Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia?

Two blockbuster stories published on Friday appear to confirm what many Americans suspected would occur under the Trump administration – that the new regime is going to be softer on Russia than previous administrations, particularly with regard to the threat that Russia poses in cyber space.

Since publication, however, one of these stories has been disputed, and the second story has raised more questions than it answered. Additionally, a third story has been published, which offers new details.

I thought it might be worth reviewing the stories to see where the information in them now stands – especially because so much of what is being reported in the early days of this administration is based on incomplete information that is subject to revision as more gets revealed.

In the first story, The Guardian reported that the Trump administration had begun to retreat from the nation's longstanding position that Russia represents a severe cyber threat to the country. It has done this both in what administration officials have said – or, rather, not said – about Russian cyber threats as well as through a recent memo at the Cybersecurity and Infrastructure Security Agency (CISA) that reportedly redirected analysts away from tracking Russian cyber threats. The Guardian stated that CISA analysts who focus on Russian threats had been ordered "not to follow or report" on these threats going forward.

About 90 minutes after the Guardian story published on Friday, The Record published a separate story revealing that U.S. Cyber Command had been recently told to stand down on all planning against Russia – including offensive cyber actions against the country.

Taken together, the two stories raised alarms that the policy changes would have a drastic impact on U.S. national security and make the country more vulnerable to cyberattacks from Vladimir Putin's hackers. The Record noted that the order to Cyber Command provided "evidence of the White House’s efforts to normalize ties with Moscow," and the Guardian quoted a source who said that the change at CISA represented a win for Russia. "Putin is on the inside now,” the source told the Guardian.

Although a number of people on social media seem to believe The Record story corroborates The Guardian story (I won't call anyone out here), the two stories are reporting different things and are based on different sources.

Cyber Command is a military unit under the Department of Defense and conducts both offensive and defensive cyber activity outside the U.S. This includes hunt-forward operations (assisting Ukraine and other nations in finding malicious activity on their networks, for example), conducting "effects" operations (cyber attacks that degrade, destroy or disrupt an adversary's electronic systems) and taking down infrastructure used for malicious purposes against the U.S. or its partners.

CISA, on the other hand, is entirely domestic and defensive in its mission. Its job is to help defend the federal government's civilian networks (the National Security Agency helps defend military networks) and it helps the owners of critical infrastructure – most of which is privately owned in the U.S. – defend these networks by conducting risk assessments, providing information about vulnerabilities and patching guidance, and assisting with incident response after a breach when needed.

Therefore, telling Cyber Command to stand down on Russia is very different from telling CISA to stand down, though the policy directives described in each story could potentially have similar effects in weakening U.S. security.

I'll first parse what the two stories said and didn't say and then look at what has changed since they published.

What the CISA Story Said

The Guardian story, reported by Stephanie Kirchgaessner, said that the Trump administration was "no longer characterizing Russia as a cybersecurity threat" – a move that marked a radical departure from previous administrations and U.S. policy. The story was based in part on omissions in statements made by government officials that indicate the administration doesn't consider Russia a chief threat in cyberspace. This included a speech made in late February by Liesyl Franz, deputy assistant secretary for international cybersecurity at the State Department. Franz told a United Nations working group that the U.S. was concerned about cyber threats from China and Iran – and specifically called out the so-called Salt and Volt Typhoon attacks that penetrated U.S. telecoms and other critical infrastructure – but did not mention Russia's attack against SolarWinds, its attempts to compromise U.S. election infrastructure in 2016 or any other Russian cyber operations.

The story then mentioned that a memo had recently been distributed at CISA that set new priorities for staff there. The memo reportedly mentioned China and addressing threats that it poses to the U.S., but it did not mention Russia. The story also said that analysts at the agency who focus on Russian threats "were verbally informed that they were not to follow or report on Russian threats" going forward. This information appeared to be attributed to a single anonymous source who told the Guardian that work being done at the agency on anything related to Russia had essentially been “nixed.”

Two days after the Guardian story published, however, CISA denied the report in a post published on X and in a statement given to reporters. "CISA’s mission is to defend against all cyber threats to U.S. Critical Infrastructure, including from Russia," the agency wrote on X Sunday evening. "There has been no change in our posture. Any reporting to the contrary is fake and undermines our national security."

Additionally, DHS spokesperson Tricia McLaughlin told reporters that “CISA remains committed to addressing all cyberthreats to U.S. critical infrastructure, including from Russia. There has been no change in our posture or priority on this front.”

Calling news stories "fake" is common for the Trump administration (both Trump I and Trump II) when addressing articles published by mainstream media. But other reporters, including myself, have been unable so far to confirm the memo's existence or the verbal directive to Russian analysts. One source told me that a colleague at CISA had told them the memo does not exist while another colleague told them it does exist. But no one has provided proof of its existence yet.

What the Cyber Command Story Said

In The Record's subsequent story about Cyber Command, reporter Martin Matishak indicated that in late February, Defense Secretary Pete Hegseth ordered U.S. Cyber Command to stand down from all planning against Russia, which included offensive digital actions. The latter was underscored by the fact that Hegseth gave the order to Cyber Command chief Gen. Timothy Haugh, who oversees cyber operations. The order does not impact the National Security Agency, which Haugh also commands, which means that NSA cyber espionage activity against Russia remains intact.

I initially read the story as if it said that Cyber Command had been ordered to stand down on all currently active cyber operations against Russia, as well as on planning for future ones. Apparently I wasn't the only one who read the piece this way. But the story doesn't actually say that Hegseth ordered a halt to current cyber operations against Russia, only a halt to planning conducted for such operations. It acknowledges, however, that a halt to planning could result in halting some current operations or at least impact them.

It turns out, however, that my bad reading of The Record story was actually correct, since a subsequent story from the Washington Post mentions that Cyber Command was indeed told to halt current cyber operations. I discuss that story further below, but for now let's stick with The Record's story.

I've seen people online referring to Hegseth's "stand down" order as a "shut down" order. But standing down and shutting down are two different things. Standing down can mean a permanent end to a stance or activity, but it can also just be a pause in activity until further notice. Shutting down an operation or planning, on the other hand, refers to dismantling a program. This could include dismantling infrastructure currently being used for an offensive cyber operation, withdrawing from networks that operators have already penetrated, and even re-assigning personnel to other operations focused on non-Russian targets. The latter would obviously be more difficult to recover from should Hegseth subsequently reverse his order and tell Cyber Command to re-start planning and operations against Russia. So it's more likely that Hegseth meant to simply pause operations, not shut them down entirely. [This was later confirmed by the Post story.]

The Record didn't say what prompted the order to Cyber Command or how long it would last, just that the order was in place for the "foreseeable future." The story also didn't mention negotiations the Trump administration hopes to conduct with Russia to put an end to the war in Ukraine. But experts told me last week that this was the likely context for the order.

Jason Kikta, a former Cyber Command official, told me on Friday that halting offensive cyber operations and information operations against a country during negotiations with that country is normal. "Not exactly standard, but common enough," he said.

The U.S. would want to halt cyber operations against Russia during negotiations to avoid "pissing off the other side," he noted, but the halt would be temporary.

The Record said that Cyber Command had begun compiling a report for the secretary of defense that lists all "ongoing actions or missions" halted as a result of his stand-down order and that also details what potential threats still emanate from Russia. It would make sense for an incoming defense secretary to want to understand what operations are currently being conducted against Russia if the U.S. is preparing to enter negotiations with it. The secretary might want to halt all operations during negotiations with Russia or just halt the ones that would be more likely to trigger anger from Russia if detected. [A less charitable reading of this, however, would be that the Trump administration is looking to collect information on U.S. cyber offensive operations against Russia in order to share that information with Russia – especially operations that may be helping Ukraine in its war with Russia. But there is currently no evidence that this is the aim.]

If temporarily halting operations during negotiations is common, as Kikta noted, halting the planning of operations is not. This "would be wildly outside norms," he noted. "[Because] if you stop planning over a long period, things go stale and options aren't viable if you suddenly need them." Halting planning for a few days is not a problem. But halting it for a few weeks is "risky."

What he means is that networks and software can change suddenly and often. If an adversary simply applies a software patch to a system or changes a network configuration, for example, this can kick U.S. cyber warriors out of the system and make it difficult for them to get back in when they need it. If U.S. operators aren't actively monitoring changes to Russian systems and working to find alternative ways to enter them, they won't be in a position to take action against these systems if they suddenly need to do so. It's the same reason that nation-state hackers working for Russia and China try to maintain persistent access to, and presence inside, U.S. networks.

The Washington Post Story

The story published by The Record raised many more questions than it answered. Why did Hegseth issue the stand-down order to Cyber Command? Was it a permanent or temporary order? Did it apply to currently active cyber operations against Russia?

Some of these questions got answered the next day by a piece published by the Washington Post.

This story, written by Ellen Nakashima and Joe Menn, disputed The Record story in one regard. It revealed that planning for cyber operations against Russia had not been cancelled, but that Cyber Command had been ordered to halt currently active operations against Russia. It also noted that the pause is meant to last only as long as negotiations with Russia continue, as the sources I spoke with last week had surmised.

The Post story also confirmed what Kikta had told me – that halting operations during negotiations is common.

“I have seen many times when we are in some type of negotiation with another nation, especially if it’s one that is considered an adversary, that we stop operations, exercises, we even cancel speeches sometimes,” retired Lt. Gen. Charlie “Tuna” Moore, former deputy commander of U.S. Cyber Command, told the Post. “It’s fairly common to pause anything that could potentially derail the talks.”

So now we know, at least per the state of current reporting on this, that Cyber Command has been ordered to temporarily halt current offensive cyber operations against Russia, but that planning these operations and preparing for them continues.

What Kinds of Cyber Operations Are Impacted?

So what kinds of Cyber Command operations against Russia would be halted under the order from Hegseth? As noted above, NSA espionage operations against Russia are not impacted by the order. But one thing that could be impacted are operations Cyber Command has conducted on behalf of Ukraine during its war with Russia.

I wrote a story back in 2022 about the kinds of offensive cyber operations Cyber Command was likely conducting to assist Ukraine. These are actions that would not qualify as a use of force or an armed attack as defined by international law, since U.S. policy on Ukraine since the beginning of the war has been to not become directly involved in the conflict or engage in any activity that could trigger Russia to respond in a way that pulled the U.S. into the conflict. So what operations might Cyber Command be conducting against Russia that could be halted by this new order?

Under U.S. military doctrine — outlined in Cyberspace Operations Joint Publication 3-12 — offensive cyber operations are “missions intended to project power in and through foreign cyberspace” in support of combatant commanders or national objectives. This activity can include cyberattacks that target the cyber capabilities of an adversary or cause “carefully controlled cascading effects” in the physical realm — for example, to affect weapon systems, command-and-control capabilities, or logistical operations. These are the kinds of actions the U.S. is likely not doing against Russia because they would mean the U.S. is directly involved in the conflict – though it's possible the U.S. has provided Ukraine with information about vulnerabilities in Russian systems that could help it conduct such operations on its own.

But more likely the offensive operations the U.S. has been doing are cyber exploitation missions — these are operations to collect intelligence and to conduct other actions that do not create "effects” but may help prepare for future military operations that do produce effects. This could be reconnaissance, for example, aimed at mapping computer systems and architecture or probing systems to uncover vulnerabilities that might be used in a cyberattack against Russia. The operations could also include attacks intended to have an effect on Russian systems, without actually damaging them now.

I mentioned an example in my 2022 story. If Russia, for example, tried to undermine Ukrainian morale through information operations, the U.S. could conduct a cyber operation to thwart Russia's ability to send these messages. This wouldn't be a use of force, depending on the technique the U.S. used and the effect it had on Russian systems.

Gary Corn, general counsel for U.S. Cyber Command from 2014 to 2019 and now director of the Tech, Law and Security program at American University, also provided another example in that story. He described a situation in which Cyber Command might discover the username and password for a Russian administrator who is using a system to launch cyberattacks against Ukraine, and get into that system to change the password and lock Russian operators out of it.

“[S]o now you've... had a disruption effect, but you haven't done anything to harm the system whatsoever,” he said. “That’s eons away from destroying [or] causing damage that would begin to implicate use-of-force questions.”

A different source told me that a U.S. operation might also involve something more subtle, such as making sure that malware launched by Russia doesn’t work, either by manipulating the code on a Russian system before it's launched or doing something to block or divert the malware away from its intended target.

In its story, The Record suggested that Hegseth's stand-down order might impact so-called "hunt forward" operations conducted by the U.S. in support of Ukraine to help defend its networks. Hunt-forward operations are not "offensive" operations however. These involve threat-hunting activities inside U.S. government systems or inside the systems of a foreign government partner (such as Ukraine) to find hackers or evidence of a compromise in those networks. Such operations do not involve the U.S. hacking into Russian systems but they do provide Ukraine with an advantage.

U.S. Cyber Command operators worked in Kyiv alongside Ukrainian cyber defenders in the months preceding Russia's invasion of Ukraine, but since the war began, private companies like Cisco, Mandiant, Microsoft and Eset have largely taken over the role of helping to defend Ukrainian networks. So it's not clear to what extent Cyber Command is still active in helping Ukraine defend its networks. But if it were still doing this, it might halt its participation in this activity during negotiations to avoid angering Russia, even though these aren't offensive operations.

So as it stands now, we have U.S. Cyber Command halting some cyber operations against Russia temporarily, while the administration tries to launch negotiations over the war, and we have unanswered questions about whether CISA will alter the work it has been doing on Russian cyber threats or become less aggressive in pursuing those threats. Stay tuned. I'll update this story if more information becomes available.

See Also:

What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia

When Russia Helped the U.S. Nab Cybercriminals

Former NSA Hacker Describes Being Recruited for UAE Spy Program

The Spy Story that Spun a Tangled Web

Unmasking China’s State Hackers