Despite its centrality in the national cyber security strategies of the US and the UK, the public–private partnership is a nebulous arrangement, which is especially problematic in the context of critical infrastructure protection. Privately owned and operated critical infrastructure that is regarded as a potential national security vulnerability raises questions about the allocation of responsibility and accountability in terms of cyber security. As with many aspects of cyber security, this issue is often discussed with little reference to previous scholarship that could provide conceptual scaffolding. This article draws on the extensive literature on public–private partnerships in order to assess the tensions and challenges of this arrangement in national cyber-security strategies. It finds that there is a serious disjuncture in expectations from both ‘partners’. The government regards privately owned and operated critical infrastructure as a key element of national security but is reluctant to claim a mandate to oversee network security. At the same time, the private sector is not inclined to accept responsibility or liability for national cyber security. This challenge for governments to manage national cyber security raises questions about how well equipped these states are to promote their own security in the information age. Acknowledging the flaws in the ‘partnership’ is an essential step towards addressing them.