The Building Blocks of a Better CISA Partnership: IT-ISAC Executive Director Testifies Before the House Homeland Committee

On April 29, 2026, Scott Algeier, Executive Director of the IT-ISAC, testified before the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection Subcommittee on the importance of CISA’s partnerships with private industry. His message was clear: When CISA succeeds, the country succeeds.

However, CISA cannot succeed in a vacuum. True partnership requires government engaging industry as an equal partner and recognizes the economic constraints companies operate with.  When successful, partnerships enable industry and government to allocate scarce security resources to maximum effect. 

Unfortunately, not enough attention is being paid to effective resource allocation. At the same time when industry is navigating a complex threat environment, it must also navigate an increasingly complex regulatory landscape. No organization has unlimited resources–time, money and people are all in limited supply.  The growing compliance burden can pull security resources away from defensive priorities without improved security outcomes. 

To understand why public-private partnerships are so important, we simply need to look at the sheer volume of adversaries the United States is up against. The IT-ISAC is monitoring over 330 individual threat actors.  These include sophisticated nation-states and aggressive cyber criminals.

Russian-based actors account for nearly half of all observed threat actors, displaying highly sophisticated technical capabilities and an increasing tendency to amplify operations from other states, like Iran. Meanwhile, Chinese-based actors continue to play the long game — specializing in stealth and blending into networks undetected for months or even years to establish a foothold.

Beyond the Nation State actors, cyber criminal gangs and ransomware actors are active and effective.  IT-ISAC tracked a nearly 80% growth in ransomware incidents from 2024 to 2025. The IT sector accounted for over 11% of observed ransomware incidents.  In short, the technology powering our global economy is frequently at risk.

In the short term, at least, Artificial Intelligence is tilting the scales even further in favor of the attackers. AI enables threat actors to work faster and to scale their attacks. The recent news that details how AI models are able to discover and issue zero day exploits for previously unknown vulnerabilities suggests we are reaching a breaking point where traditional, human-speed vulnerability disclosure and patching management policies cannot keep up with AI-speed exploitation. There is hope that AI will be a net benefit to network defenders–it is possible that we will experience short-term pain for long-term gain–but in the short-term AI continues to be a challenge for network defenders.

Given this environment, an effective partnership between industry and government is essential.  However, the partnership is experiencing some turbulent weather. Operational defense is being stalled by legal uncertainty, federal friction, and compliance complexity.

A major roadblock occurred when the Critical Infrastructure Partnership Advisory Council (CIPAC) was disbanded. By removing this crucial legal framework, DHS stripped away the protections that allowed CISA and industry leaders to collaborate strategically. As a result, critical working groups have ground to a halt. This, combined with funding reductions and prolonged shutdowns has caused considerable disruptions to the partnership.  

Scott laid out 10 recommendations to establish a more resilient public-private partnership.

1. Implement a CIPAC Replacement: CISA must urgently deploy a new protective legal framework. Industry leaders need a structured, legally safe environment to engage with government to develop strategy and share risk insights.

2. Extend CISA 2015 Protections: Passing a long-term extension of the Cybersecurity Information Sharing Act of 2015 will provide essential liability and FOIA protections. Without it, private companies cannot safely share sensitive, voluntary threat data with the government.

3. Confirm a Full-Time CISA Director: While Acting Director Nick Andersen is doing an admirable job, the lack of a Senate-confirmed Director creates a leadership gap. CISA needs a permanent leader to advocate its budget, resource allocation, and strategic priorities.

4. Prioritize Resources Collaboratively: The list of potential cyber defenses is infinite, but budgets and resources are finite. Government and industry must sit down together to decide how to allocate limited resources to maximum effect.

5. Enhance Analytic Engagement with Industry: CISA needs to build better analyst to analyst relationships within the Critical Infrastructure Community.  CISA should assign dedicated cybersecurity analysts to specific critical sectors.

6. Create Common Situational Awareness: CISA should pivot toward building a real-time, shared threat intelligence dashboard that provides a unified view of the threat landscape in near real time.

7. Assess the Impact of Budget Cutbacks: CISA must transparently evaluate the impacts of its funding reductions to ensure defensive capabilities have not been compromised.

8. Modernize the Vulnerability Disclosure and Patching Management Models: Combating AI-driven exploits will require a move toward automated, machine-speed verification models.  CISA can serve as a convening authority and thought leader to help drive this change.

9. Fine-Tune CIRCIA Regulations: As CISA refines its CIRCIA mandates, it must narrow the reporting scope. Flooding CISA with a tidal wave of low-level data will only distract analysts and overburden compliance teams.

10. Implement Effective Partnership Principles: We don't need to reinvent the wheel. CISA should formally adopt and promote the 12 core partnership practices established by the IT Sector Coordinating Council in 2012.

When it comes to cybersecurity, the truth is that there never will be a silver bullet that will solve our cybersecurity challenges. Neither the federal government nor private organizations alone possess the full toolset to defend the nation's networks.  The challenge will not be solved from mandates from the top down, and it will not be solved by companies disengaged from government. It will only be solved from the ground up through cooperative relationships that promote trust, incentivize voluntary collaboration and enables informed and effective collaboration between industry and government.

Want to read Scott’s full testimony? Download it here.