DHS Unveils ANCHOR-CI to Secure Critical Infrastructure

DHS Unveils ANCHOR-CI to Secure Critical Infrastructure

Christopher Hailstone joins us today to navigate the complex landscape of the newly proposed ANCHOR-CI framework. With a career rooted in the high-stakes world of energy management and grid reliability, Christopher has seen firsthand how a single vulnerability can ripple through our national power systems. As we discuss the Department of Homeland Security’s shift from the long-standing CIPAC model to this new collaboration system, we will explore the structural shifts in public-private partnerships, the anxieties surrounding local government readiness, and the critical missing pieces that have industry veterans feeling uneasy. This conversation delves into how the federal government plans to rebuild the bridges burned in early 2025, the mechanics of the four new council types, and why the lack of liability protections remains a significant hurdle for the cybersecurity community.

The transition to the ANCHOR-CI system follows a period where previous coordination frameworks were dissolved; how did the sudden termination of the old framework in March 2025 impact the trust between the government and infrastructure operators?

The decision to abruptly terminate the Critical Infrastructure Partnership Advisory Council in March 2025 sent a shockwave through the entire utility and cybersecurity sector. For nearly two decades—stretching back to its inception in 2006—CIPAC was the bedrock of our collaborative defense, and seeing it dismantled with little explanation beyond vague claims of a lack of flexibility felt like a betrayal of that long-term commitment. Many operators felt a sense of profound alarm as they watched their established partnerships with federal agencies begin to deteriorate almost immediately. Without the established forums for reviewing the current threat environment, the industry saw a “stark coordination void” where sectors simply stopped discussing sensitive security issues with their government counterparts. It created a chilling effect where the silence was palpable, leaving experts worried that national security was being actively endangered while leadership turmoil at DHS delayed any real replacement for nearly a year.

With the introduction of ANCHOR-CI as an umbrella system, what are the most significant structural changes in the four types of councils compared to the systems we relied on for the past twenty years?

The new framework is structured around four distinct pillars: sector-specific councils, cross-sector councils, industry councils, and regional councils. The sector-specific councils continue the legacy of the Sector Coordinating Councils and Government Coordinating Councils, but the “umbrella” approach of ANCHOR-CI aims to be more inclusive of organizations with direct responsibility for resilience. I find the addition of cross-sector councils particularly vital because they are designed to address the deep-seated interdependencies between different categories of infrastructure, such as how a failure in the water sector might cripple energy production. The industry councils are also a pragmatic addition for those businesses that span multiple sectors and previously had to navigate redundant reporting lines. While it looks similar on the surface to the 2006 model, the July 1 filing in the federal register suggests a more complex web of oversight that CISA will have to manage with extreme precision to avoid the bureaucracy that critics once complained about.

There is a notable emphasis on regional councils and pushing responsibility to the state and local levels; what risks do you see for infrastructure operators in rural or less-resourced areas under this decentralized approach?

This shift toward regional management is one of the most polarizing aspects of the July 1 proposal, as it reflects an administration-wide push to make security a state-level responsibility. While the DHS argues that resilience is most effectively “owned” at the local level, the reality is that many local governments are fundamentally unprepared to face the sophisticated hacking threats that we see targeting our grids today. There is a legitimate fear among infrastructure operators that rural areas will be left behind or that regional councils will lack the technical expertise found at the federal level. The mandate that these councils must ensure access and representation for rural entities is a good start, but without significant federal support, these local bodies may struggle to provide the “accessible and efficient” partnership the government is promising. It feels a bit like asking a local fire department to handle a national wildfire—they have the heart and the local knowledge, but they often lack the heavy equipment and specialized training needed for a high-intensity crisis.

Industry leaders have pointed out that ANCHOR-CI lacks the liability protections found in previous frameworks; how does this absence affect the willingness of private companies to share information about sensitive cyber incidents?

This is the “elephant in the room” that could potentially derail the entire ANCHOR-CI initiative before it even gets off the ground. Under the old system, the exemption from federal transparency rules allowed for candid, strategic conversations about sensitive vulnerabilities without the fear of regulatory blowback or legal exposure. Without those explicit liability protections, many chief security officers are going to be extremely hesitant to share the “nitty-gritty” details of a cyber incident, fearing it might be used against them in future litigation. We are already hearing from sector representatives that companies have stopped discussing certain high-risk topics because the legal risks simply outweigh the benefits of government collaboration. If the government wants robust risk mitigation, they have to realize that trust isn’t just about a seat at the table; it’s about knowing that sharing a weakness won’t lead to a corporate death sentence or a PR nightmare.

The new framework is established for an initial two-year period with the possibility of renewal; how does this limited timeframe impact the long-term planning and stability of our national cybersecurity strategy?

Establishing a system for only two years at a time creates a sense of “wait-and-see” that is the enemy of long-term infrastructure planning. In the utility world, we plan in decades, not two-year increments, so this limited term makes some industry veterans question if this is a permanent solution or just a temporary fix until the next political shift. While the system can be renewed for unlimited additional terms, the administrative burden of those renewals and the potential for the system to be “non-renewed” adds a layer of uncertainty that we don’t need right now. We saw how quickly the progress of the last 20 years was erased in March 2025, and having a “sunset clause” hanging over the new framework feels like we are building on shifting sands. For ANCHOR-CI to truly succeed, it needs to prove itself quickly and demonstrate a level of stability that convinces the private sector this isn’t just another fleeting bureaucratic experiment.

What is your forecast for the ANCHOR-CI framework?

I believe that while ANCHOR-CI provides a necessary bridge to fill the “stark coordination void” left by the previous administration, its success will ultimately hinge on whether the government adds the missing liability protections in late 2026 or early 2027. We will likely see a flurry of activity as the four types of councils are stood up and CISA begins the process of appointing members, but the depth of information sharing will remain shallow until companies feel legally safe. If the DHS can address these legal exposures and stabilize the leadership turmoil that delayed the rollout, this could become a more flexible and modern version of the 2006 framework. However, if the regional councils fail to provide rural areas with the support they need against sophisticated hackers, we may see a fragmented security landscape where our national resilience is only as strong as its weakest local link. In the short term, expect a period of “renewed level of collaboration” that is overshadowed by a cautious “time will tell” attitude from the industry’s most experienced leaders.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later