A server room: a long row of servers on the left and right in an industrial hall
The order to halt all cyber operations against Russia marks a stark departure from the previous administration’s cybersecurity strategy. | Photo: Ismail Enes Ayhan via the Unsplash platform | Unsplash License

US Halts Defensive Cyber Activities Against Russia: A Digital ‘Withdrawal’ from Europe

Update: According to other media reports and a Twitter account, the U.S. Secretary of Defense has not ordered the withdrawal of US Cyber Command. A post from the “Official Rapid Response Account For The DOD” on X states: “TO BE CLEAR: @SecDef has neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority.”

Given these conflicting reports, it is difficult to determine which tasks the US Cyber Command is really allowed to continue to perform, and how it relates to sharing intelligence information. Either way, the signal to the EU and NATO partners – if there was one and not simply incompetence on the part of the political actors – as well as the lessons to be learned should be clear. The analyses below therefore remain valid.

In a major shift in U.S. cybersecurity policy, Defense Secretary Pete Hegseth has ordered U.S. Cyber Command to halt all planning against Russia, including offensive cyber operations. This policy change, made behind closed doors, represents a significant reversal of the approach taken under the Biden administration, which had identified Russia and China as the most significant intelligence threats to the United States. The decision aligns with the broader foreign policy direction of the Trump administration, which aims to “de-escalate” tensions with Russia, though it seems to be more of an appeasement. And this policy shift obviously comes at the expense of national and allied security, as has become frighteningly clear in recent days with the example of the – one can hardly call it anything else – ‘blackmail’ of Ukraine, which was temporarily denied military and intelligence support by the US.

The Policy Change: What Happened?

The order to halt all cyber operations against Russia was issued behind closed doors, marking a stark departure from the previous administration’s cybersecurity strategy. Under President Biden, the U.S. maintained a strong cyber posture, actively engaging Russian and Chinese networks to prevent cyber threats before they could materialize. The National Counterintelligence Strategy of 2024, signed by Biden, identified Moscow and Beijing as the most significant intelligence threats to the United States. This document underscored the importance of proactive cyber defense in countering these threats by collecting intelligence. Adding to the confusion that followed this drastic step is the ambiguity surrounding whether this policy also applies to the Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security (DHS) and is responsible for monitoring and protecting U.S. critical infrastructure from cyber threats. While some reports suggested that CISA might still be active in countering Russian cyber threats, an official statement posted on X (formerly Twitter) from CISA’s official account appeared to walk back this assertion, leaving the extent of U.S. cyber defenses against Russian threats uncertain.

Why This Matters: The Importance of U.S. Cyber Command

The implications of this decision are far-reaching, affecting not only U.S. cybersecurity posture but also the security of European allies and Ukraine.

So far, the US Department of Defense has released no official document on the decision, so any assessment rests on a shaky foundation, even though the exact wording matters. For one, this relates to the exact nature of what is meant by the reported order to pause all “offensive operations against Russia”. Most reports state that this does not affect the NSA’s intelligence and cybersecurity efforts to monitor and counter Russian cyber threats. But how might this work when the U.S. Cyber Command, headquartered at Fort Meade, Maryland, operates under the same leadership as the National Security Agency (NSA)? This close integration has been a crucial aspect of U.S. cyber defense for the last two decades, allowing for seamless intelligence sharing, coordinated cyber operations and most likely also pooled know-how and technical expertise. Given this interconnected structure, it is highly questionable whether the NSA’s activities will remain unaffected by the new directive. If the U.S. is indeed seeking to improve relations with Russia, intelligence-gathering activities targeting Russian networks may also be curtailed.

Additionally, it is important to highlight that over the past few years U.S. cybersecurity policy has evolved from a primarily defensive strategy – focused on securing its own networks – to a more proactive “defend forward” approach. This strategy involved engaging adversaries within their own networks, collecting intelligence, preparing leverage and disrupting potential cyber threats before they could impact U.S. infrastructure. So, from a practical perspective, there is no actual difference between “just intelligence gathering” and “offensive” operations, as both require hacking foreign IT systems, breaking or circumventing security measures, and planting one’s own code – that either penetrates the systems or collects data. It is just like a burglar in a house who, once the door has been forcefully opened, can either steal valuables or set fire to the sofa. This figurative open door in the foreign IT system is a disruption and destabilization in any case, and as such, adversary cyber units cannot distinguish if it’s “just spying”. On the contrary, they must assume that US forces have planted even more code that has not been detected, installed more backdoors, or hidden more destructive surprises.

It is this approach of creating “friction” that has proven effective in preventing cyberattacks on the US and in supporting allies, particularly in Europe, where Russian cyber operations have been a persistent threat. With the freeze on operations against Russia, all such activities have ceased. Furthermore, U.S. intelligence activities and threat-sharing mechanisms have been vital for allies, with U.S. Cyber Command and the NSA serving as some of the most important sources of intelligence on Russian cyber activities. By stepping back from these operations, the U.S. may be inadvertently weakening the cybersecurity posture of its allies, particularly those belonging to NATO and the European Union.

The Consequences of the Policy Shift

1. Increased Vulnerability of U.S. Infrastructure

By withdrawing from offensive cyber operations against Russia, the Trump government removes a critical layer not only from its cyber defenses but also from U.S. national security. The “defend forward” strategy was designed to disrupt adversaries before they could launch cyberattacks against U.S. critical infrastructure. It is also unclear whether the pause on offensive operations requires U.S. cyber operators to completely withdraw from adversary networks and suspend all ongoing or long-term activities. In other words, must they fully exit Russian networks or are they required to “just” halt further “effects-based” actions while maintaining their current access and presence without further activities? This distinction is significant for future operations – if a complete withdrawal is mandated, any future penetration efforts would need to start from scratch. Additionally, such a pause would grant Russian cyber defenders ample time to analyze past activity, conduct forensic investigations on U.S. tradecraft, and refine their defenses without the challenge of active U.S. counterintelligence deception or other counter-forensic measures.

In any case, without these proactive measures, Russian cyber actors may find it easier to target American government agencies, financial institutions, and energy grids. Congressional officials and cybersecurity experts have expressed concern that this decision exposes critical U.S. infrastructure to an increased risk of cyberattacks.

2. Empowerment of Russian Cyber Operations

The US Cyber Command withdrawal can, on the one hand, be interpreted as a diplomatic signal that Russian offensive operations will have few or no retaliatory consequences for their own networks. This would be a very worrying development as Russia has long been identified as one of the most active cyber threat actors in the world. Groups linked to Russian intelligence, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), have conducted espionage, hacking, and disinformation campaigns targeting governments, businesses, and media outlets across the globe.

Additionally, Russia is a major hub for cybercrime, with ransomware groups like LockBit and Conti operating from Russian territory with little interference – and likely with active backing – from the Kremlin. By halting its cyber activities against Russia, the U.S. may be unintentionally emboldening these groups, providing them with a freer operational environment. This could have devastating consequences, not only for the U.S. but also for European allies that have been frequent targets of Russian cyber aggression.

3. Consequences for Ukraine

One of the most immediate and severe consequences of this policy shift has already been felt in Ukraine, where the U.S. Cyber Command has deployed “hunt forward” teams, actively identifying and countering Russian cyber threats within Ukrainian systems. This support has been crucial in helping Ukraine defend its critical infrastructure, including energy grids, military networks, and government agencies.

In addition to direct cyber defense, U.S. intelligence gathered through cyber activities has been a major decision-making resource for Ukraine. Companies like Palantir have provided AI-driven intelligence analysis that has helped Ukraine respond to battlefield developments. Even though it seems that the U.S. will continue sharing intelligence with Ukraine, this assurance is undermined by the broader shift in U.S. policy and the US’s demonstrated willingness to use dependencies for negotiating leverage – which is a harmless-sounding euphemism for a situation that could only be understood by the Ukrainians as a blatant threat to throw their country “under the bus”. And there are even more dependencies, like Starlink, a vital source for Ukrainian military communication and tactical defense planning, that must be considered shaky, given the strongly mixed messages from Elon Musk.

4. The Impact on European Allies

European nations have relied heavily on U.S. cyber intelligence to counter Russian cyber threats. The decision to scale back U.S. Cyber Command’s activities reduces the visibility of Russian threat actors and could leave European allies more vulnerable to Russian cyberattacks, creating a security vacuum that Moscow may exploit.

More broadly, the U.S. decision to halt cyber operations against Russia may foreshadow a larger U.S. retreat from European security commitments. Cyber troops are often seen as the digital equivalent of military presence, so pulling them back could be interpreted as an early sign of a withdrawal of U.S. troops from Europe. If the U.S. continues to shift its focus toward China, Russia may be granted a freer hand in Europe.

This concern is further reinforced by the fact that U.S. officials have stopped publicly naming Russia as a primary cyber threat. A key signal of this shift came when Liesyl Franz, deputy assistant secretary for international cybersecurity at the State Department, recently addressed a United Nations working group on cybersecurity. In her speech, she discussed cyber threats posed by nation-states but notably omitted any mention of Russia, instead focusing solely on threats from China and Iran.

Conclusion: A Dangerous Shift in Cybersecurity Policy

This shift in U.S. cyber policy must be understood as an attempt to normalize relations with Russia, despite the ongoing cyber threats posed by Moscow to the U.S. and its allies. Officially, Russia is no longer seen as a cyber adversary – a dramatic departure from previous U.S. intelligence assessments. A possible outcome of this shift is that Russia, no longer needing to fend off U.S. cyber operations, will redirect its full cyber capabilities toward European targets. Meanwhile, the U.S. may be positioning itself for strategic trade deals with Russia, potentially securing raw materials deliveries or economic concessions in exchange for cyber and military restraint – something that US president Trump will probably describe as “making a deal”.

Facing these threats, the EU and its NATO allies need to develop a system for coordinated intelligence-sharing, cyber defense, and the collaborative development of offensive capabilities. A valuable partner for this is Ukraine, which has extensive experience countering Russian cyber threats. Europe must impose stronger cyber sanctions on Russia, targeting major hacking groups like APT28, cutting off their funding, and working with tech companies to disrupt Russian cyber infrastructure by legally compelling these companies (many of which are US-based and have recently been made to kneel before Trump) to cooperate in order to sustain economic participation in the EU.

With the U.S. effectively abandoning its cyber front against Russia, Europe stands at a turning point. The choice is clear: either step up and build a cyber force capable of countering Russian aggression or remain vulnerable to the unchecked rise of Moscow’s digital warfare machine.

Disclaimer: Special thanks to my colleague Sam Forsythe for sharing his ideas and thoughts, which helped to improve this text. Your input was much appreciated.

Thomas Reinhold

Dr Thomas Reinhold is a Researcher at the Research Department International Security and in the CNTR project. He conducts research on the militarization of cyberspace, AI and possibilities for arms control and disarmament of these technologies.
