For three days each September in Washington, D.C., the people who run federal cyber defense sit across conference tables from the executives who build the tools they depend on. The Billington CyberSecurity Summit is the venue where that transaction has happened for the better part of two decades, and the 2025 edition made clear why it still matters: the National Cyber Director used it as his first major policy stage, an expiring information-sharing law hung over every panel, and the Salt Typhoon telecom intrusions were still fresh enough that attendees swapped notes on who got hit and how badly.
This is not a trade show in the conventional sense. Attendance is free for government and military personnel, which draws the agency CISOs and program managers who rarely appear at commercial vendor events. Industry pays its way in — through tickets, sponsorships, and exhibit booths — because the pipeline of federal contracts, clearances, and partnerships runs through rooms like these. Understanding what Billington is, how it works, and what got said in 2025 is the cleanest way to read the current state of the U.S. government–enterprise cyber relationship.
What the Billington Summit Actually Is
Billington CyberSecurity was founded in 2010 as an executive education company, and its flagship event has grown into what the organizers describe as the premier gathering for federal cybersecurity leadership. The 16th Annual Summit, held September 9–12, 2025, at the Walter E. Washington Convention Center, drew more than 2,500 attendees by one count — the company’s own figure was 3,000-plus — with 250 speakers and over 50 panel sessions, breakouts, and fireside chats. The 17th Annual Summit is scheduled for September 8–10, 2026.
The event’s structure reflects its dual audience. Government officials speak from the main stage with few filters; a handful of sessions run under Chatham House Rule with press excluded. Vendor booths — more than 150 of them — line the exhibit hall, and the receptions are where business development actually happens. Lead underwriters for 2025 were Amazon Web Services, Cisco, and Leidos, which tells you something about which companies consider federal cyber a strategic market.
Billington also runs a parallel State and Local CyberSecurity Summit, which held its third annual event in 2025 and drew 950-plus attendees from 42 states. The fourth edition is scheduled for March 17–19, 2027, with the conversation expanding to federal, state, local, and tribal government integration — a recognition that ransomware actors have been hitting county governments, school districts, and municipal utilities at a pace federal agencies alone cannot answer.
The 2025 Keynote: A New National Cyber Director and an “America First” Cyber Doctrine
The opening keynote on September 9, 2025 was the first major public address by Sean Cairncross, whom the Senate had confirmed as National Cyber Director in August. Cairncross — a former CEO of the Millennium Challenge Corporation and Republican National Committee official — does not come from a technical cybersecurity background, a fact noted by several outlets covering the speech. What he offered instead was a policy frame.
Cairncross argued that the United States needs to shift the burden of risk in cyberspace from Americans to adversaries, identifying China as the country’s most aggressive and capable adversary and naming Volt Typhoon and Salt Typhoon — two Chinese state-backed campaigns — as cases where Beijing’s tolerance for detection signals a need for U.S. cost imposition. His call was for a “whole-of-nation approach” that aligns federal agencies, private industry, state and local government, and allied nations behind a coordinated strategy.
Three immediate priorities framed the speech. First: reauthorize the Cybersecurity Information Sharing Act of 2015 before its September 30 sunset. Second: get federal systems’ own security in order through rapid modernization, network hardening, and post-quantum readiness. Third: build the cybersecurity workforce through a pipeline drawing on academia, vocational training, corporations, and venture capital.
He also gave industry a clear ask and a clear offer. The ask: uphold standards like security and privacy by design. The offer: streamline federal regulations and reduce compliance burdens. Cairncross told the audience the administration knows that American companies are accountable first to their shareholders and boards of directors, which reads as a deliberate signal that the second Trump administration will treat cyber mandates more lightly than its predecessor while expecting more from the private sector on baseline hygiene.
Whether that trade-off holds is the open question. Independent analysts noted the apparent tension between calling for better government cyber defenses and the administration’s concurrent moves to reduce personnel and funding at the Cybersecurity and Infrastructure Security Agency (CISA) — the federal agency, not the 2015 law of the same acronym. The shared name has caused genuine confusion in the policy debate, which Cairncross himself has acknowledged as a fluke of nomenclature.
Who Spoke and Why It Matters
The speaker roster at a Billington summit is less a program than a directory of who currently holds decision authority. In 2025 that list included Gen. Dan Caine, Chairman of the Joint Chiefs of Staff; Jennifer Link, CISO of the CIA; Katherine Arrington, acting CIO at the Department of Defense; Gen. Michael A. Guetlein of the U.S. Space Force; and Alexei Bulazel from the White House.
The allied contingent was equally pointed. Lt. Gen. Michelle McGuinness of Australia’s Department of Home Affairs, Richard Horne, CEO of the UK’s National Cyber Security Centre, and Maj. Gen. Karol Molenda of Poland’s Cyber Defense Forces appeared alongside representatives from Ukraine’s Security Service, Canada’s Cyber Centre, and the Australian Signals Directorate. This is Five Eyes plus frontline Europe — the exact cohort Cairncross cited when he said the U.S. wants to help international allies combat Chinese cyber operations.
The dynamic this creates inside panels is distinctive. A federal CISO describes the operational problem. A vendor CTO pitches an architectural response. An allied official explains how a peer government has tackled the same problem under different legal constraints. And somewhere in the same room, a congressional staffer is taking notes for a markup the following week. At its best, this compression is why Billington produces policy movement that trade shows don’t.
What the Conversation Was Actually About
Strip away the keynote theatrics and the 2025 summit concentrated on four live problems:
Zero Trust is now operational, not aspirational. The shift in federal Zero Trust discourse — from strategic goal to implementation standard — was visible across multiple sessions. Vice Adm. Frank Whitworth of the National Geospatial-Intelligence Agency stressed continuous access audits, strict network segmentation, and universal multi-factor authentication. The centerpiece is identity — for users and machines — rather than network perimeter.
Post-quantum cryptography is no longer a future problem. Cairncross cited post-quantum readiness as an active federal priority, not a planning horizon. Agencies are inventorying cryptographic dependencies now because NIST’s finalized post-quantum standards are in force and the migration is years of work even under optimistic assumptions.
AI is both attack surface and defense tool. Federal panels treated AI integration as dual-natured: adversaries are already operationalizing generative models for social engineering and vulnerability discovery, while agencies are wiring AI into threat detection, triage, and response. The unresolved tension is governance — who approves which model for which mission, and what happens when the model hallucinates a false positive into an incident response queue.
Salt Typhoon set the threat baseline. The Chinese-linked Salt Typhoon intrusions into U.S. telecommunications carriers were discussed on multiple panels as the live example of what prepositioning looks like at scale. The campaign, disclosed over the preceding year, became the most-cited reference point for why nation-state threat activity demands the information-sharing frameworks the keynote emphasized.
The CISA 2015 Sunset That Happened Anyway
Cairncross told the Billington audience to press Congress on reauthorization of the Cybersecurity Information Sharing Act of 2015 — the law that gives companies liability and privacy protections for sharing cyber threat indicators with the federal government. At the time of the speech, the law was set to expire on September 30.
Three weeks later, on September 30, 2025, the law expired anyway. Congress missed the deadline. A continuing resolution had carried a short-term extension, but the Senate failed to pass it, and the government entered a shutdown beginning October 1.
The consequences showed up fast. Federal agencies and private companies scaled back voluntary threat intelligence sharing in the weeks after expiration. Reporting from CyberScoop cited more than a 70% decline in shared threat indicators, with Information Sharing and Analysis Centers (ISACs) reporting 24 to 48-hour delays in alert dissemination and a 12% increase in detected healthcare ransomware activity in the month that followed. These figures come from industry advocacy sources pressing for reauthorization and should be read with that lens, but the direction of travel — less sharing, slower coordination — was consistent across multiple independent legal and policy analyses.
Congress passed a temporary extension on November 12, 2025, bringing the law back online through January 30, 2026. A further extension in the FY2026 continuing resolution pushed the sunset to later in 2026. The House bill with momentum is the Widespread Information Management for the Welfare of Infrastructure and Government (WIMWIG) Act, introduced by Rep. Andrew Garbarino, which would reauthorize CISA 2015 for ten years with updates accounting for AI use in threat data processing. The block in the Senate is Sen. Rand Paul, who has conditioned his support on anti-censorship limits on the Cybersecurity and Infrastructure Security Agency — a separate entity from the law that happens to share the acronym.
The Billington speeches landed with particular weight in retrospect. Cairncross had told the room what was at stake, the room largely agreed, and the legislative machinery failed to act. That gap between what federal cyber leadership says it needs and what Congress delivers is a consistent feature of the public-private cyber terrain, and it is the single most important thing the summit reveals about how U.S. cybersecurity policy actually works.
How Enterprise Reads the Signal
For vendors and enterprise CISOs, Billington is less about announcements than about triangulation. Three signals from 2025 matter.
FedRAMP and compliance are the price of admission, not a differentiator. The federal market rewards products authorized for use in federal environments. Sponsor positioning from companies like Absolute Security, whose Chief Product Officer John Herrema spoke on a vulnerability crisis panel, emphasized FedRAMP authorization as baseline rather than selling point. New entrants should assume authorization is table stakes.
Secure-by-design language is becoming enforceable expectation. Cairncross’s call for industry to uphold security-by-design standards tracks with multi-administration policy continuity. The specific mechanisms — procurement requirements, software bill of materials, liability reform for negligent software — are where the fight moves next. Enterprises selling into federal markets should assume increasing scrutiny of their development lifecycle evidence.
Partnership, not vendor, is the posture. The “whole-of-nation” language is substantively about enlisting private sector capabilities into operations historically reserved for government. Cairncross spoke of exploring concepts of operation to enable the country’s extremely capable private sector, from exposing malign actions to shifting adversaries’ risk calculus. Reading between those lines, companies with offensive cyber capabilities, threat intelligence platforms, or attribution tooling should expect government-industry joint operational models to expand, along with the legal complexity that comes with them.
Frequently Asked Questions
Who can attend the Billington CyberSecurity Summit?
Attendance is complimentary for U.S. government and military professionals. Corporate, small business, nonprofit, and academic attendees pay tiered registration fees. Credentialed working media register separately and may be excluded from Chatham House Rule sessions.
How does Billington differ from RSA or Black Hat?
RSA and Black Hat are primarily commercial events with global audiences and a research/product focus. Billington is specifically a government cybersecurity summit — the speaker roster skews heavily toward federal officials, allied government representatives, and executives at companies doing federal business. The register is policy and operational, not vulnerability research or product launches.
What is the State and Local CyberSecurity Summit?
A separate Billington event focused on state, local, tribal, and territorial government cyber leadership, held in the spring. The third annual summit in March 2025 drew roughly 950 attendees from 42 states; the fourth is scheduled for March 17–19, 2027.
What is the difference between CISA the law and CISA the agency?
The Cybersecurity Information Sharing Act of 2015 is a statute giving companies liability protections for sharing threat data. The Cybersecurity and Infrastructure Security Agency is a component of the Department of Homeland Security stood up in 2018. They share an acronym by coincidence. The 2015 law expired on September 30, 2025, and has since been extended on short-term renewals; the agency continues operating but has faced personnel and funding reductions under the second Trump administration.
The Bottom Line
Billington’s durability as a convening comes from one fact: in U.S. cybersecurity, the boundary between government mission and enterprise product is blurry and getting blurrier, and people on both sides need a place to talk about that honestly. The 2025 summit captured a federal cyber policy in visible transition — a new director with a new doctrine, a foundational information-sharing law about to lapse, and an allied community recalibrating around Chinese prepositioning threats.
The 17th Annual Summit in September 2026 will reveal whether the Cairncross doctrine produced results or rhetoric. The tests are concrete: did CISA 2015 get a clean long-term reauthorization, did federal network modernization pick up pace, did the workforce pipeline actually widen, and did U.S. responses to Salt Typhoon–class operations impose costs visible enough to shift adversary behavior. The room will know. Whether anything gets said about it in public depends on how many sessions run under Chatham House Rule.






