Cyber information sharing must be fixed – or our adversaries reap the benefits

Over the past year America’s public-private cybersecurity partnerships have been damaged by a double whammy of administration and legislative lethargy. In March, the Department of Homeland Security (DHS) dismantled a key collaboration forum – the Critical Infrastructure Partnership Advisory Council (CIPAC) – and in September Congress allowed the law establishing liability protections for private-sector information sharing to lapse. 

For the past year, DHS has insisted that it is working on a replacement but nothing has emerged, and Congress has scurried to apply short-term extension bandages to the information sharing laws, but nothing permanent. As a result, America’s partnership on critical infrastructure defenses has suffered. And all this comes in the wake of a public acknowledgement that China –  through its Volt Typhoon operations – has been aggressively probing, penetrating and placing our critical infrastructures at risk.

At a January House Energy and Commerce Committee hearing, two witnesses from industry associations urged DHS to finalize the replacement and release information publicly about the Alliance of National Councils for Homeland Operational Resilience (ANCHOR), the intended replacement for CIPAC. The following day, unnamed officials told the press that the proposal is on Homeland Security Secretary Kristi Noem’s desk for approval. A DHS spokesperson denied the proposal is close to finalization, and weeks later the public is still awaiting more information. Meanwhile, if Congress does not enact long-term authorities providing legal protections for information sharing, the federal government cannot rebuild the trust necessary for cyber collaboration with private industry. 

As part of the Trump administration’s general purge of Biden-era advisory councils across the federal government, DHS shuttered CIPAC. Created by DHS in 2006, CIPAC was a convening authority that gave federal agencies and critical infrastructure companies and trade groups a way to hold strategic conversations on sensitive information about cyber and physical vulnerabilities. Since CIPAC was exempt from the Federal Advisory Committee Act’s open-meeting and public-records requirements, those discussions were not automatically subject to public disclosure and helped participants share candidly without fear of Freedom of Information Act exposure or antitrust risk.

Industry representatives have said that these protections were essential: After DHS dismantled CIPAC, oil and gas leaders refused to share findings from a cyber working group with the government and canceled a spring meeting because they no longer knew what they could safely share. Other industry and former officials warned that CIPAC’s elimination has meant fewer frank conversations even as foreign adversaries continue to probe critical U.S. infrastructure.

But details on ANCHOR remain limited, and accounts differ on industry involvement. While one official said all 15 sector coordinating councils have been briefed on the proposal, several sector representatives say they have received little to no concrete information. Meanwhile, the private sector has not received confirmation on whether ANCHOR will provide the same legal protections that CIPAC provided. That uncertainty risks weakening the trust ANCHOR is supposed to rebuild. 

While CIPAC provided protection for joint conversations between multiple private companies and the federal government, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) provided a legal shield to allow companies to share cyber threat indicators between companies and the federal government. When the law temporarily expired in September 2025, experts warned that information sharing would cease. While some companies said that they would continue sharing, others demurred when asked. As part of the October funding bill, Congress briefly extended the bill’s authorization to Jan. 30, 2026, and the House of Representatives included another short-term extension as part of its appropriations package, extending the law’s protections through Sept. 30, 2026. 

While developments last month provided hope that the Trump administration will eventually address its side of public-private collaboration, more work must be done, and quickly. 

First, DHS should finalize and launch ANCHOR, explain how its protections compare to CIPAC’s, and give sector coordinating councils and critical infrastructure operators a clear picture of how it will function. Second, the administration should ensure robust industry involvement in ANCHOR’s implementation so that the new framework genuinely reflects critical infrastructure operators’ information-sharing needs. 

Separately, Congress should pass a long‑term reauthorization of CISA 2015 that maintains strong liability and confidentiality protections so that ANCHOR’s fixes rest on a durable legal foundation. While ANCHOR sets the table for collaboration, without CISA 2015’s statutory protections lawyers will still restrict what gets shared. Cyber defense is a team sport, but teams don’t win when they cannot pass the ball. If Congress lets CISA 2015 languish and DHS can’t guarantee CIPAC-like protections, the only ones who benefit are our adversaries who are probing and penetrating our vital networks and critical infrastructures.

RADM Mark Montgomery (ret.) is the Senior Director of the Center on Cyber and Technology Innovation and a Senior Fellow at the Foundation for Defense of Democracies, where Aarushi Garg is an intern.