The US Cybersecurity and Infrastructure Agency (CISA) leadership is expecting the US Congress to renew a soon-to-expire US law that provides safeguards for companies that voluntarily share threat intelligence data with the government or each other.
The law in question, the Cybersecurity Information Sharing Act, was adopted and signed by then-President Barack Obama in December 2015. It is expected to expire on September 30, 2025.
Christopher Butera, the active executive assistant director at CISA, and Robert Costello, the agency’s CIO, spoke about the state of America’s cybersecurity agency at Black Hat USA 2025 on August 7.
The agency’s acting director, Madhu Gottumukkala, was scheduled to attend the event but had to cancel due to “a personal matter.”
Butera and Costello said they are “really hopeful that Congress will reauthorize” the Cybersecurity Information Sharing Act before the deadline, suggesting it would be extended for a few more years.
“Information becomes dated very quickly, because the adversaries are pivoting so quickly, which makes rapid sharing even more important,” Costello added.
Speaking to Infosecurity, Cynthia Kaiser, SVP at Halcyon, head of the newly launched Ransomware Researcher Center and former deputy assistant director of the FBI’s Cyber Division, said she “strongly believes” the law should be renewed.
CISA to Continue Funding the CVE Program
At Black Hat, Butera and Costello also assured that funding for the CISA-sponsored, MITRE-run Common Vulnerabilities and Exposures (CVE) program will be maintained by the agency.
“We at CISA are heavily invested in this program. We are going to continue to fund and improve the CVE program,” Butera said.
Costello commented, “The CVE is an extremely powerful tool and it works very well.”
Butera also stated the program needs to focus on automation: "We have to have automation built into the ecosystem to remediate faster. And we've continued to build that. We are now moving from the growth era to the quality era."
CISA Leaders Push Back on Layoff Concerns, Highlighting New Initiatives
Asked about recent layoffs at CISA and the reported loss of a third of its workforce under the Trump administration, Costello said he believes reports of CISA's demise are greatly exaggerated.
He quoted Ernest Hemingway: "We're not retrieving, we're advancing to a new direction."
Butera added: "We did lose some people that took voluntary separation from the government, but we also have a very talented workforce still at CISA."
The CISA leaders mentioned the work the agency has done around helping government agencies and companies mitigate the 'ToolShell' SharePoint vulnerability exploit campaigns, saying it was "a good example" of the agency's continuing capabilities and "how we work with security researchers and industry."
They also mentioned the work of current CISA staff members to launch Thorium, a new malware and forensic analysis platform that was released a few days before Black Hat.
Butera highlighted the recent release of $100m in state and local cyber grant funding, calling it "a really important tool" that CISA is "really excited" for those entities to use.
Finally, Costello said that CISA is "on the cusp, in the next couple of months, [of] releasing some IT services to make it easier to sign up to our Cyber Hygiene services."
Cyber Hygiene (CyHy) is a service offered by CISA to scan public-facing endpoints for vulnerabilities. Butera and Costello claimed the service now has over 11,000 users.