰. Cyber insurers integrate it into their assessments. Auditors require it.
But how does CISA feed the catalog?
According to their own documentation: "intelligence feeds, incident data, public reporting, and interagency collaboration"¹¹. Translation: essentially American sources. NSA, FBI, US vendors, sensors deployed on American networks.
An exploitation specifically targeting European infrastructure, detected by a local CERT but not by US sensors, may not reach the KEV. Or with delay. The geographic bias is structural.
And there's what we don't see. The intelligence that probably circulates between US federal agencies in TLP:AMBER or RED, with full context, actor attribution, detailed TTPs. The public KEV is the declassified version. The minimal signal.
In intelligence, this is called a channel. A real, useful information flow that creates trust and dependency. The question is never the quality of what passes through. It's what doesn't pass through.
The channels through which richer intelligence could flow to allies? Hybrid CoE, GFCE, FOC. Closed.
Inherited Limitations
The KEV requires a CVE to exist¹². No CVE, no KEV. This means the catalog inherits all the limitations of the CVE system.
A 0-day actively exploited but without a CVE identifier? Invisible to KEV until an identifier is assigned. A vulnerability in a product whose vendor refuses to issue a CVE? Out of catalog. The NVD backlog of 20,000 unprocessed entries? CVEs exist but context is missing.
The KEV covers about 0.5% of published CVEs¹³. And CVEs only cover a fraction of real vulnerabilities.
In the classic known/unknown matrix, KEV illuminates only one quadrant: known vulnerability AND known exploitation. Everything else—active 0-days, exploitations undetected by US sensors, vulnerabilities without CVEs—remains in shadow.
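The quadrant argument, as an added example that is not code from this article or from CISA: a triage pass that sorts scanner findings by what a KEV lookup can and cannot see. The feed sample uses the `vulnerabilities`, `cveID` and `dueDate` keys of the published KEV JSON feed; the CVE IDs, the findings and the `local_evidence` field are constructed for illustration.

```python
import json

# Constructed sample in the shape of the KEV JSON feed (placeholder CVE IDs).
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2025-03-15"},
  {"cveID": "CVE-0000-0002", "dueDate": "2025-06-24"}]}""")

# Constructed findings. "cve" is None when no identifier was ever assigned;
# "local_evidence" (hypothetical field) records exploitation seen by your own
# telemetry or reported by a national CERT, independent of KEV.
FINDINGS = [
    {"id": "F1", "cve": "CVE-0000-0001", "local_evidence": False},
    {"id": "F2", "cve": "CVE-0000-0007", "local_evidence": True},
    {"id": "F3", "cve": None,            "local_evidence": True},
    {"id": "F4", "cve": "CVE-0000-0009", "local_evidence": False},
    {"id": "F5", "cve": None,            "local_evidence": False},
]


def classify(findings, kev_feed):
    """Bucket findings by what a KEV lookup can and cannot tell you."""
    kev_ids = {v["cveID"].upper() for v in kev_feed["vulnerabilities"]}
    buckets = {"in_kev": [], "exploited_not_in_kev": [],
               "no_cve": [], "cve_no_signal": []}
    for f in findings:
        cve = (f.get("cve") or "").strip().upper()
        if not cve:
            # No CVE, no KEV: the join key is missing, so a lookup cannot match.
            buckets["no_cve"].append(f["id"])
        elif cve in kev_ids:
            buckets["in_kev"].append(f["id"])
        elif f.get("local_evidence"):
            buckets["exploited_not_in_kev"].append(f["id"])
        else:
            # Absence from KEV is absence of a signal, not proof of safety.
            buckets["cve_no_signal"].append(f["id"])
    return buckets


def kev_blind_spots(findings, kev_feed):
    """Findings with exploitation evidence that KEV-only triage never flags."""
    b = classify(findings, kev_feed)
    evidence = {f["id"] for f in findings if f.get("local_evidence")}
    return sorted(evidence - set(b["in_kev"]))


if __name__ == "__main__":
    print(classify(FINDINGS, KEV_FEED))
    print(kev_blind_spots(FINDINGS, KEV_FEED))
```

In this sample, F2 and F3 are the findings a checklist built only on KEV would leave unprioritized despite exploitation evidence.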
The Cognitive Trap
KEV offers a list. Organizations check the boxes. "KEV patched, compliance assured."
This approach rests on an implicit assumption: code is healthy by default, vulnerabilities are exceptions that can be identified and corrected. With 29,000 CVEs per year and 32% exploited on the day of their publication¹⁴, this assumption no longer holds.
The missing mental model: consider all code as potentially hostile. Design architectures that function even in the presence of compromised components. Move from "prevent the incident" to "operate despite the incident."
KEV doesn't enable this change. It delays it. By offering a control signal, it maintains the illusion that you can trust patched code. When the question lies elsewhere: how do I survive if my code is compromised tomorrow?
What This Means for Europe
The series data is known. 85% of European security solutions rely on the NVD. The EUVD launched in May 2025 automatically transposes the American KEV catalog¹⁵. Rational in the short term. Structural dependency in the medium term.
Europe has no KEV equivalent. The EUVD is a vulnerability database, not a confirmed exploitation catalog with its own intelligence sources. Building one would require European sensors, European intelligence, European coordination. The building blocks are missing.
Since January: the Hybrid CoE channel is closed. The GFCE is closed. The NVD is degrading. KEV becomes the only accessible signal. A signal that Washington controls, feeds according to its priorities, and shares in its minimal version.
What I Don't Know
Whether the consolidation is a chosen maturation, a constrained trade-off, or something else. Whether intelligence shared with Europe has already degraded since the January closures. Whether the KEV model can hold against the acceleration of exploitations, or whether it will drown in its own volume. With constrained CISA resources and leadership in permanent crisis—the agency is still waiting for a confirmed director, one year into the term—the catalog could even stagnate while exploitations increase, creating a false sense of stability.
What these events suggest: Washington is recalibrating its engagement toward real levers of power. Technical standards, infrastructure, offensive capabilities. And abandoning the costs of cooperation.
Back to the Anomaly
Two days apart. Three cooperation organizations closed. Ten directives absorbed into a single catalog. One billion for offense while defensive infrastructure runs at 35%.
KEV is what remains when everything else closes. A filtered flow, geographically biased, limited to vulnerabilities with CVEs, shared in its minimal version.
Europe can continue to consume this signal and check the compliance boxes. It can also start asking what's not on the list—and why.
This article is part of a series analysing the structural flaws of Western cybersecurity (articles 1-5 in French):
- Article 1 : La vulnérabilité de la gestion des vulnérabilités
- Article 2 : La dépendance européenne aux standards américains
- Article 3 : Les États, architectes cachés du marché noir des vulnérabilités
- Article 4 : L'IA ou l'effondrement du modèle défensif occidental
- Article 5 : Desert Power — survivre sans l'Empire
- Article 6: I Am Altering the Deal
References
¹ BleepingComputer, "CISA retires 10 emergency cyber orders in rare bulk closure", January 8, 2026 https://www.bleepingcomputer.com/news/security/cisa-retires-10-emergency-cyber-orders-in-rare-bulk-closure/
² Cyble, "2025 CISA KEV Catalog Hits 1,484 Exploited Vulnerabilities", January 2026 https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/
³ Cyble, ibid.: "an increase of more than 30% above the trend seen in 2023 and 2024"
⁴ GIS Reports, "U.S. cybersecurity policy under Trump", November 2025 https://www.gisreportsonline.com/r/trump-cyber/
⁵ Cybersecurity Dive, "CISA loses nearly all top officials as purge continues", May 27, 2025 https://www.cybersecuritydive.com/news/cisa-senior-official-departures/748992/; Federal News Network, "CISA director void leaves cyber agency embroiled in uncertainty", January 13, 2026 https://federalnewsnetwork.com/cybersecurity/2026/01/cisa-director-void-leaves-cyber-agency-embroiled-in-uncertainty/; Politico, "Acting CISA chief sought ouster of agency's chief information officer", January 18, 2026 https://www.politico.com/news/2026/01/18/acting-cisa-chief-sought-ouster-of-agencys-chief-information-officer-00735826
⁶ Socket.dev, "NVD Backlog Tops 20,000 CVEs Awaiting Analysis", November 2025 https://socket.dev/blog/nvd-backlog-tops-20-000-cves
⁷ GIS Reports, ibid.: "The expiration of CISA's 2015 legislation at the end of September"
⁸ Bloomberg, "Trump Administration Turning to Private Firms in Cyber Offensive", December 12, 2025 https://www.bloomberg.com/news/articles/2025-12-12/trump-administration-turning-to-private-firms-in-cyber-offensive
⁹ The Record, "CISA sunsets 10 emergency directives thanks to evolution of exploited vulnerabilities catalog", January 8, 2026 https://therecord.media/cisa-sunsets-10-emergency-directives
¹⁰ Nucleus Security, "Top Observations from CISA KEV Enrichment Dashboard": "88% of CISA KEV vulnerabilities have a CVSS rating of high or critical" https://nucleussec.com/blog/top-observations-from-cisa-kev-enrichment-dashboard/
¹¹ Picus Security, "CISA's Known Exploited Vulnerabilities (KEV) Explained", June 2025 https://www.picussecurity.com/resource/blog/cisas-known-exploited-vulnerabilities-kev-explained
¹² CISA, "KEV Catalog Reaches 1000, What Does That Mean and What Have We Learned": "Every candidate vulnerability needs to have a CVE ID" https://www.cisa.gov/news-events/news/kev-catalog-reaches-1000-what-does-mean-and-what-have-we-learned
¹³ Nucleus Security, "Guide to CISA KEV Enrichment": "CISA KEV catalog actively only having less than .5% of all identified CVE vulnerabilities" https://nucleussec.com/resources/guides/guide-to-cisa-kev-enrichment/
¹⁴ VulnCheck, "State of Exploitation - 1H 2025", July 2025: "32.1% of vulnerabilities being exploited on or before the day of the CVE disclosure" https://www.vulncheck.com/blog/state-of-exploitation-1h-2025
¹⁵ VulnCheck, "Does ENISA EUVD live up to all the hype?", May 2025 https://www.vulncheck.com/blog/enisa-euvd