The Trump administration’s chaotic overhaul of the federal government has seriously weakened the public-private partnerships that protect U.S. critical infrastructure from cyberattacks and physical disasters.
Massive workforce cuts, widespread mission uncertainty and a persistent leadership void have interrupted federal agencies’ efforts to collaborate with the businesses and local utilities that run and protect healthcare facilities, water treatment plants, energy companies and telecommunications networks, according to interviews with 14 representatives of those four critical infrastructure sectors, four former senior government cybersecurity officials and multiple infrastructure security experts.
Government leaders have canceled meetings with infrastructure operators, forced out their longtime points of contact, stopped attending key industry events and scrapped a coordination program that made companies feel comfortable holding sensitive talks about cyberattacks and other threats with federal agencies.
“The partnership is in suspended animation,” said a healthcare industry representative, who — like most others interviewed for this story — requested anonymity to discuss sensitive matters. “The partnership, at the end of last year, had reached a level of maturity that was promising, and now that’s all been pulled back.”
The result, experts and industry officials say, is reduced trust between the public and private sectors, a diminished understanding on each side of the other side’s needs and concerns, a declining capacity to plan for future attacks and a growing national vulnerability to debilitating hacking campaigns — all at a moment when the Trump administration’s intervention in Israel’s war with Iran has raised fears of retaliatory Iranian cyberattacks on U.S. critical infrastructure.
“We are seeing something unprecedented in cybersecurity — a government deliberately deciding to disinvest in its capabilities,” said Michael Daniel, the president of the Cyber Threat Alliance, who served as President Barack Obama’s cybersecurity adviser. “I don’t see how this retrenchment can do anything other than make us worse off.”
Lost cyber protections
Nation-state hackers and cybercriminals have repeatedly breached and sometimes disrupted U.S. critical infrastructure in recent years, including in the key sectors of healthcare, energy, water and telecommunications. These intrusions have heightened fears about companies’ readiness to withstand more serious attacks, as well as underscoring the urgency of government efforts to assist them.
But under the Trump administration, agencies’ engagements with their critical infrastructure partners have varied widely, with some conversations continuing while others have almost entirely stopped.
The Department of Homeland Security’s elimination of the Critical Infrastructure Partnership Advisory Council (CIPAC) framework in March has been the most seismic disruption. CIPAC allowed government and industry representatives to discuss sensitive cybersecurity information — including about companies’ security vulnerabilities — without meeting standard transparency requirements that would expose that information to the public. Without CIPAC, critical infrastructure operators have dramatically reduced their sensitive cyber conversations with the government, according to a wide range of industry representatives, all of whom described the dissolution of CIPAC as disastrous.
The absence of CIPAC “creates this big fear” and poses “a huge risk” for companies that want to share cyber threat information with the government, said an energy industry representative. “There's that doubt of, ‘Are we sharing too much?’”
CIPAC’s demise forced the telecommunications sector to suspend or modify several projects it was working on with the government, causing a significant impact, according to a communications sector representative. The sector had to take on more responsibility for an internet routing security initiative previously led by the White House, pause research on artificial intelligence–powered threat intelligence and freeze a collaboration with the National Security Agency on nation-state attacks. The interruptions come as telecom companies reel from China’s “Salt Typhoon” campaign of extensive and alarming intrusions into their networks.
Federal agencies are working on a replacement for CIPAC that would broaden the range of private-sector participants in meetings, according to multiple industry figures, who said it was urgent that the government launch that replacement as soon as possible.
The oil and natural gas industry is currently refusing to share the products of its cyber working groups with the government “until we are assured that we have those [CIPAC] protections,” according to an energy industry representative.
In the meantime, the industry canceled its spring meeting with the government because companies didn’t know what they’d be able to safely share. Sector leaders have scheduled another meeting in anticipation of a CIPAC replacement, but if that fails to materialize, the industry doesn’t expect cyber conversations with the government at the meeting to be very productive.
DHS declined an interview request for this story, and the department did not respond to a question about the CIPAC replacement.
Sharing has ‘tapered off’
The Trump administration’s changes have also undermined some cyber information sharing, the cornerstone of the public-private partnership keeping critical infrastructure safe from hackers.
Because the private sector operates most critical infrastructure, it knows more than the government does about how that infrastructure works, what cyberattacks are occurring against it and what the impact of a successful intrusion would be, according to John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association and a former FBI cyber partnerships official. The industry, in turn, relies on the government to supply both unique foreign intelligence and cyber threat information for which it would otherwise have to pay private firms. Small infrastructure operators with threadbare security budgets are especially dependent on this free information.
But information sharing “is taking a minor hit,” according to Errol Weiss, chief security officer at the Health-ISAC, the industry’s information sharing and analysis center. The pace of alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI “definitely looks like it's slowing down a bit,” Weiss said. Riggi described a delay in receiving threat intelligence from CISA “because of the leadership change,” though he said sharing with the FBI “continues to be very robust.”
Threat briefings are still occurring, industry figures said, but their frequency has become uneven as relationships with agencies have grown strained and federal workers have retired or been laid off. “They definitely tapered off,” a water industry representative said. (EPA press secretary Brigit Hirsch said the agency has continued to provide briefings “with the same cadence” as in the past.)
Trump’s federal travel restrictions have also made it harder for government employees to attend industry events and tour infrastructure facilities. “It's difficult … to get them to meetings,” Weiss said. It took a long time for government officials to get permission to attend the industry’s annual tabletop exercise on Thursday, which will game out how the country would respond to a major cyberattack on healthcare facilities.
At the same time, Trump has continued a project that former President Joe Biden launched last year to speed up the pace of briefings. The Critical Infrastructure Intelligence Initiative, run by CISA and the intelligence community, provides cleared industry officials with a classified readout on the threat landscape on the first Wednesday of every month. A second water industry representative called it an improvement over the briefings for smaller groups of industry leaders at biannual sector leadership meetings.
An unrecognizable CISA
No agency has seen more change under Trump than CISA, according to experts and industry figures.
Congress created CISA in 2018, during the first Trump administration, to serve as the hub of the government’s cybersecurity partnerships with U.S. infrastructure operators. But CISA’s efforts to counter misinformation during the 2020 election transformed it into a conservative bogeyman, and the second Trump administration quickly began targeting the agency, freezing its election security work, pushing out roughly one-third of its 3,300-person workforce, ending threat-hunting contracts and proposing even deeper cuts.
Now, infrastructure operators say they barely recognize the fledgling but ambitious agency they had gotten to know over the past six years.
“With CISA, there is no partnership. It’s gone,” said a second energy industry representative. “We can’t even seem to get meetings with the necessary folks there.”
CISA’s recent cuts “have severely affected the agency’s ability to engage meaningfully with industry stakeholders,” said Jen Sovada, general manager of the public sector at the operational technology security firm Claroty.
CISA spokesperson Marci McCarthy said the agency “remains fully committed to its core mission of securing the nation’s critical infrastructure and enhancing cybersecurity resilience,” adding that “public-private collaboration is defined by outcomes such as reduced risk, improved response, and strengthened trust, not by the number of meetings.”
But CISA employees say they’re deeply frustrated with the changes and reductions at their agency. “We are at a bit of a standstill,” said one CISA staffer, who requested anonymity to speak freely. “People are adjusting to having lost a good chunk of our workforce. … We are trying to find the new ‘normal’ given the departures and [changing] mission parameters.”
The Joint Cyber Defense Collaborative, which the agency launched in 2021 to make its public-private partnerships less conversational and more operational, has seemingly fallen dormant. “I have not heard a peep from JCDC the last few months,” said the first energy industry representative. The industry spent two years working with JCDC on a “multi-part” effort to address state-backed cyberattacks on midstream gas pipelines, this person said, but the nearly completed project hit bureaucratic snags toward the end of last year, “and now I have no idea the status of it.”
A public-private task force focused on securing technology supply chains, co-led by CISA and the IT and telecom sectors, has effectively shut down following the loss of CIPAC. The task force’s high-level meetings “have gotten canceled every week,” a telecom industry representative said.
Trump’s cuts have also forced out many of CISA’s regional advisers, who serve as field liaisons connecting infrastructure operators with the agency’s free guidance and services. As a result, CISA has “gone off the grid” in many states, the first water industry representative said. “If all your CISA folks leave in your state, who are you supposed to call? … Nobody's communicating that.”
The loss of CISA advisers undermines infrastructure operators’ readiness to fend off cyberattacks, according to industry representatives who recounted these advisers providing briefings, participating in tabletop exercises, advertising free CISA services like vulnerability scans and serving as emergency resources.
“Water system operators were trained to reach out to those CISA points of contact,” said the first water industry representative, “and now they don't know who to contact. So either information that needs to get to the government is not getting there, or it's taking longer.”
Hamstrung SRMAs
In addition to the struggles at CISA, infrastructure operators have also reported problems with the specialized Sector Risk Management Agencies (SRMAs) that help various industries deal with cyber and physical threats.
Around the time of the change in administrations, the EPA and CISA canceled a series of planned meetings with state water overseers, according to a third water industry representative. Hiccups like this have compounded what industry leaders said was the EPA’s already-anemic ability to help the sector withstand attacks.
Hirsch, the EPA press secretary, said the agency “will continue prioritizing staffing and resources” for cyber support, adding that EPA considers cybersecurity “one of its highest priorities.”
Meanwhile, the healthcare community is deeply concerned about the future of cyber aid from the Department of Health and Human Services.
The Trump administration is demoting and restructuring the HHS wing that handles the department’s SRMA work. “It seems like they’ve taken a step back,” a healthcare industry representative said. The sector used to meet regularly — sometimes weekly — with HHS to discuss critical infrastructure cybersecurity, Weiss said, “but since the new administration, all of that’s gone.”
HHS did not respond to multiple interview and comment requests for this story.
Members of the energy sector said their cyber partners at the Department of Energy and the Transportation Security Administration (which protects oil and gas pipelines) were trying their best but facing political headwinds. The second energy industry representative said “DOE is busting its butt” to help industry despite a lack of leadership support, while the remaining staffers at the TSA are “trying really hard to save the ship.”
DOE and TSA did not respond to requests for comment.
“There is a degradation of support that is happening,” said Caitlin Durkovich, who served as Biden’s deputy homeland security adviser for resilience and response.
‘Vacant seats’
As Trump appointees have pushed to shrink their agencies, key points of contact for infrastructure operators have left the government, leaving companies and their trade groups in the dark about who to call for cybersecurity help.
Those departures have eroded important trust relationships between the public and private sectors.
“If I get a phone call from somebody at CISA who's worked incident response efforts with me, I'll drop everything and take that call, because I know it's important … and likewise, if I call them, they’re going to answer my call,” Weiss said. “If we don’t have the ability to interact on a regular basis like this, [and] if the players change, we’re not going to have those relationships.”
And it isn’t just trust that takes time to build. Departing staffers “had built up substantial knowledge about the sectors they worked with,” said Daniel, the former White House cyber adviser, “and the government has now lost the benefit of that expertise, which will be difficult to replace.”
Worries over response to future cyberattacks
As they navigate canceled meetings and missing points of contact, industry officials say they’re not waiting around for the government to tell them how to protect their sectors.
“It's become even more evident that the private sector’s got to take an active role here because of all the cutbacks,” Weiss said.
Infrastructure operators proudly tout the fact that they, not government agencies, already have most of the technical experience necessary to operate and protect their systems. But they worry about filling any void in information sharing left by a shrinking government.
Some critical infrastructure communities are now worried about what would happen in the event of a devastating cyberattack.
“If there is a major sector incident, I worry about the response capability of the government,” Weiss said. With the current level of support from the government, one water industry representative said, a widespread intrusion into water systems “could be disastrous.” Asked about the government’s ability to help contain a major hack in the natural gas sector, the second energy industry representative said, “I no longer know.”
This industry pessimism has only exacerbated the alarm that many cyber experts feel about recent events.
“We really can’t afford to roll back the capabilities and strength that come from public-private collaboration,” said Phil Reitinger, president and CEO of the Global Cyber Alliance. “The risk is too great.”
