
US Halts Cyber Operations Against Russia After Ukraine Flap

Following the much-discussed meeting between Donald Trump and Ukrainian president Volodymyr Zelensky on February 28, reporting by The Record indicates that the United States government has formally put a pause on offensive cyber operations against Russia.

The order was issued by Defense Secretary Pete Hegseth as part of new guidance provided to US Cyber Command sometime in February, though reports of it did not appear in the media until three days after the row at the White House. The Trump administration has not provided a clear reason for the order. It was reportedly issued before the public falling-out between Zelensky and the tandem of Trump and vice president JD Vance, but became public amidst other measures taken in response to the incident (such as a freeze on military aid to Ukraine). The order appears to apply only to cyber operations against state-backed actors, and the Cybersecurity and Infrastructure Security Agency (CISA) has issued a statement indicating that it has not changed its posture with regard to defending against threats coming from Russia.

Cyber operations halted as Trump administration pushes for peace talks

Given that the order was reportedly issued prior to Trump and Zelensky’s now-infamous meeting in the Oval Office, it does not appear that it was a retaliatory measure or a sign of any further alignment shift toward Russia. The mineral deal that was supposed to be signed on February 28 had been in the works for some time prior to the meeting, and had focused on a means of Ukraine repaying the military aid it has received from the US during the war while also receiving a boost to its national security. But Trump has also long been vocal about changing tack from the Biden administration’s approach to handling the war, pressing for a near-term diplomatic solution and opening up communication with Moscow.

Since offensive cyber operations against Russia are by nature classified and secret, there is not much detail available to the public about what the order entails. A safe assumption is that it at least means a temporary pause to offensive operations against the country's advanced persistent threat (APT) groups backed by its intelligence agencies, but it is unclear whether it extends to active measures against ransomware gangs and other criminal groups in Russia that do not necessarily have any affiliation with the national government. It does not appear to cover espionage operations, as the National Security Agency (NSA) and signals intelligence operations were excluded from the order. CISA has said that it continues its normal program of defending the US against attacks from APT groups and criminals.

The move appears to be tied to plans to draw president Putin to the negotiating table. This has been indirectly supported by statements to the media by Secretary of State Marco Rubio, who has said that “calling names” and “being antagonistic” would be detrimental to this strategy.

Length of order unclear, cyber operations paused for “foreseeable future”

The impact of the order on cyber operations appears to still be playing out, as the sources say that Hegseth has asked for a risk assessment report that documents the missions to be halted and what potential active threats there are from Russia. The Record reporting notes that the order could ultimately impact several thousand to tens of thousands of personnel at the Cyber National Mission Force, Cyber Mission Force and in intelligence agencies.

The order may also have something to do with a switch in focus to operations against drug cartels based in Mexico, pursuant to Trump's campaign promises of shutting down fentanyl smuggling and human trafficking across the US border. The administration has formally labeled eight of the largest cartels as terrorist organizations. Inside sources have said that the CIA has been greatly expanding its flights of MQ-9 Reaper drones over parts of Mexico to gather intelligence on cartel fentanyl labs since Trump came into office, a program that began during the Biden administration.

While the order pauses current cyber operations against Russia, the sources say that it does not put a stop to planning for future operations. Pauses of current operations of this type are not unprecedented, having taken place under prior Republican and Democratic administrations. When questioned about the media reports, national security adviser Mike Waltz told CNN that he would not confirm or provide any further insight on the order, but that the administration has a package of "carrots and sticks" meant to bring the Ukraine war to an end.

Given the current lack of specifics, Chris Gray (Field CTO at Deepwatch) notes that there are several possible ways to interpret the cyber operations order: "There really become two major areas of concern that would result from the motion – increases in global cyberthreats and a lack of shared confidence in the United States' reliance as a defensive partner. We have a number of scenarios that could be playing out, and each would have a different focus. First, let's take this at face value. The US is no longer considering Russia to be a relevant cyberthreat. This would be a very large concern. Russia has shown, repeatedly, that it has little respect for national boundaries (do those even exist in cyberspace?) and is very willing to use the cyber platform as a relevant weapon of conflict, to include influencing public opinion and global business. If we take our eyes off of monitoring and opposing these activities, it would effectively give Russia a much broader capability for success. This gap would be addressed over time by those affected (at least to a degree), but the interim period would certainly expose a large swath of vulnerable scenarios."

"Next, let's do the 'Yeah, right' view. In this scenario, the United States says that it is moving away from targeting Russian cyberoperations while continuing to do exactly what we have been doing. The rhetoric has cooled down significantly, in keeping with a lot of what has been happening under the current administration, but the effective outcomes remain more or less the same. In this case, the effect on us is minor, comparatively speaking, but the loss of confidence globally from less capable nations could be significant. The willingness to trust and share critical information might also be degraded given the appearance of the United States' withdrawal. Lastly, there is the possibility of lessened attention regarding Russia with a reappropriation of the cyber resources toward other targets. The current administration is heavily focused on issues closer to home, including Mexican cartels, the drug trade in general, and other border issues. In this situation, we would still be affected regarding our nation's ability to respond to Russian activities, but our visibility and ability to react to these other threats would increase," added Gray.

But Tim Mackey (Head of Software Supply Chain Risk Strategy at Black Duck) notes that the cyber operations change will probably not translate into any necessary defensive changes for most organizations: "For those in industry, how the US Government prioritizes its cyber activities should be a lower priority than how your organization prioritizes your cybersecurity risk management efforts. Nation-state actors are always a potential, though unlikely, risk for most businesses. From a software supply chain perspective, mitigating supplier and supplied product or service risks doesn't really change. You still need to assess any risks posed due to outages and breaches, and your risks due to design and implementation risks within your supply chain remain largely consistent regardless of what the current nation-state cyber risk level might be."

Trey Ford, Chief Information Security Officer at Bugcrowd, expands on why this move is not likely to impact CISA's regular mission and activities in this area: "In the civilian sense, my understanding is that CISA is not impacted by this order. I read this as an offensively focused order. CISA's mission, as I understand it, is defensive in nature. Private sector operations are almost 100% defensive and responsive in posture, so our supply chain security efforts will not be interrupted. I do see this as a frustrating request for public sector offensive operations teams; however, this is a natural and expected request in diplomatic efforts. Any cessation of CNA and CNE efforts is to be expected while diplomatic efforts are underway in the public sphere, and the hope is that those paused attack and exploitation efforts will be mirrored by our Russian counterparts. That said, all public and private sector defensive and monitoring capabilities will be operating at full speed, and we will all be watching closely for shifts from our counterparts."

And Jared Smith, Distinguished Engineer & R&D Strategy at SecurityScorecard, notes that the wording of the order may not even fully shut down offensive cyber operations against Russia, and that the reporting may have primarily been arranged as part of the ongoing negotiations: "Keep in mind that the order does not seem to affect anything the NSA is doing, and we know from operations like the offensive Stuxnet malware that set Iran's nuclear program back a decade that the NSA does conduct offensive cyber operations separate from CYBERCOM."