Sources: DHS finalizing replacement for disbanded critical infrastructure security council 

The Department of Homeland Security is finalizing plans for a new body that would replace the functions of the Critical Infrastructure Partnership Advisory Council (CIPAC) and serve as a communications hub between industry and government to discuss ongoing threats to U.S. critical infrastructure, including from cyber attacks.

Under previous administrations, CIPAC served as a nerve center for federal agencies, industry and other stakeholders. While industry widely praised its utility, the council was one of many DHS advisory bodies that were shuttered last year by Secretary of Homeland Security Kristi Noem when President Donald Trump returned to office.

Now, according to multiple sources, a proposed regulation for a new replacement council is in the final stages of review and approval from Noem’s office.

The new body will be called the Alliance of National Councils for Homeland Operational Resilience, or “ANCHOR,” and will also serve as an umbrella organization for other federal sector risk management agencies. Its goal is to restart conversations and planning around infrastructure security that took place under the previous CIPAC, according to a former DHS official.

The official, who requested anonymity to discuss the administration’s plans, said all 15 federal sector coordinating councils have been briefed on ANCHOR. One of the primary differences between CIPAC and ANCHOR will be in structural authorities and liability protections.

CIPAC was essentially “an advisory council that could be chartered to create other advisory councils” that needed Secretary-level approval and contained rigid rules requiring separate  charters for every new council that was then stood up.

This created “a waterfall effect” of bureaucracy that made CIPAC a poor vehicle for holding broad conversations between not just DHS and industry, but all other federal sector risk management agencies and sector coordinating councils.

“What DHS strived to do was to create a new framework for engaging on threat conversations and pre-deliberative policy conversations impacting security outcomes with sectors and the private sector, without having to create all these waterfall advisory councils or new charters and all that stuff,” the official said.

Under CIPAC, conversations between government and industry were also “closed by default” to the public, with mandatory liability protections for every conversation and setting. Often, the most the government could do was issue a press release or cite comments under Chatham House Rule.

Under ANCHOR, there is expected to be wider latitude for DHS or other councils to open certain meetings to the public, or provide transcripts of conversations they hold with stakeholders.

However, the official emphasized that liability protections remain one of the last unresolved issues. The administration is still determining when those protections would or would not apply to ANCHOR-related discussions between government and industry and further changes could be made to assuage industry.

Other federal laws, such as the Cybersecurity and Information Sharing Act of 2015, only provide liability coverage for “one to one” conversations between a company and the government. CIPAC, by contrast, provided a liability shield for “one-to-many” engagements, where a company may engage with federal, state and local agencies as well as other companies and entities.

“That was a very understood and very counted-on liability shield for allowing senior officials, all the way up to the CEO of private sector companies, to really openly communicate with each other,” the official said.

DHS did not respond to multiple requests for comment from CyberScoop about ANCHOR.

This week, Adrienne Lotto of the American Public Power Association told Congress that liability protections in CIPAC were critical to fostering open dialogue between industry and government around cybersecurity and infrastructure protection.

She also signaled that a new advisory council was forthcoming, saying industry “was apprised by DHS that the administration’s proposed CIPAC replacement is ready for publication in the Federal Register” while encouraging the administration to finalize the plans “quickly.”

Even with some uncertainty around ANCHOR’s structure and liability protections, many industry executives are likely to embrace the return of information-sharing partnerships that they believe were vital to understanding the digital and physical threat landscape facing their sectors.

Last year, industry groups lamented the disbanding of CIPAC to members of Congress, prompting Rep. Andrew Garbarino, now chair of the Homeland Security Committee, to pledge he would “look into this and hopefully speak to the administration to try to fix this.”

The former DHS official said they expected ANCHOR to be largely welcomed by many industries who have called for the restoration of CIPAC, even as they look to grapple with the Trump administration’s new approach.

“Everybody who wants to talk in groups is going to be excited because it’s back,” the official said. “Everybody that’s interested in the amount of risk that it opens up is going to want to see the details.”