The Department of Homeland Security is preparing to introduce a new system for holding sensitive discussions with critical infrastructure operators, replacing a framework that the Trump administration abruptly eliminated in its early days.
The new program, currently dubbed Alliance of National Councils for Homeland Operational Resilience (ANCHOR), will streamline the process through which federal agencies and infrastructure providers meet to discuss cyber and physical security threats, according to multiple people familiar with the matter, who requested anonymity to speak freely.
DHS eliminated the old framework for holding these meetings, known as the Critical Infrastructure Partnership Advisory Council (CIPAC), last March, effectively freezing many interactions between the agencies that oversee the security of critical infrastructure sectors and the private organizations that represent those sectors. CIPAC, created in 2006, provided the legal framework for companies and their trade groups to privately meet with government officials and discuss sensitive security issues, bypassing the transparency measures traditionally required for such meetings.
ANCHOR is expected to be more flexible than CIPAC in terms of its structure, according to people familiar with the plans. The government used CIPAC to create numerous other coordination councils for discussing infrastructure issues; ANCHOR will simplify the process of holding those meetings. ANCHOR will also allow for more transparency, letting the government and its partners hold some meetings publicly or release information about them.
It is unclear how closely DHS coordinated with infrastructure operators as it created ANCHOR. CyberScoop, which first reported details about the new program, said the Trump administration had briefed all 15 sector coordinating councils (SCCs) about its proposal. But multiple sources told Cybersecurity Dive that the administration had shared little information with industry.
“Despite what they say … they haven’t provided a lot of details to the SCCs,” said one person familiar with the matter. “It does seem that they are mainly keeping the SCC structure [in ANCHOR], though, just with more cross-sector touchpoints. That’s about all we know.”
When Cybersecurity Dive asked a representative of an infrastructure sector what DHS had told them about ANCHOR, they responded, “Not a word. We keep being told it’s under development.”
ANCHOR has been awaiting DHS Secretary Kristi Noem’s approval for weeks, according to two people familiar with the matter. One of the people, another infrastructure sector representative, said ANCHOR was on Noem’s desk when the sector’s SCC met in December, at which point DHS officials shared “an outline of the main features” with the council.
One of the biggest unresolved issues surrounding ANCHOR is whether — and if so, how — it will insulate companies from antitrust liability and other legal repercussions associated with the information they share in meetings. Corporate executives counted on CIPAC’s liability provision to candidly discuss their companies’ and sectors’ issues in group meetings, and industry leaders said future discussions would not be as productive if ANCHOR did not include a similar provision.
It remains unclear how close DHS is to publishing the regulation that will establish ANCHOR. The department did not respond to a request for comment.
