Defense Secretary Pete Hegseth has ordered U.S. Cyber Command to halt all planning against Russia, including offensive digital operations, The Record reports.
The directive, issued towards the end of last week to Cyber Command chief General Timothy Haugh, heralds a major shift in U.S. cyber strategy toward Moscow.
The order, which was subsequently relayed to the outgoing director of operations, Marine Corps Major General Ryan Heritage, does not extend to the National Security Agency (NSA) or its signals intelligence activities targeting Russia, sources said. However, the full extent of Hegseth’s directive remains unclear.
Policy Shift and Diplomatic Implications
Hegseth’s decision is seen as part of the White House’s broader efforts to improve relations with Moscow. The move follows a period in which the U.S. and its allies sought to isolate Russia over its 2022 invasion of Ukraine. President Donald Trump has previously made statements aligning with Russian President Vladimir Putin’s narrative, including falsely blaming Ukraine for the war and criticizing Ukrainian President Volodymyr Zelensky.
On Friday, Trump and Zelensky met in Washington to negotiate a deal granting the U.S. access to Ukraine’s mineral resources. However, the agreement fell apart after a heated exchange in the Oval Office.
Operational Uncertainty and Risk Assessment
The duration of this order remains unclear, though Cyber Command has been told it will remain in place for the foreseeable future. In response, the command has begun compiling a risk assessment outlining the halted missions and potential threats from Russia.
Heritage, who is nearing retirement, is expected to oversee the implementation of the stand-down order. His responsibilities likely include notifying operational units such as the 16th Air Force (Air Forces Cyber), which conducts digital operations under U.S. European Command.
Cyber Command’s workforce could also be affected by the directive, particularly its digital forces targeting Russia.
The Cyber National Mission Force and Cyber Mission Force, collectively comprising 5,800 personnel, are responsible for offensive and defensive cyber operations. It is estimated that a quarter of offensive units are dedicated to countering Russian cyber threats.
If Hegseth’s order extends beyond offensive operations to intelligence, analysis, or capabilities development, it could impact thousands of personnel at Cyber Command’s Fort Meade headquarters, as well as service components and NSA staff embedded within the organization.
Potential Fallout for Ukraine and Cybersecurity
Hegseth’s order could disrupt Cyber Command’s operations in Ukraine, where it has played a key role in strengthening digital defenses against Russian cyber threats. Before Russia’s 2022 invasion, the command deployed “hunt forward” teams to Kyiv to bolster Ukrainian cyber resilience.
Since then, it has closely monitored Moscow’s cyber activities, particularly those linked to intelligence gathering and espionage.
The stand-down order may also heighten cyber risks for private sector entities in the U.S. and globally. Russian state-backed hackers and criminal cyber groups have been linked to ransomware attacks and other malicious activities targeting critical infrastructure.
A Lack of Shared Confidence
Chris Gray, Field CTO at Deepwatch, believes two major areas of concern would result from the move – an increase in global cyber threats and a loss of shared confidence in the US’s reliability as a defensive partner. A number of scenarios could be playing out, and each would have a different focus.
“First, let’s take this at face value. The US no longer considers Russia to be a relevant cyberthreat. This would be a very large concern. Russia has shown, repeatedly, that it has little respect for national boundaries (do those even exist in cyberspace?) and is very willing to use the cyber platform as a relevant weapon of conflict, including influencing public opinion and global business. If we take our eyes off monitoring and opposing these activities, it would effectively give Russia a much broader capability for success. This gap would be addressed over time by those affected (at least to a degree), but the interim period would certainly expose a large swath of vulnerable scenarios.
“Next, let’s do the ‘Yeah, right’ view. In this scenario, the States says that it is moving away from targeting Russian cyber-operations while continuing to do exactly what we have been doing. The rhetoric has cooled down significantly, in keeping with a lot of what has been happening under the current administration, but the effective outcomes remain more or less the same. In this case, the effect on us is minor, comparatively speaking, but the loss of confidence globally from less capable nations could be significant. The willingness to trust and share critical information might also be degraded, given the appearance of the United States’ withdrawal.”
Lastly, Gray says there is the possibility of lessened attention regarding Russia with a reappropriation of the cyber resources toward other targets. “The current administration is heavily focused on issues closer to home, including Mexican cartels, the drug trade in general, and other border issues. In this situation, we would still be affected regarding our nation’s ability to respond to Russian activities, but our visibility and ability to react to these other threats would increase.”
Let’s Hope Russia Follows Suit
Trey Ford, Chief Information Security Officer at Bugcrowd, adds that pausing any operation is, by definition, an interruption to efforts in which the flow of mountains of energy, investment, and human capital is halted. “Reconnaissance and operational monitoring is a continuous effort – where missed changes can have varying levels of impact on the mission. Changes in targets, shifts in infrastructure, or loss of access could lead to discovery or disruption of infrastructure.”
In the civilian sense, Ford says his understanding is that CISA is not impacted by this order. “I read this as an offensively focused order. CISA’s mission, as I understand it, is defensive in nature. Private sector operations are almost 100% defensive and responsive in posture, so our supply chain security efforts will not be interrupted. I do see this as a frustrating request for public sector offensive operations teams. However, this is a natural and expected request in diplomatic efforts.”
Any cessation of CNA and CNE efforts is to be expected while diplomatic efforts are underway in the public sphere, Ford adds. “The hope is that those paused attack and exploitation efforts will be mirrored by our Russian counterparts. That said, all public and private sector defensive and monitoring capabilities will be operating at full speed, and we will all be watching closely for shifts from our counterparts.”
It Depends if it Pays Off
According to John Bambenek, President at Bambenek Consulting, much like any major gamble, it depends on whether it pays off. “For instance, if the end result months from now is significantly reduced ransomware hitting hospitals, then it will be seen as a big win. It will also depend on how long this guidance is in place. The good news is that it’s pretty immediate to rescind and go back to the status quo. Right now, it really depends on whether Russia views this as a ‘free hits’ policy or they use it for diplomatic rapprochement.”
In the short term, Bambenek says this doesn’t put even more pressure on security vendors to trace and report on Russia-based cyber operations. “If this directive remains in place and Russia’s attack behavior doesn’t change (or gets worse), then absolutely commercial security vendors will need to pick up the slack here and, at least in the United States, there is a great deal of civilian APT researchers, so we have the talent and tools to do so, even if unideal.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.