Security Pros Push Back as Trump Orders Halt to Cyber Ops vs. Russia – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

The Trump Administration’s reported move to stop federal agencies from offensive cyber operations and investigations against Russia drew sharp rebuke from some within the cybersecurity community.

It also was another proof point of the sharp turn in U.S. policy regarding what for decades has been the country’s most significant foreign adversary and a top cyberthreat to the United States as well as the rest of the world.

Cybersecurity expert Brian Krebs said the reports about the administration telling the Defense Department (DoD) and CISA to pull back on Russia operations are shocking but not surprising.

“There is zero reason for the US to relax any offensive digital actions against Russia,” Krebs wrote on LinkedIn. “If anything, we should be applying 10x more. This is indefensible, but makes sense given the president’s embarrassing performance at the White House today browbeating [Ukraine] President Zelensky by continuously saying ‘World War III’ and again echoing Kremlin sabre rattling.”

Also on LinkedIn, Jacob Williams, an expert on enterprise risk management and part of cybersecurity consultancy IANS Research’s Faculty, wrote that the complex process of attributing cyberattacks to bad actors relies heavily on tracking cyberthreats, and that halting such operations against Russia creates a cascade of problems for the cybersecurity industry and businesses.

“Telegraphing who we are and aren’t tracking cyber threats from doesn’t benefit the US in any way,” Williams wrote. “This offers threat actors the opportunity to hide with false flag operations, creates huge logistical problems with threat intelligence, and will create distrust with all cyber attribution.”

Messages to the DoD, CISA

The Guardian over the weekend reported on a number of instances that illustrate the Trump Administration’s hands-off approach to Russia. The news organization pointed to a recent speech at the United Nations by Liesyl Franz, deputy assistant secretary for international cybersecurity at the State Department, in which Franz pointed to China and Iran as U.S. cybersecurity concerns, but didn’t mention Russia.

It also reported on an internal CISA memo that outlined new directions for the agency, which included defending against China-backed cyberoperations but said nothing about Russia. An unnamed source told the Guardian that CISA was told verbally to stop following or reporting on Russian threats.

The Guardian story came amid reports from the likes of The Record and NBC News that Defense Secretary Pete Hegseth ordered the U.S. Cyber Command to pull back any plans against Russia, including offensive cyber operations. The memo reportedly didn’t mention the National Security Agency or its work regarding Russia.

Historically a Political Adversary

This is in sharp contrast to what for years has been the country’s position regarding Russia, particularly during the Biden Administration’s time, during which Russia and China were placed at the top of a small list of critical nation-state threats that also included Iran and North Korea. Government agencies and cybersecurity threat intelligence groups have attributed a number of cyberattacks on U.S. government agencies and critical infrastructure and commercial organizations – such as software maker SolarWinds in 2020 – to groups backed by Russia’s security agencies, including the Foreign Intelligence Service (SVR) and Federal Security Service (FSB).

High-profile threats like the LockBit 3.0 ransomware-as-a-service (RaaS) also have been tracked back to Russia, if not the country’s government itself.

Wait and See

No reasons were given for the decisions, though there is speculation it has to do with negotiations meant to end Russia’s war on Ukraine. Some cybersecurity pros were taking a guarded approach to the Trump Administration’s position. John Bambenek, president of Bambenek Consulting, told Security Boulevard that “like any major gamble, it depends on if it pays off.”

“If the end result months from now, for instance, is significantly reduced ransomware hitting hospitals, then it will be seen as a big win,” Bambenek said. “It will also depend on how long this guidance is in place. The good news is that it’s pretty immediate to rescind and go back to the status quo. Right now, it really depends on whether Russia views this as a ‘free hits’ policy or they use it for diplomatic rapprochement.”

Bugcrowd CISO Trey Ford told Security Boulevard that pausing any operation interrupts efforts that have consumed a lot of energy, investment, and human capital, noting that reconnaissance and operational monitoring are continuous efforts. What needs to be seen is reciprocal steps by Russia.

“Any cessation of CNA [computer network attack] and CNE [computer network exploitation] efforts is to be expected while diplomatic efforts are underway in the public sphere, and the hope is that those paused attack and exploitation efforts will be mirrored by our Russian counterparts,” Ford said. “That said, all public and private sector defensive and monitoring capabilities will be operating at full speed, and we will all be watching closely for shifts from our counterparts.”

Tim Mackey, head of software supply chain risk strategy at Black Duck, told Security Boulevard that “for those in industry, how the U.S. government prioritizes its cyber activities should be a lower priority than how your organization prioritizes your cybersecurity risk management efforts. Nation-state actors are always a potential – though unlikely – risk for most businesses.”

On the supply chain side, the need to mitigate risks to suppliers and their products and services doesn’t change, Mackey said. The risks that need to be assessed, those that come with outages and breaches and those due to design and implementation in the supply chain, “remain largely consistent regardless of what the current nation-state cyber risk level might be.”

Only Russia Benefits

In his post, IANS Faculty member Williams detailed the multiple steps in reaching the point of attributing an attack to a source, from collecting data and indicators of compromise from individual security incidents to finding overlaps with other events and eventually attribution. While the attribution may be made public, much of the underlying data isn’t, to keep it away from the bad actors.

“The biggest procedural issue with ‘stop tracking Russian cyber threat actor groups’ (though there are many other issues) is that we don’t know until the end of the attribution lifecycle which data corresponds to which nations,” Williams wrote. “Another obvious issue … is that CISA doesn’t just collect on Russia. The data and indicators they get come from collection sources that typically target a broad range of threat actors – Russia among them. Will these collection sources be deemed ‘unauthorized’ in this scenario? If so, this is a huge win for threat actors everywhere – not just Russia.”

There are other concerns. Threat groups might make themselves appear to be Russian in false-flag scenarios to keep the United States from investigating them. At the same time, analysts may want to attribute Russian incidents to China or Iran so they can continue investigating and not be punished. This could lead the industry to distrust any attribution by the government.

The responsibility could shift to commercial vendors, but many of those – like CrowdStrike and Google’s Mandiant unit – have significant contracts with the government, so how anxious would they be to risk those contracts by pursuing Russian threats?

“I could go on, but I’ll stop by asking the most obvious question: how is this supposed to help?” Williams wrote. “Other than Russia, who benefits when CISA stops tracking Russian cyber threats (notwithstanding the logistical issues of doing so already noted)? How is the US made safer when CYBERCOM stops planning for operations against Russia?”

Original Post URL: https://securityboulevard.com/2025/03/security-pros-push-back-as-trump-orders-halt-to-cyber-ops-vs-russia/?utm_source=rss&utm_medium=rss&utm_campaign=security-pros-push-back-as-trump-orders-halt-to-cyber-ops-vs-russia

Category & Tags: Cloud Security,Cybersecurity,Data Privacy,Data Security,Featured,Governance, Risk & Compliance,Industry Spotlight,Malware,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Threat Intelligence,Threats & Breaches,cisa,Russia,Trump,US DOD
