Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

Black Hat 2025: CISA’s Playbook for Defending Critical Systems with Chris Butera and Bob Costello

Season 2 Episode 31 •

Show Notes

In this special Cyber Focus episode recorded at Black Hat 2025, host Frank Cilluffo sits down with two senior leaders from the Cybersecurity and Infrastructure Security Agency (CISA): Chris Butera, a more than decade-long CISA veteran currently serving as Acting Director of the Cybersecurity Division, and Bob Costello, the agency’s Chief Information Officer. They discuss how CISA is adapting its mission in the face of evolving threats, budget pressures, and leadership changes, while maintaining a rapid operational tempo. Topics include the agency’s fast-turn vulnerability response through the Known Exploited Vulnerabilities (KEV) catalog, expansion and quality focus of the Common Vulnerabilities and Exposures (CVE) program, and the push to strengthen operational technology (OT) security. The conversation also explores resilience strategies like CISA’s new eviction tool, deepening public-private operational collaboration, securing supply chains, and the importance of reauthorizing the Cybersecurity and Information Sharing Act.

Main Topics Covered

  • CISA’s mission, workforce, and adapting to leadership and budget changes
  • Rapid vulnerability response and the Known Exploited Vulnerabilities (KEV) catalog
  • Threat landscape, including nation-state actors and OT security
  • Operational collaboration with industry, JCDC, and new IT platforms
  • CVE program growth and automation for vulnerability management
  • Resilience strategies, eviction tool, and micro-segmentation
  • Supply chain security and Secure by Demand guidance
  • SLTT cybersecurity grants and field support
  • Importance of reauthorizing the Cybersecurity and Information Sharing Act (2015)

Key Quotes:

  • “I’m really honored to work with some of the most experienced cyber professionals I think that exists anywhere in the world… We’re seeing people step up into new roles, leadership positions, work on new technical projects that maybe they weren’t before. And we’re just hitting grand slams every day.” – Bob Costello
  • “[I ask organizations] ‘How can you continue your mission without access to some of your critical systems? Whether these are your billing systems, your IT systems, your even just access to the Internet.’ And I think a lot of organizations don’t have those kind of plans in place or can’t function in those cases.” – Chris Butera
  • “One of the things that we are trying to do every single day is remove some of those OT systems from the Internet. That is a very critical step that we think that there are very few business cases where you should have an OT system connected directly to the Internet.” – Chris Butera
  • “We absolutely support reauthorization of [CISA 2015 authorities]… collaboration is what we’re all about. We talk about cyber being a team sport and this helps make all the teams play a lot better together.” – Bob Costello
  • “I think we all need to think about [supply chains] a lot differently. And it’s across the board, whether it’s open source, closed source, or hardware, everything is kind of linked together, and often we don’t know where those linkages are.” – Bob Costello

Relevant Links and Resources:

Guest Bios:

  • Chris Butera is Associate Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), where he oversees operational efforts to protect the nation’s critical infrastructure from cyber threats.
  • Bob Costello is Chief Information Officer at CISA, leading the agency’s enterprise IT systems, collaboration platforms, and secure information-sharing initiatives with public and private sector partners.

Transcript

1
00:00:00,000 –> 00:00:01,000
Frank Cilluffo [00:00:01]:
Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo and this week we are on the sidelines of Black Hat. Have the pleasure to sit down with two leaders at the Cybersecurity and Infrastructure Security Agency. And this episode is audio only. Just wanted to make it available to everyone because we’re all here together. So I have Chris Butera, who is the acting director of the Cybersecurity Division at CISA, and Bob Costello, who is the CIO, the Chief Information Officer. So, gentlemen, we just got off the stage, great discussion. Wanted to make it available to our listeners back at home and thought we’d start with sort of lots of reporting of late on the future of CISA, the mission today, where it’s going, and I thought it would be helpful to sort of put some context around this and any shifts you’ve seen and what does it mean for the future.

2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:01:06]:
We’ll start with you, Bob.

3
00:00:02,000 –> 00:00:03,000
Bob Costello [00:01:07]:
All right, Frank, thanks for being here. It was a great panel with you moderating and Chris, I think it’s always great to get off stage and reflect a little bit. I think what I am most excited about, we talked about it a little bit, just our amazing workforce. The technical depth that is at CISA is very deep. And I’m really honored to work with some of the, you know, the most experienced cyber professionals I think that exists anywhere in the world. I think where I really see us going, you know, I talked a little bit about this when we were there. We’re seeing people, you know, step up into new roles, leadership positions, work on new technical projects that maybe they weren’t before. And we’re just hitting, you know, grand slams every day.

4
00:00:03,000 –> 00:00:04,000
Bob Costello [00:01:53]:
Chris is gonna hit on a number of the things we’ve worked, I think just in the last three weeks, Chris. And I think what I’m excited about is we talked a little bit about it before that alumni committee that we’re building here at CISA. People have left CISA voluntarily through various programs, but they’re out there doing great things, rooting for us. And we have people here every day that are working 24 by 7 to advance the mission.

5
00:00:04,000 –> 00:00:05,000
Frank Cilluffo [00:02:17]:
You know, and I was remiss. And Chris, I’m going to pull you into that as well. Remiss to mention that you’re both battle tested veterans of CISA for quite some time. So just worth maybe giving a little bit of your backgrounds as well, Chris, if you want to do that.

6
00:00:05,000 –> 00:00:06,000
Chris Butera [00:02:32]:
Yeah, sure. So I’ve been at CISA for 11 years. I’ve really seen the agency grow and mature and the mission really grow and expand and the need for our agency continue to grow and expand. It’s been an amazing ride. You know, to Bob’s point, we have amazing talented workforce that I’m lucky to lead every single day and we continue to lean into our operational mission. To Bob’s point, we had a stream of significant vulnerabilities we’ve had to respond to recently and we’re trying to move faster. So like a few examples is when the Citrix bleed 2 vulnerability we found out that was being exploited. We did add that to our Known Exploited Vulnerabilities catalog which we call the kev.

7
00:00:06,000 –> 00:00:07,000
Chris Butera [00:03:13]:
The KEV is a tool to help organizations really prioritize their vulnerability management and specifically remediation for these vulnerabilities we know are being used by adversaries every single day for that specific vulnerability. It was the first time we had a 24 hour deadline for the federal agencies to patch. A few weeks later for the SharePoint vulnerabilities that some are calling Tool shell. We also added those to the kev with the 24 hour patch cycle as well. And then just today actually on the heels of vulnerability disclosure at Black Hat, we released an emergency directive to the federal agencies giving them until Monday to actually remediate some of the issues. If you have an exchange hybrid scenario with exchange on prem. And so we are really trying to move faster to stay to keep pace where we see the adversary moving even faster today as well.

8
00:00:07,000 –> 00:00:08,000
Frank Cilluffo [00:04:05]:
Awesome. And I think you both reaffirmed the commitment to the mission and the bottom line is the mission continues and the women and men at CISA are contributing to all of that. That said, it comes against a backdrop where there have been some significant budget cuts. There has been a lot of discussion about some leadership moving on from CISA. From both of your perspectives, I’d be curious how are you addressing some of that and what does it mean kind of going forward to ensure that CISIN can deliver on its mission?

9
00:00:08,000 –> 00:00:09,000
Bob Costello [00:04:41]:
Well, I think before discussing anything related to the budget, I think what I am seeing, sure there are people in acting positions, I’m acting in a position on one hat, Chris on the other, I think that this creates amazing opportunities for the next generation to get some experience and do different things. Like it’s never a hallmark of an organization of greatness if nobody leaves. And I think, you know, an opportunity right now that I’m seeing is we’re still working with some of those people that, that maybe have left as they’re moving on and doing, you know, great things or new positions, sometimes in government, sometimes externally. And that’s, you know, pretty darn exciting. And, you know, nothing is ever in life super uniform. We didn’t lose as many people in the cyber side. And I think that, you know, me and Chris had really good retention numbers .

10
00:00:09,000 –> 00:00:10,000
Frank Cilluffo [00:05:37]:
Actually, that’s really important to underscore.

11
00:00:10,000 –> 00:00:11,000
Bob Costello [00:05:39]:
Yeah, you know, nothing is uniform in life. And while those numbers might be out there and big, it wasn’t those same levels of percentages. You know, Chris maybe pivot to you on some of the other aspects.

12
00:00:11,000 –> 00:00:12,000
Chris Butera [00:05:56]:
So I think one of the most important things for us is how we can actually lean into help other partners helping us. And so we’re really reliant on industry to help us in this space, whether it’s sharing information with us, whether it’s them helping develop tooling that we are implementing in our networks or with some of our protections that we offer to other agencies and then also with our federal and international partners as well. And so I think we really, you’ll see a lot more. We continue to publish a lot of joint publications and guidance. We are the authors of a lot of those documents. But we also reliance on some of our partners to provide some of that expertise, deep technical expertise, to help make sure we’re providing the best recommendations and guidance for people to both better architect their networks to be secure as well as mitigate specific threats that we see from our adversaries.

13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:06:46]:
Excellent. And to put this sort of into context, you can’t do it without understanding the why. The bad guy has a vote in all of this. And I’d be curious what your thoughts are given the span of your time at both DHS and CISA. What surprised you most in terms of tactics, techniques and procedures you’re seeing, whether from the threat perspective, actor perspective, or vulnerability perspective. So anything come to mind? And then I want to make sure what should our infrastructure owner operators take away from this? What do they need to be most focused on?

14
00:00:13,000 –> 00:00:14,000
Chris Butera [00:07:24]:
Yeah, I can start with that. I think the biggest change I’ve seen is the complexity of networks that we are trying to defend. When I started in 2014, most of the entities I was working with had fully on prem networks. They had a perimeter defense setup, they had good telemetry, good monitoring at the perimeter. A lot of network traffic wasn’t even encrypted back then, so it was easier to defend those networks. One of the most effective tools back then was phishing and trying to defend against phishing was a big kind of thing that we focused on. Today we really see the adversary pivoting to attack both things like edge devices, other things that are on that attack surface, and then quickly pivot into the networks from there. And so I think what we have to do is really focus.

15
00:00:14,000 –> 00:00:15,000
Chris Butera [00:08:12]:
Again, what I was talking about earlier is how can we as defenders utilize automation to, to remediate faster to strengthen our defenses? We have to be using automation, artificial intelligence, kind of as defenders to help close some of those gaps that we have with the offense right now.

16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:08:31]:
Awesome. Bob, anything you want to add to that?

17
00:00:16,000 –> 00:00:17,000
Bob Costello [00:08:33]:
Yeah, I was just thinking, boy, me and Chris have been at this a long time, going back a few years and our landscape has changed on how we design systems and how we defend them. I think when we think of critical infrastructure, it is very important to remember that CISA is here to partner with them, help them defend their networks and understand them. We still see a lot of. My prior life at dhs, I worked with a lot of OT systems at the border and a lot of them don’t have those built in minimal things that we expect of things that would connect to the Internet or connect to any network. Sometimes you have to defend them or secure them differently. And I think we’re really committed to doing that here at CISA and we have a great field force out there that can help some of the critical infrastructure owners and operators. I think on the other aspect that I’m thinking about, you said the adversary gets a vote. I don’t know that I fully agree with that.

18
00:00:17,000 –> 00:00:18,000
Bob Costello [00:09:35]:
People that want to do us harm, whether it’s in our personal life or elsewhere, they only get a vote if we let it influence our decision. CISA is actively every day working to counter the adversary, but also allow us to recover from it and operate it in the event when a breach happens. And I think that’s something that I try and do internally at CISA is you asked me earlier on the stage what gets me up in the morning. It’s actually my dog, but.

19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:10:07]:
What kind of a dog?

20
00:00:19,000 –> 00:00:20,000
Bob Costello [00:10:08]:
He’s a half Chihuahua Terrier rescue. But we have to assume each day that we were breached, how do we micro segment our environment so that that blast radius should they get in is limited? And how do we normalize to a degree that it’s often not one person’s fault. They didn’t leave the door open, they didn’t leave a trail of breadcrumbs for the adversary to come in. How do we respond to that? How do we work together as a team to make sure that should someone get into your environment, as Chris mentioned too, we’re a lot more interconnected than we were years ago. We talk a lot about micro segmentation and zero trust, making sure that we’re constantly authenticating the devices on our networks. And the people who has access, do they need access to that? Is this access anomalous? Are they doing something that that device or person never has before? So I agree they get a vote. But I think it’s very important that people work with us to understand the threat and the harm that could happen should the adversary get in and work to limit that

21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:11:24]:
And assume and minimize the impact and consequence.

22
00:00:21,000 –> 00:00:22,000
Bob Costello [00:11:28]:
Exactly.

23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:11:29]:
And that gets to the resilience question. I mean, some similar analogies in the counterterrorism environment. They only have to be right once. We have to be right all the time. And the reality is we’re not going to ever be in a position where we can protect everything, everywhere, all the time, from every perpetrator and every modality of attack, but we can ameliorate the risk and we can minimize the consequence and impact. And I think that gets to a mission that most people aren’t fully aware that CISA takes near and dear. And that’s around resilience. Anything Chris, you want to add to that?

24
00:00:23,000 –> 00:00:24,000
Chris Butera [00:12:04]:
Yeah, I mean, we are the national coordinator for, for cybersecurity and resilience for critical infrastructure. It’s a big focus for, for us. And I think to Bob’s point, we are trying to do as much as possible to have people shift, not to take away focus from prevention, but we put a lot of resources there and to start investing more on the resilience side. So one of the things I always do when I’m talking to organizations is asking them questions about how can you continue your mission, whether you’re a company, whether you’re critical infrastructure owner or operator, how can you continue your mission without access to some of your critical systems, Whether these are your billing systems, your IT systems, your even just access to the Internet. And I think a lot of organizations don’t have those kind of plans in place or can’t function in those cases. And so it’s how can you build some of that resilience in ahead of time? And then the other piece I think I’d like to talk about is how do you actually, Bob talked about containment and how do we talk about eviction and recovery? So you have to assume that you will be a target, the adversary will get in, and how do you actually minimize the impact that they will have on your organization. So one of the great resources that we just released last week, we released an eviction strategies tool. The first that we know of the kind that someone can actually log onto our website and actually map either an actual incident that they’ve had and the techniques the threat actor used to get into their network and achieve their objectives, or even to utilize specific ttps that we publish in some of our advisories that we are aware of that threat actors are using.

25
00:00:24,000 –> 00:00:25,000
Chris Butera [00:13:38]:
And then what that tool will do is it will build a eviction and recovery playbook for our owners and operators to utilize for an actual incident. But you can also use it for planning, which is really great. So you can use that for a tabletop exercise to make sure your teams know how to do that. But you can also look at your IT infrastructure and say, am I ready to actually do these recovery exercises and eviction exercises? Because a lot of people aren’t ready to take those steps in both a synchronized and efficient way. We see recovery taking a very long time and being very expensive for a lot of organizations. So we hope this tool can help people be more ready for cyber incidents.

26
00:00:25,000 –> 00:00:26,000
Frank Cilluffo [00:14:16]:
Great. And Bob, I mean, as a CIO, do you heed your own advice?

27
00:00:26,000 –> 00:00:27,000
Bob Costello [00:14:21]:
We do. And you know, just to double tap on the eviction tool, it’s really good. You know, I don’t get a lot of time to be hands on keyboard anymore, but I went through it, I’m like, this is amazing. You know, this is something that CIS has delivered that’s usable, actionable at any really organization large and small. And we do in my office, our teams really want to make sure that CISA is seen as doing the right thing. Heeding our own advice, but also kind of modeling that behavior. If there is an incident, how we recover from it, how we operate in an environment where maybe one of our systems is down, how do we respond to that and then how do we recover from it? Because it is really hard sometimes when you’re in the heat of battle to understand who’s on first. Little Abbott and Costello there.

28
00:00:27,000 –> 00:00:28,000
Bob Costello [00:15:17]:
But I think what Chris is talking about too is like you have to practice, you have to build playbooks. It can’t sit on the shelf.

29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:15:25]:
Who’s Abbott, me or Chris? [laughter]

30
00:00:29,000 –> 00:00:30,000
Bob Costello [00:15:28]:
I’ll let the audience decide that. But I think it’s really hard sometimes to find the time to practice. And I think one of the things that we’ve talked about a the IT teams, whether it’s a CISO, CIO doesn’t matter out There they need the resources to do their jobs effectively and also the understanding that we have to balance the requirements of the users against the business or the mission and make sure that those things can continue. In the event of a ransomware out there in the commercial side or the critical infrastructure or a full blown DC attack, you know, how do we respond from that if our system

31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:16:15]:
Or combined.

32
00:00:31,000 –> 00:00:32,000
Bob Costello [00:16:16]:
Or combined. Absolutely.

33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:16:18]:
Which you’re seeing more and more.

34
00:00:33,000 –> 00:00:34,000
Bob Costello [00:16:19]:
And what I really love about the eviction tool, we released a decider tool on MITRE ATT&CK I think a couple years ago. It really helps. You don’t have to be an expert in ATT&CK to use the tool and then understand what’s happening in your environment.

35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:16:37]:
Awesome. And before we leave the threat landscape discussion, if you had to rack and stack nation states, China, Russia, Iran, North Korea, criminal enterprises, ransomware gangs or organizations or whatever you want to call them, how, how, how would you rack and stack that?

36
00:00:35,000 –> 00:00:36,000
Chris Butera [00:16:59]:
Yeah, I mean, I think we continue to follow all the threats. It is our job to and duty to follow all the threats and make sure that we are responding in, you know, efficient time to all of them and making sure we’re providing the right guidance to critical infrastructure owners and operators to, to mitigate those threat we can. I think the one that we are always hyper concerned about, especially the last few years, has been China specifically and I think with the Volt typhoon campaign has been something that we really focused on and did a ton of work in. We were responding directly to incidents where we found Chinese actors in critical infrastructure owners and operators networks and specifically targeting industrial control systems and operational technology. Control systems has been a huge priority for our agency for a very long time and will continue to be a really high priority for our agency. And so for us, we want to make sure that we are continuing to provide the right guidance and support for critical infrastructure owners and operators to secure their OT networks to make sure that they’re again trying to minimize the effect that a specific attack on their networks can have and how that can affect the different processes down in the control center systems networks.

37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:18:12]:
I’m really glad you brought up OT and you can’t escape this podcast without a little double tap there because it is the IT/OT. It’s hard for me to discern sometimes. Sort of like physical cyber is becoming pretty blurred, but at the end of the day you’ve got legacy technologies that are sometimes 20, 30 years old, but are being fielded by IoT devices and the like. And that just brings about a whole new attack surface, doesn’t it?

38
00:00:37,000 –> 00:00:38,000
Chris Butera [00:18:40]:
Absolutely. I Think one of the things that we are trying to do every single day is remove some of those OT systems from the Internet. That is a very critical step that we think that there are very few business cases where you should have an OT system connected directly to the Internet. Many of these systems don’t require authentication or they don’t use encryption. A lot of the legacy systems. And so one of the things that we are able to do, and we’re very thankful for Congress for actually giving us this authority, is our administrative subpoena authority. And so when we, as part of our attack surface management team, they go out and look for these devices across critical infrastructure. And when we find them and we can’t identify who the owner is, we work with the ISPs and then we actually notify the owners that, hey, please get your OT systems off the Internet.

39
00:00:38,000 –> 00:00:39,000
Chris Butera [00:19:30]:
And we’ve had some really good success in that program as well. Today we’ve already notified over 3,000 entities specifically for these OT systems and we’ve had an 80% success rate in them. Actually removing the systems from the Internet.

40
00:00:39,000 –> 00:00:40,000
Frank Cilluffo [00:19:43]:
That’s great. I mean, and as Volt Typhoon made loud and clear, and not to put too fine a point on it, but from a public safety, emergency management perspective and kinetic effect, OT matters and starting to see how it converges with it, I think CISA is ideally situated to take that issue on. Fair.

41
00:00:40,000 –> 00:00:41,000
Chris Butera [00:20:07]:
Absolutely.

42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:20:08]:
Good. So going on that public private partnership, which, if I’m being honest, for years I’ve said long on nouns, short on verbs, but we’re starting to see some traction here. And I think we’ve moved beyond the information sharing discussion to the operational collaboration discussion. And I’d be curious, maybe Bob will start with you or Chris, either one, to sort of jump in. But. But how are we building out some of that operational collaboration?

43
00:00:42,000 –> 00:00:43,000
Bob Costello [00:20:40]:
I think on my front it’s ensuring that we have the systems that allow that to happen. So my group is in charge of bringing online and building the joint collaborative environment, which is envisioned to be a place where government and industry can collaborate and share information back and forth rapidly and securely. So I’m excited for that and I’m very appreciative of the funding that we received from Congress to build that system out. My other role is to make sure that on the IT side that we’re a good collaborator with industry and bringing them in, seeing new solutions, being able to deploy and pathfind on technologies that are maybe on the horizon or that we just don’t know about. And I think that that’s really important because my goal is to make sure that Chris’s teams don’t have to worry that their systems will work the way that they need them to work with their partners. They shouldn’t have to worry that their laptop works or has low battery life. So my role in that is just ensuring that it is as frictionless as possible for Chris’s operators to do their mission and for industry to work with us through our IT systems.

44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:21:55]:
Chris, anything to add there and, and foot stomp the importance if you think it’s there with our industry partners, we’re expecting more of the private sector right now as well as sltt. And I think we talk a lot about one team, one fight within the interagency, but that’s a very small part of the equation. It’s really with our industry partners.

45
00:00:44,000 –> 00:00:45,000
Chris Butera [00:22:18]:
Absolutely, yeah. I mean, we say every day that cybersecurity is a team sport and absolutely we have to be playing together to be effective in this, in this arena. I think I can give an example of one of the recent operational collaborations that I think we had a good success in. Responding to an emerging vulnerability or emerging set of vulnerabilities was the Microsoft SharePoint vulnerabilities that some people are calling tool shell. This was a few weeks ago. We were notified very late in the evening on a Friday night by a researcher. All these things happen on Friday nights, by the way. Our team loves to work weekends.

46
00:00:45,000 –> 00:00:46,000
Chris Butera [00:22:52]:
And so we got the whole team spun up over the weekend. Our joint cyber defense collaborator, our JCDC team, was reaching out to partners very quickly, got in touch with Microsoft very rapidly. And in these situations there’s really kind of a fog of war at the beginning because we were told by a researcher we see exploitation on SharePoint. We didn’t know exactly what vulnerability was being exploited, whether it was already one that we knew about or whether it was a new set of vulnerabilities. It takes a while to understand. And so for us to be able to work directly with industry as well as security researchers in that space and then we bring in our federal partners and our international partners as well and ask them what they’re seeing in this space. And so we jointly build this collective picture, it starts becoming more clear. And we went back and forth all weekend long to try to get the best guidance and clear picture of what was happening so that we could provide as much guidance as possible.

47
00:00:46,000 –> 00:00:47,000
Chris Butera [00:23:46]:
And then once we were able to confirm the specific vulnerabilities, we added those vulnerabilities to the known exploited vulnerabilities catalog, which then again kicks for the federal agencies a very fast remediation rate. We gave them 24 hours, but we also hope that industry is paying attention both to the catalog, but also the dates and how fast we want people to patch. And we’re really thankful too for industry who’s really adopted the KEV catalog. They’ve put it and they’ve integrated it into their tooling. So if you have a vulnerability scanner, many of the commercial vulnerability scanners have ingested the KEV catalog and can help the critical infrastructure owners and operators actually prioritize the patching of those vulnerabilities that we see being actively exploited.

48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:24:28]:
And seeing more of that in real time, hand in glove is the future, right? There’s just too much mission and not enough people. So I think that that’s essential and I hope that you redouble down on some of those efforts. You brought up KEV a couple times. I think the broader CVE sets of questions and the critical role your team and CISA writ large plays in that. Can you shed a little bit of light there and maybe a little context too?

49
00:00:48,000 –> 00:00:49,000
Chris Butera [00:24:57]:
Yeah, sure. So CVE stands for the Common Vulnerabilities and exposures. This is a way to uniquely identify a specific vulnerability. Usually starts with a specific year and then there’s a five digit number that follows with that. And so when you look at the number, it doesn’t mean a lot to most people, but you click down through and you can see the record of what that actually means. We’ve been a sponsor of the CVE program for some time now, and it’s really foundational to the cybersecurity work that we do both tactically and operationally as well as strategically. And I would love to give like a little history of kind of where we’ve gone with the program and where we want to go. We really started in 2016 trying to focus on the growth of the program to make sure we’re getting more data into the program.

50
00:00:49,000 –> 00:00:50,000
Chris Butera [00:25:40]:
Not everyone was filing records for their vulnerabilities and trying to get more people to actually file the vulnerabilities. So CISA was doing a lot of work, MITRE was doing a lot of the work back then to actually do the filing of the vulnerabilities. There are specific. The people that file them are called cnas or CVE numbering authorities. So the people that actually put the numbers out and file the records into this catalog or database. So back in 2016, we had 24 of those CVE numbering authorities, the CNAs, by 2024. We had grown that number to 460 CNAs around the world. So that’s a huge amount of growth.

51
00:00:50,000 –> 00:00:51,000
Chris Butera [00:26:16]:
Many technology companies are taking ownership for filing their own CVEs and becoming a CNA as well. As we worked with international governments that are partners with us to kind of be that CNA for their country. If there isn’t a specific technology company that is a CNA and needs help with those records. Similar growth from the CNA records piece, we went from 6,400 vulnerabilities that were filed in 2016 to more than 40,000 last year. And we expect that number to continue to increase so that, you know, we really kind of focused on that growth piece to federate this model out so that we can do more. And all of the CVE is actually this whole program is foundational for the automation of the vulnerability ecosystem. So we really kind of focused those eight years on the growth of the program. I like to call it the growth era.

52
00:00:51,000 –> 00:00:52,000
Chris Butera [00:27:06]:
And now we’re shifting really to the quality era where we’re asking the technology vendors to do more to have better data quality that they’re putting into the record records. There are specific fields in the records that can help with us understanding classes of weaknesses. It’s called common weakness enumeration and what that will allow us to do again now moving from operational to strategic. So on our Secure by Design initiative, we can better understand what are the commonalities and the classes of weaknesses, the same types of vulnerabilities that are being found in all these different technology systems. So we can better drive innovation to remove these from software developments, these entire classes of weaknesses. So really excited to partner again. This is a government sponsored and funded program, but we work very closely with industry to continue to improve this program. And it’s so foundational to the work that we do in our mission and I think the entire cybersecurity ecosystem.

53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:28:03]:
And it’s in business and it’s ongoing and it’s going to not only grow, but the fidelity is going to improve as we move forward.

54
00:00:53,000 –> 00:00:54,000
Chris Butera [00:28:10]:
Absolutely, yeah. So we are continuing to fund the program. There’s no questions around the importance of the funding this program for us. And again, we want to have as much engagement with the community as possible to continue to improve the quality of the data and I think even the tooling and automation that goes with it.

55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:28:27]:
And not to put too fine a point on it, but I mean, Sun Tzu said, know yourself, know your enemy. This is both.

56
00:00:55,000 –> 00:00:56,000
Chris Butera [00:28:33]:
Yeah. So like CIS is not only, you know, an operator and sponsor of this program. We’re also like probably the biggest consumer of this program. We actually enrich all the records that we think are relevant, that we actually have a specific categorization that talks about exploitability of that. For example, there are different categorization elements and we fill in some of that categorization so that people can make better decisions about which ones to prioritize. The KEV is another prioritization mechanism, but there are other ways for people to prioritize vulnerabilities within their ecosystem. And we continue to try to give people as much data as possible, both for automation but also for decision making.

57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:29:14]:
Chris, that was great. That was a master class, I think on something that really is important, Bob, I mean automation in particular. How is it you are taking advantage and exploiting innovation, automation and the like?

58
00:00:57,000 –> 00:00:58,000
Bob Costello [00:29:29]:
Well, I think as Chris and that was awesome, but I think what you’re hearing is too just the volume has increased over the years and it’s hard to keep up with it. You cannot do it without automation. So the work that industry has done to ingest either the KEV or CVs or some of these other vulnerabilities databases into their tools really enables us on the IT front to understand what’s in our environments, what do we need to patch that day or configurations to change. And we couldn’t do that without the great work that’s happening on the CVE program. I can’t say enough like how critical it is to help us make decisions on our side. Like we use this every day in every IT shop, probably all over the world. And Chris, really well highlighted there. It’s a worldwide initiative on automation fronts.

59
00:00:58,000 –> 00:00:59,000
Bob Costello [00:30:23]:
We’ve worked on several different initiatives. Cyber hygiene program has 11,000 customers that CISA supports. We’re working to automate not just the signups of that, but so that they can go in, see their prior week’s results, prior day’s results, how are you tracking against that? And that’s really their Internet facing attack surface. And I think that those upcoming releases from CISA are going to be really, in a lot of ways for us, groundbreaking. It allows us to take people off of receiving an email, sign up, merging that between multiple systems so that they’re concentrating directly on the mission each day and it’s lowering the barrier to interface with us, that waiting period to sign up. So I’m excited about that. We’re going to release before the end of the fiscal year an industry engagement portal to make it easier to schedule meetings with us. Tell us about what you’re doing upload information to us so that when it gets to the right teams in CISO, we’re ready for that meeting.

60
00:00:59,000 –> 00:01:00,000
Bob Costello [00:31:23]:
And also that you get positive confirmation that we’re seeing with your presenting to us.

61
00:01:00,000 –> 00:01:01,000
Frank Cilluffo [00:31:31]:
No, that’s great. And again, more heeding your own advice as well. And truth is, things are moving fast and you pull the best ideas that are not only coming from your own shop, but the rest of industry. Right. That I think is important. And I want to build on that public private partnership discussion in a different kind of way. And there is a statutory authority with the same name as CISA, but it’s actually the Cybersecurity and Information Sharing act that was initially authorized in 2015. It sunsets at the end of September.

62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:32:13]:
It provides some liability protection for industry to be able to share information with government and even with other industry partners. And I’d be curious, I know that Sean Planky made a very strong statement in his confirmation hearing to support a reauthorization. I’d be curious from your perspectives, both Chris and Bob, is that something you’re supportive of, I would imagine, but also advocating for?

63
00:01:02,000 –> 00:01:03,000
Chris Butera [00:32:44]:
Yeah. So, I mean, I think I was lucky enough to be at the agency right before this authorization was given to us. And we’re very thankful for this authority that Congress gave us, us and the uptick of information sharing. And to your point, operational collaboration, real time collaboration that’s been happening is a lot of that is the result of this fantastic authority that we have. So we are, you know, I think a lot of people would say too, this is why our agency exists, to be really kind of this center point for information sharing. When you look at the cyber threat landscape, no single entity has that kind of full picture. You know, we have a lot of visibility in the federal space, for example, but in critical infrastructure, we really rely on industry to give us kind of an understanding of what they’re seeing to build that threat picture. And then together with our federal agencies and with our international partners and industry, we can pull together that information, synthesize it, and try to produce those insights back out to the community to make everyone more secure.

64
00:01:03,000 –> 00:01:04,000
Chris Butera [00:33:40]:
And CISA 2015 is a huge tool for us to do that. So we’re very hopeful that Congress will reauthorize that for us.

65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo [00:33:46]:
Bob, anything you want to add, and I don’t want to put words in your mouth, my opinion, at the end of the day, we can’t slip backwards 10 years if we lose that reauthorization. So I think it could have significant implications, at least from an industry perspective. I know, because they’re all sounding the alarm. Anything to add on that, Bob?

66
00:01:05,000 –> 00:01:06,000
Bob Costello [00:34:07]:
No. I mean, we absolutely support reauthorization of it and I think just in my space, collaboration is what we’re all about. Like, we talk about cyber being a team sport and this helps make all the teams play a lot better together.

67
00:01:06,000 –> 00:01:07,000
Frank Cilluffo [00:34:23]:
And there was another bit of news recently coming out of CISA, which I am a big proponent of, to be very transparent here. But it’s the notice of funding for continued funding for our state, local, tribal, territorial, our SLCGP grants. And at the end of the day, you’re starting to see a little bit of an onus of responsibility going to those on the front lines, whether state, local, tribal, territorial or industry. They can’t do it without the resources. So I’d be curious what some of your thoughts are there.

68
00:01:07,000 –> 00:01:08,000
Chris Butera [00:34:56]:
Yeah, so we’re very excited to put out $100 million in grants. I believe this was late last week for those state, local, tribal and territorial governments to apply for to better secure their networks. And I think the other thing that I want to note is we continue to support them in various different ways. One of the is we have over 100 cybersecurity advisors in the field engaging with those state and local governments and tribal and territorial governments every single day. We want them to be there to support, you know, understand where their network weaknesses are and helping them kind of implement some of the services and technologies that they’ll be procuring through these grants to help better secure their networks as well.

69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo [00:35:37]:
Because at the end of the day, that’s where most Americans live in and we have hard enough of a challenge inside D.C. that has maybe more resources than our state and local partners are. So I think that that is essential going forward. Bob, another thing is, and both you and Chris have highlighted some of the recent innovative alerts and products. Anything else you want to add here? Because a lot has happened in the past few weeks.

70
00:01:09,000 –> 00:01:10,000
Bob Costello [00:36:08]:
Yeah. You know, kind of looking back, I think Chris and I’s teams have been super busy and I think, you know, we are moving really fast to get information to the people that need it. I think Chris talked about we had our first two, you know, Kevs in 24 hours or less. I think that’s a really big deal. I think because we’re seeing more and more each day. Vulnerabilities, malware, it doesn’t matter where you are, you see it in the news every day. Chris talked about our scattered spider re release which was co sealed with a Number I believe the FBI and a few others. We have to continue to move fast, but we need new tools and technologies to enable our people to understand the data that’s coming in.

71
00:01:10,000 –> 00:01:11,000
Bob Costello [00:36:53]:
There’s so much data right now. Like, gone are the days when you’re the lone network engineer going through what’s called a PCAP and seeing activity. Me and Chris had a lot of fun doing that. We now need to be able to sift through volumes of data just alone from the fseb. The systems that I support, actually my team support for Chris’s operators, we take in over 20 terabytes a day, and that’s after we normalize some of it. That’s a lot of data to be able to work through. So I’m excited for some of our deployments on generative AI and other technologies just to help us enable the operators to understand the data they’re looking at and the data that’s important and be able to just help everyone respond a lot faster.

72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo [00:37:42]:
Chris? Bob, what questions didn’t I ask that I should have?

73
00:01:12,000 –> 00:01:13,000
Chris Butera [00:37:45]:
I mean, I think one of the things we didn’t talk about was supply chain. And so I think everyone needs to be thinking. I think we are all super reliant increasingly every single day on our different technology supply chains and physical supply chains. But like specifically for the

74
00:01:13,000 –> 00:01:14,000
Frank Cilluffo [00:38:00]:
Hardware, software, firmware. All across the board.

75
00:01:14,000 –> 00:01:15,000
Chris Butera [00:38:02]:
All across the board, right. And so there’s a few things there. I think we want people to really take, you know, close eye on what they’re actually procuring. We put out some guidance last year called Secure by Demand. It is really kind of how we take our security by design work and make people have informed procurement decisions, you know, asking a lot of questions from your vendors to make sure that they are developing their software securely as well as being a good steward and citizen of the, of the cybersecurity ecosystem. So like, you know, to that latter point, making sure that your vendors are, you know, producing a coordinated vulnerability disclosure, a CVD policy publicly on their website so they can work with security researchers, making sure that they are signing up to be a CVE numbering authority and producing complete CVE records and, you know, things like software transparency, where they will fill out a software bill of materials and such to make sure that they’re being transparent about what the building blocks of their software is. So we really think that, you know, making sure that you’re also taking care of your supply chain, and that’s from the procurement standpoint, but also if you’re the big business and you’re relying on other businesses, maybe not from a technology standpoint, but for your other supply chain piece, making sure you’re helping them with their cybersecurity as well.

76
00:01:15,000 –> 00:01:16,000
Chris Butera [00:39:21]:
Because if, if they get hit by a breach, it’s going to affect you, your business as well. Right, so

77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:39:25]:
Most are still third party breaches anyway.

78
00:01:17,000 –> 00:01:18,000
Chris Butera [00:39:27]:
A lot of them are third party breaches as well. So you, maybe you’re, you have technology connections, but either way, whether it’s you have the technology connection or it’s just a resource that they’re giving you and then they won’t be able to give that resource to your company anymore to fulfill your mission. You know, we want to make sure that, that you are helping those entities do better cyber security. And so CISA has a ton of free resources that we, we have available. We encourage you to engage with your supply chain to make available those free resources. Bob talked about our cyber hygiene Vulnerability Scanning service. That’s a free service that we offer to over 11,000 organizations today. It’s a very scalable service.

79
00:01:18,000 –> 00:01:19,000
Chris Butera [00:40:05]:
Another one is we, we said, we released a set of what we call the cyber performance goals. This is the minimum security requirements, kind of a baseline for cross sector organizations to meet the meet this minimum set of standards for cybersecurity. And they’re meant to be very implementable and we have created an assessment for that that Bob’s team is working to kind of automate the ingestion of data if people want to share with us. But also, you know, for people to easily fill out that questionnaire and maybe have their supply chain, you know, fill out that questionnaire and then focus on the areas where they need help and making use of our people in the field to get that help .

80
00:01:19,000 –> 00:01:20,000
Frank Cilluffo [00:40:43]:
And just getting visibility across supply chains is really tough. And for those startups that are out there, being able to light up your systems would be a pretty good set of issues to go. And there’s some great tools now that I think have to be utilized by. But taking SBOM from an analog to a digital is where I hope we see things going there. Bob, what questions didn’t I ask that I should have?

81
00:01:20,000 –> 00:01:21,000
Bob Costello [00:41:08]:
Oh, I think you hit a lot. Supply chain is something I didn’t typically think about in any of my roles until probably the last five or six years. I think we didn’t ask a lot of the questions of where our software was coming from and just or hardware as well. So I think that’s something that I think we all need to think about a lot differently. And it’s across the board, Whether it’s open source, closed source, or hardware, everything is kind of linked together, and often we don’t know where those linkages are.

82
00:01:21,000 –> 00:01:22,000
Frank Cilluffo [00:41:40]:
There’s those connections.

83
00:01:22,000 –> 00:01:23,000
Bob Costello [00:41:41]:
And I think that’s something we do across the whole department as well. Over in the customs world, we were very interested is this transiting countries and then masking where this hardware is coming from or, you know, where that material to make our clothes is coming from. And this can affect, you know, worldwide, how we think of what goes into our products, the people that are manufacturing it. And I’m really concerned because, as Chris said, it can be very difficult to kind of ascertain the Provence of our software.

84
00:01:23,000 –> 00:01:24,000
Frank Cilluffo [00:42:20]:
Gentlemen, thank you. There’s an old adage, technology will change. Human nature remains consistent. And I’m excited that you have the good guys fighting the good fight, and the women and men you lead at CISA are essential to this future. So thank you both.

85
00:01:24,000 –> 00:01:25,000
Chris Butera [00:42:35]:
Yeah, thanks for having us on the show. We’re very excited to be here in Las Vegas this week to engage with industry and the community and really appreciate your partnership.

86
00:01:25,000 –> 00:01:26,000
Frank Cilluffo [00:42:43]:
Thank you. Bob, last word.

87
00:01:26,000 –> 00:01:27,000
Bob Costello [00:42:45]:
Frank, thank you for doing this with us. I think me and Chris are just deeply committed, not just to the mission, but every day working with industry, industry and our partners out in sltt, you know, to push forward cyber security each and every day.

88
00:01:27,000 –> 00:01:28,000
Frank Cilluffo [00:42:59]:
Thank you both. Onward and upward.

Related Content