Black Hat USA – Las Vegas – During a panel at Black Hat USA, Chris Butera, Acting Executive Assistant Director for the Cybersecurity Division at the Cybersecurity and Infrastructure Security Agency (CISA), and Bob Costello, the agency's Chief Information Officer, reiterated their commitment to the Common Vulnerabilities and Exposures (CVE) program, following industry fears in April 2025 that it would be shut down.
“We are heavily invested in the CVE program,” Costello said. “We are going to continue to fund the CVE program and continue to improve the CVE program. It is really central to all of our cybersecurity operations.”
The Known Exploited Vulnerabilities (KEV) catalog prioritizes actively exploited vulnerabilities, using stakeholder-specific categorization to guide rapid patching.
“It really helps organizations prioritize the vulnerabilities that they need to patch the fastest,” Butera explained, referencing emergency directives for federal agencies to patch Citrix Bleed and SharePoint vulnerabilities within 24 hours.
Read on for more key takeaways from the panel.
AI: Enhancing Defense, Addressing Risks
CISA is also harnessing AI to shift the cybersecurity advantage to defenders while securing AI systems against misuse, the panellists said:
- AI for cybersecurity: Partnering with vendors, CISA integrates generative AI tools like Copilot to enhance threat hunting and vulnerability management. “AI is going to really enable us to do a lot more things faster,” Costello said, noting its role in simplifying data queries for analysts. Recent efforts include using AI-driven automation for CISA’s cyber mission systems to reduce reliance on multiple query languages.
- Securing AI systems: Through the Joint Cyber Defense Collaborative (JCDC), CISA collaborates with the wider industry to mitigate AI risks. A 2024 JCDC playbook guides AI incident response, and partnerships with DARPA address innovation gaps. “We are very involved in securing AI systems,” Butera emphasized, highlighting regular JCDC AI security group meetings.
Key Points From The Discussion
- Operational collaboration: CISA’s “team sport” approach relies on industry, ISACs, and interagency partners. The Cybersecurity Information Sharing Act of 2015, pending reauthorization, is vital for trust-building. “Trust is the coin of the realm,” Costello paraphrased, urging Congress to act to avoid setbacks.
- State and local support: A $100 million grant program supports state, local, tribal, and territorial cybersecurity. “We’re really excited that those state and local governments can help use those funds to secure their networks,” Butera said. A new portal will streamline access to cyber hygiene services, with 100+ advisors aiding 11,000 customers.
- Cultural resilience: CISA assumes breach daily, fostering a failure-tolerant culture. “We don’t assume blame when a breach happens. It’s how do we respond to it?” Costello said, emphasizing resilience over prevention.
- Industry engagement: A forthcoming industry engagement portal will simplify collaboration. “It’s imperative on us when we purchase a tool or solution to make sure we’re fully utilizing it,” Costello stressed, advocating for deep vendor rapport and fearless innovation.
- Eviction strategies tool: This open-source tool, released last week, maps intrusions to the MITRE ATT&CK framework for containment and recovery. “It builds an actual eviction and recovery plan for you,” Butera noted, encouraging its use for tabletop exercises to minimize blast radius.
- Critical infrastructure protection: CISA targets internet-exposed industrial control systems, contacting 3,000+ entities with an 80% success rate in disconnection. “We continue to try to remove control systems that are directly connected to the internet,” Butera highlighted, leveraging administrative subpoena authority.
- Evolving adversary tactics: Nation states (e.g., China’s pre-positioning in critical infrastructure) and groups like Scattered Spider leverage AI for social engineering and living-off-the-land techniques. “We continue to see the adversary exploit vulnerabilities faster than we’ve ever seen,” Butera warned, noting increased difficulty in detection.
- Rapid operational response: CISA issued an emergency directive for Microsoft Exchange and 10 industrial control system alerts during Black Hat week, responding to a SharePoint vulnerability within hours. “We had people who were called up on Saturday morning when we got these reports,” Butera recounted, underscoring close coordination with Microsoft and regional staff.
“We’re not retreating. We’re advancing in a new direction,” Costello said.