Amongst the steps taken by the new US Administration, one news item is noteworthy for anyone interested in cybersecurity, cyber operations, and Russia: an order by US Secretary of Defense (SecDef) Pete Hegseth resulting in (depending on the definition) a standdown, pause, suspension, stop, or halt of the Pentagon’s (offensive) cyber operations against the Kremlin.
While headlines vary, the primary message suggests a strategic shift in US cyber power projection, potentially scaling back its cyber posture against Russia. This move could, at first glance, mark a watershed moment in cyber conflict history and grant Russia—and other adversarial states like China, North Korea, and Iran—greater freedom of manoeuvre in cyberspace.
Before drawing conclusions about the risks to global cyber stability, especially with some sources noting “Putin being on the inside now”, it is essential to clarify which capabilities and entities this decision affects, as well as to assess any possible implications for NATO, allies in Europe, and their cyber postures.
US Unmatched Capabilities
First, the US’ cyber capability—spanning military (U.S. Cyber Command’s Cyber National Mission Force and Cyber Mission Force), intelligence (CIA, FBI, NSA), and civilian agencies (like the Cybersecurity and Infrastructure Security Agency, CISA, under DHS)—is unmatched among Allies and rivals alike, except perhaps China. Reports suggesting that the SecDef’s decision means manpower cuts in the thousands highlight both the vast scale and scope of US cyber operations, though the full extent of the (digital) operational theatre remains difficult to quantify.
Second, the US Cyber Command (USCC) falls directly under the SecDef’s chain of command. Its establishment in 2010 marked a turning point, integrating cyber defence into military command structures—years before European Allies followed suit. The Netherlands signalled relevant intent in its 2013 strategy, and Estonia formally launched its Cyber Command in 2018, despite having earlier capabilities. Even today, there is no standardised model for national cyber commands, with each country adopting its own approach.
To date, the USCC has remained under a dual-hatted command together with the National Security Agency, where one person (currently General Timothy D Haugh) is simultaneously Commander of the USCC, Director of the National Security Agency, and Chief of the Central Security Service therein. The USCC’s posture was in fact strengthened when the previous Trump Administration raised its status from a division to a unified military command in 2017. It has also been anticipated by academics as well as the media that the ‘defending forward’ capability and offensive cyber operations would likely be kept or even expanded under the current Administration.[1]
Third, there is the purpose of having an offensive cyber operations capability. The USCC’s initial objectives were “first, to protect U.S. and Allied freedom of action in cyberspace” and “second, when directed, to deny freedom of action in cyberspace for our adversaries.” In other words, having the respective capability as “America’s first line of defence” is necessary for defending the national interest in cyberspace, whilst offensive cyber operations are its essential element. Although nations once avoided openly acknowledging such capabilities in their cyber strategies, this stance has gradually shifted as offensive operations have become more mainstream, though they remain highly clandestine.
Deciphering the Order
There has been a bit of a fog of war as to who in the US cyber security and defence ecosystem does what and whom the SecDef’s decision concerns. The main narrative revolves around suspending operations and planning for offensive cyber operations, yet does not specify what this means in practice.
It is actually “not unusual to pause operations.” Rather, what makes the story striking is the overall context of the new Administration’s counter-intuitive warming of relations with Russia, which has been waging its war of aggression against Ukraine despite the US support the latter has hitherto received. It likewise goes against common sense: Russia maintains the capability, the will, and the habit of attacking the US via cyberspace to steal information and data about its capabilities, conduct influence operations, target its critical infrastructure, meddle with elections, extort businesses, etc. The USCC is seen as the one capability that can both deter Russia and collect information on it. Adding to these concerns are recent US policy shifts, including statements at the UN that downplay Russia as a national security threat.
Deception is inherent in cyberspace operations, but according to The Record, there is no denying that SecDef’s order is valid and will remain in force, particularly in the Russia-Ukraine context.[2] A risk assessment is underway, though its details remain unclear. A standdown could mean dismantling offensive cyberinfrastructure, withdrawing from infiltrated networks, or re-assigning personnel to non-Russian targets. It is also possible that the USCC and other US cyber assets, including those at U.S. European Command, may be required to halt support for Ukraine’s cyber forces.
CISA will reportedly maintain its operations, with the agency confirming no change in its posture toward Russia. This ensures continued protection of US critical infrastructure and no expected shifts in information-sharing efforts, such as updates to the Known Exploited Vulnerabilities catalogue or the CISA International Strategic Plan. Additionally, the SecDef’s order does not apply to the NSA or its signals intelligence operations against Russia, despite the USCC and NSA sharing a commander, General Haugh.
The Implications for NATO and US Allies
The Alliance has addressed the strengthening of cyber defence following Russia’s 2007 attacks on Estonia, and noticeable progress toward an operational NATO cyber command has been made recently. Today, it relies on two key organisations: the NATO Integrated Cyber Defence Centre (NICC) at the Supreme Headquarters Allied Powers Europe (SHAPE), staffed by Allies under a burden-sharing model, and the NCI Agency’s NATO Cyber Security Centre (NCSC), which employs its own personnel.
The US SecDef’s decision does not affect either’s mission, as NATO’s cyber roles and staffing require Alliance-wide consensus. While any Russia expert departing the USCC because of the order could benefit the NCSC, intelligence-sharing protocols inside NATO remain unchanged, and the US is not NATO’s sole cyber security provider. It is a different story, nevertheless, when it comes to Ukraine, where other recent US decisions, like the pause in sharing of intelligence with Ukraine, have encouraged Russia to intensify its aggression.
Potential impacts may arise in bilateral assistance. NATO’s cyber defence focus remains on protecting its networks, enhancing national resilience, and facilitating political consultation. In a crisis where an Ally faces cyber-induced collapse, NATO discussions would follow, but counter-offensive responses depend on capable nations—not a centralised NATO resource. Limiting such capabilities is in no one’s interest.
Finally, in the broader context, the SecDef’s decision should not be assessed independently of decisions in other parts of the US Government such as the cuts to the US commitment to the Tallinn Mechanism, a key international effort to bolster Ukraine’s civilian cyber capabilities, worth an estimated 100 million EUR.
Endnotes
[1] ‘Defending forward’ (also ‘hunt forward’) can broadly be interpreted as threat-hunting activities inside one’s own systems or inside foreign systems, dividing into partnership-based (i.e. legal) and intelligence activities, to find hackers or evidence of a compromise in those networks. System ownership-wise, however, it should be noted that already in 2011, most of the US military’s information was being transferred via privately owned commercial infrastructure.
[2] An interesting new development on the overall topic, however, has been the claim by the X user DOD Rapid Response (“the Official Rapid Response Account For The DOD” [Department of Defense], an account to support the mission of [SecDef] and fight against fake news that joined the platform only in February 2025) that said: “TO BE CLEAR: [SecDef] has neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority.”