
Cybersecurity’s global alarm system is breaking down

Every day, billions of people trust digital systems to run everything from communication to commerce to critical infrastructure. But the global early warning system that alerts security teams to dangerous software flaws is showing critical gaps in coverage—and most users have no idea their digital lives are likely becoming more vulnerable.

Over the past eighteen months, two pillars of global cybersecurity have flirted with apparent collapse. In February 2024, the US-backed National Vulnerability Database (NVD)—relied on globally for its free analysis of security threats—abruptly stopped publishing new entries, citing a cryptic “change in interagency support.” Then, in April of this year, the Common Vulnerabilities and Exposures (CVE) program, the fundamental numbering system for tracking software flaws, seemed at similar risk: A leaked letter warned of an imminent contract expiration.

Cybersecurity practitioners have since flooded Discord channels and LinkedIn feeds with emergency posts and memes of “NVD” and “CVE” engraved on tombstones. Unpatched vulnerabilities are the second most common way cyberattackers break in, and they have led to fatal hospital outages and critical infrastructure failures. In a social media post, Jen Easterly, a US cybersecurity expert, said: “Losing [CVE] would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage.” If CVEs identify each vulnerability like a book in a card catalog, NVD entries provide the detailed review with context around severity, scope, and exploitability. 

In the end, the Cybersecurity and Infrastructure Security Agency (CISA) extended funding for CVE another year, attributing the incident to a “contract administration issue.” But the NVD’s story has proved more complicated. Its parent organization, the National Institute of Standards and Technology (NIST), reportedly saw its budget cut roughly 12% in 2024, right around the time that CISA pulled its $3.7 million in annual funding for the NVD. Shortly after, as the backlog grew, CISA launched its own “Vulnrichment” program to help address the analysis gap, while promoting a more distributed approach that allows multiple authorized partners to publish enriched data. 

“CISA continuously assesses how to most effectively allocate limited resources to help organizations reduce the risk of newly disclosed vulnerabilities,” says Sandy Radesky, the agency’s associate director for vulnerability management. Rather than just filling the gap, she emphasizes that Vulnrichment was established to provide unique additional information, like recommended actions for specific stakeholders, and to “reduce dependency of the federal government’s role to be the sole provider of vulnerability enrichment.”

Meanwhile, NIST has scrambled to hire contractors to help clear the backlog. Despite a return to pre-crisis processing levels, a boom in vulnerabilities newly disclosed to the NVD has outpaced these efforts. Currently, over 25,000 vulnerabilities await processing – nearly 10 times the previous high in 2017, according to data from software company Anchore. Before that, the NVD largely kept pace with CVE publications, maintaining a minimal backlog.

“Things have been disruptive, and we’ve been going through times of change across the board,” Matthew Scholl, then chief of the computer security division in NIST’s Information Technology Laboratory, said at an industry event in April. “Leadership has assured me and everyone that NVD is and will continue to be a mission priority for NIST, both in resourcing and capabilities.” Scholl left NIST in May after 20 years at the agency, and NIST declined to comment on the backlog. 

The situation has now prompted multiple government actions, with the Department of Commerce launching an audit of the NVD in May and House Democrats calling for a broader probe of both programs in June. But the damage to trust is already transforming geopolitics and supply chains as security teams prepare for a new era of cyber risk. “It’s left a bad taste, and people are realizing they can’t rely on this,” says Rose Gupta, who builds and runs enterprise vulnerability management programs. “Even if they get everything together tomorrow with a bigger budget, I don’t know that this won’t happen again. So I have to make sure I have other controls in place.”

As these public resources falter, organizations and governments are confronting a critical weakness in our digital infrastructure: Essential global cybersecurity services depend on a complex web of US agency interests and government funding that can be cut or redirected at any time.

Security haves and have-nots

What began as a trickle of software vulnerabilities in the early Internet era has become an unstoppable avalanche, and the free databases that have tracked them for decades have struggled to keep up. In early July, the CVE database crossed over 300,000 catalogued vulnerabilities. Numbers jump unpredictably each year, sometimes by 10% or much more. Even before its latest crisis, the NVD was notorious for delayed publication of new vulnerability analyses, often trailing private security software and vendor advisories by weeks or months.

Gupta has watched organizations increasingly adopt commercial vulnerability management (VM) software that includes its own threat intelligence services. “We’ve definitely become over-reliant on our VM tools,” she notes, describing security teams’ growing dependence on vendors like Qualys, Rapid7, and Tenable to supplement or replace unreliable public databases. These platforms combine their own research with various data sources to create proprietary risk scores that help teams prioritize fixes. But not all organizations can afford to fill the NVD’s gap with premium security tools. “Smaller companies and startups, already at a disadvantage, are going to be more at risk,” she explains. 

Komal Rawat, a security engineer in New Delhi whose mid-stage cloud startup has a limited budget, describes the impact in stark terms: “If NVD goes, there will be a crisis in the market. Other databases are not that popular, and to the extent they are adopted, they are not free. If you don’t have recent data, you’re exposed to attackers who do.”

The growing backlog means new devices could be more likely to have vulnerability blind spots—whether that’s a Ring doorbell at home or an office building’s “smart” access control system. The biggest risk may be “one-off” security flaws that fly under the radar. “There are thousands of vulnerabilities that will not affect the majority of enterprises,” says Gupta. “Those are the ones that we’re not getting analysis on, which would leave us at risk.”

NIST acknowledges it has limited visibility into which organizations are most affected by the backlog. “We don’t track which industries use which products and therefore cannot measure impact to specific industries,” a spokesperson says. Instead, the team prioritizes vulnerabilities on the basis of CISA’s known exploits list and those included in vendor advisories like Microsoft Patch Tuesday.

The biggest vulnerability

Brian Martin has watched this system evolve—and deteriorate—from the inside. A former CVE board member and an original project leader behind the Open Source Vulnerability Database, he has built a combative reputation over the decades as a leading historian and practitioner. Martin says his current project, VulnDB (part of Flashpoint Security), outperforms the official databases he once helped oversee. “Our team processes more vulnerabilities, at a much faster turnaround, and we do it for a fraction of the cost,” he says, referring to the tens of millions in government contracts that support the current system. 

When we spoke in May, Martin said his database contains more than 112,000 vulnerabilities with no CVE identifiers—security flaws that exist in the wild but remain invisible to organizations that rely solely on public channels. “If you gave me the money to triple my team, that non-CVE number would be in the 500,000 range,” he said.

In the US, official vulnerability management duties are split between a web of contractors, agencies, and nonprofit centers like the Mitre Corporation. Critics like Martin say that creates potential for redundancy, confusion, and inefficiency, with layers of middle management and relatively few actual vulnerability experts. Others defend the value of this fragmentation. “These programs build on or complement each other to create a more comprehensive, supportive, and diverse community,” CISA said in a statement. “That increases the resilience and usefulness of the entire ecosystem.”

As American leadership wavers, other nations are stepping up. China now operates multiple vulnerability databases, some surprisingly robust but tainted by the possibility that they are subject to state control. In May, the European Union accelerated the launch of its own database, as well as a decentralized “Global CVE” architecture. Following social media and cloud services, vulnerability intelligence has become another front in the contest for technological independence. 

That leaves security professionals to navigate multiple, potentially conflicting sources of data. “It’s going to be a mess, but I would rather have too much information than none at all,” says Gupta, describing how her team monitors multiple databases despite the added complexity. 

Resetting software liability

As defenders adapt to the fragmenting landscape, the tech industry faces another reckoning: Why don’t software vendors carry more responsibility for protecting their customers from security issues? Major vendors routinely disclose—but don’t necessarily patch—thousands of new vulnerabilities each year. A single exposure could crash critical systems or increase the risks of fraud and data misuse. 

For decades, the industry has hidden behind legal shields. “Shrink-wrap licenses” once forced consumers to broadly waive their right to hold software vendors liable for defects. Today’s end-user license agreements (EULAs), often delivered in pop-up browser windows, have evolved into incomprehensibly long documents. Last November, a lab project called “EULAS of Despair” used the length of War and Peace (587,287 words) to measure these sprawling contracts. The worst offender? Twitter, at 15.83 novels’ worth of fine print.

“This is a legal fiction that we’ve created around this whole ecosystem, and it’s just not sustainable,” says Andrea Matwyshyn, a US special advisor and technology law professor at Penn State University, where she directs the Policy Innovation Lab of Tomorrow. “Some people point to the fact that software can contain a mix of products and services, creating more complex facts. But just like in engineering or financial litigation, even the most messy scenarios can be resolved with the assistance of experts.”

This liability shield is finally beginning to crack. In July 2024, a faulty security update in CrowdStrike’s popular endpoint detection software crashed millions of Windows computers worldwide and caused outages at everything from airlines to hospitals to 911 systems. The incident led to billions in estimated damages, and the city of Portland, Oregon, even declared a “state of emergency.” Now, affected companies like Delta Airlines have hired high-priced attorneys to pursue major damages—a signal opening of the floodgates to litigation.

Despite the soaring number of vulnerabilities, many fall into long-established categories, such as SQL injections that interfere with database queries and buffer memory overflows that enable code to be executed remotely. Matwyshyn advocates for a mandatory “software bill of materials,” or S-BOM—an ingredients list that would let organizations understand what components and potential vulnerabilities exist throughout their software supply chains. One recent report found 30% of data breaches stemmed from the vulnerabilities of third-party software vendors or cloud service providers.

She adds: “When you can’t tell the difference between the companies that are cutting corners and a company that has really invested in doing right by their customers, that results in a market where everyone loses.”

CISA leadership shares this sentiment, with a spokesperson emphasizing its “secure-by-design principles,” such as “making essential security features available without additional cost, eliminating classes of vulnerabilities, and building products in a way that reduces the cybersecurity burden on customers.”

Avoiding a digital ‘dark age’

It will likely come as no surprise that practitioners are looking to AI to help fill the gap, while at the same time preparing for a coming swarm of cyberattacks by AI agents. Security researchers have used an OpenAI model to discover new “zero-day” vulnerabilities. And both the NVD and CVE teams are developing “AI-powered tools” to help streamline data collection, identification, and processing. NIST says that “up to 65% of our analysis time has been spent generating CPEs”—product information codes that pinpoint affected software. If AI can solve even part of this tedious process, it could dramatically speed up the analysis pipeline.

But Martin cautions against optimism around AI, noting that the technology remains unproven and often riddled with inaccuracies—which, in security, can be fatal. “Rather than AI or ML [machine learning], there are ways to strategically automate bits of the processing of that vulnerability data while ensuring 99.5% accuracy,” he says. 

AI also fails to address more fundamental challenges in governance. The CVE Foundation, launched in April 2025 by breakaway board members, proposes a globally funded nonprofit model similar to that of the internet’s addressing system, which transitioned from US government control to international governance. Other security leaders are pushing to revitalize open-source alternatives like Google’s OSV Project or the NVD++ (maintained by VulnCheck), which are accessible to the public but currently have limited resources.

As these various reform efforts gain momentum, the world is waking up to the fact that vulnerability intelligence—like disease surveillance or aviation safety—requires sustained cooperation and public investment. Without it, a patchwork of paid databases will be all that remains, threatening to leave all but the richest organizations and nations permanently exposed.

Matthew King is a technology and environmental journalist based in New York. He previously worked for cybersecurity firm Tenable.

Shape
Shape
Stay Ahead

Explore More Insights

Stay ahead with more perspectives on cutting-edge power, infrastructure, energy,  bitcoin and AI solutions. Explore these articles to uncover strategies and insights shaping the future of industries.

Shape

AMD launches AI-targeted PCIe cards for current servers

Instinct MI350P PCIe cards are available in air-cooled systems with up to eight accelerator cards, which makes them ideal for small, medium, and large AI models for inference and RAG pipelines. It has 144GB of high bandwidth memory 3e (HBM3E) running at up to 4TB/s. Performance is estimated at 2,299

Read More »

Energy Department to Invest $36 Million in Enhanced Oil Recovery Program at the University of North Dakota

WASHINGTON—The U.S. Department of Energy’s (DOE) Hydrocarbons and Geothermal Energy Office (HGEO) today announced the selection of a new project with $36 million in federal funding for the University of North Dakota’s Energy & Environmental Research Center to advance the commercial deployment of enhanced oil recovery (EOR) technologies in the Bakken shale formation. Through an integration of laboratory, modeling, artificial intelligence (AI), and field-based activities, the Bakken Enhanced Oil Recovery–Cracking the Code (Bakken EOR-CC) program will generate critical data and insights to enable efficient, large-scale implementation of carbon dioxide-based EOR. These efforts support President Trump’s commitment to American energy dominance by advancing technologies that increase domestic energy production and deliver affordable, reliable, and secure energy for the American people. “North Dakota has proven itself to be a leader in energy innovation, and the Bakken Enhanced Oil Recovery initiative builds on that legacy,” said DOE Assistant Secretary for the Hydrocarbons and Geothermal Energy Office Kyle Haustveit. “This program is essential to maximize the full potential of our valuable hydrocarbon resources in the Bakken. By ‘cracking the code,’ these integrated pilot projects will help establish a clear path for the broad commercial deployment of enhanced energy recovery across the nation. The Bakken formation holds the potential to unlock billions of barrels of oil—resources that can power energy independence for generations to come.” The Bakken, a key unconventional tight oil play in North Dakota, holds substantial potential for increased oil recovery. Currently, only about 10% of the oil in unconventional shale formations is typically recovered. 
The Bakken EOR-CC program is designed to evaluate EOR strategies, potentially unlocking billions of additional barrels of incremental oil and extending the life of the state’s coal-fired power plants by utilizing their captured carbon dioxide for EOR. The program is uniquely positioned to capitalize on knowledge generated through six EOR pilot projects,


OTC speakers say Venezuela reopening hinges on stability, legal clarity

The conversation comes as the Trump administration continues easing sanctions and encouraging American operators to re-engage with Venezuela’s oil and gas sector. Signs are growing that major international energy companies are reassessing opportunities in the country. ExxonMobil and ConocoPhillips have recently dispatched technical teams to evaluate oilfield infrastructure and upstream prospects, while Gulf Coast refiners have already increased imports of Venezuelan heavy crude. Panelists said the central question facing US energy companies is no longer whether Venezuela will reopen, but whether the conditions, pace, and overall risk profile of that reopening are sufficient to support large-scale, long-term capital investment. Speakers noted that Venezuela’s appeal extends far beyond short-term political change. The country holds one of the world’s largest and most diverse hydrocarbon resource bases, including extra-heavy crude in the Orinoco Belt, conventional light and medium oil, and significant offshore natural gas resources. The opportunity lies not only in the size of the resource base, but also in the long-term development potential, the panelists said. However, years of underinvestment, deteriorating infrastructure, and labor losses mean rebuilding the sector will require significant technical expertise and sustained capital commitments. Oilfield service companies are expected to play an important role if activity accelerates, particularly in offshore gas, heavy oil upgrading, drilling services, and infrastructure rehabilitation. Recent reports indicate service providers have already begun reactivating rigs and equipment stored in Venezuela in anticipation of renewed activity. Speakers emphasized that investors are seeking stable policies and durable legal frameworks before committing capital at scale. Trust in Venezuela’s legal and regulatory system remains weak following years of expropriations and contract disputes. 
Companies must evaluate not only Venezuela’s domestic political outlook, but also the broader geopolitical dynamics involving the US and China, Borrego noted. China’s long-standing investments and influence in Venezuela’s energy sector were referenced as an important


NNPC advances rehab, expansion plans for idled refineries

Nigeria National Petroleum Corp. Ltd. (NNPC) has entered a memorandum of understanding (MOU) with China-based Sanjiang Chemical Co. Ltd. and Xinganchen (Fuzhou) Industrial Park Operation and Management Co. Ltd. for collaboration via a potential technical equity partnership to support ongoing rehabilitation and expansion plans at two of its currently idled in-country refining complexes. Announced in early May, the MOU’s proposed framework covers unspecified remaining rehabilitation works at subsidiary Warri Refining & Petrochemical Co. Ltd.’s (WRPC) 125,000-b/sd refinery in Nigeria’s Delta State and Port Harcourt Refining Co. Ltd.’s (PHRC) 60,000-b/sd hydroskimming refinery at Alesa-Eleme near Port Harcourt in Rivers State, NNPC said. Alongside operating and maintenance activities to help the sites achieve best-in-class, sustainable performance, the MOU also outlines proposed expansions and upgrades at both refineries to enable production of cleaner, higher-valued products, according to the company. While NNPC did not clarify the nature of expansion and upgrading plans for either of the refining sections of the sites, the operator said the potential collaboration with Sanjiang Chemical and Xinganchen (Fuzhou) Industrial Park also would weigh options for expanding the two complexes’ petrochemical capabilities, as well as future development of co-located, gas-based industrial hubs at the two locations. NNPC said formal signing of the MOU follows more than 6 months of technical and management discussions with the two Chinese firms to develop a roadmap for restoring sustained, high-performance manufacturing operations at both sites.
The MOU comes as part of NNPC’s broader mission to identify potential privately held technical equity partners to help support rehabilitation and expansion of its existing but nonoperational refining infrastructure, which ideally would include a willingness to evaluate opportunities for adding co-located petrochemical production and gas-based industries at the sites, the operator said. The agreement with Sanjiang Chemical and Xinganchen (Fuzhou) Industrial Park follows NNPC’s announcement earlier


Oil prices touch 4-year high as Iran crisis continues

Brent crude briefly surged above $126/bbl on Apr. 30, marking a 4-year high, as escalating tensions surrounding the Iran conflict intensified concerns over prolonged disruptions to Middle East oil flows. The price spike reflects a market increasingly driven by geopolitical risk. The ongoing US–Iran standoff has effectively curtailed shipping activity through the Strait of Hormuz, a critical artery for global crude trade, with negotiations showing little progress toward reopening the route. President Donald Trump reiterated that a US naval blockade of Iran would remain in place until Tehran abandons its nuclear ambitions, reinforcing expectations of a prolonged supply disruption. Amid these disruptions, US crude exports have surged, highlighting the country’s growing role as a global swing supplier. According to the US Energy Information Administration (EIA), US crude exports rose to a record 6.44 million b/d in the latest reporting week, driving the US to become a net crude exporter on a weekly basis for the first time since World War II. The shift was accompanied by a 6.2 million-bbl draw in US commercial crude inventories, underscoring the tightness in global supply as buyers in Europe and Asia turn to US barrels to offset Middle East disruptions. Meanwhile, policy and macroeconomic signals added another layer of complexity. The Federal Reserve held interest rates steady in its Apr. 29 meeting, citing persistent uncertainty around inflation and growth, particularly as higher energy prices threaten to feed into broader economic conditions. US gasoline prices have followed crude higher, rising to $4.30/gal on Apr. 30, reflecting tightening refined product balances ahead of the summer driving season.


Expand Energy prepared to slow completion work if prices weaken further

Expand produced nearly 7.44 bcfed during the first quarter (93% natural gas), which was up nearly 10% from the first three months of 2025. Of that production, 46% came from assets in the Haynesville basin (up from about 39% a year earlier), 37% from Northeast Appalachia and the remainder from Southwest Appalachia. Wichterich, who in February replaced Nick Dell’Osso while Expand’s directors search for a new permanent leader, is looking to have full-year 2026 production average about 7.5 bcfed while deploying between 11 and 12 rigs and six to seven completion crews. The current quarter will feature some seasonal curtailments, executives said, and production is expected to remain flat from early this year. “We are in the right place at the right time,” Wichterich said on the conference call. “Our assets are reaching 90% of the expected demand growth in this country and our Haynesville [operation] is sitting at the epicenter of growth because of the LNG market. We think we are in the best position to take advantage of that.” On the LNG front, Expand executives this week signed a 20-year sales and purchase agreement with Delfin FLNG Vessel 1 that calls for Expand to supply about 1.15 million tpa. That contract replaces previous deals with Delfin and Gunvor Group and calls for the gas to be sold at a Henry Hub price and to start flowing in 2031. Expand produced a first-quarter net profit of $1.16 billion on total revenues of $4.4 billion. Those numbers were an improvement from early 2025, when the company lost $249 million on $2.2 billion in sales, the latter figure hampered by $1 billion loss on derivatives. Shares of Expand (Ticker: EXE) were up nearly 3% to about $99.50 in afternoon trading on April 29. Over the last six months, they’re essentially flat


Woodside appoints Lonnie as EVP, COO Australia

Woodside Energy has appointed Breyden Lonnie as executive vice-president and chief operating officer Australia. Lonnie has acted in the role since December 2025, with responsibility for Woodside’s portfolio of operations and projects in Western Australia and the Bass Strait. He joined the company in 2005. Prior, Lonnie—who has 24 years of industry experience in engineering, operations, planning, and management roles in Australia and internationally—served as Woodside’s vice-president North West Shelf. In a post to his LinkedIn account, Lonnie said “2026 will be an important year for [Woodside’s] Australian business, with a strong focus on disciplined operations, progressing Scarborough toward first LNG and taking operatorship of the Gippsland Basin Joint Venture.”


AWS hit by US-East-1 outage after data center thermal event

AWS shifted traffic away from the affected zone for most services and warned of longer-than-usual provisioning times. As the evening progressed, the company struggled to bring temperatures down. By 6:47 PM PDT, AWS warned that “Other AWS services that depend on the affected EC2 instances and EBS volumes in this Availability Zone may also experience impairments,” and at 8:06 PM PDT, it conceded that “progress is slower than originally anticipated,” recommending that customers needing immediate recovery restore from EBS snapshots or launch resources in unaffected zones. By 10:11 PM PDT, AWS reported “incremental progress to restore cooling systems” but said users were still “experiencing elevated error rates and latencies for some workflows.” The May 7 incident is not the first time US-EAST-1 has gone down. The region suffered two outages in October 2025, including a 15-hour disruption on October 19 and 20 caused by a race condition in DynamoDB’s automated DNS management system that affected over 70 AWS services and produced cascading failures across Slack, Atlassian, Snapchat, and other dependent services. AWS regions in Ohio have also experienced power-related outages tied to EC2 instances in past years.


Lumen advances cloud networking vision with $475M Alkira buy

Lumen puts its total addressable market at approximately $70 billion once Alkira’s international and cloud-to-cloud coverage is included. “Alkira is a bull’s eye in terms of strategic alignment and value creation,” Johnson said. “For Lumen, we expect it to dramatically accelerate our road map execution from years to months.”

How the architecture works

Alkira operates as a cloud-native, carrier-agnostic control plane. Rather than relying on physical hardware at each interconnection point, it uses a virtual port model that lets enterprises design, deploy and manage network connectivity across clouds, data centers and on-premises environments through a single interface. Alkira is distinct from Lumen’s existing Project Berkeley, which introduces fabric ports for building-to-cloud on-ramp connectivity. “Fabric ports is about enabling building on-prem to be able to connect to the cloud and to be able to grow those services in a cloud economic way,” Johnson said. “The Alkira platform really focuses on the East-West interconnect. So that’s data center-to-data center, cloud-to-cloud, so they operate with more of a virtual port kind of a model, and it’s better together.” Lumen’s Multi-Cloud Gateway bridges the two domains, enabling customers to connect any cloud and any data center over Lumen’s private network. After close, Multi-Cloud Gateway and Alkira together are intended to give customers a single control plane for routing, policy and security across both north-south and east-west connectivity.


Data Center Jobs: Engineering, Construction, Commissioning, Sales, Field Service and Facility Tech Jobs Available in Major Data Center Hotspots

Each month Data Center Frontier, in partnership with Pkaza, posts some of the hottest data center career opportunities in the market. Here’s a look at some of the latest data center jobs posted on the Data Center Frontier jobs board, powered by Pkaza Critical Facilities Recruiting. Looking for Data Center Candidates? Check out Pkaza’s Active Candidate / Featured Candidate Hotlist Power Applications Engineer Pittsburgh, PA This position is also available in: Denver, CO; Andrews, SC and remotely. Our client is a leading provider and manufacturer of industrial electrical power equipment used in industrial applications for mission critical operations. They help their customers save money by reducing energy and operating costs and provide solutions for modernizing their customer’s existing electrical infrastructure. This company provides cooling solutions to many of the world’s largest organizations and government facilities and enterprise clients, colocation providers and hyperscale companies. This career-growth minded opportunity offers exciting projects with leading-edge technology and innovation as well as competitive salaries and benefits. Electrical Commissioning Engineer New Albany, OH This traveling position is also available in: New York, NY; White Plains, NY;  Dallas, TX; Richmond, VA; Ashburn, VA; Montvale, NJ; Charlotte, NC; Atlanta, GA; Hampton, GA; Cedar Rapids, IA; Phoenix, AZ; Salt Lake City, UT; Kansas City, MO; Omaha, NE; Chesterton, IN or Chicago, IL. *** ALSO looking for a LEAD EE and ME CxA Agents and CxA PMs. ***  Our client is an engineering design and commissioning company that has a national footprint and specializes in MEP critical facilities design. They provide design, commissioning, consulting and management expertise in the critical facilities space. 
They have a mindset to provide reliability, energy efficiency, sustainable design and LEED expertise when providing these consulting services for enterprise, colocation and hyperscale companies. This career-growth minded opportunity offers exciting projects with leading-edge technology and innovation as well as


Switch storm coming: Gartner forecasts price hikes, long lead times for enterprise data center switches

“If you’re a vendor and you’re doing what you’re supposed to do, you want to capture the growth,” he says. Zeus Kerravala, founder and principal analyst with ZK Research, agrees. “Cisco, Arista, Juniper and those companies that build data center equipment, make no mistake, their resources are directed towards AI first because they want to be part of those big buildouts,” he says. “There’s a lot of money being poured into neoclouds, things like that. They’ve reprioritized the resources based on where market demand is.”

Price hikes, long lead times, sketchy support

The repercussions for companies with traditional data centers include higher prices, long lead times, and perhaps subpar support. Gartner predicts switch price increases of 15% to 40%, largely the result of resource constraints, and lead times of three to nine months, up from one to two months in mid-2025. Constraints should ease by around the middle of next year, but don’t expect prices to come down. “Generally speaking, vendors have no consistent track record of reducing prices in these networking markets,” Lerner says. At the same time, with vendors dedicating scarce engineering talent to AI, they likely won’t invest in significant innovations for non-AI switch families. The same goes for support.


Build Fast, Pay Your Way: Washington’s AI Infrastructure Doctrine

In the first quarter of 2026, the U.S. government made one point unmistakable. Washington wants more data center capacity, more AI infrastructure, and more domestic power. But it no longer views these projects as conventional commercial real estate. Across the White House, DOE, FERC, EPA, EIA, and the federal permitting apparatus, data centers are now being treated as strategic infrastructure. That designation brings tangible support in the form of faster permitting, access to federal land, and a more explicit embrace of large-scale power development. It also comes with conditions: stricter expectations around who funds transmission upgrades, who provides new generation, how water is managed, and how much operational data operators must disclose. This is the new federal posture: accelerate the buildout, but impose discipline on its consequences. Washington is not pulling back in the face of local opposition. It is pushing forward, while making clear that the next phase of data center growth must carry its own infrastructure burden.

Who Will Pay?

The question is no longer whether the United States will support the next wave of hyperscale and AI campus construction. The question is under what terms, and whether utilities, communities, and ratepayers will be asked to subsidize it. The outcome of that debate will be set less by local politics than by the federal rules now taking shape. The clearest signal came on March 4, when President Trump announced the “Ratepayer Protection Pledge.” Amazon, Google, Meta, Microsoft, OpenAI, Oracle, and xAI committed to “build, bring, or buy” new generation for their data centers and to fund the full cost of required grid and transmission upgrades. The administration also said those companies would coordinate with grid operators to provide backup generation in emergencies. The message was direct: data centers can grow, but the costs and reliability risks tied to


300 MW Hyperscaler Lease Validates Applied Digital’s AI Infrastructure Financing Model

The Model Behind the Lease

Applied Digital is packaging a full development solution for AI infrastructure: site, utility access, power distribution, cooling systems, and a financing framework capable of supporting multi-hundred-megawatt deployments. The approach reduces the integration burden on hyperscale customers and aligns delivery with the scale and timelines of AI demand. The Delta Forge 1 lease indicates that at least one major hyperscaler is willing to commit to that model on a long-term basis. The scale of the agreement reinforces that point. The lease accounts for 300 MW within a 430 MW campus, with capacity structured across two 150 MW buildings. The agreement spans two leases and includes three five-year renewal options, establishing a long-duration footprint at the site. This level of commitment effectively anchors the first phase of Delta Forge 1 and provides a clear validation of the campus’s initial buildout.

Financing Follows the Lease

Applied Digital paired the Delta Forge 1 tenant announcement with a financing update that underscores the link between signed demand and capital formation. The company expects to secure up to $600 million in additional funding, including a senior secured bridge facility of up to $300 million to support continued development at Polaris Forge 1, along with a $300 million revolving credit facility for development, working capital, and transaction expenses. The structure highlights how hyperscaler commitments can be translated into financing capacity across a broader platform. The Delta Forge 1 lease functions as a catalyst for the next phase of capital deployment. That momentum builds on a financing-heavy stretch. In its April 8 fiscal third-quarter results, Applied Digital disclosed a $2.15 billion private offering of 6.750% senior secured notes due 2031 to support Polaris Forge 2. The company also detailed credit enhancements tied to CoreWeave leases at Polaris Forge 1 following an investment-grade A3


Microsoft will invest $80B in AI data centers in fiscal 2025

And Microsoft isn’t the only one that is ramping up its investments into AI-enabled data centers. Rival cloud service providers are all investing in either upgrading or opening new data centers to capture a larger chunk of business from developers and users of large language models (LLMs). In a report published in October 2024, Bloomberg Intelligence estimated that demand for generative AI would push Microsoft, AWS, Google, Oracle, Meta, and Apple to devote $200 billion between them to capex in 2025, up from $110 billion in 2023. Microsoft is one of the biggest spenders, followed closely by Google and AWS, Bloomberg Intelligence said. Its estimate of Microsoft’s capital spending on AI, at $62.4 billion for calendar 2025, is lower than Smith’s claim that the company will invest $80 billion in the fiscal year to June 30, 2025. Both figures, though, are way higher than Microsoft’s 2020 capital expenditure of “just” $17.6 billion. The majority of the increased spending is tied to cloud services and the expansion of AI infrastructure needed to provide compute capacity for OpenAI workloads. Separately, last October Amazon CEO Andy Jassy said his company planned total capex spend of $75 billion in 2024 and even more in 2025, with much of it going to AWS, its cloud computing division.


John Deere unveils more autonomous farm machines to address skill labor shortage

Self-driving tractors might be the path to self-driving cars. John Deere has revealed a new line of autonomous machines and tech across agriculture, construction and commercial landscaping. The Moline, Illinois-based John Deere has been in business for 187 years, yet it’s been a regular as a non-tech company showing off technology at the big tech trade show in Las Vegas and is back at CES 2025 with more autonomous tractors and other vehicles. This is not something we usually cover, but John Deere has a lot of data that is interesting in the big picture of tech. The message from the company is that there aren’t enough skilled farm laborers to do the work that its customers need. It’s been a challenge for most of the last two decades, said Jahmy Hindman, CTO at John Deere, in a briefing. Much of the tech will come this fall and after that. He noted that the average farmer in the U.S. is over 58 and works 12 to 18 hours a day to grow food for us. And he said the American Farm Bureau Federation estimates there are roughly 2.4 million farm jobs that need to be filled annually; and the agricultural work force continues to shrink. (This is my hint to the anti-immigration crowd). John Deere’s autonomous 9RX Tractor. Farmers can oversee it using an app. While each of these industries experiences their own set of challenges, a commonality across all is skilled labor availability. In construction, about 80% of contractors struggle to find skilled labor. And in commercial landscaping, 86% of landscaping business owners can’t find labor to fill open positions, he said. “They have to figure out how to do


2025 playbook for enterprise AI success, from agents to evals

2025 is poised to be a pivotal year for enterprise AI. The past year has seen rapid innovation, and this year will see the same. This has made it more critical than ever to revisit your AI strategy to stay competitive and create value for your customers. From scaling AI agents to optimizing costs, here are the five critical areas enterprises should prioritize for their AI strategy this year.

1. Agents: the next generation of automation

AI agents are no longer theoretical. In 2025, they’re indispensable tools for enterprises looking to streamline operations and enhance customer interactions. Unlike traditional software, agents powered by large language models (LLMs) can make nuanced decisions, navigate complex multi-step tasks, and integrate seamlessly with tools and APIs. At the start of 2024, agents were not ready for prime time, making frustrating mistakes like hallucinating URLs. They started getting better as frontier large language models themselves improved. “Let me put it this way,” said Sam Witteveen, cofounder of Red Dragon, a company that develops agents for companies, and that recently reviewed the 48 agents it built last year. “Interestingly, the ones that we built at the start of the year, a lot of those worked way better at the end of the year just because the models got better.” Witteveen shared this in the video podcast we filmed to discuss these five big trends in detail. Models are getting better and hallucinating less, and they’re also being trained to do agentic tasks. Another feature that the model providers are researching is a way to use the LLM as a judge, and as models get cheaper (something we’ll cover below), companies can use three or more models to


OpenAI’s red teaming innovations define new essentials for security leaders in the AI era

OpenAI has taken a more aggressive approach to red teaming than its AI competitors, demonstrating its security teams’ advanced capabilities in two areas: multi-step reinforcement and external red teaming. OpenAI recently released two papers that set a new competitive standard for improving the quality, reliability and safety of AI models in these two techniques and more. The first paper, “OpenAI’s Approach to External Red Teaming for AI Models and Systems,” reports that specialized teams outside the company have proven effective in uncovering vulnerabilities that might otherwise have made it into a released model because in-house testing techniques may have missed them. In the second paper, “Diverse and Effective Red Teaming with Auto-Generated Rewards and Multi-Step Reinforcement Learning,” OpenAI introduces an automated framework that relies on iterative reinforcement learning to generate a broad spectrum of novel, wide-ranging attacks.

Going all-in on red teaming pays practical, competitive dividends

It’s encouraging to see competitive intensity in red teaming growing among AI companies. When Anthropic released its AI red team guidelines in June of last year, it joined AI providers including Google, Microsoft, Nvidia, OpenAI, and even the U.S.’s National Institute of Standards and Technology (NIST), which all had released red teaming frameworks. Investing heavily in red teaming yields tangible benefits for security leaders in any organization. OpenAI’s paper on external red teaming provides a detailed analysis of how the company strives to create specialized external teams that include cybersecurity and subject matter experts. The goal is to see if knowledgeable external teams can defeat models’ security perimeters and find gaps in their security, biases and controls that prompt-based testing couldn’t find.
What makes OpenAI’s recent papers noteworthy is how well they define using human-in-the-middle
