Cybersecurity’s global alarm system is breaking down

Every day, billions of people trust digital systems to run everything from communication to commerce to critical infrastructure. But the global early warning system that alerts security teams to dangerous software flaws is showing critical gaps in coverage—and most users have no idea their digital lives are likely becoming more vulnerable.

Over the past eighteen months, two pillars of global cybersecurity have flirted with apparent collapse. In February 2024, the US-backed National Vulnerability Database (NVD)—relied on globally for its free analysis of security threats—abruptly stopped publishing new entries, citing a cryptic “change in interagency support.” Then, in April of this year, the Common Vulnerabilities and Exposures (CVE) program, the fundamental numbering system for tracking software flaws, seemed at similar risk: A leaked letter warned of an imminent contract expiration.

Cybersecurity practitioners have since flooded Discord channels and LinkedIn feeds with emergency posts and memes of “NVD” and “CVE” engraved on tombstones. Unpatched vulnerabilities are the second most common way cyberattackers break in, and they have led to fatal hospital outages and critical infrastructure failures. In a social media post, Jen Easterly, a US cybersecurity expert, said: “Losing [CVE] would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage.” If CVEs identify each vulnerability like a book in a card catalog, NVD entries provide the detailed review with context around severity, scope, and exploitability. 

In the end, the Cybersecurity and Infrastructure Security Agency (CISA) extended funding for CVE another year, attributing the incident to a “contract administration issue.” But the NVD’s story has proved more complicated. Its parent organization, the National Institute of Standards and Technology (NIST), reportedly saw its budget cut roughly 12% in 2024, right around the time that CISA pulled its $3.7 million in annual funding for the NVD. Shortly after, as the backlog grew, CISA launched its own “Vulnrichment” program to help address the analysis gap, while promoting a more distributed approach that allows multiple authorized partners to publish enriched data. 

“CISA continuously assesses how to most effectively allocate limited resources to help organizations reduce the risk of newly disclosed vulnerabilities,” says Sandy Radesky, the agency’s associate director for vulnerability management. Rather than just filling the gap, she emphasizes that Vulnrichment was established to provide unique additional information, like recommended actions for specific stakeholders, and to “reduce dependency of the federal government’s role to be the sole provider of vulnerability enrichment.”

Meanwhile, NIST has scrambled to hire contractors to help clear the backlog. Despite a return to pre-crisis processing levels, a boom in vulnerabilities newly disclosed to the NVD has outpaced these efforts. Currently, over 25,000 vulnerabilities await processing – nearly 10 times the previous high in 2017, according to data from software company Anchore. Before that, the NVD largely kept pace with CVE publications, maintaining a minimal backlog.

“Things have been disruptive, and we’ve been going through times of change across the board,” Matthew Scholl, then chief of the computer security division in NIST’s Information Technology Laboratory, said at an industry event in April. “Leadership has assured me and everyone that NVD is and will continue to be a mission priority for NIST, both in resourcing and capabilities.” Scholl left NIST in May after 20 years at the agency, and NIST declined to comment on the backlog. 

The situation has now prompted multiple government actions, with the Department of Commerce launching an audit of the NVD in May and House Democrats calling for a broader probe of both programs in June. But the damage to trust is already transforming geopolitics and supply chains as security teams prepare for a new era of cyber risk. “It’s left a bad taste, and people are realizing they can’t rely on this,” says Rose Gupta, who builds and runs enterprise vulnerability management programs. “Even if they get everything together tomorrow with a bigger budget, I don’t know that this won’t happen again. So I have to make sure I have other controls in place.”

As these public resources falter, organizations and governments are confronting a critical weakness in our digital infrastructure: Essential global cybersecurity services depend on a complex web of US agency interests and government funding that can be cut or redirected at any time.

Security haves and have-nots

What began as a trickle of software vulnerabilities in the early Internet era has become an unstoppable avalanche, and the free databases that have tracked them for decades have struggled to keep up. In early July, the CVE database crossed over 300,000 catalogued vulnerabilities. Numbers jump unpredictably each year, sometimes by 10% or much more. Even before its latest crisis, the NVD was notorious for delayed publication of new vulnerability analyses, often trailing private security software and vendor advisories by weeks or months.

Gupta has watched organizations increasingly adopt commercial vulnerability management (VM) software that includes its own threat intelligence services. “We’ve definitely become over-reliant on our VM tools,” she notes, describing security teams’ growing dependence on vendors like Qualys, Rapid7, and Tenable to supplement or replace unreliable public databases. These platforms combine their own research with various data sources to create proprietary risk scores that help teams prioritize fixes. But not all organizations can afford to fill the NVD’s gap with premium security tools. “Smaller companies and startups, already at a disadvantage, are going to be more at risk,” she explains. 

Komal Rawat, a security engineer in New Delhi whose mid-stage cloud startup has a limited budget, describes the impact in stark terms: “If NVD goes, there will be a crisis in the market. Other databases are not that popular, and to the extent they are adopted, they are not free. If you don’t have recent data, you’re exposed to attackers who do.”

The growing backlog means new devices could be more likely to have vulnerability blind spots—whether that’s a Ring doorbell at home or an office building’s “smart” access control system. The biggest risk may be “one-off” security flaws that fly under the radar. “There are thousands of vulnerabilities that will not affect the majority of enterprises,” says Gupta. “Those are the ones that we’re not getting analysis on, which would leave us at risk.”

NIST acknowledges it has limited visibility into which organizations are most affected by the backlog. “We don’t track which industries use which products and therefore cannot measure impact to specific industries,” a spokesperson says. Instead, the team prioritizes vulnerabilities on the basis of CISA’s known exploits list and those included in vendor advisories like Microsoft Patch Tuesday.

The biggest vulnerability

Brian Martin has watched this system evolve—and deteriorate—from the inside. A former CVE board member and an original project leader behind the Open Source Vulnerability Database, he has built a combative reputation over the decades as a leading historian and practitioner. Martin says his current project, VulnDB (part of Flashpoint Security), outperforms the official databases he once helped oversee. “Our team processes more vulnerabilities, at a much faster turnaround, and we do it for a fraction of the cost,” he says, referring to the tens of millions in government contracts that support the current system. 

When we spoke in May, Martin said his database contains more than 112,000 vulnerabilities with no CVE identifiers—security flaws that exist in the wild but remain invisible to organizations that rely solely on public channels. “If you gave me the money to triple my team, that non-CVE number would be in the 500,000 range,” he said.

In the US, official vulnerability management duties are split between a web of contractors, agencies, and nonprofit centers like the Mitre Corporation. Critics like Martin say that creates potential for redundancy, confusion, and inefficiency, with layers of middle management and relatively few actual vulnerability experts. Others defend the value of this fragmentation. “These programs build on or complement each other to create a more comprehensive, supportive, and diverse community,” CISA said in a statement. “That increases the resilience and usefulness of the entire ecosystem.”

As American leadership wavers, other nations are stepping up. China now operates multiple vulnerability databases, some surprisingly robust but tainted by the possibility that they are subject to state control. In May, the European Union accelerated the launch of its own database, as well as a decentralized “Global CVE” architecture. Following social media and cloud services, vulnerability intelligence has become another front in the contest for technological independence. 

That leaves security professionals to navigate multiple, potentially conflicting sources of data. “It’s going to be a mess, but I would rather have too much information than none at all,” says Gupta, describing how her team monitors multiple databases despite the added complexity. 

Resetting software liability

As defenders adapt to the fragmenting landscape, the tech industry faces another reckoning: Why don’t software vendors carry more responsibility for protecting their customers from security issues? Major vendors routinely disclose—but don’t necessarily patch—thousands of new vulnerabilities each year. A single exposure could crash critical systems or increase the risks of fraud and data misuse. 

For decades, the industry has hidden behind legal shields. “Shrink-wrap licenses” once forced consumers to broadly waive their right to hold software vendors liable for defects. Today’s end-user license agreements (EULAs), often delivered in pop-up browser windows, have evolved into incomprehensibly long documents. Last November, a lab project called “EULAS of Despair” used the length of War and Peace (587,287 words) to measure these sprawling contracts. The worst offender? Twitter, at 15.83 novels’ worth of fine print.

“This is a legal fiction that we’ve created around this whole ecosystem, and it’s just not sustainable,” says Andrea Matwyshyn, a US special advisor and technology law professor at Penn State University, where she directs the Policy Innovation Lab of Tomorrow. “Some people point to the fact that software can contain a mix of products and services, creating more complex facts. But just like in engineering or financial litigation, even the most messy scenarios can be resolved with the assistance of experts.”

This liability shield is finally beginning to crack. In July 2024, a faulty security update in CrowdStrike’s popular endpoint detection software crashed millions of Windows computers worldwide and caused outages at everything from airlines to hospitals to 911 systems. The incident led to billions in estimated damages, and the city of Portland, Oregon, even declared a “state of emergency.” Now, affected companies like Delta Airlines have hired high-priced attorneys to pursue major damages—a signal opening of the floodgates to litigation.

Despite the soaring number of vulnerabilities, many fall into long-established categories, such as SQL injections that interfere with database queries and buffer memory overflows that enable code to be executed remotely. Matwyshyn advocates for a mandatory “software bill of materials,” or S-BOM—an ingredients list that would let organizations understand what components and potential vulnerabilities exist throughout their software supply chains. One recent report found 30% of data breaches stemmed from the vulnerabilities of third-party software vendors or cloud service providers.

She adds: “When you can’t tell the difference between the companies that are cutting corners and a company that has really invested in doing right by their customers, that results in a market where everyone loses.”

CISA leadership shares this sentiment, with a spokesperson emphasizing its “secure-by-design principles,” such as “making essential security features available without additional cost, eliminating classes of vulnerabilities, and building products in a way that reduces the cybersecurity burden on customers.”

Avoiding a digital ‘dark age’

It will likely come as no surprise that practitioners are looking to AI to help fill the gap, while at the same time preparing for a coming swarm of cyberattacks by AI agents. Security researchers have used an OpenAI model to discover new “zero-day” vulnerabilities. And both the NVD and CVE teams are developing “AI-powered tools” to help streamline data collection, identification, and processing. NIST says that “up to 65% of our analysis time has been spent generating CPEs”—product information codes that pinpoint affected software. If AI can solve even part of this tedious process, it could dramatically speed up the analysis pipeline.

But Martin cautions against optimism around AI, noting that the technology remains unproven and often riddled with inaccuracies—which, in security, can be fatal. “Rather than AI or ML [machine learning], there are ways to strategically automate bits of the processing of that vulnerability data while ensuring 99.5% accuracy,” he says. 

AI also fails to address more fundamental challenges in governance. The CVE Foundation, launched in April 2025 by breakaway board members, proposes a globally funded nonprofit model similar to that of the internet’s addressing system, which transitioned from US government control to international governance. Other security leaders are pushing to revitalize open-source alternatives like Google’s OSV Project or the NVD++ (maintained by VulnCheck), which are accessible to the public but currently have limited resources.

As these various reform efforts gain momentum, the world is waking up to the fact that vulnerability intelligence—like disease surveillance or aviation safety—requires sustained cooperation and public investment. Without it, a patchwork of paid databases will be all that remains, threatening to leave all but the richest organizations and nations permanently exposed.

Matthew King is a technology and environmental journalist based in New York. He previously worked for cybersecurity firm Tenable.

Shape
Shape
Stay Ahead

Explore More Insights

Stay ahead with more perspectives on cutting-edge power, infrastructure, energy,  bitcoin and AI solutions. Explore these articles to uncover strategies and insights shaping the future of industries.

Shape

PXGEO Wins Its First Seismic Acquisition Job in Malaysia

PXGEO Equipment Limited, a marine geophysical service provider, has secured its first offshore seismic data acquisition services deal in Malaysia. Under the two-year agreement, PXGEO will deliver a minimum of 365 days of acquisition activity, utilizing its PXGEO 2 seismic vessel, which will mobilize in August. The company said in

Read More »

EQT Offtakes 2 MMtpa for 20 Years from Port Arthur LNG Phase 2

EQT Corp. has committed to buying two million metric tons per annum (MMtpa) for 20 years from Sempra’s planned Port Arthur LNG Phase II project in Jefferson County, Texas. “EQT will purchase the LNG on a free-on-board basis at a price indexed to Henry Hub”, EQT and Sempra Infrastructure, part of San Diego, California-based energy infrastructure company Sempra, said in a joint statement. Sempra Infrastructure chief executive Justin Bird said, “This development project can help fortify America’s position as a leading energy exporter, which is a shared goal of EQT and Sempra Infrastructure”. Earlier this month ConocoPhillips signed an agreement to buy four MMtpa over 20 years on a free-on-board basis from Port Arthur LNG Phase II. ConocoPhillips had already signed up for five MMtpa over 20 years from the under-construction first phase, from which it has also agreed to acquire a 30 percent equity stake. “With continued momentum in the project’s development, Sempra Infrastructure continues to target making a final investment decision on the Port Arthur LNG Phase II project in 2025”, the statement said. “All major permits for the Port Arthur LNG Phase II development project have been secured”, it added. In July Sempra secured a 20-year agreement to supply 1.5 MMtpa from phase II to Japan’s JERA Co. Inc. on a free-on-board basis. In June Sempra and Saudi Arabian Oil Co. (Aramco) progressed a heads-of-agreement document on phase II into a memorandum of understanding (MOU) under which the state-owned oil giant plans to buy five MMtpa for 20 years. The MOU also provides for Aramco’s potential acquisition of a 25 percent interest. In May the Department of Energy (DOE) granted phase II a permit to export to countries without a free trade agreement (FTA) with the U.S., marking the resumption of federal permitting for LNG export to

Read More »

Energy Department Issues Final Export Authorization to Commonwealth LNG

WASHINGTON— U.S. Secretary of Energy Chris Wright today announced the Department of Energy’s (DOE) final authorization for Commonwealth LNG, LLC to export up to 1.21 billion cubic feet per day (Bcf/d) of natural gas as liquefied natural gas (LNG) to non-free trade agreement (FTA) countries from its proposed project in Cameron Parish, Louisiana. Today’s action follows DOE’s conditional authorization to Commonwealth LNG, LLC in February 2025 and reflects the Federal Energy Regulatory Commission’s (FERC) June 2025 approval for the siting, construction, and operation of the facility. It also incorporates DOE’s May 2025 response to comments on the 2024 LNG Export Study that reaffirms that U.S. LNG exports strengthen America’s energy leadership, expand opportunities for American workers, and provide allies with secure access to reliable U.S. energy. “Finalizing this authorization moves us closer to delivering more American LNG to the world, advancing President Trump’s energy dominance agenda,” Secretary Wright said. “As DOE found earlier this year and affirms again in this order, expanding America’s LNG export capacity bolsters our economy, strengthens the energy security of our allies and trading partners and ensures the U.S. can continue to lead the world in the production of affordable, reliable and secure energy.” “We are glad to do our part in Commonwealth’s recent progress toward its final investment decision and look forward to its contribution to our nation’s success,” said Tala Goudarzi, Principal Deputy Assistant Secretary of the Office of Fossil Energy and Carbon Management. Commonwealth LNG, owned by Kimmeridge, has secured long-term off-take agreements for LNG with Malaysia’s PETRONAS, global energy commodities trading entity Glencore LTD, and Japan’s JERA, and recently announced an engineering, procurement, and construction contract with Technip Energies to advance the project.
Background:  The United States currently operates eight large-scale LNG export projects, with several more under construction or expansion. Under


Oil Posts First Monthly Loss Since April

Oil notched its first monthly loss since April, with trading dominated by concerns about a looming glut and geopolitical issues, including US-led efforts to end the war in Ukraine. West Texas Intermediate for October delivery slid 0.9% to settle near $64 a barrel, with the US benchmark down 7.6% this month. Brent closed above $68. Oil has lost ground in August on worries that global supplies will run ahead of demand in the coming quarters, boosting stockpiles. The commodity’s slump deepened on Friday after US consumer sentiment declined to a three-month low, reflecting concerns that tariffs will hurt the economy. Investors are also focused on Ukraine and potential shifts in crude flows from Russia. US President Donald Trump was “not happy” about Moscow’s recent strikes on Ukraine, White House Press Secretary Karoline Leavitt said. Washington has imposed a 50% levy on most Indian imports to punish the South Asian nation for buying Russian crude. Moscow unleashed a wave of drone and missile strikes on Kyiv earlier this week, in defiance of US calls for an end to the fighting, killing 18 people, Ukrainian authorities said. A meeting between Ukrainian President Volodymyr Zelenskiy and Russia’s Vladimir Putin was unlikely, according to German Chancellor Friedrich Merz. Trump has threatened “very big consequences” if Moscow doesn’t come to the negotiating table. Oil is down 11% this year on concerns that Trump’s trade war will hurt energy consumption at the same time that OPEC+ is working to restore idled capacity. “More OPEC+ oil is coming to the market amid worries over US economic growth, which keeps the market well-supplied,” said Jens Naervig Pedersen, a strategist at Danske Bank AS. Trading volumes on Friday were muted ahead of the Labor Day holiday weekend in the US, contributing to exaggerated price swings. Oil Prices WTI for


Namibia’s Ambition to Become Oil Hotspot Tested by Wildcatter

Searching for oil prospects in a block bigger than Rhode Island, Travis Smithard made a last-minute decision to send the Noble Venturer drillship twice as far as originally planned to spud a well off Namibia’s coast.  The switch paid off. The 230-meter (750 feet) vessel’s journey through the Atlantic waters led to Rhino Resources Ltd. announcing a significant discovery in April. That put the privately owned company on the map in Namibia with majors like Shell Plc and TotalEnergies SE, whose finds in the past three years have made the southern African nation a new exploration hotspot. Now the spotlight is on the wildcatter again as it drills another well called Volans, which it bypassed earlier this year to focus on Capricornus about 15 kilometers (9 miles) away. The market is closely watching the fortunes of each new campaign to see if Namibia — a major supplier of commodities like uranium and diamonds, but which doesn’t yet produce any crude — really has the resources to match its oil ambitions.  Rhino’s diversion to the Capricornus well was to “sort of broaden the aperture here a little bit” to understand a wider swath of the block, Chief Executive Officer Smithard said in an interview in the capital Windhoek. The decision was based on data that allowed for a quick change, he said. The area is poised to become a major African basin, with producers scrutinizing the best projects to hold as the energy transition moves the world closer to peak oil demand. Namibia aims to start output by 2030, and at one point there was optimism that it could become another Guyana — where a giant oil discovery has transformed the sparsely populated country’s economy. “We are currently very, very busy at a stage where we are now trying to cross over the path of moving Namibia from


Energy Department Announces Over $35 Million to Advance Emerging Energy Technologies

WASHINGTON— The U.S. Department of Energy (DOE) today announced more than $35 million for 42 projects through DOE’s Technology Commercialization Fund (TCF) to help move emerging energy technologies related to grid security, artificial intelligence, nuclear energy, and advanced manufacturing from DOE National Laboratories, plants, and sites to market. The selected projects will leverage over $21 million in cost share from private and public partners, bringing total funding to more than $57.5 million.
The TCF program, managed through the Office of Technology Commercialization’s Core Laboratory Infrastructure for Market Readiness (CLIMR) Lab Call, strengthens America’s economic and national security by supporting public-private partnerships that maximize taxpayer investments, advance American innovation, and ensure the United States stays ahead in global competitiveness.
“The Energy Department’s National Labs play an important role in ensuring the United States leads the world in innovation,” said Secretary Wright. “These projects have the potential to accelerate technological breakthroughs that will define the future of science and help secure America’s energy future.”
This year’s selections span across 19 DOE National Labs, plants, and sites. Highlights include:
Lawrence Berkeley National Laboratory will launch America’s Cradle to Commerce (AC2C), building on the Cradle to Commerce (C2C) program, providing wraparound support for lab-to-market innovation. In just 18 months, C2C has proven impact with more than $15M raised by participating startups and five commercial pilots launched.
Pacific Northwest National Laboratory will strengthen and expand the free-to-use Visual Intellectual Property Search (VIPS) tool through a VIPS 2.0 project. The updated platform will provide seamless search capabilities across a comprehensive list of National Lab innovations available for licensing or open-source use.
Argonne National Laboratory will advance commercialization of the OpenMC Monte Carlo particle transport code through the Exascale Computing Project, supporting nuclear safety and analysis code, addressing remaining barriers to market readiness and helping accelerate


Daenerys Discovery Is a Game Changer for Talos

The Daenerys discovery is a game changer for Talos in the Gulf of America (GoA). That’s what Wood Mackenzie said in a note sent to Rigzone by the Wood Mackenzie team this week, adding that the find could add more than 50 million barrels of oil equivalent to Talos’ net proved reserves. “For Talos, the discovery is a game changer,” Miles Sasser, Wood Mackenzie Upstream Senior Research Analyst, said in the note. “The company’s GoA portfolio was ageing, but Daenerys could add more than 50 million… barrels of oil equivalent [to] net proved reserves. That would increase its YE2024 proved reserves of 194 million barrels of oil equivalent more than 25 percent,” he added. “This is the company’s largest discovery to date in the GoA. While Talos has not released volumes, a 200 million barrel of oil equivalent discovery would make Daenerys GoA’s biggest find since Shell’s Whale in 2017,” he continued. In the note, Wood Mackenzie highlighted that the discovery well was drilled to a total vertical depth of 33,228 feet and pointed out that it was finished 12 days early and $16 million under budget, “demonstrating strong operational execution by the Talos-led consortium”. Wood Mackenzie stated in the note that its preliminary prospect valuation suggests peak production could reach 65,000 barrels per day. The company added in the note that the discovery “marks a strategic shift for Talos, which has traditionally focused on lower-risk infrastructure-led exploration (ILX) projects”. “Beyond Daenerys, the company has two additional large exploration projects in its pipeline – Enterprise and Hershey – both with pre-drill estimates exceeding 100 million barrels of oil equivalent each, signaling Talos’ embrace of a more aggressive high-impact exploration strategy,” Wood Mackenzie said in the note. Combined with BP’s Far South discovery in April, 2025 is the best year for


AI networking success requires deep, real-time observability

Most research participants also told us they need to improve visibility into their data center network fabrics and WAN edge connectivity services.
The need for real-time data
Observability of AI networks will require many enterprises to optimize how their tools collect network data. For instance, most observability tools rely on SNMP polling to pull metrics from network infrastructure, and these tools typically poll devices at five-minute intervals. Shorter polling intervals can adversely impact network performance and tool performance. Sixty-nine percent of survey participants told EMA that AI networks require real-time infrastructure monitoring that SNMP simply cannot support. Real-time telemetry closes visibility gaps. For instance, AI traffic bursts that create congestion and packet drops may last only seconds, an issue that a five-minute polling interval would miss entirely. To achieve this level of metric granularity, network teams will have to adopt streaming network telemetry. Unfortunately, support for such technology is still uneven among network infrastructure and network observability vendors due to a lack of industry standardization and a perception among vendors that customers simply don’t need it. Well, AI is about to create a lot of demand for it.
In parallel to the need for granular infrastructure metrics, 51% of respondents told EMA that they need more real-time network flow monitoring. In general, network flow technologies such as NetFlow and IPFIX can deliver data nearly in real time, with delays of seconds or a couple of minutes depending on the implementation. However, other technologies are less timely. In particular, the VPC flow logs generated by cloud providers do not offer the same data granularity. Network teams may need to turn to real-time packet monitoring to close cloud visibility gaps.
Smarter analysis for smarter networks
Network teams also need their network


Equinix Bets on Nuclear and Fuel Cells to Meet Exploding Data Center Energy Demand

A New Chapter in Data Center Energy Strategy
Equinix’s strategic investments in advanced nuclear and fuel cell technologies mark a pivotal moment in the evolution of data center energy infrastructure. By proactively securing power sources like Oklo’s fast reactors and Radiant’s microreactors, Equinix is not merely adapting to the industry’s growing energy demands but is actively shaping the future of sustainable, resilient power solutions. This forward-thinking approach is mirrored across the tech sector. Google, for instance, has partnered with Kairos Power to develop small modular reactors (SMRs) in Tennessee, aiming to supply power to its data centers by 2030. Similarly, Amazon has committed to deploying 5 gigawatts of nuclear energy through partnerships with Dominion Energy and X-energy, underscoring the industry’s collective shift towards nuclear energy as a viable solution to meet escalating power needs. The urgency of these initiatives is underscored by projections from the U.S. Department of Energy, which anticipates data center electricity demand could rise to 6.7%–12% of total U.S. production by 2028, up from 4.4% in 2023. This surge, primarily driven by AI technologies, is straining existing grid infrastructure and prompting both public and private sectors to explore innovative solutions. Equinix’s approach, i.e. investing in both immediate and long-term energy solutions, sets a precedent for the industry. By integrating fuel cells for near-term needs and committing to advanced nuclear projects for future scalability, Equinix exemplifies a balanced strategy that addresses current challenges while preparing for future demands. As the industry moves forward, the collaboration between data center operators, energy providers, and policymakers will be crucial.
The path to a sustainable, resilient energy future for data centers lies in continued innovation, strategic partnerships, and a shared commitment to meeting the digital economy’s power needs responsibly.


Evolving to Meet AI-Era Data Center Power Demands: A Conversation with Rehlko CEO Brian Melka

On the latest episode of the Data Center Frontier Show Podcast, we sat down with Brian Melka, CEO of Rehlko, to explore how the century-old mission-critical power provider is reinventing itself to support the new realities of AI-driven data center growth. Rehlko, formerly known as Kohler Energy, rebranded a year ago but continues to draw on more than a century of experience in power generation and backup systems. Melka emphasized that while the name has changed, the mission has not: delivering reliable, scalable, and flexible energy solutions to support always-on digital infrastructure.
Meeting Surging AI Power Demands
Asked how Rehlko is evolving to support the next wave of data center development, Melka pointed to two major dynamics shaping the market:
Unprecedented capacity needs driven by AI training and inference.
New, “spiky” usage patterns that strain traditional backup systems.
“Power generation is something we’ve been doing longer than anyone else, starting in 1920,” Melka noted. “As we look forward, it’s not just about the scale of backup power required — it’s about responsiveness. AI has very large short-duration power demands that put real strain on traditional systems.” To address this, Rehlko is scaling its production capacity fourfold over the next three to four years, while also leveraging its global in-house EPC (engineering, procurement, construction) capabilities to design and deliver hybrid systems. These combine diesel or gas generation with battery storage and short-duration modulation, creating a more responsive power backbone for AI data centers. “We’re the only ones out there that can deliver that breadth of capability on a full turnkey basis,” Melka said. “It positions us to support customers as they navigate these new patterns of energy demand.”
Speed to Power Becomes a Priority
In today’s market, “speed to power” has become the defining theme. Developers and operators are increasingly considering


Data Center Chip Giants Negotiate Political Moves, Tariffs, and Corporate Strategies

And with the current restrictions being placed on US manufacturers selling AI parts to China, reporting says NVIDIA is developing a Blackwell-based China chip, more capable than the current H20 but still structured to comply with U.S. export rules. Reuters reported that it would be a single-die design (roughly half the compute of the dual-die B300), with HBM and NVLink, sampling as soon as next month. A second compliant workstation/inference product (RTX6000D) is also in development. Chinese agencies have reportedly discouraged use of NVIDIA H20 in government work, favoring Huawei Ascend. However, there have been reports describing AI training using the Ascend as “challenging”, forcing some AI firms to revert to NVIDIA for large-scale training while using Ascend for inference. This keeps China demand alive for compliant NVIDIA/AMD parts—hence the U.S. interest in revenue-sharing. Meanwhile, AMD made its announcements at June’s “Advancing AI 2025” to set MI350 (CDNA 4) expectations and a yearly rollout rhythm that’s designed to erase NVIDIA’s time lead as much as fight on absolute perf/Watt. If the MI350 systems ramp aligns with major cloud designs in 2026, AMD’s near-term objective is defending MI300X momentum while converting large customers to multi-vendor strategies (often pairing MI clusters with NVIDIA estates for redundancy and price leverage). The 15% China license fee will shape how AMD prices MI-series export SKUs and whether Chinese hyperscalers still prefer them to the domestic alternative (Huawei Ascend), which continues to face software/toolchain challenges. If Chinese buyers balk or Beijing discourages purchases, the revenue-share may be moot; if they don’t, AMD has a path to keep seats warm in China while building MI350 demand elsewhere. Beyond China export licenses, the U.S. and EU recently averted a larger trade war by settling near 15% on certain sectors, which included semiconductors, as opposed to the far more


Johnson Controls Brings Data Center Cooling into the “As-a-Service” Era

Cooling Without the Risk
Johnson Controls’ Data Center Cooling as a Service (DCCaaS) approach is designed to take cooling risk off the operator’s shoulders. The company doesn’t just provide the technology—it delivers a comprehensive, long-term service package that covers design, build, operation, maintenance, and life cycle management. The model shifts cooling from a capital expense to an operating expense, providing financial flexibility at a time when operators are pouring billions into AI-ready infrastructure. “We take on the risk of performance and uptime,” Renkis explained. “If we don’t meet the agreed-upon KPIs, there are financial consequences for us—not the customer.”
The AI Advantage
A key differentiator in Johnson Controls’ approach is its integration of AI, machine learning, and advanced analytics. Through its OpenBlue and Metasys platforms—supplemented by partnerships with three to four external AI providers—the company is able to continuously optimize cooling system performance. These AI-driven systems not only extend the life of equipment but also deliver financially guaranteed outcomes. “We tie our results to customer-defined KPIs,” said Renkis. “If we miss, we pay. That accountability drives everything we do.”
Modularity with Flexibility
While the industry is trending toward modularity and prefabricated builds, Renkis stressed that every DCCaaS project remains unique. Johnson Controls designs contracts with “detour functionality”—flexible pathways to upgrade and adapt as technology shifts. That flexibility is crucial given the rapid emergence of AI factory-scale demands. New chip architectures and ultra-dense racks—600kW, 1MW, even 1.5MW—are reshaping expectations for cooling and power. “Nobody knows exactly how this will evolve,” Renkis noted. “That uncertainty makes the as-a-service model the most prudent path forward.”
Beyond Traditional Facilities Management
Cooling-as-a-service is distinct from conventional facilities management in both scope and financial muscle. Johnson Controls brings to the table its own capital arm—Johnson Controls Capital—and a joint venture with Apollo Group, known as Ionic


Meta’s Dual-Track Data Center Strategy: Owning AI Campuses, Leasing Cloud, and Expanding Nationwide

Provisioning the Power is a Major Project All its Own
Powering a data center campus on this scale in an area like rural Louisiana is not a simple task. News reports and a utility commission filing by power company Entergy are starting to reveal the scope of project preparation already in process to get the site the power it will need. To bring in outside power, Entergy plans a 100-mile, 500kV transmission project (at an approximate cost of $1.2 billion) to move bulk power into the area. Substations & lines tied to the site will include a new “Smalling” 500/230kV substation, a new “Car Gas Road” 500kV switchyard, six customer substations on Meta’s property, two 30-mile 500kV lines, and multiple 230kV feeders into the campus. Additionally, Entergy has sought approval for three combined-cycle gas plants generating about 2.25 GW of power and associated lines to meet the immediate load while broader transmission is built out; state hearings are underway with a vote on this part of the project expected before the end of August 2025. Approval is being sought from the Louisiana Public Service Commission to build these three new gas plants and their associated infrastructure at a cost of just under $4 billion. Concerns are being raised by local community groups as well as the Union of Concerned Scientists (UCS) and Louisiana-based Alliance for Affordable Energy (AAE) not just about how much of the initial costs will be passed on to Louisiana ratepayers, but also about what happens as the first series of contracts for power begin to expire in 15 years. The plans being presented were initially scheduled to be voted on in October 2025 and the fast tracking of project approval has highlighted the concerns of the opposition. Both the short- and long-term


Microsoft will invest $80B in AI data centers in fiscal 2025

And Microsoft isn’t the only one that is ramping up its investments into AI-enabled data centers. Rival cloud service providers are all investing in either upgrading or opening new data centers to capture a larger chunk of business from developers and users of large language models (LLMs). In a report published in October 2024, Bloomberg Intelligence estimated that demand for generative AI would push Microsoft, AWS, Google, Oracle, Meta, and Apple to devote $200 billion between them to capex in 2025, up from $110 billion in 2023. Microsoft is one of the biggest spenders, followed closely by Google and AWS, Bloomberg Intelligence said. Its estimate of Microsoft’s capital spending on AI, at $62.4 billion for calendar 2025, is lower than Smith’s claim that the company will invest $80 billion in the fiscal year to June 30, 2025. Both figures, though, are way higher than Microsoft’s 2020 capital expenditure of “just” $17.6 billion. The majority of the increased spending is tied to cloud services and the expansion of AI infrastructure needed to provide compute capacity for OpenAI workloads. Separately, last October Amazon CEO Andy Jassy said his company planned total capex spend of $75 billion in 2024 and even more in 2025, with much of it going to AWS, its cloud computing division.


John Deere unveils more autonomous farm machines to address skill labor shortage

Self-driving tractors might be the path to self-driving cars. John Deere has revealed a new line of autonomous machines and tech across agriculture, construction and commercial landscaping. The Moline, Illinois-based John Deere has been in business for 187 years, yet it’s been a regular as a non-tech company showing off technology at the big tech trade show in Las Vegas and is back at CES 2025 with more autonomous tractors and other vehicles. This is not something we usually cover, but John Deere has a lot of data that is interesting in the big picture of tech. The message from the company is that there aren’t enough skilled farm laborers to do the work that its customers need. It’s been a challenge for most of the last two decades, said Jahmy Hindman, CTO at John Deere, in a briefing. Much of the tech will come this fall and after that. He noted that the average farmer in the U.S. is over 58 and works 12 to 18 hours a day to grow food for us. And he said the American Farm Bureau Federation estimates there are roughly 2.4 million farm jobs that need to be filled annually; and the agricultural work force continues to shrink. (This is my hint to the anti-immigration crowd). While each of these industries experiences its own set of challenges, a commonality across all is skilled labor availability. In construction, about 80% of contractors struggle to find skilled labor. And in commercial landscaping, 86% of landscaping business owners can’t find labor to fill open positions, he said. “They have to figure out how to do


2025 playbook for enterprise AI success, from agents to evals

2025 is poised to be a pivotal year for enterprise AI. The past year has seen rapid innovation, and this year will see the same. This has made it more critical than ever to revisit your AI strategy to stay competitive and create value for your customers. From scaling AI agents to optimizing costs, here are the five critical areas enterprises should prioritize for their AI strategy this year.
1. Agents: the next generation of automation
AI agents are no longer theoretical. In 2025, they’re indispensable tools for enterprises looking to streamline operations and enhance customer interactions. Unlike traditional software, agents powered by large language models (LLMs) can make nuanced decisions, navigate complex multi-step tasks, and integrate seamlessly with tools and APIs. At the start of 2024, agents were not ready for prime time, making frustrating mistakes like hallucinating URLs. They started getting better as frontier large language models themselves improved. “Let me put it this way,” said Sam Witteveen, cofounder of Red Dragon, a company that develops agents for companies, and that recently reviewed the 48 agents it built last year. “Interestingly, the ones that we built at the start of the year, a lot of those worked way better at the end of the year just because the models got better.” Witteveen shared this in the video podcast we filmed to discuss these five big trends in detail. Models are getting better and hallucinating less, and they’re also being trained to do agentic tasks. Another feature that the model providers are researching is a way to use the LLM as a judge, and as models get cheaper (something we’ll cover below), companies can use three or more models to


OpenAI’s red teaming innovations define new essentials for security leaders in the AI era

OpenAI has taken a more aggressive approach to red teaming than its AI competitors, demonstrating its security teams’ advanced capabilities in two areas: multi-step reinforcement and external red teaming. OpenAI recently released two papers that set a new competitive standard for improving the quality, reliability and safety of AI models in these two techniques and more. The first paper, “OpenAI’s Approach to External Red Teaming for AI Models and Systems,” reports that specialized teams outside the company have proven effective in uncovering vulnerabilities that might otherwise have made it into a released model because in-house testing techniques may have missed them. In the second paper, “Diverse and Effective Red Teaming with Auto-Generated Rewards and Multi-Step Reinforcement Learning,” OpenAI introduces an automated framework that relies on iterative reinforcement learning to generate a broad spectrum of novel, wide-ranging attacks.
Going all-in on red teaming pays practical, competitive dividends
It’s encouraging to see competitive intensity in red teaming growing among AI companies. When Anthropic released its AI red team guidelines in June of last year, it joined AI providers including Google, Microsoft, Nvidia, OpenAI, and even the U.S.’s National Institute of Standards and Technology (NIST), which all had released red teaming frameworks. Investing heavily in red teaming yields tangible benefits for security leaders in any organization. OpenAI’s paper on external red teaming provides a detailed analysis of how the company strives to create specialized external teams that include cybersecurity and subject matter experts. The goal is to see if knowledgeable external teams can defeat models’ security perimeters and find gaps in their security, biases and controls that prompt-based testing couldn’t find.
What makes OpenAI’s recent papers noteworthy is how well they define using human-in-the-middle
