Threat Intelligence / OSINT / NETSEC / NATSEC

Trump Administration's Cyber Command and CISA and Russian Operations

In recent days, the world has been shaken by the argument in the Oval Office between Donald Trump and Volodymyr Zelensky, which may signal a radical change in the direction of US policy towards Ukraine. A sharp exchange of words does not always translate into the outcome of negotiations, but journalists report that two disturbing changes have already occurred in the cyber sphere. The Record reported that Defense Secretary Pete Hegseth has ordered Cyber Command to cease operations against Russia. Meanwhile, according to The Guardian, CISA is abandoning its monitoring of Russian activity, as Russia is no longer perceived as a threat to the US. Naturally, for most of the infosec community, such changes are a big shock. The scale of Russian group activity is widely known; both private companies and government agencies have published many reports over the years describing the intelligence-gathering and destructive sides of these operations. We can mention, for example, the intrusion into the Democratic Party's networks before the 2016 US elections, the attack on the Olympic Games, or the activities of Sandworm. It is all the more shocking that a country so active in cyber operations can lose its priority place on the threat list. Discussing the reasons for this state of affairs is a topic for a separate post, or a whole series of them. Here, let us focus on the consequences and significance of these events.

Let's start with Cyber Command and the decision to suspend operations against Russia. According to The Record, Pete Hegseth ordered the cessation of planning operations against the Russian Federation, including offensive cyber operations. The guidelines are to cover only Cyber Command and not affect the NSA's SIGINT activities. The Record's journalists also indicate that the full scope of the guidelines is not known: specifically, whether they apply strictly to units conducting offensive operations or also to intelligence analysis and to pre-positioning for offensive operations, such as preparing tools and capabilities. And here we come to the heart of the problem, namely how harmful this move can be to US operations in cyberspace. One of the biggest difficulties with cyber operations is how much they depend on thorough preparation. Gaining access to a target's environment and maintaining long-term access that translates into effective data collection often requires many months of work, including reconnaissance and a thorough understanding of the technologies in use and the topology of the network.

In the case of offensive operations intended to result in, for example, the disruption of communications or the interruption of power supply, the situation becomes even more complicated. Attackers must not only gain access to the infrastructure but also understand how the telecommunications networks or industrial processes work, and how the engineers operating them behave. That is why Stuxnet or Trisis are such complex programs. In addition to standard malware functionality such as evading detection or surviving system restarts, they had to interact precisely with the software controlling industrial devices in order to achieve the intended effect. At the same time, they could not arouse the premature interest of system operators or cause the entire facility to fail. Carrying out such actions is simply not possible without months or even years of planning, which means that the US is now effectively losing the ability to conduct offensive operations, e.g. in response to hostile Russian actions or as an element of pressure within the negotiations to end the war in Ukraine.

It is not entirely clear whether the cessation of planning also includes the withdrawal of capabilities already deployed, such as implants placed in strategic systems. In either case, however, this situation sets American capabilities back by years. If the implants are left without further action, such as replacement or updating, they will probably eventually be discovered, which will have consequences both for operational security and for future attempts to gain access. The adversary will be able to analyze their code and the artifacts they leave behind, and post-compromise forensic analysis may also reveal the initial access method or the C2 infrastructure. Withdrawing the implants, on the other hand, means returning to square one in terms of operational options and wasting years of man-hours devoted to planning, selecting targets, analyzing the effects of attacks, and preparing scenarios for use in the event of a need to exert pressure, respond to an attack, or an open conflict with NATO.

Interestingly, a campaign aimed at preparing the ground for potential offensive operations recently gained wide publicity. I am of course talking about Volt Typhoon and how, since 2021, it has been targeting telecommunications and energy infrastructure in the United States, in particular on the island of Guam. Its scale, the number of measures used to conceal traces of the intrusion, and the way its C2 infrastructure was built are a good illustration of how complex the preparations for offensive operations are. We can point, for example, to the C2 infrastructure built on a network of compromised consumer network devices, or to the strong emphasis on using only built-in system tools (living off the land) when moving around the environment. Considering that the campaign is still ongoing and assuming a dozen or so months of preparation, we are looking at a project of over five years aimed at a specific region and intended to pursue a strictly defined goal. Multiplying such an operation by the number of objectives that the US armed forces would want to achieve during a conflict, we can imagine the scale of the lost opportunities.

As for CISA and its alleged cessation of treating Russia as a source of threats, the matter is equally serious. For the sake of formality, let us note that shortly after The Guardian's publication, the Trump administration denied the existence of a memo changing the scope of CISA's focus and stated that CISA would continue to address all threats. But what if the information obtained by The Guardian is true? Here, too, a number of problems arise. First of all, "tracking Russian groups" is easy only in the marketing materials of threat intelligence providers. In practice, attribution occurs only at the very end of the analytical process, when we have enough data to assign an activity to a given group with at least moderate confidence.

So how would such guidelines be applied in practice? Should analysts abandon tracking a group once it is attributed to Russia? What about artifacts and indicators that have already been disseminated among cybersecurity teams, for example via Automated Indicator Sharing? At the level of analytical methodology, orders to avoid Russian activity will almost certainly create a tendency to assign groups that the analyst finds more interesting to other countries, or to leave attribution unspecified so as not to have to abandon the investigation. False flag operations will become an even bigger problem, as other countries gain an obvious motive to impersonate Russian groups. And what exactly is the scope of "Russian activity"? Does it include criminal groups operating from Russian territory with the state's implicit consent? After all, this is how many ransomware groups operate, evading arrest precisely because they are out of reach of Western jurisdictions.

As we can see, there are many unknowns. One thing is certain, however: both of these changes will negatively affect the US ability to counter Russian activity in cyberspace. And since the US is part of NATO, this translates into lower capabilities for the entire alliance. Let's imagine that Russia begins to test the possibility of sending sabotage teams into the Baltic countries: the inability of Cyber Command to respond with operations below the threshold of war significantly limits the range of options. And from the perspective of the systemic resilience of critical infrastructure, the changes at CISA will narrow visibility into hostile activity and make analysts' work more difficult. It is difficult to find any practical arguments for such a change in attitude. And it is frightening to think what ultimately led to these decisions.
