🚨As I’ve said repeatedly, China’s cyber program presents the most serious & immediate threat to US national security. The PRC’s objective is unambiguous: it is preparing for war by holding at risk America’s critical infrastructure. Its goals are to prevent the US from defending our allies by deterring our ability to project power into the Pacific, and to weaken America’s resolve by inciting societal chaos through disruptive attacks against ports, rail, comms, power, water, & more. While our response must be clear-eyed, resolute, and aggressive, we must not fool ourselves into believing that a “gloves off” approach overly focused on offensive cyber operations will ultimately deter Xi Jinping. Here’s why:

1. Xi frames suffering as necessary to achieve China’s revolutionary mission. In a recent speech, Xi concluded by invoking a historically loaded phrase: “the Kingdom of Freedom.” He was deliberately channeling Mao Zedong, who used the same expression to justify the Great Leap Famine—an event that killed 36 million people.

2. Economic pain doesn’t faze Xi—it validates his purpose. He has presided over the destruction of $18 trillion in real estate wealth without blinking. Like Mao, he views hardship not as a failure but as proof of commitment to a higher ideological goal: “Chinese-style modernization.”

3. US offensive cyber operations, including disruption of Chinese infrastructure, likely won’t change Xi’s behavior. He anticipates struggle and sees disruption as part of the process.

4. The deterrence equation is asymmetric. While China targets America’s open society to erode trust and sow chaos, Xi’s regime is shielded by censorship, authoritarian control, and a nationalistic narrative that glorifies sacrifice. While we should make it clear that we have the capability and resolve to hold China’s critical infrastructure at risk, and, if necessary, impose costs, our strategy must continue to include a strong focus on deterrence by denial and resilience:

1. Congress should prevent any serious cuts to the Cybersecurity and Infrastructure Security Agency that reduce its ability to defend the nation in cyberspace. CISA’s collaboration with industry was critical in detecting & evicting PRC cyber actors from US networks.

2. Corporate America must treat cyber risk for what it is—existential business risk. CEOs & boards should invest in cyber hygiene, integrate cyber resilience into corporate governance, conduct rigorous continuity testing, and prepare for & exercise against crisis scenarios. If businesses are not already planning for disruption, they are behind.

3. We must all demand more from tech vendors. PRC hackers are not for the most part deploying cutting-edge cyber weapons—they are exploiting known defects in widely used products. Technology companies must build & deliver products that are secure by design; technology consumers must loudly demand it. Congress should establish a software liability regime to incentivize both.