It is now possible to make a clear, dispassionate observation about the state of US civilian cybersecurity coordination, and the observation is uncomfortable. CISA, the agency that has spent the last several years building the public-private threat-sharing apparatus that critical-infrastructure operators rely on, is operating with roughly a third less workforce than it had in January 2025 and a narrower operational mandate. At the same moment, AI agents are reducing the cost and increasing the volume of offensive cyber operations by orders of magnitude.
The two trend lines are now intersecting. The reduced agency is not in a position to fill the coordination role that critical-infrastructure operators have built their incident-response playbooks around. Recent reporting has documented several specific gaps: slower turnaround on threat-intelligence sharing, reduced staffing at the cyber emergency response team, fewer joint exercises with sector ISACs, and a noticeable degradation in the agency’s capacity to coordinate response across multiple sectors during simultaneous events. Former agency officials have been increasingly willing to say publicly what private-sector CISOs have been saying internally for months: the agency cannot do what it was doing 18 months ago.
Advertisement
300 × 250
The private-sector response is starting to take shape. Sector-specific ISACs — the threat-sharing organizations for financial services, water, electricity, healthcare — are taking on more coordination work that used to flow through CISA. Several large enterprises are explicitly funding ISAC capacity expansions because the math has changed. The investment is not philanthropic. The companies making it have calculated that the cost of a coordination failure during a multi-sector AI-driven incident is meaningfully higher than the cost of underwriting the ISAC infrastructure.
The asymmetry of the moment is what makes it dangerous. AI agents are reducing the marginal cost of running a campaign across many targets simultaneously. Where a sophisticated state actor in 2022 could maintain perhaps a dozen simultaneous intrusions, the same actor in 2026 can run hundreds. The defender’s coordination apparatus, in normal times, would scale with that. In the current moment, the defender’s coordination apparatus is shrinking. The result is a widening gap between the volume of incidents that require cross-sector visibility and the institutional capacity to provide it.
What CISOs can do in the meantime is not abstract. Three concrete actions. First, invest in your sector ISAC even if you have not historically. The marginal funding goes further now than it did a year ago, and the returns compound. Second, build direct, named relationships with the security leadership of your two or three most important counterpart organizations — your critical suppliers, your largest customers, your peer enterprises. The coordination that CISA used to facilitate is going to need to flow through these relationships instead. Third, expand your assumed-compromise posture to account for the fact that the public coordination signals you used to rely on are slower and less complete. The threat intelligence will arrive later. Plan your detection and response work accordingly.
None of this is a solution to the underlying problem. It is a posture for surviving the next 24 months while the underlying problem either resolves itself politically or does not. Either way, the private-sector CISOs who treat this moment as routine will be the ones who get caught flat-footed when it stops being routine.