China is a “ruthless” adversary that poses by far the greatest cybersecurity threat to the United States, according to Bob Skinner, chairman of the board of Axonius Federal Systems.
In his closing keynote at the Axonius Adapt in Action conference in Washington, D.C., Skinner said China “is the threat.”
“Yes, we have Russia and Ukraine going on, and things going on in Iran and the Middle East, but strategically, China is the threat,” he said.
Skinner, a former director of the Defense Information Systems Agency (DISA), told the crowd that China is “ruthless in what they are trying to do.”
“I’m a firm believer that in all of your lifetimes, China will do something that will impact your daily life, whether that is disrupting your power at some point in time, whether that is disrupting trains or metro, [or] whether that’s disrupting water supplies,” he said. “It can be a mom-and-pop shop in the middle of nowhere, or it can be a water filtration plant in the middle of nowhere. It is going to happen, and we’ve got to be prepared.”
Skinner, who has more than 25 years of experience in cybersecurity, national defense, and digital modernization, was named to the Axonius board in April 2025 and became chairman in November.
His comments about China echo numerous government warnings about Chinese cyber activities in recent years. In April, a cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA) said that China-linked groups are shifting tactics and using “covert networks” to target home office routers, along with internet of things (IoT) and smart devices.
Skinner said the Chinese threat has evolved from focusing on ransomware and intellectual property to “pre-positioning” cyber assets to strike at a time and place of Beijing’s choosing.
To fight the growing threat, he said, U.S. defenders should focus – but not overly focus – on gaining visibility into rival networks. “Visibility gets you into the dance, but it doesn’t mean you are going to dance,” he said. “That’s not enough.”
Most important, Skinner said, is tracking data flows and verifying identity.
“Identity is your center of gravity,” he said. “In all of the discussions that I’ve had with boards, and all discussions I’ve had with companies, there hasn’t been one that has a full accounting of identities – not one.”
Notably, Skinner was skeptical of a cybersecurity best practice the government has strongly pushed: zero trust.
“I think it’s a big marketing scheme. That’s what zero trust is,” he said. “At least until a few years ago … if you wanted money, you had to talk about zero trust.”
Skinner said he preferred the term “continuously validated trust, because if you truly have zero trust, you don’t have an issue because there’s trust going on everywhere.”
In the end, he concluded that cyber defenders should focus on the basics: critical thinking skills.
“I think the number one issue within our education system is critical thinking and curiosity,” he said. “How do we build within the curriculum critical thinking skills for the hard problems that we have and are looking to have? If you think today’s environment is the most complex you’ve ever seen, two or three years from now is going to be worse. It’s going to be more complex with the technology.”
Answering his own question, Skinner said: “Invest in people, invest in their ability to understand the technology, to understand the mission, to bring it all together, so that we can have a solution.”