Rob Joyce
Podcast Appearances
We are a rule of law country, and there is an effort in the law of armed conflict where you need to be differentiating military targets from civilian targets. You need to have proportionality. The things you do must impact the military effects more than the civilian effects. And so when people say we ought to turn the lights off and shut off the water and stop the planes or crash trains, we don't do that because it's disproportionate on the civilian population. And that's where the differences arise. We would never get through the lawyers the ability to hold them at risk the way they're currently in some of our infrastructure. And that's the differentiator.
When I said don't use cyber against cyber, I don't mean don't use it. It's got to be part of a whole portfolio of things. There's got to be from the very top a strategy and aggressive messaging that we won't tolerate this. There's got to be diplomatic law enforcement. There's got to be some of the naming and shaming, some cyber. We've got to use that whole portfolio and in very aggressive ways. So I'll ask this question, right? When we get annoyed by the actions of another government, what do we often do? We expel their diplomats, right? We expel their spies. I have never seen us expel somebody because of a hack. They're in our infrastructure, and there has been no diplomatic repercussion for that. Those are the kind of things that, you know, we've got to turn the knob up and use all of that portfolio.
Yeah, so the first thing I'd point out, Nicole, is I am a firm believer that cyber doesn't stop cyber, right? You don't get a bigger cyber bat and hit somebody hard and they just go away, right? We had the Salt Typhoon intrusions into our telco, pretty heinous intrusions. We've had the pre-positioning in critical infrastructure, pretty heinous strategic advantage for China.
And we didn't curl up and say, we're going away, we're getting out of the cyber business, right? You now have congressmen and even administration people pounding on the table saying, we need more cyber, right? And so I don't see the effect that they've brought deterring us. So why do you assume if we bring something, it will deter them? I think there is a strong assumption we're doing the same.
We certainly have amazing, very capable cyber operators between CyberCom, NSA, CIA, the defensive capabilities of CISA, the FBI. We are well-resourced and large, not as large as the Chinese assets, but we have impressive capabilities. That hasn't deterred China. It's motivated them, in some sense, right, to be better and bigger.
But the thing that really differentiates us is we are a rule of law country. And there is an effort in the law of armed conflict where you need to be differentiating military targets from civilian targets. You need to have proportionality. The things you do must impact the military effects more than the civilian effects.
And so when people say we ought to turn the lights off and shut off the water and stop the planes or crash trains, we don't do that because it's disproportionate on the civilian population. And that's where the differences arise. We would never get through the lawyers the ability to hold them at risk the way they're currently in some of our infrastructure. And that's the differentiator.
But I say all of that, and now you've got a new administration that is willing to put the dial on 11. And if you talk to folks in the administration, you talk to folks on the Hill, there's certainly a strong desire to have more capability in the cyber offensive arena unleashed. So we'll see where that goes.
One of the things China's doing in their operation today is a type of hacking called living off the land, where they don't bring malware, they don't bring code into the environment, they use the stuff that's part of the operating system already. And that makes it hard because antivirus doesn't work. There's nothing to signature on and alert that there's somebody in your computer.
How do they do living off the land? One of the ways is they assume an identity of somebody who already has access in that system. And with AI, there's the opportunity to look at massive amounts of data and understand: what does David do every day in his cyber persona? And is he now starting to do different things?
And so AI lets you look at scope, scale, and detail about these trends and flag the things that are unusual anomalies. It may be that you block it at that point or you just put extra eyes on so that you can stop it and curtail it and cauterize that intrusion.
It comes at us in a couple dimensions. DeepSeek is software that is run in China. They're offering a service so your data goes to China. I think we all understand why that would be a bad thing to have any of the questions or intellectual property you give to the AI be housed in China.
There's a second way where they've open weighted the model so that you can move it here to the US and run it on your own infrastructure. There's still an inherent bias inside that AI and people were famously asking it about Tiananmen Square and other things. So I want to make sure that the AI I'm using isn't biased against free and open society. So those are the two big things that worry me.
And how did they create it? They distilled out of the investment of OpenAI, right? And literally trained their model off the US frontier models. And so, you know, export control doesn't stop that. It is the American innovation that's going to keep moving ahead of it.
If you look at the operational way that China comes at us, it is scope and scale and now sophistication. In the early days of China hacking, the US kind of left it off. They weren't very sophisticated. They were easily detected. It was blunt force. And now over time, they continue to come and come and come.
And they have such quantities around their ecosystem that does this hacking, whether it be the military government assets, the intelligence service government assets, and increasingly the commercial assets who support these activities by writing malware, by providing the infrastructure that the governments hack through.
But now they even do independent hacking operations themselves, where they choose the target, they grab the data, and then they offer it back to CCP government officials to see if there's a profit in that space.
So they have grown in scope and scale, sophistication on a level nobody else has seen and is, quite frankly, becoming a huge problem for us because of the critical infrastructure threat, because of the pervasive nature they've gotten into things like our telcos and our ISPs. The way that they're able to operate at scale is just monumental.
How have they achieved this miraculous growth? They appear to be selling at price points below profitability to drive out our Western competition. TP-Link routers were among the various brands exploited by Chinese state-sponsored hackers in the massive Volt, Flax, and Salt Typhoon attacks.
Imagine these routers in the homes and businesses across America as a PRC platform to launch society-panicking cyber attacks. This is a threat we cannot ignore. The company is selling them at unprofitable levels and they're driving out the Western and US manufacturers. It's exponential growth.
And now they have these routers in all of our homes that the software is maintained and updated out of China.
Whether TP-Link is complicit in these hacks or not today, at any point, the Chinese government can go under their intel laws and direct that company to support them and issue an update that either bricks a massive amount of our critical infrastructure, people's ability to get on the internet if they want to attack, or makes them even better bounces and redirectors for them to do their operations through.
It's a huge problem, Nicole.