Patch Like Liberty Depends on It (Because It Does)
United States – April 14, 2026 – CISA flagged exploited bugs in common software, and our national reflex is still to hit snooze until the breach alarm rings.
I spent part of last night in the usual American cathedral: the laptop glow, the dusty civics habit, and that faint scent of bureaucratic paper cuts. Somewhere, someone was probably saying “national security” like a magic word and hoping nobody checks the trap door.
But the trap door is not theoretical. It is patched, unpatched, and exploited in the wild.
CISA updated the “patch this now” list
On April 13, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog, the government’s running ledger of flaws attackers are actually using. Multiple reports describe the update as a batch of six vulnerabilities across Microsoft, Adobe, and Fortinet, with a remediation deadline of April 27 for federal civilian agencies.
Two details matter for anyone who likes their systems stable and their liberties intact:
- Some of this is old. One vulnerability cited in coverage dates back to 2012.
- Some of this is everyday infrastructure. Coverage points to issues tied to Windows and Exchange Server, plus Adobe Acrobat/Reader, and Fortinet software used to manage endpoints.
There is also a small but telling disagreement in public reporting about the count: some outlets describe a seventh CVE (an Adobe Acrobat/Reader issue) in addition to the six listed elsewhere. Inside baseball, sure. But it is also a snapshot of the broader problem: the vulnerability ecosystem is noisy, and patch discipline is uneven enough that even counting the fires can become an argument.
The tradeoff: fewer breaches now, or more surveillance later
When basic cyber hygiene fails, the political sequel is predictable: emergency purchases, expanded monitoring, broader logging, more data sharing, and “temporary” authorities that stick around like glitter after a parade.
Patching is boring. It is also the cheapest civil-liberties policy you can buy, because the pressure after a breach rarely lands on the neglected patch queue first. It lands on the public’s privacy, with new proposals to scan more, retain more, and watch more “for safety.”
The Orwell check
Watch the language. “Visibility” can mean sensible asset inventory. It can also mean permanent inspection. “Threat hunting” can be narrow, measured, and audited. It can also become a polite euphemism for fishing expeditions once the tools exist and the fear is fresh.
The liberty ledger (and one nuance)
Who pays when exploited vulnerabilities linger? Regular people: their medical records, tax data, credentials, small businesses, and privacy. Who wins? Attackers, and the folks who treat security like a quarterly mood.
One nuance: CISA’s KEV process is a prioritization tool, not a crystal ball. CISA has emphasized that adding a vulnerability to KEV does not always mean the agency is seeing active exploitation at that exact moment.
The Paine test and the guardrails
Do we want a future where preventable cyber failures concentrate more power in centralized monitoring, or one where institutions do the basics well enough that they stop asking for new powers every time the roof leaks?
Guardrails that help without building a digital panopticon:
- Mandatory, public, plain-English patch performance reporting against KEV items.
- Procurement muscle: demand secure defaults, long support windows, and rapid fixes, or stop buying repeat offenders.
- Defensive monitoring tied to due process: scoped, audited, access-controlled, and retention-limited. No forever logs “just in case.”
Liberty loves boring. What would it take for your organization, or your government, to treat patching exploited vulnerabilities as a civil-liberties obligation instead of an IT chore?