New cybersecurity industry alliance aims to lead US critical infrastructure protection

As some of the organizations that run essential services in the U.S. lose faith in the federal government’s willingness and ability to help them, a few of the biggest critical infrastructure operators are taking matters into their own hands to improve coordination — and prepare for a major crisis.

In February, a coalition that includes corporate titans JPMorgan Chase, Mastercard, AT&T and Berkshire Hathaway Energy launched the Alliance for Critical Infrastructure (ACI), vowing to take the lead in helping infrastructure sectors work more closely together to understand and mitigate the shared cybersecurity risks they face. Reading between the lines, the message was clear: The critical infrastructure community, increasingly alarmed at the Trump administration’s retreat from decades-long partnerships, is trying to fill the growing void of coordination and leadership.

Government budget cuts and personnel losses have made it much harder for agencies to support and advise infrastructure operators, and the White House has encouraged states to take over historically federal responsibilities for protecting local utilities. Amid those changes, infrastructure firms like the ones that founded the ACI say the private sector must step up.

Ben Flatgard, the ACI’s chairman, noted that the private sector manages the vast majority of U.S. infrastructure. “We can’t outsource that responsibility or the risk management practices that come along with it,” he said in an interview with Cybersecurity Dive. “We need to own the solution for that as well.”

Many experts say that while the government must retain a leadership role in protecting critical infrastructure, it’s a good sign that private companies want to assume more of the burden.

“If the private sector does not step up to self-organize,” said Brian Harrell, a former assistant director for infrastructure security at the Cybersecurity and Infrastructure Security Agency (CISA), “the nation faces a period of unprecedented visibility gaps in its most vital systems.”

‘Changing landscape’ after government cutbacks

The ACI is an evolution of the Tri-Sector Executive Working Group, which united energy, financial services and telecommunications industry leaders and served as a key private sector voice during both the Biden and first Trump administrations. Tri-sector leaders shaped executive-branch policies and legislation, including the influential recommendations of the congressionally chartered Cyberspace Solarium Commission. But despite helping Washington make progress, the companies continually fretted over the fact that infrastructure protection remained heavily siloed.

“We still weren’t getting to the cross-sector component, and we were [just] in our verticals,” Michele Guido, the ACI’s executive director, said in an interview.

Many infrastructure operators, especially the best-resourced ones, have “gotten really good within our silos,” said Flatgard, who leads cybersecurity policy for JPMorgan Chase. But individual corporate efforts won’t be enough to confront a truly wide-ranging crisis, he added.

The ACI was formed “to start building those bridges between our sectors,” Flatgard said, because “there’s serious dependencies that we have on the others to operate our essential services.”

The second Trump administration’s changes to longstanding public-private partnerships also helped spur the companies to build something new.

Throughout 2025, the Trump administration purged CISA, eliminated a public-private coordination channel known as the Critical Infrastructure Partnership Advisory Council and considered shutting down the Federal Emergency Management Agency. “You just had a changing landscape,” said Guido, the strategic security policy director at the energy giant Southern Company.

Infrastructure operators saw the government stepping back and felt a new sense of urgency to move from a supporting role to a leading one.

To that end, the companies in the tri-sector restructured their group as a nonprofit that could recruit more members. The ACI is now creating working groups, defining pilot projects and reviewing membership applications. In addition to its formal members, the group will collaborate with government agencies, sector coordinating councils (SCCs), information sharing and analysis centers (ISACs) and cybersecurity think tanks.

The ACI won’t be a sprawling organization, however. Its leaders want to carefully choose a selection of infrastructure operators with the resources to contribute to its projects. At the same time, the group wants to consult with a wide range of organizations, including small utilities that may have something to teach the bigger players.

“Some of them may be less sophisticated in cyber,” Flatgard said, “but most of them are really good at responding to crises within their business and within their area of expertise. I think we have a lot to learn from those.”

“Who’s making key decisions on that bad day, from the critical infrastructure perspective? We have continuity of government, but what does continuity of critical infrastructure look like?”

Michele Guido

Executive Director, Alliance for Critical Infrastructure

Four-part strategy

Over the next 18 months, ACI members will dive into activities that support the four pillars of the group’s strategic plan.

The first pillar will focus on analyzing cross-sector dependencies — the organizations that support essential services in multiple sectors. “Within the verticals, you have all these plans, but no plans really come together to understand the cross-sector component,” Guido said. The ACI plans to publish a white paper offering a high-level overview of how each sector operates and how multiple sectors can work together, which will help infrastructure operators better understand each others’ needs.

The strategy’s second pillar will test ways to unite infrastructure sectors in responding to a “polycrisis” — a national-level emergency that simultaneously threatens a wide range of infrastructure, with both physical and digital consequences. “We want to develop an operational national response event protocol,” Guido said. “Who's making key decisions on that bad day, from the critical infrastructure perspective? We have continuity of government, but what does continuity of critical infrastructure look like?”

Success in this area would mean that infrastructure operators could “work through the fog of war” and smoothly take steps to maintain, rebuild and restart vital services, Flatgard said.

As part of this pillar, Guido said, the ACI is working with CISA to expand the agency’s cybersecurity incident-response playbooks to reflect cross-sector cooperation.

The third pillar addresses the private sector’s operational support to the government on countering adversaries’ malicious activities, including through expanded information-sharing. The fourth pillar deals with advising policymakers on legislation and regulation, which the ACI’s leaders said will remain important even as companies do more on their own.

JPMorgan Chase is a founding member of the ACI.

Michael M. Santiago via Getty Images

‘That’s not how we plan’

The emphasis on cross-sector dependencies — areas of risk that no sector can fully understand or mitigate alone — distinguishes the ACI from other groups. ACI members will focus on evaluating the technologies that invisibly underpin multiple aspects of daily life, from the GPS satellites essential to smartphones, airplanes and tractors, to the undersea cables that connect AI and cloud computing data centers around the world.

The resulting analyses could help businesses across the critical infrastructure community better prepare for major cybersecurity incidents.

Natnael Habtesion, the chief security officer at ACI founding member Lumen Technologies, said the new group’s “recognition that threats to one sector rarely stay contained and can have adjacent impacts” is its unique value.

The ACI is especially focused on collaborative planning for a polycrisis. Guido conjured the image of a natural disaster that affects a region of the U.S. at the same time that it’s hit with a major cyberattack. “That's not how we plan,” she said.

In the tri-sector’s annual exercises over the past few years, infrastructure operators realized that the same strategies they used to prepare for, say, a geographically limited Category 5 hurricane weren’t very useful in a polycrisis. An environment of multiple simultaneous emergencies “stretches our capacity really thin,” Flatgard said.

Taking initiative, with allies and limitations

While the ACI is still in its infancy, it’s already thinking about how to test the ideas its members come up with. That could include regional pilot programs — on topics such as incident response, information sharing and service restoration — involving the most important organizations in a specified area, from water treatment plants to health clinics to military bases.

Partnerships with sector-specific groups will be critical to the ACI’s success. The group has already been talking to ISACs and SCCs to reassure them that it understands their role. “We don’t want this to be duplicative of existing sector functions and apparati,” Flatgard said.

Errol Weiss, the Health-ISAC’s chief security officer, said it was essential for the ACI to integrate with information-sharing groups like his. ISACs “already provide operational threat intelligence and sector‑specific context,” he said. “Duplicating or bypassing that ecosystem would risk confusion for operators.”

“This is a great time for this conversation about the resilience of the technology infrastructure that underpins all of the sectors that the country relies upon.”

Ben Flatgard

Chairman, Alliance for Critical Infrastructure

The ACI’s leaders also want a strong relationship with federal agencies. “We need the government’s help to be successful,” Flatgard said.

CISA recently published guidance to infrastructure operators on maintaining services during a crisis. The agency also plans to assess operators’ resilience through targeted engagements, but CISA’s staffing cuts may limit the scale of that work.

In addition, broader government-industry relationships are currently suffering in the absence of the Critical Infrastructure Partnership Advisory Council (CIPAC) framework, which let government and industry leaders meet privately without antitrust concerns. The Trump administration abruptly eliminated CIPAC with little explanation, and while DHS is developing a replacement, the government isn’t answering infrastructure operators’ questions about it.

“We still have to keep marching forward,” Guido said. The ACI wants a CIPAC replacement, “but I don’t think we can let it deter us at this point.”

The absence of strong federal partnerships will inevitably hamper companies’ work, experts said.

“Independent industry alliances could theoretically move faster than federal bureaucracy, addressing interconnected risks,” Harrell said, but “without federal oversight, these groups lack the sovereign intelligence feeds and antitrust immunity that once anchored their operations.”

ACI leaders said they recognized those challenges. But as their group gets off the ground, they also said they saw lots of opportunities to play a productive role.

“This is a great time for this conversation about the resilience of the technology infrastructure that underpins all of the sectors that the country relies upon,” Flatgard said. “There’s gonna be some hard truths within our own companies as well in terms of what this means, but that’s why we're forming this group.”