He's talking about TAO and nation state attackers. He knows what both use. His recommendations ignore entire categories of risk and assurance activities TAO relies upon per their catalog. That's misleading.