Cyber council's demise shakes public-private sector trust

Illustration: Aïda Amer/Axios
The Department of Homeland Security's quiet dismantling of a key cybersecurity council is raising alarms among experts who fear it could weaken intelligence sharing and make critical infrastructure more vulnerable to cyber threats.
Why it matters: The move has raised concerns across the cybersecurity community about whether the new Trump administration can be trusted to maintain sensitive relationships.
Driving the news: Earlier this month, DHS terminated the Critical Infrastructure Partnership Advisory Council (CIPAC) alongside additional "discretionary" advisory bodies as part of a broader effort to streamline operations.
- Unlike other advisory groups, CIPAC had unique legal standing within DHS, providing a protected forum for private sector and federal agencies to exchange threat intelligence, craft cybersecurity policies, and discuss risks to critical infrastructure.
- DHS spokesperson Tricia McLaughlin said the move aims to "eliminate redundancies to create a more efficient, streamlined department" and "minimize government waste, abuse, reduce inflation, and promote American freedom and innovation."
- A Cybersecurity and Infrastructure Security Agency spokesperson added that the agency is "taking this opportunity to review ways to improve information sharing and collaboration."
The big picture: At the heart of CIPAC's role was the long-standing public-private partnership model — which many argue is essential for cyber defense.
- The U.S. government has limited visibility into threats targeting critical infrastructure and often relies on the private sector to assess the feasibility of new security measures.
- But companies have long been wary of legal and regulatory scrutiny when sharing intelligence with the government. CIPAC helped ease those concerns.
Between the lines: CISA is still determining the long-term impact of CIPAC's termination.
- A regularly scheduled cross-sector coordination call, where industry groups representing different critical infrastructure sectors exchange intelligence, still happened Friday. The call is set to continue uninterrupted — despite being a byproduct of CIPAC — an industry source told Axios.
- CISA is also exploring ways to host legally protected discussions, with plans to roll out a replacement within the next quarter, according to the source, who was granted anonymity to share details from private discussions.
The intrigue: The impact of CIPAC's termination depends on what replaces it, said Scott Aaronson, senior vice president of energy security and industry operations at Edison Electric Institute, during a congressional hearing last week.
- Some industry leaders worry that without CIPAC, private companies will hesitate to share threat intelligence with the government — potentially leaving critical infrastructure more vulnerable.
- While CIPAC wasn't perfect, "it has continued to evolve in a positive direction over time," John Miller, senior vice president of policy, trust, data and technology at the Information Technology Industry Council, told Axios.
- "Information sharing is a powerful tool in protecting our critical infrastructure, and the trust required to do that sharing has been built over decades," Elizabeth Heathfield, chief corporate affairs officer at FS-ISAC, told Axios. "We hope that sharing continues."
Yes, but: Some industry stakeholders argue that while public-private collaboration is essential, CIPAC wasn't delivering on its promise.
- Larry Clinton, president of the Internet Security Alliance, told Axios that CIPAC's structure was fundamentally flawed and needs to be replaced.
- "If the new secretary at the Department of Homeland Security decides that she's going to take down the old structures so we can build some better ones, I say more power to her," Clinton told Axios. "We need to understand that what we are doing is not working at all."
What we're watching: Supporters of CIPAC are already pushing Congress to enshrine elements of the council into law, aiming to salvage its core functions.
- "We don't want industry not sharing information with us; we don't want industry not sharing information with each other, because when that happens it just increases the vulnerabilities that are out there," Rep. Andrew Garbarino (R-N.Y.), head of the House Homeland Security cyber subcommittee, said at the same congressional hearing.
