Critical infrastructure powers our daily lives – from energy and water to transportation and finance. These systems are essential to our economy, security, and safety, but they face cyber threats that cut across every sector.
At the 16th annual Billington CyberSecurity Summit, government and industry leaders underscored how rapidly evolving technologies – especially artificial intelligence (AI) and quantum computing – are reshaping the threat landscape. They emphasized the urgent need to operationalize Zero Trust, modernize legacy systems, and strengthen resilience by bridging IT and OT environments.
Workforce development, public-private partnerships, and international collaboration were also top of mind as adversaries leverage AI, deepfakes, and state-sponsored tools.
In the State of U.S. Cyber Infrastructure 2025 track, I joined leaders from academia, industry, and government to discuss the state of cybersecurity across critical sectors. One message rang clear: protecting infrastructure requires more than policies or technologies – it demands collective action.
Here are five key lessons I took away:
1. Collaboration Across Sectors is Non-Negotiable
While many sectors, like energy and finance, manage cybersecurity reasonably well, the biggest weakness is the lack of collaboration across industries. With about 85% of critical infrastructure privately owned, government and private operators cannot work in silos.
Reluctance to adopt new technologies – often due to fears of disrupting essential services – slows progress. That hesitation is understandable, but it shows why organizations need education, support, and well-designed policies to modernize safely. Collaboration must translate into action, or our most vital systems will remain vulnerable. At Fortinet Federal, we work with partners across government and industry to ensure modernization strengthens, not jeopardizes, mission success.
2. Secure-by-Design Must Become the Default
Security must be built in, not bolted on. Products should default to secure configurations – multi-factor authentication, strong encryption, and integrity checks – so organizations are protected from day one. This reduces the burden on resource-constrained teams and builds long-term resilience across sectors. This is why Fortinet Federal advocates for and designs solutions that prioritize secure-by-design principles as the baseline, not the afterthought.
3. AI Should Augment, Not Replace, the Basics
AI and advanced tools are transforming how we defend critical assets. But fundamentals like strong authentication, segmentation, and encryption remain the foundation of defense. Advanced tools must complement the basics, not distract from them. In our work with federal agencies, we emphasize that AI can be a force multiplier, but never a substitute, for good cyber hygiene.
4. Policy Momentum Can Drive Protection
Recent federal initiatives, from cyber funding programs to the AI Action Plan and efforts to reauthorize the Cybersecurity Information Sharing Act, show encouraging momentum. These efforts not only modernize infrastructure but also directly fund cybersecurity.
If executed well, they will help under-resourced sectors catch up and push vendors to integrate advanced protections into infrastructure. Done right, that means operators move beyond compliance and deploy smarter, stronger defenses that scale.
5. People and Incentives Are the Real Force Multiplier
Cybersecurity is not just a technological challenge; it’s a human one. Many organizations detect threats but hesitate to share them, fearing reputational damage. That delay can put entire sectors at risk.
We need to realign incentives so that quick, transparent collaboration is rewarded, not punished. At the end of the day, technology is only as strong as the people and decisions behind it. We know that when people, policies, and technology align, resilience multiplies.
Closing Thought
Adversaries are accelerating cyber threats to critical infrastructure. To protect what matters, we must double down on the basics – secure-by-design practices, segmentation, monitoring – and align human incentives so collaboration happens quickly and transparently. The Billington CyberSecurity Summit made clear that securing critical infrastructure isn’t optional, it’s urgent. At Fortinet Federal, we’re committed to helping government and industry partners modernize defenses, bridge IT and OT, and act collectively to stay ahead of evolving threats. The time to act is now.
