Major Telecoms Form Private Cybersecurity Intelligence Center, Sidelining CISA

Eight of the largest U.S. telecommunications carriers announced Tuesday the formation of the Communications Cybersecurity Information Sharing and Analysis Center, a private, nonprofit entity designed to facilitate real-time threat intelligence sharing exclusively among industry peers. The founding members are AT&T, Charter, Comcast, Cox, Lumen Technologies, T-Mobile, Verizon, and Zayo. Operations are expected to begin in June 2026. The center's structure and timing reflect two intersecting pressures on the sector: accelerating AI-enabled attack sophistication and the contraction of the federal government's primary civilian cybersecurity agency.

Rich Baich, chief information security officer at AT&T, will serve as inaugural chair of the C2 ISAC's board. Valerie Moon, a former official at both the Cybersecurity and Infrastructure Security Agency and the FBI's Cyber Division, who currently serves as executive director of the Institute for Critical Infrastructure Technology, will lead the group as executive director. The eight founding companies will constitute the initial board of directors, composed of the chief information security officers from each carrier. The founding members have been explicit that the center is a private construct. According to POLITICO, Baich stated that within C2 ISAC "there will be no government representation; there is only private industry," while adding that the group would coordinate closely with federal agencies on threat intelligence and that C2 ISAC's leadership informed CISA of the organization "well in advance" of the public announcement [POLITICO].

The C2 ISAC is a deliberate structural departure from the existing government-industry framework. The telecom industry already shares threat intelligence under the auspices of the Communications ISAC, also known as the National Coordinating Center for Communications. That group, created in 1984, is unique among ISACs in that it sits within the federal government, at CISA, rather than being a private entity. That arrangement has discouraged some companies from sharing sensitive data through the group. Telecom companies came to believe they were being too restrictive in what they shared, including withholding data about seemingly low-level threat activity that was tied to broader adversary campaigns. The C2 ISAC will coexist with the existing COMM-ISAC rather than replace it, with the new center focused exclusively on cybersecurity, leaving physical infrastructure hazards to the older body [POLITICO].

The immediate backdrop is the Salt Typhoon espionage campaign, attributed to People's Republic of China state-sponsored actors. In 2024, investigators uncovered a sweeping Chinese hack tied to a group known as Salt Typhoon that compromised telecom providers in the U.S. and abroad, including multiple firms now belonging to C2 ISAC, and breached U.S. lawful intercept systems used for court-ordered surveillance. Salt Typhoon breached the lawful intercept systems that house wiretap requests used by law enforcement to surveil suspected criminals and spies. Telecom firms are required to engineer their networks for wiretapping under the Communications Assistance for Law Enforcement Act, known as CALEA, which passed in 1994. The Salt Typhoon intrusions have been underway since at least 2019, according to the FBI, and there is no clear public indication that the hackers have been fully evicted from communications networks. The FCC responded to the breach in January 2025 with a Declaratory Ruling asserting that Section 105 of CALEA affirmatively obligates carriers to secure their networks, and simultaneously issued a Notice of Proposed Rulemaking to codify specific cybersecurity requirements, but the current FCC has since rescinded both the ruling and the proposed rulemaking in favor of voluntary industry commitments. The FCC's January 2025 Declaratory Ruling claimed that CALEA requires carriers to secure networks against unlawful access, and it was accompanied by a Notice of Proposed Rulemaking seeking comment on specific cybersecurity requirements. The Order on Reconsideration subsequently rescinded the Declaratory Ruling and withdrew the NPRM. The establishment of C2 ISAC was specifically cited by industry associations in FCC proceedings as evidence of voluntary sector action sufficient to justify that regulatory rollback. The industry associations identified the establishment of C2 ISAC for real-time threat intelligence sharing as part of their voluntary commitments, which they argued enabled communications providers to respond to Salt Typhoon and bolster network cyber defenses.

The C2 ISAC's formation also responds to a diminished federal partner. CISA, the designated Sector Risk Management Agency for the communications sector under the critical infrastructure framework established by Presidential Policy Directive 21, has shed substantial capacity since January 2025. Roughly 1,000 people have already left the nation's top cybersecurity agency during the second Trump administration, cutting the agency's total workforce by nearly a third. The Department of Homeland Security has spent months sending Management Directed Reassignment orders to CISA staffers, redirecting them to U.S. Immigration and Customs Enforcement, U.S. Customs and Border Protection, the Federal Emergency Management Agency, and the Federal Protective Service. CISA has been without a permanent director since Trump entered office in 2025. The agency is said to be currently operating at around 38% staff levels. After years of aggressive growth and regulatory expansion under previous administrations, the workforce and mission of CISA are rapidly shrinking. As nation-state attacks on critical infrastructure intensify, states and private companies lack the capacity to fill the gaps left by CISA's retreat, former officials say. CISA did not respond to press inquiries regarding the C2 ISAC launch, according to POLITICO [POLITICO].

The legal framework underpinning voluntary information sharing among private firms derives primarily from the Cybersecurity Information Sharing Act of 2015, which provides liability protections for companies that share cyber threat indicators and defensive measures with other private entities and with the federal government. The C2 ISAC's industry-only governance model is calibrated to maximize those protections while minimizing the friction that companies have historically associated with sharing sensitive data through a government-hosted channel. Whether the new ISAC will expand into coordinated offensive or disruptive operations, such as botnet takedowns, remains undetermined, as the organization is in its nascent stages and some of its goals are yet to be defined. Membership beyond the eight founding carriers is also unresolved. There are more than eight companies in the communications sector, and the group will not be fully effective until it broadens its membership base, though no formal timeline has been established.

—