Experts Warn of Cybersecurity Lapses Endangering U.S. Infrastructure

In a recent discussion held at One World Trade Center, leading cybersecurity experts and former national security officials highlighted alarming vulnerabilities in U.S. critical infrastructure. Key figures, including former NSA Director General Paul Nakasone, former FBI Director Christopher Wray, and industry leaders such as Bill Fehrman, CEO of American Electric Power, and Robert M. Lee, CEO of Dragos, convened to address the growing threat posed by foreign adversaries and the inadequacies in current cybersecurity practices.

The panel convened on July 24, 2025, emphasized that the landscape of cyber threats has evolved significantly, with nation-state hackers increasingly targeting essential services, from power grids to water treatment facilities. General Nakasone remarked, "To make U.S. networks more ‘toxic’ to adversaries, we need to have an ability for authentication to have some meaning," underscoring the need for robust security measures that go beyond basic protocols.

The discussion revealed that many operators of critical infrastructure are neglecting fundamental cybersecurity practices, which leaves them exposed to sophisticated cyber threats. Bill Fehrman noted that simple steps like implementing firewalls and timely patching could mitigate up to 90% of risks. He stressed, "If everybody had a firewall, everybody patched on time, that eliminates 90% of the risk right there for most people."

Adding to the concern, Robert Lee pointed out that while there is a significant focus on emerging technologies such as artificial intelligence and quantum computing, many providers have yet to address basic security needs. "I would love to get some of the water companies a firewall," he said, indicating the critical gap in cybersecurity preparedness among essential service providers.

The experts warned that as technological advancements introduce more vulnerabilities, critical infrastructure owners and operators must prioritize foundational cybersecurity practices. Lee elaborated on the increased complexity of the energy grid, stating, "It used to be that if you talked about taking down the grid, anybody in electric power would say, ‘There’s not one grid, and you really can’t take down the entire country.’ But then we started having market organizers, automatic metering infrastructure, and cloud systems." This interconnectedness has created new potential points of failure that cyber adversaries could exploit.

To address these vulnerabilities, Nakasone emphasized the importance of establishing stronger authentication standards and fostering collaboration between the private and public sectors. He stated, "We need to have a series of different sharing agreements that allow the private and public sector to be much more effective — anything that we can do that just makes it much more difficult to operate in the United States."

Christopher Wray echoed this sentiment, advocating for enhanced information-sharing partnerships between governmental entities and private industry, particularly for smaller organizations that may lack the resources to implement robust cybersecurity measures. He remarked, "For every big, sophisticated company that absolutely gets it, there are countless other companies — smaller companies — that are suppliers, third-party investors, et cetera … who don’t get it. And so we need it at scale more."

The discussion served as a stark reminder that while the U.S. has shown resilience in recovering from physical attacks, the cybersecurity of critical infrastructure remains a pressing concern. With the digital landscape becoming more complex and adversaries becoming increasingly sophisticated, experts warn that immediate action is required to bolster defenses.

As Lee concluded, "We’re rapidly facing a world where we have to have a really good understanding of what execution is necessary, and get it done fast. We don’t have another ten years to have conferences like this." The implications of these warnings are profound, suggesting that without significant improvements in cybersecurity practices, the potential for catastrophic failures in critical infrastructure remains alarmingly high.