There is a specific kind of organizational moment that only happens when the threat environment has genuinely shifted: when the competitive instincts that normally keep industry rivals operating independently get overridden by the recognition that the problem they are all facing is larger than any of them can address individually.
That moment just happened in American telecommunications. Eight of the nation’s largest communications companies (AT&T, Charter, Comcast, Cox, Lumen Technologies, T-Mobile, Verizon, and Zayo) have formally established the Communications Cybersecurity Information Sharing and Analysis Center. C2 ISAC is a new non-profit dedicated specifically to strengthening cybersecurity across the communications sector through the kind of real-time intelligence sharing, coordinated defense, and collective threat response that no single company, regardless of its size or security investment, can replicate operating in isolation.
The founding membership list is the first thing worth examining carefully. These are not small players looking for safety in numbers. They are the organizations that collectively carry the majority of American voice, data, and internet traffic: the infrastructure that American businesses, government agencies, emergency services, and hundreds of millions of consumers depend on every day. When this group decides that the threat environment requires a fundamentally different approach to collective defense, that judgment deserves to be taken seriously.
Why the Threat Environment Made This Necessary Now
The C2 ISAC announcement builds on a foundation that is nearly four decades old. The National Coordinating Center for Communications (the Communications ISAC, or COMM-ISAC) was established in 1984 to promote resilience and intelligence sharing among government agencies and private communications companies. That infrastructure has been functioning for forty years. The decision to create something new alongside it reflects a specific assessment that the current threat environment requires capabilities that the existing framework was not designed to provide.
The assessment is well-grounded in what the past several years have demonstrated about the communications sector’s threat landscape.
The Salt Typhoon campaign, attributed to Chinese state-sponsored actors and disclosed in late 2024, represented one of the most significant telecommunications security incidents in American history. The campaign achieved persistent access to the infrastructure of multiple major US telecommunications providers, enabling surveillance of sensitive communications over an extended period. The scale, the sophistication, and the duration of the intrusion reflected a level of adversary capability and patience that challenged security assumptions across the industry simultaneously.
Salt Typhoon was not an isolated event. It was the most visible manifestation of a sustained, sophisticated campaign against telecommunications infrastructure by nation-state actors who understand that controlling communications infrastructure provides strategic intelligence advantages that justify significant investment in attack capability. The actors behind these campaigns are not looking for opportunistic financial gain. They are pursuing persistent access to the infrastructure that carries sensitive communications, and they are willing to operate inside that infrastructure quietly for months or years before their presence is detected.
AI has added a new dimension to this threat environment that the founding members specifically identified as accelerating the need for stronger, more unified defenses. AI-enabled adversaries can develop and deploy attack capabilities faster, at greater scale, and with more automation than the threat actors that the existing information-sharing frameworks were designed to address. The speed advantage that AI provides to attackers (in vulnerability discovery, in attack tool development, in lateral movement through compromised networks) compresses the detection and response windows that defenders need to contain incidents before they cause significant damage.
No single communications company, regardless of the sophistication of its internal security program, has full visibility into every threat vector targeting the sector or the resources to address every risk independently. The threat intelligence that AT&T sees in its network is different from the intelligence that Verizon sees in its network, which is different from what Comcast and T-Mobile and the other founding members observe in theirs. When those observations remain siloed within individual companies, the collective picture of the threat landscape that the sector is actually facing remains fragmented, and adversaries who understand that fragmentation can exploit the gaps between what each company knows independently. C2 ISAC exists to close those gaps.
What C2 ISAC Actually Does, and Why the Structure Matters
The C2 ISAC model is built around a specific insight about how threat intelligence sharing needs to work to be genuinely useful rather than nominally functional: the sharing has to happen fast enough and at a technical level of specificity that enables actual defensive action rather than retrospective awareness.
The distinction matters because intelligence sharing programs can fail in a specific way: they produce reports and summaries that describe threats at a level of abstraction that is informative but not immediately actionable, distributed on timescales that lag the threat by enough that the specific indicators have already been exploited or rotated by the time they reach the defenders who need them. That kind of sharing satisfies the organizational requirement to participate in information exchange without delivering the operational value that effective collective defense requires.
C2 ISAC is designed around the alternative model: a trusted environment where technical experts (not communications officers, not policy teams, not external consultants, but the security engineers and analysts who are actually managing network defenses) can share specific threat intelligence in real time and coordinate defensive responses while the information is still actionable.
The governance structure reflects this technical orientation. The Board of Directors is composed of the chief information security officers of the eight founding companies: the executives who are directly accountable for the security posture of their organizations and who understand the technical threat environment at the level of specificity that effective intelligence sharing requires. Rich Baich, the inaugural chairperson, brings the board leadership perspective to an organization whose value is ultimately delivered by the technical exchange that happens among members rather than by the governance structure itself.
Valerie Moon’s appointment as executive director brings a leadership profile specifically suited to the public-private coordination function that C2 ISAC needs to perform effectively. Her background spans CISA, the FBI, and other key cybersecurity organizations, experience that reflects deep understanding of how threat intelligence flows between government and private sector, how public-private cooperation works in practice in the national security context, and what the federal cybersecurity community needs from private sector partners to mount effective collective defenses against sophisticated nation-state actors.
That government-facing expertise is not incidental. The communications sector sits at the intersection of private sector infrastructure and national security: the networks that carry sensitive government communications, that support military and intelligence community connectivity, and that enable the emergency services coordination that public safety depends on. Effective defense of that infrastructure requires not just coordination among private sector companies but integration with the government threat intelligence and incident response capabilities that CISA, the FBI, and the intelligence community can provide.
The Intelligence Sharing Architecture That Produces Collective Defense
The practical mechanics of how C2 ISAC will operate deserve attention because they determine whether the organization delivers on the collective defense promise or becomes another information-sharing forum that participants attend without finding transformative value.
The model that effective ISACs have demonstrated works involves three distinct but interconnected functions that together produce the coordinated threat response that individual company programs cannot achieve independently.
Real-time indicator sharing is the foundation. When one member identifies a threat indicator (a malicious IP address, a novel attack technique, a previously unknown vulnerability being actively exploited), that indicator reaches every other member’s security team fast enough for them to update their defenses before the same threat vector reaches their networks. The value compounds directly with membership diversity: the broader the range of network environments represented in the sharing pool, the more complete the indicator set that each member receives, and the more of the threat landscape each member can see through the collective intelligence rather than only through their own network telemetry.
Coordinated incident response provides the collective action capability that individual response cannot replicate when threats target multiple sector participants simultaneously. The Salt Typhoon campaign was notable not just for its sophistication but for the degree to which it targeted multiple major telecommunications providers as part of a coordinated campaign. When the same threat actor is active across multiple member organizations at the same time, coordinated response (sharing specific technical indicators about the campaign, coordinating containment actions that prevent the actor from pivoting between member networks, and coordinating with federal agencies on attribution and remediation) produces outcomes that fragmented individual responses cannot.
Proactive threat analysis gives members the forward-looking intelligence that enables defensive investment decisions to be made on the basis of where threats are heading rather than only where they have already been. The dark web and underground market intelligence that effective sector ISACs develop (understanding what attack tools are being developed and traded, what new vulnerability classes are being researched, what specific infrastructure targets are being discussed in adversary forums) provides the lead time that prevention requires rather than the after-the-fact analysis that post-incident reviews produce.
Building on Four Decades of Public-Private Collaboration
The relationship between C2 ISAC and the existing COMM-ISAC infrastructure established in 1984 is worth clarifying because it reflects an important continuity rather than a replacement.
COMM-ISAC has operated for forty years as the foundational public-private collaboration framework for communications sector resilience, connecting government agencies and private companies through the National Coordinating Center for Communications infrastructure that has served as the backbone of sector coordination through multiple generations of technology change and threat evolution.
C2 ISAC builds on that foundation rather than displacing it. The institutional knowledge, the government relationships, and the sector coordination experience accumulated over four decades of COMM-ISAC operation provide the context within which C2 ISAC’s more specifically cybersecurity-focused intelligence sharing can be most effective. The two organizations serve complementary functions: COMM-ISAC addressing the broader resilience and continuity-of-communications mission, C2 ISAC focusing specifically on the cybersecurity threat intelligence sharing and coordinated defense function that the current threat environment requires at a level of speed and technical specificity that the older framework was not designed to provide.
The founding members’ decision to establish C2 ISAC as a new non-profit rather than simply expanding the existing COMM-ISAC mandate reflects a judgment about what the current threat environment requires structurally. A dedicated organization with a governance structure built around CISOs, an executive director with deep public-private cybersecurity experience, and a specific mandate focused on real-time threat intelligence sharing is better positioned to deliver the rapid, technically specific coordination that the Salt Typhoon era demands than an expansion of a broader resilience framework whose mission encompasses much more than cybersecurity specifically.
Why Telecom Infrastructure Is a National Security Asset
The communications sector occupies a position in the national security architecture that distinguishes it from most other critical infrastructure sectors, and understanding that position clarifies why a sector-wide collective defense organization matters beyond the commercial interests of the founding members.
The networks that AT&T, Verizon, T-Mobile, Comcast, and their C2 ISAC co-founders operate are not just commercial telecommunications infrastructure. They carry the communications of federal agencies, military organizations, intelligence community personnel, emergency services, and the classified and sensitive-but-unclassified government traffic that national security depends on. When nation-state actors compromise telecommunications infrastructure, they gain visibility into communications that no other attack vector provides, which is why telecommunications networks have been primary targets for sophisticated state-sponsored intrusions consistently across the past decade.
The Salt Typhoon campaign demonstrated that this targeting is not hypothetical. It is active, sustained, and sophisticated enough to achieve persistent access to major carrier infrastructure over extended periods. The national security implications of that access (for the counterintelligence mission, for the protection of sensitive government communications, for the integrity of the information channels that government decision-making depends on) extend well beyond the cybersecurity incident response question and into the national security policy domain.
C2 ISAC’s positioning at the intersection of private sector communications infrastructure and government cybersecurity, reflected in Valerie Moon’s background and in the organization’s explicit relationship with the CISA and federal law enforcement partnerships that effective public-private cybersecurity coordination requires, reflects an accurate understanding of what defending this infrastructure at the national security level actually demands.
What This Signals for the Broader Critical Infrastructure Security Market
The establishment of C2 ISAC sends a signal to the broader critical infrastructure security community that extends beyond the telecommunications sector specifically.
Eight of the largest companies in a highly competitive sector (organizations that compete aggressively for customers, spectrum, market share, and talent) have concluded that the cybersecurity threat environment is serious enough to justify the organizational investment, the information-sharing commitments, and the governance structures required to establish a formal collective defense organization. That conclusion, reached by CISOs who have direct visibility into the sophistication of the threats their organizations are facing, is a meaningful data point about the current state of the threat landscape.
The sectors watching the C2 ISAC launch (energy, financial services, healthcare, transportation, water systems) all face similar dynamics: sophisticated nation-state and criminal adversaries, AI-accelerated attack capabilities, and threat intelligence that is fragmented across individual organizations that each see a partial picture of the complete threat landscape. The communications sector’s decision to address that fragmentation through a dedicated collective defense organization will be studied by sector leaders in adjacent critical infrastructure domains who are making similar assessments about whether their current information-sharing frameworks are adequate for the threat environment they are actually operating in.
The answer that the eight founding members of C2 ISAC have provided for their sector is clear: the current frameworks are not adequate, the threat environment is serious enough to require something more, and the competitive costs of establishing a collective defense organization are lower than the security costs of continuing to defend individually against adversaries who benefit from the fragmentation.
That calculus will look familiar to security leaders across every sector that nation-state actors have identified as high-value infrastructure worth persistent targeting. The C2 ISAC launch is not just a telecommunications story. It is a signal about where critical infrastructure collective defense is heading and how long the sectors that have not yet made similar organizational commitments can afford to wait.
Research and Intelligence Sources: AT&T




