With me to discuss these seismic shifts is Dominic Jainy, an IT professional whose work at the intersection of artificial intelligence and critical infrastructure gives him a unique vantage point on the year that was, and the more challenging one to come. We’ll explore how the very nature of cyber conflict has changed, with nation-states now targeting civilian confidence as much as data. We’ll examine the shocking fragility of the cloud and other core systems that buckled under pressure in 2025, the hidden dangers of the longest government shutdown in U.S. history, and how the long-awaited arrival of real CMMC enforcement on November 10th has permanently altered the landscape for any company doing business with the federal government.
The recap highlights the Salt Typhoon campaign and attacks on civilian infrastructure. How have nation-state tactics evolved beyond data theft, and what specific steps can a company in the logistics or energy sector take to defend against attacks designed to erode public confidence?
We’ve crossed a significant threshold. For years, the primary goal of nation-state campaigns was espionage—stealing intellectual property, defense secrets, or personal data. What we saw with the China-led Salt Typhoon campaign was different; it was so alarming that it forced the U.S. and its allies to publicly declare it a national defense crisis. The objective has expanded to include psychological and disruptive effects. When adversaries target a Midwestern city’s power grid or snarl airline and logistics systems, they aren’t just trying to steal something. They are deliberately trying to erode public confidence in our core institutions and test our political red lines. For a company in a critical sector, the defense playbook has to evolve. It’s no longer enough to just build a perimeter. You must assume a breach is possible and focus on operational resilience. This means aggressive network segmentation to contain an intrusion, developing robust, tested incident response plans that include crisis communications to manage public perception, and wargaming these scenarios until the response is muscle memory. The goal is to prove you can maintain trust and deliver your service even while under direct fire.
Considering the cascading outages at AWS and Azure, what does true operational resiliency look like for a company today? Can you outline a three-step process for an organization to map its dependencies on hyperscale providers and mitigate the risk of these massive service disruptions?
True operational resiliency today means accepting a painful truth: we have consolidated far too much dependency into a handful of hyperscale cloud platforms without building the necessary safeguards around them. We saw this with the Alaska Airlines grounding and then the massive AWS and Azure outages that rippled across banking, healthcare, and retail. It’s the stark realization that your entire business continuity plan might begin and end with the uptime of a provider you don’t control. A three-step process to begin unwinding this risk starts with radical transparency. First, you must conduct a granular dependency mapping. Don’t just say, “We use AWS.” You must identify every critical business process and map it to the specific cloud services it relies on, down to the region. Second, you must architect for failure. This means designing your systems with the assumption that a service or even an entire region will go dark. This involves building multi-region redundancy, ensuring you have accessible offline backups, and creating manual workarounds for essential functions. Third, you have to relentlessly test these failover plans. It’s not enough to have a plan on paper; you have to simulate these outages and drill your teams on the response until it is flawless. That’s the only way to find the gaps before a real crisis does.
The 43-day government shutdown reportedly created a “cyber blind spot.” Based on your experience, what are the most dangerous, long-lasting security gaps that emerge when patching and threat hunting are paused, and how can an organization measure and remediate that accumulated risk?
The danger of that 43-day shutdown was quiet, insidious, and will be with us for a long time. When federal agencies like CISA are forced into furloughs and hiring freezes, the routine security maintenance—the digital blocking and tackling—stops. The most immediate gap is the patching deficit. For 43 days, known vulnerabilities were left open across federal networks, which is an eternity for adversaries who are constantly scanning for those very flaws. The more dangerous, long-term threat, however, is the establishment of dormant persistence. With active threat hunting curtailed, adversaries could breach networks, install backdoors, and then simply wait. They could remain undetected for months or even years, long after funding was restored. Compounding this, the lapse of CISA’s information-sharing liability protections during the shutdown made private companies hesitant to report what they were seeing, further blinding our collective vision. Remediating this requires an “assume breach” mindset. It’s not a simple matter of catching up on patches. It demands an aggressive, enterprise-wide threat hunt, a deep forensic review of all logs from that period, and a complete re-validation of your security posture. You’re essentially treating your own network as a potential crime scene.
November 10th marked the start of real CMMC enforcement. For a defense contractor now facing this deadline, what are the first three critical actions they must take to align with NIST 800-171 and avoid the severe financial penalties associated with the False Claims Act?
November 10, 2025, was the day the music stopped for the Defense Industrial Base. For years, compliance with NIST 800-171 was treated as aspirational. After that date, it became a binding, enforceable condition of winning and keeping defense contracts. For any contractor scrambling to get aligned, the first action must be a brutally honest self-assessment. The days of checking a box because you’re “working on it” are over. You need to scrutinize your environment against every single control, because your attestation could be used against you in a False Claims Act case. The second critical action is to document everything in a System Security Plan, or SSP. This isn’t just paperwork; it’s the definitive blueprint of your security program and the first thing auditors and investigators will demand. It has to be detailed, accurate, and kept current. Third, for any control you don’t currently meet, you must create and maintain a robust Plan of Action & Milestones, or POA&M. This plan needs to be resourced, have concrete deadlines, and show demonstrable progress. A weak or neglected POA&M is a massive red flag that signals you aren’t taking your obligations seriously, and the Department of Justice is now actively looking for those signals.
The text states AI supercharged attackers with automated reconnaissance and phishing. Beyond simply deploying AI defensive tools, what specific changes in security team training or incident response playbooks are needed to counter these high-volume, automated threats effectively?
Attackers are now operating at an industrial scale thanks to AI, and we saw the consequences in breaches that exposed billions of passwords. Simply buying a defensive AI tool is not a strategy; it’s an arms race you can’t win on technology alone. The real shift has to be in your human processes. For security team training, the focus must move from spotting a single, poorly crafted phishing email to recognizing the patterns of a high-volume, automated campaign. Team members need to be trained to use your own AI-powered defensive tools to cut through the noise and identify the truly sophisticated threats that get through. Your incident response playbooks have to be re-engineered for speed and automation. You cannot have a human manually responding to thousands of AI-generated alerts. The playbook must trigger automated actions—like isolating a host, blocking a malicious IP address, or revoking credentials—within seconds of a credible threat detection. For example, a playbook could be designed to automatically detonate suspicious attachments in a sandbox and, if malicious, immediately push a rule to the email gateway to block any other instances of that file from entering the network, all before a human analyst even sees the first alert.
The Whole Foods supplier incident proved that supply chain security is a critical risk. How has the process of vetting a new vendor changed? Walk me through the key due diligence steps a company must now take before integrating a new third-party service into its operations.
The Whole Foods incident was a painful lesson that your own security is only as strong as your most vulnerable supplier. The old process of vetting—sending a spreadsheet questionnaire and hoping for honest answers—is completely broken. Today, due diligence is an active, ongoing process of verification, not just trust. The first step is to demand evidence. You don’t just ask if they have a security program; you ask to see their SOC 2 Type II report, their ISO 27001 certification, or the executive summary of their latest penetration test. You review these documents with the same level of scrutiny you apply to your own internal audits. The second step is to codify security into your contracts. Your legal agreements must include explicit security requirements, a clear right-to-audit clause, and mandatory breach notification timelines. This transforms security from a best practice into a contractual obligation with real consequences. Finally, vetting is no longer a one-time event at onboarding. You must continuously monitor your vendors’ security posture using external scanning services. Are they patching their systems? Have their credentials appeared in a public data dump? You have to operate as if any of your vendors could be compromised tomorrow, because as we saw in 2025, they often are.
The article notes that the workforce shortage became an operational reality, leading to incidents caused by a lack of basic “blocking and tackling.” What practical strategies, beyond just increasing salaries, can companies implement to attract and retain talent and upskill their existing teams?
In 2025, the cybersecurity talent shortage stopped being a talking point and became a direct cause of major security incidents. When you don’t have enough people to handle the basic “blocking and tackling”—reviewing logs, applying patches, triaging alerts—attackers will waltz right through the front door. Throwing more money at the problem isn’t a sustainable solution. The first strategy is to widen the aperture on hiring. Too many organizations are clinging to rigid checklists that filter out incredible talent. We need to actively create pathways for veterans, mid-career switchers, and people from diverse technical backgrounds who bring discipline and a mission-first focus. The second strategy is to fight burnout by investing in your culture and tools. Retain your best people by giving them a clear career path, a manageable workload, and modern tools that automate the drudgery so they can focus on meaningful work like threat hunting. Finally, you have to build your own talent. Create internal apprenticeship programs to upskill your existing IT staff. By identifying motivated people already in your organization and investing in their training, you create a loyal, effective security team that understands your unique environment from day one.
What is your forecast for regulatory enforcement in 2026?
My forecast for 2026 is unambiguous: the era of voluntary, “aspirational” cybersecurity is over. The enforcement we saw begin with the Department of Defense’s CMMC rule on November 10th was not an isolated event; it was the first domino to fall. In 2026, we will see this model proliferate rapidly across the federal government. Agencies will follow the DoD’s lead in making cybersecurity a mandatory, verifiable condition for federal contracts. We will see the Department of Justice become even more aggressive in using the False Claims Act to pursue contractors who misrepresent their security posture. The core story is that the government is fundamentally shifting the burden of day-to-day national cyber defense onto the private sector, and it will use the full weight of its regulatory and enforcement power to ensure companies carry that burden. For any organization that touches federal data or critical infrastructure, compliance is no longer a checkbox; it is now directly tied to revenue, liability, and your very license to operate.
