The longest-serving director of the National Security Agency and U.S. Cyber Command delivered a message to security leaders across the private and public sector: “Our adversaries are ahead of where we're at today, and we have to catch up.”

Retired Gen. Paul Nakasone, who led the NSA and USCYBERCOM from 2018 to 2024 and now serves on the boards of OpenAI and WitnessAI, sat down for a fireside chat on Day 2 of the Secureframe National Cybersecurity Summit 2026.

He covered everything from foreign adversaries’ cyber capabilities to the future of AI-driven cybersecurity and how to communicate incidents to non-technical stakeholders (including two presidents) in 90 seconds.

The threat is already inside the perimeter

Nakasone didn't soften his assessment of where the DIB and critical infrastructure sectors stand against adversaries, particularly state-sponsored hackers from China. The Volt Typhoon intrusions three years ago, he noted, demonstrated a level of sophistication the private sector should take as a baseline assumption going forward, not an outlier.

"There are likely adversaries in your network and you probably don't know it," he said.

The implications for CSOs are immediate and practical. Nakasone laid out the questions every security leader needs to be able to answer: “First, how good is your incident response? How good is your resilience? If you have to turn off a portion of your network, do you know what portions you can continue to operate without bringing your company to its knees?”

Second, he said, how quickly can you discover and remediate threats that may have been dormant for years? This is the more challenging part for the public sector.

“We've known about Volt Typhoon for three-plus years, but we still haven't been able to remediate, for the large part, where they're at in our critical infrastructure,” he acknowledged. 

China's approach is distinct from other adversaries because of its combination of scale, sophistication, and speed. The sheer number of operators, hackers, and proxies it can leverage is different from any other country, he explained, and provides a tremendous amount of capability. But AI is empowering all adversaries to launch more sophisticated attacks faster and at greater scale.

The private sector should take Volt Typhoon as a lesson, he said, and try to do a much better job at incident response and remediation.

Nakasone outlined three concrete starting points for private sector organizations:

• First, know your network and your data. Understand how your network, architecture, and surface area are laid out before anything else. 
• Second, identify the highest-return investments that will “raise the bar of cybersecurity.” Endpoint detection, vulnerability scanning, secure DNS, a review of remote access practices are all examples that can “help make you a much more difficult target than you are today,” he explained.
• Third, build and strengthen your incident response muscle and don't overlook the communication piece. When something happens, can you explain it clearly and quickly to the people who need to act?

Threats are changing rapidly and are today's problem, not tomorrow’s

When asked whether CSOs should be thinking about quantum cryptography, Nakasone's answer was unambiguous: yes because the horizon is shorter than most people think.

"We used to say that a quantum computer would probably hit the market in the mid-2030s. I think that timeline is shorter," he said, predicting a potential executive order on quantum-resistant encryption within the next year.

The challenge won’t be lack of guidance, he argued, it’ll be implementation.

“We're an innovative nation so I don't doubt that we're going to be able to develop these algorithms. The question is, how do we integrate it? Innovation is one thing, but you have to integrate it.”

What CSOs should be thinking about now, he said, is how will we be able to integrate these new algorithms into our networks, and at unprecedented speed?

This urgency isn’t limited to quantum cryptography either. Zero-day vulnerabilities, supply chain attacks, ransomware, and other threats are all accelerating and continuously evolving. In response, leaders must re-assess how they identify, define, mitigate, and communicate risk. 

“These are things that leaders are going to increasingly have to do with less information and a much greater degree of complexity,” Nakasone said.

AI is at an inflection point for attackers and defenders

Nakasone described AI as the most significant technology shift he witnessed during his six years leading the NSA and U.S. Cyber Command, and how that change was seen clearly in adversary dwell times. 

“When I took over in 2018, the average time for a breakout for an adversary was about 9 hours and some odd minutes. When I left in 2024, it was less than a minute.”

The most immediate threat AI poses isn't a novel attack vector, like quantum attacks. It's the speed and scale it brings to what adversaries were already doing. AI models can now scan entire codebases for known vulnerabilities, including vulnerabilities in systems like Linux that went undetected for more than 25 years.

"Think of what we've done for so many years: spotting a vulnerability, testing it, patching it," he said. "These cycles aren't going to hold up in the future."

But the defensive opportunity of AI is equally significant, as long as CSOs and other cybersecurity professionals start thinking about how AI can change the way they do business. 

For example, Nakasone predicted that AI will transform pen testing and red teaming, not by replacing them, but dramatically changing how they’re executed. 

“My sense is that a lot of penetration testing and red teaming will be done by large language models. They're just too capable, and they'll be even more capable in the future.”

These models can analyze anomalous behavioral patterns, review huge amounts of code at depth, and simulate how last year's intrusions would play out on today's networks. “This is going to be the future of penetration testing,” he said, and expects it’ll be realized in the next couple years.

AI pen testing is just one example of how cybersecurity has to evolve and the rapid pace of change we have to get accustomed to, according to Nakasone.

The broader imperative is that we have to stop accepting the same outcomes.

“We've got to operate at a different speed than we have in the past and we've got to think differently,” he said. “What we've done in the past isn't measuring up to where our nation needs to be.”

This will require a proactive approach to cybersecurity that harnesses the power of our large language models and the innovation of the private sector.

Talk like a human, think like an attacker

Some of Nakasone's most pointed advice had nothing to do with technology. It was about communication and culture.

He described how, in his roles as NSA and U.S. Cyber Command, he had to brief two different presidents: no slides, no jargon, and under two minutes. 

“In 90 seconds, I had to say this is what occurred. This is why it's important. And this is what we're going to do about it.”

He explains that this simple formula—“subject, verb, direct object”—should be used by CSOs when communicating with their board, CEO, and other stakeholders. 

He urged CSOs to approach conversations with their board, CEO, and other stakeholders using the same “subject, verb, direct object” formula. 

"If you can't have that conversation with someone who doesn’t operate in the same technical environment we operate in, you'll be lost," he said. 

On talent, he said the two qualities he consistently saw in the most successful people at the NSA were relentless curiosity and an inability to leave a problem unsolved. The best leaders, he added, don't just master their stated responsibilities, they identify the implied ones.

"Really good people set the culture of the organization," he said. "If you're a CSO, how do you set the right culture…not just in terms of what we're doing now but, more importantly, what we're going to do in the future?”