DHS to unveil replacement council for critical infrastructure cybersecurity

DHS to unveil replacement council for critical infrastructure cybersecurity The Department of Homeland Security is bringing back a key cybersecurity information sharing effort with critical infrastructure, more than a year after the Trump administration shuttered an existing nerve center between government and private sector. The Alliance of National Councils for Homeland Operational Resilience – Critical Infrastructure program, first reported by CyberScoop in January, is meant to replace the function of the Critical Infrastructure Partnership Advisory Council. CIPAC was a federal advisory body that allowed agencies like the FBI, the Cybersecurity and Infrastructure Security Agency and the intelligence community to interact with key owners and operators of water, power, internet and telecommunications to coordinate on cyberattacks and digital vulnerabilities. ANCHOR will fulfill a similar role. “ANCHOR-CI will provide forums through which cybersecurity, law enforcement, intelligence, national security, and other government representatives at the federal, state, local, tribal, and territorial levels may engage representatives of private sector entities and critical infrastructure owners and operators in reviewing the current threat environment, discussing potential vulnerabilities, and forming recommendations on securing a more resilient critical infrastructure and cyberspace,” DHS wrote in a federal register notice set to publish July 1. ANCHOR-CI will be managed by CISA, which will appoint members to the council from industry, trade associations, state and local governments and other sources. The body will consist of four types of different councils: one focused on federally designated critical infrastructure sectors, cross-sector councils to deal with emerging threats like cyber attacks or zero-day vulnerabilities, critical infrastructure industry councils and regional coordinating councils. As CyberScoop reported, a key difference between CIPAC and ANCHOR-CI will be the way key meetings will be exempt from public transparency laws. “In recognition of the sensitive nature of the subject matter involved regarding the assessment and mitigation of security and operational risks through whole-of government coordination, and strong partnership with the private sector that is required to ensure the security and resilience of critical infrastructure, the Secretary hereby exempts ANCHOR-CI from The Federal Advisory Committee Act,” the notice states. The disbanding of CIPAC under then-Secretary of Homeland Security Kristi Noem was part of a larger dismantling of DHS advisory bodies set up under previous presidential regimes. Critical infrastructure owners and operators felt blindsided by the move and many found themselves without access to the kind of federally-enabled threat intelligence and cybersecurity support that had become a staple of U.S. cyber defense over the past decade. A source told CyberScoop that new Secretary Markwayne Mullin was sympathetic to concerns from critical infrastructure owners and operators that they felt abandoned by DHS under Noem’s leadership, and was determined to make efforts to repair that relationship. The restoration of information sharing services under ANCHOR-AI is one part of that effort. According to a former CISA official, ANCHOR-CI gives the CISA director more authority over the makeup and direction of the organization than under CIPAC. Bob Kolasky, who ran the National Risk Management Agency at CISA, said the new organizational structure for ANCHOR “really puts CISA in the position of having authority over who participates,” a change from CIPAC, when the private sector and other sector risk management agencies were given autonomy to choose their representatives. “Previous iterations of CIPAC and the way it was operationalized leaned heavily on the idea that private sector coordinating councils were self-governed and self-organized, and the DHS Secretary and the CISA Director…managed the overall partnership structure,” said Kolasky, now senior vice president of critical infrastructure at Exiger. “They were not given the authority to make decisions on who would participate in that partnership structure.” Under previous administrations, CISA officials frequently partnered with industry to build trusted lines of communication and work on cross sectoral cybersecurity initiatives. Most of these efforts were voluntary – a reflection of the agency’s limited regulatory mandate but also of CISA’s view that they were the nation’s risk advisor, not its manager. Kolasky said some there remain unanswered questions from the information released so far in the Federal Register notice, including how the CISA director would choose representatives and what role other sector risk management agencies would play influencing ANCHOR. He said “what is important is consistent processes” that ensure membership isn’t dependent on being in the good graces of a particular agency or administration. “I want it to be a partnership structure between industry and government and not something that is completely operated and mandated by the government,” said Kolasky.