The foreign policy establishment is having a collective panic attack because Donald Trump just stated the most obvious, unclassified truth in the history of global espionage.
Fresh off his Air Force One flight from Beijing, Trump didn't stick to the scripted, pearl-clutching narrative about Chinese hacking. When grilled about confronting Xi Jinping over state-sponsored cyberattacks like Volt Typhoon, he skipped the usual diplomatic theater. "We spy like hell on them, too," Trump said. "You know, what they do, we do too."
Queue the immediate, synchronized fainting couches from the beltway crowd. The media is painting this as a terrifying security gaffe, a dangerous breach of protocol, and a blow to American moral authority.
They are completely wrong.
The lazy consensus in tech policy and mainstream media loves to frame international cybersecurity as a comic book movie. In their narrative, the West is a helpless, squeaky-clean victim, and China is an unprovoked cyber villain breaching our utilities just out of pure malice. By admitting the United States plays the exact same game with equal ferocity, Trump didn't weaken the American position. He dismantled a useless corporate myth that has kept Western enterprise security weak, lazy, and dependent on empty government promises for over two decades.
The Hypocrisy of "Rules-Based" Cyber Order
For years, I have watched multi-billion-dollar enterprise infrastructure operations hide behind the shield of government condemnation. Every time a major corporation gets breached by an Advanced Persistent Threat (APT) group out of Shanghai or Shenzhen, the response is identical: run to the press, blame state-backed actors, and wait for the Department of Justice to issue symbolic, un-enforceable indictments against foreign military officers who will never see the inside of an American courtroom.
This entire strategy relies on pretending that the United States does not possess an offensive cyber apparatus. It assumes that if we complain loudly enough about "norms" and the "rules-based international order," our adversaries will magically lay down their keyboards.
It is a fantasy.
Let's look at the actual mechanics of global signal intelligence. The National Security Agency (NSA) and Cyber Command do not spend their multi-billion-dollar budgets just defending domestic networks. To pretend that the U.S. is not actively infiltrating foreign telecommunications, implanting beacons in foreign critical infrastructure, or conducting industrial espionage under the banner of national security is a deliberate refusal of reality.
Think about the Equation Group. Look at the leaks from the past decade that exposed Tailored Access Operations (TAO). The United States invented the modern offensive cyber playbook.
When Trump looked at reporters and said, "I told him, 'we do a lot of stuff to you that you don't know about,'" he dropped the facade. He acknowledged that cyber space is not a courtroom; it is an active, permanent war zone where every major power operates with absolute ruthlessness.
Why Corporate America’s Victim Complex Is Killing Security
The real danger to American security isn't Trump's candor. It is the corporate victim mentality that the standard diplomatic theater fosters.
When C-suite executives believe that cyber warfare is an asymmetrical problem where only the bad guys attack, they treat defense as a compliance checkbox. They build security strategies around the assumption that someone else—namely, the federal government—is going to penalize the attacker or deter them through sanctions.
Here is the brutal truth: No one is coming to save your network.
China's Volt Typhoon campaigns, which target U.S. water treatment facilities, power grids, and transportation hubs, are not going to stop because of a sternly worded press release from the State Department. They are going to stop when those networks become too difficult, too expensive, and too painful to penetrate.
By framing cyber operations as a mutual, hyper-aggressive reality ("what they do, we do too"), the conversation shifts from geopolitical whining to operational resilience. It forces private sector infrastructure operators to realize they cannot rely on a fictional geopolitical truce. If the U.S. government is actively "spying like hell" on adversaries, those adversaries have every structural incentive to do the same to us.
Dismantling the Definitives: The Real Nature of Deterrence
The establishment argues that admitting to offensive operations legitimizes China’s behavior. They think that by saying "we do it too," we lose the right to demand that Beijing stops.
This is a profound misunderstanding of how deterrence actually works.
In the real world, adversaries do not respect clean hands; they respect capability. Xi Jinping is entirely aware that the United States is targeting Chinese networks. Pretending otherwise during bilateral summits does not earn the U.S. any diplomatic leverage; it just makes American negotiators look naive or hypocritical.
Imagine a scenario where two corporate rivals are actively poaching each other’s top engineers. If one CEO pretends poaching doesn't exist while losing their best talent, they look weak. If that CEO looks the rival in the eye and says, "I know you're targeting my staff, and I am actively raiding yours," the dynamic shifts from moral posturing to raw negotiation.
Trump’s bluntness changes the leverage dynamic. He openly stated that Washington possesses offensive cyber capabilities that Beijing may not even be able to detect yet. That creates strategic ambiguity. It forces Chinese intelligence to spend more time hunting for American implants inside their own networks rather than focusing entirely on projecting outward force.
The Downside of Truth: The Costs of a Realist Cyber Policy
Admitting the truth has a distinct, painful downside that most contrarians refuse to acknowledge: it kills the easy excuses.
If we accept that cyber espionage is a permanent, two-way street, then we have to stop treating domestic data breaches as acts of God or foreign acts of war that could not be prevented.
When a major utility provider or tech company allows an adversary to dwell inside its directory services for nine months undetected, that is no longer just a "sophisticated nation-state attack." It is a fundamental operational failure. It means the target failed to secure its perimeter, failed to monitor lateral movement, and failed to implement basic zero-trust architecture.
If the game is "spy like hell," then the only metric that matters is who secures their house better. The victim card is officially off the table.
Drop the Playbook and Protect the Stack
Stop waiting for international treaties on cyber warfare. They do not exist, and they will never work. The current administration's move toward offensive cyber capabilities within its counterterrorism and national security strategies is simply an acknowledgment of what has always been true behind closed doors.
For technology leaders, enterprise executives, and security architects, the lesson from this bilateral transparency is simple:
Build your architecture under the absolute certainty that your network is an active target in a lawless conflict. Assume that your perimeter is already breached, because the state actors targeting you are operating under the exact same "spy like hell" mandate that the Western intelligence apparatus deploys abroad.
The era of geopolitical finger-pointing as a substitute for real infrastructure hardening is over. Trump just said the quiet part out loud, and it’s about time everyone else started acting like they heard it.
