House cyber committee chair seeks update from CISA on info-sharing relationships

Rep. Andrew Garbarino, R-N.Y., chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, chaired a hearing Tuesday examining the health of two cybersecurity programs managed by CISA. (Tom Williams/CQ-Roll Call, Inc via Getty Images)

Rep. Andrew Garbarino, R-N.Y., chair of the House Homeland Security cyber subcommittee, is seeking answers from the Cybersecurity and Infrastructure Security Agency about its relationship with outside information sharing organizations.

In particular, Garbarino posed a series of questions in a letter addressed to CISA Director Jen Easterly this week about whether the agency is effectively collaborating with two groups: the Analysis & Resilience Center for Systemic Risk (ARC), a coalition of private banks and financial organizations; and the Energy Threat Analysis Center (ETAC), a public-private partnership between the Department of Energy and the energy sector.

Both groups have established themselves as key conduits for the federal government and industry to share information around cyber threats and other systemic risks within their own sectors, while steadily expanding to bring in a greater group of industry stakeholders.

However, Garbarino expressed concerns that they may be getting squeezed out of those leading roles by agency leadership in favor of the Joint Cyber Defense Collaborative, an industry/government collaboration hub that was created in 2021 and is run by CISA.

“Despite ample engagement and participation in the ARC by the owners and operators of cross-sector critical infrastructure entities, and a history of engaging with the ARC since its inception, I understand that CISA may adopt a different sector-specific approach,” Garbarino wrote Wednesday.

Among the concerns: CISA leaders sent a letter to financial services organizations communicating their intent to alter its facility clearance for ARC members (although the agency has apparently “reconsidered” and reversed course since then), while at the end of last year a number of electricity sector members of ARC left the organization to begin participating in ETAC.

“The ARC model has proven effective and I encourage CISA to continue bolstering established partnerships. These partnerships will be crucial for the agency’s broader public-private partnership strategy, at a time when threats from adversarial nations are unrelenting,” he wrote.

A request for comment sent to CISA has not been returned at press time.

While there have been and continue to be a robust number of industry-specific information sharing and analysis centers like ARC and ETAC, past efforts at information sharing and collaboration between government and industry have suffered from low adoption by the private sector, or complaints from companies that they often aren’t given sufficient context to actually do something with the information they receive.

The JCDC was established two years ago and has been touted by CISA officials as a foundational pillar of the agency’s work engaging with industry around cyber threats, acting as a nerve center that was capable of not just sharing information, but providing “operational collaboration” between government and the industry players who prop up much of the nation’s technology and critical infrastructure.

But Garbarino requested a briefing from the agency no later than Sept. 28, writing that a nascent agency like CISA with few regulatory powers must rely on voluntary cooperation and its relationships with the private sector to remain effective.

Among the questions he’s seeking to have answered are whether CISA has plans to absorb ETAC and ARC as a “spoke” of the JCDC, whether the agency is appropriately resourced or budgeted to manage expansions around the JCDC, whether it played any role in establishing the ETAC, and whether the agency, as it moves toward a model of sector-specific approaches, has a plan for managing risks and threats that cut across multiple industries and sectors of the economy.

CISA also houses another organization, the National Risk Management Center, that does focus on managing and lowering systemic and interconnected risks in many aspects of American society and critical infrastructure.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
