Scope, Sophistication and Speed: Gen. Paul Nakasone Charts the Future of Security at GSX 2025
Key Highlights
- The separation between physical and cybersecurity is obsolete. From Colonial Pipeline to Ukraine's use of Starlink, operational and digital security are now inseparable components of resilience and national defense.
- AI has accelerated both opportunity and risk. Its rapid evolution enables adversaries to automate deception, exploit personal data, and weaponize information at unprecedented speed.
- Tomorrow's professionals must combine technical fluency with ethical leadership. Agility, resilience, and integrity, paired with partnerships across sectors, are now essential to maintaining trust and effectiveness.
On the final day of this year's Global Security Exchange (GSX) conference, attendees filed into Ernest N. Morial Convention Center's massive New Orleans Theater for a rare honor: a keynote speech delivered by a retired four-star U.S. Army General—and former head of both the National Security Agency and U.S. Cyber Command—Paul Nakasone.
Nakasone opened his keynote with three words that framed everything that followed: scope, sophistication, and speed.
"These," he said, "are the defining characteristics of our time, and they're only accelerating."
Nakasone recalled leading the NSA and Cyber Command, two of the nation's most powerful organizations, where, as he put it, "you make code and you break code." The NSA designs the encryption that protects America's most sensitive communications while simultaneously breaking adversarial encryption to understand intent.
"Bringing those two together gives you an incredible view of how technology, intelligence, and defense all operate at speed," he said.
Late-night calls and early warnings
Nakasone described the early days of his tenure at NSA, when he implemented a list of "wake-up criteria," conditions so critical his staff was instructed to call him anytime, anywhere. "They never call at nine in the morning," he said. "It's always two or three a.m."
He fielded three of these calls in his first year of service. By his last month in command, those calls had come eleven times. His wife began answering the phone with, "It's for you. It's them. Good luck."
"That's how much the world had changed," Nakasone said.
The cause, he explained, lies in the widening reach of four nation-state actors: China, Russia, North Korea, and Iran. Each has matured into a capable, persistent cyber power. Russia, once the leading aggressor, now harbors the world's largest concentration of ransomware criminals. North Korea funds its weapons programs through cryptocurrency theft, stealing over $1.3 billion in 2024 alone.
While Russia was once the poster child for targeted cyberattacks on the U.S., however, China has since usurped its throne.
"China is the most powerful operator in cyberspace today," Nakasone said, recalling the 2015 OPM data breach that exposed information on 15 million Americans. Operations like Salt Typhoon, he noted, have infiltrated multiple U.S. telecom networks, intercepting unencrypted calls and messages. "Almost every American," he continued, "has been touched by Chinese cyber operations."
Almost every American has been touched by Chinese cyber operations.
When cyber and physical collide
Nakasone's second message was one that has been dominating industry conversations for years: cyber-physical convergence.
"Physical security and cybersecurity can no longer be divorced," he said. One of the best examples of this, he noted, was the 2020 ransomware attack on Colonial Pipeline. What began as a breach of corporate IT systems nearly crippled U.S. fuel supply, with the company shutting down fuel distribution across the East Coast.
"They didn't hit the operational systems; they hit the business network," Nakasone continued. "We were within three days of losing diesel production for our economy."
Nakasone recalled receiving calls from his father—who was 95 at the time—calling him about whether, as Director of the NSA, he could do anything about the dizzyingly high gas prices he was seeing on the news. This in particular, Nakasone said, demonstrated the immediate physical and economic impact of a cyber incident: convergence stops being theoretical when the public gets hit in the wallet.
Nakasone then turned to Ukraine. Within 48 hours of Russia's invasion, the loss of the country's satellite communications was reversed by Starlink. "There is no President Zelensky without Starlink," he said. "There's no way to coordinate resistance or counter Russian influence operations without it."
He pointed to Ukraine's naval successes as an illustration of convergence at war. "They sank over 25 Russian ships in the Black Sea Fleet using a laptop, a Starlink connection, and a semi-submersible platform," Nakasone continued. "That's cyber and physical security operating together."
A final case study, the 2024 beeper and walkie-talkie explosions targeting Hezbollah leadership, illustrated how supply chain manipulation in the digital realm can yield kinetic consequences. "That," he said, "is convergence at its most lethal."
They sank over 25 Russian ships in the Black Sea Fleet using a laptop, a Starlink connection, and a semi-submersible platform. That's cyber and physical security operating together.
AI and the acceleration of threats
Turning to technology's next frontier, Nakasone identified artificial intelligence as the most disruptive force in modern security. "It has been less than three years since ChatGPT's release," he said. "Today there are over 700 million weekly users."
He recited the progression almost like a checklist: "It started as a mediocre high school student with hallucinations. Now it's passing the bar exam, the MCAT, and doing PhD-level research."
Nakasone warned that adversaries are already leveraging AI to automate phishing campaigns and replicate voices. "Fifteen seconds of your voice, and someone can call your family asking for money. They'll believe it’s you," he explained. "That is the new reality of social engineering."
He compared the AI moment to another technological inflection point: the iPhone's debut in 2007.
"Some adapted. Some avoided. You know which ones survived," Nakasone said.
Some adapted. Some avoided. You know which ones survived.
Lessons from the second oldest profession
As his keynote came to a close, Nakasone outlined what he called "leadership lessons from the second oldest profession." Security, he said, now demands three enduring qualities: technical fluency, collaboration, and adaptability.
"The future security professional must have a degree of tech savvy," he said. "If I say Python, you shouldn’t think snake; you should think programming language."
He also stressed the importance of broad partnerships between government, private industry, and academia. "No single sector can manage these challenges alone," Nakasone said.
Finally, he identified agility and resilience as the qualities that will define effective leadership in the years ahead. "Those traits sustained both NSA and U.S. Cyber Command during the pandemic," he said. "Resilience is best learned before the crisis."
He left the audience with three leadership constants: critical thinking, communication, and character. "Character," he said, "is what you are in the dark."
Don’t be the gazelle
In closing, Nakasone turned briefly to practical cybersecurity measures: use strong, unique passwords; enable multi-factor authentication; keep systems updated; and reboot mobile devices daily to clear malicious code from memory.
"You don't want to be the gazelle who gets caught," he said. "You want to be the one that's just a bit faster."
His final message underscored the urgency of adaptation. The pace of change, he reminded attendees, is not slowing.
"Scope, sophistication, and speed," he said, "define the environment we operate in today, and they will define the future we must be prepared to secure."
