
Congress, industry ponder government posture for protecting data centers

29 April 2026 at 15:22

The growth of data centers — and adversaries’ targeting of them — left lawmakers at a hearing Wednesday contemplating whether the federal government has the right setup for defending them.

Some industry witnesses and experts at the hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection testified that the answer might be to give data centers their own standalone designation as a critical infrastructure sector.

The question of how to secure data centers against cyber and physical attacks coincides with artificial intelligence fuelling a boom in the building of such facilities across the United States. Last month, Iranian drones targeted two Amazon data centers in response to the U.S.-Israel bombing campaign on Iran, and a third data center in Bahrain was struck as well.

“If a major data center is attacked, disrupted, or taken offline, the consequences can reach far beyond one company or one sector,” Rep. Andy Ogles, R-Tenn., said in prepared opening remarks. “Yet our current framework does not provide a clear, unified approach to data center security. It does not clearly answer which federal agency is responsible for understanding the risk, coordinating with industry, or leading the response when this infrastructure is targeted.”

Three providers account for 63 percent of the market share of data centers: Amazon Web Services, Microsoft Azure and Google Cloud Platform. 

The United Kingdom already has deemed data centers as a standalone critical infrastructure sector. Reps. Vince Fong, R-Calif., and LaMonica McIver, D-N.J., asked panel witnesses Wednesday about federal protection of them.

“Given the scrutiny that is required to make sure that those data centers are secure, there would be a benefit in having them work together as a unique coordinating council,” said Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, an industry group.

The Foundation for Defense of Democracies’ Mark Montgomery suggested a sector that combines data centers and cloud providers, given the overlap in ownership. The 2024 rewrite of a White House national security memo left some experts disappointed that it didn’t designate cloud computing as a critical infrastructure sector. 

Samuel Visner, chair of the board of directors of the Space Information Sharing and Analysis Center, said he agreed, given the role data centers are playing in the U.S. economy, military and other dependencies. “Finding a way to regard them as part of our critical infrastructure and protect them accordingly is sine qua non, absolutely necessary,” he said.

A fourth witness didn’t weigh in on the need for a separate critical infrastructure designation. But Scott Algeier, executive director of Information Technology Information Sharing and Analysis Center, said his organization had created a “special interest group” for data center providers.

“The data centers are integrated already into the critical infrastructure discussions,” he told the panel.

The post Congress, industry ponder government posture for protecting data centers appeared first on CyberScoop.

Rep. Delia Ramirez takes over as top House cybersecurity Dem

28 April 2026 at 11:45

Illinois Rep. Delia Ramirez is taking over as the top Democrat on the House Homeland Security panel’s cybersecurity subcommittee, replacing former Rep. Eric Swalwell after his resignation.

Committee Democrats approved the change Tuesday at a meeting prior to a “shadow hearing” without the GOP majority, focused on protecting elections from Trump administration interference.

Ramirez first won election to Congress in 2022 and was reelected in 2024. She has served as the vice ranking member of the committee since 2023. She is now the ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection.

She has leveled criticisms during committee hearings about the Trump administration’s personnel cutbacks at the Cybersecurity and Infrastructure Security Agency, and was critical of how data was secured under the administration’s Department of Government Efficiency initiative led by Elon Musk.

“Under a Musk and Trump presidency, it’s clear that the security of Americans’ information is not a priority. I mean, a private civilian with no security clearance bullied his way into the Treasury, set up private servers, and stole sensitive information from an agency. If that isn’t a national security crisis, a cybersecurity crisis – then I don’t know what is,” Ramirez said at an early 2025 hearing. “The true threat to our homeland security is ‘fElon’ Musk, Trump, and their blatant misuse of power to steal information and coerce employees to leave agencies.”

She cosponsored legislation last year meant to strengthen the cybersecurity workforce by promoting measures to help workers from underrepresented and disadvantaged communities to join the field.

But she also had criticisms of U.S. cybersecurity under the Biden administration, including of Microsoft’s role in the SolarWinds breach.

In a statement about her appointment Tuesday, Ramirez took aim at Trump, Vice President JD Vance, Department of Homeland Security Secretary Markwayne Mullin and White House homeland security adviser Stephen Miller.

“It’s clear that the security of our communities’ information, federal networks, and critical infrastructure have not been priorities” under them, she said. “Between the security failures of DOGE, the abuses of immigrant families’ data, and the decimation of CISA’s workforce and resources, Republicans have demonstrated a lack of interest in safeguarding our nation’s cybersecurity and our residents’ civil rights and privacy. In neglecting necessary oversight, Republicans have deregulated emerging technologies, allowed bad actors to profit from violations of our civil rights, and consented to the weaponization of government systems. It is more critical than ever that we assert our Congressional authority and disrupt the blatant corruption making us all less safe.”

Swalwell left the position following his resignation from Congress as a representative from California amid allegations of sexual misconduct.

Her ascension completes a full leadership turnover for the subcommittee. Rep. Andy Ogles, R-Tenn., took over the gavel late last year after former chairman Andrew Garbarino, R-N.Y., took over as chairman of the full committee.

The subcommittee is set to hold a hearing Wednesday on CISA and its role as the sector risk management agency for a number of critical infrastructure sectors.

Updated 4/28/26: to include comment from Ramirez.

The post Rep. Delia Ramirez takes over as top House cybersecurity Dem appeared first on CyberScoop.

CISA official advises agencies not to get too hung up on who takes lead in critical infrastructure sectors

17 March 2026 at 17:23

The U.S. government shouldn’t rigidly stick to traditional designations about which agency takes the lead on engaging with critical infrastructure sectors, the acting director of the Cybersecurity and Infrastructure Security Agency said Tuesday.

Sector risk management agency designations have long governed which agency is at the forefront of government efforts to protect each of the 16 critical infrastructure sectors, with CISA responsible for eight of them.

“When we look at our sector risk management agency construct, that’s important for a lot of reasons. It’s less important to abide by that strictly and say ‘CISA is the Sector Risk Management Agency for telecommunications,’” CISA’s Nick Andersen said at an event hosted by Auburn University’s McCrary Institute.

Rather, when responding to cyber incidents or undertaking other engagements with the private sector, the question should be who has the best relationship with a certain sector.

“We may have some owner-operators within a certain critical infrastructure sector that maybe the person they’re best positioned to receive resources from is us, or maybe it’s [Department of] Energy, or maybe it’s EPA, or maybe it’s FBI or NSA, or so forth and so on,” he said. “We just have to be comfortable with taking off those blinders and saying, ‘I don’t necessarily need to be in charge all the time no matter who I am. I just need to make sure that this owner-operator has the best partner teed up to lead that engagement.’”

The goal is to avoid another “Guam situation,” where “everybody was racing to Guam the last couple of years like kids chasing a soccer ball,” Andersen said. Guam was the site of critical infrastructure attacks on U.S. military bases that Microsoft pinned on the Chinese hacking group Volt Typhoon in 2023.

An attack on the telecommunications sector from another “Typhoon” group, Salt Typhoon, prompted questions about whether CISA’s hands are too full with all of its sector risk management agency responsibilities. House Homeland Security Chairman Andrew Garbarino, R-N.Y., raised concerns last year about how CISA handled its sector risk management agency role for the telecommunications sector after the Salt Typhoon campaign was uncovered.

The post CISA official advises agencies not to get too hung up on who takes lead in critical infrastructure sectors appeared first on CyberScoop.

Sources: DHS finalizing replacement for disbanded critical infrastructure security council 

By: djohnson
14 January 2026 at 15:18

The Department of Homeland Security is finalizing plans for a new body that would replace the functions of the Critical Infrastructure Partnership Advisory Council (CIPAC) and serve as a communications hub between industry and government to discuss ongoing threats to U.S. critical infrastructure, including from cyber attacks.

Under previous administrations, CIPAC served as a nerve center for federal agencies, industry and other stakeholders. While industry widely praised its utility, the council was one of many DHS advisory bodies that were shuttered last year by Secretary of Homeland Security Kristi Noem when President Donald Trump returned to office.

Now, according to multiple sources, a proposed regulation for a new replacement council is in the final stages of review and approval from Noem’s office.

The new body will be called the Alliance of National Councils for Homeland Operational Resilience, or “ANCHOR,” and will also serve as an umbrella organization for other federal sector risk management agencies. Its goal is to restart conversations and planning around infrastructure security that took place under the previous CIPAC, according to a former DHS official.

The official, who requested anonymity to discuss the administration’s plans, said all 15 federal sector coordinating councils have been briefed on ANCHOR. One of the primary differences between CIPAC and ANCHOR will be in structural authorities and liability protections.

CIPAC was essentially “an advisory council that could be chartered to create other advisory councils” that needed Secretary-level approval and contained rigid rules requiring separate charters for every new council that was then stood up.

This created “a waterfall effect” of bureaucracy that made CIPAC a poor vehicle for holding broad conversations between not just DHS and industry, but all other federal sector risk management agencies and sector coordinating councils.

“What DHS strived to do was to create a new framework for engaging on threat conversations and pre-deliberative policy conversations impacting security outcomes with sectors and the private sector, without having to create all these waterfall advisory councils or new charters and all that stuff,” the official said.

Under CIPAC, conversations between government and industry were also “closed by default” to the public, with mandatory liability protections for every conversation and setting. Often, the most the government could do was issue a press release or cite comments under Chatham House Rule.

Under ANCHOR, there is expected to be wider latitude for DHS or other councils to open certain meetings to the public, or provide transcripts of conversations they hold with stakeholders.

However, the official emphasized that liability protections remain one of the last unresolved issues. The administration is still determining when those protections would or would not apply to ANCHOR-related discussions between government and industry, and further changes could be made to assuage industry.

Other federal laws, such as the Cybersecurity and Information Sharing Act of 2015, only provide liability coverage for “one to one” conversations between a company and the government. CIPAC, by contrast, provided a liability shield for “one-to-many” engagements, where a company may engage with federal, state and local agencies as well as other companies and entities.

“That was a very understood and very counted-on liability shield for allowing senior officials, all the way up to the CEO of private sector companies, to really openly communicate with each other,” the official said.

Following publication, a DHS spokesperson in a statement did not dispute a description of ANCHOR provided by CyberScoop but called discussions of an imminent regulation release “premature.”

“We look forward to sharing more details once we have something to announce,” the spokesperson said.

This week, Adrienne Lotto of the American Public Power Association told Congress that liability protections in CIPAC were critical to fostering open dialogue between industry and government around cybersecurity and infrastructure protection.

She also signaled that a new advisory council was forthcoming, saying industry “was apprised by DHS that the administration’s proposed CIPAC replacement is ready for publication in the Federal Register” while encouraging the administration to finalize the plans “quickly.”

Even with some uncertainty around ANCHOR’s structure and liability protections, many industry executives are likely to embrace the return of information-sharing partnerships that they believe were vital to understanding the digital and physical threat landscape facing their sectors.

Last year, industry groups lamented the disbanding of CIPAC to members of Congress, prompting Rep. Andrew Garbarino, now chair of the Homeland Security Committee, to pledge he would “look into this and hopefully speak to the administration to try to fix this.”

The former DHS official said they expected ANCHOR to be largely welcomed by many industries who have called for the restoration of CIPAC, even as they look to grapple with the Trump administration’s new approach.

“Everybody who wants to talk in groups is going to be excited because it’s back,” the official said. “Everybody that’s interested in the amount of risk that it opens up is going to want to see the details.”

1/15/2026: This story was updated Jan. 15 with a DHS statement sent to CyberScoop in response to questions about ANCHOR.

The post Sources: DHS finalizing replacement for disbanded critical infrastructure security council appeared first on CyberScoop.
