Why Hegseth’s ‘stand-down’ order on Russia is a grave mistake

An aerial view of the Pentagon, Washington, D.C., May 15, 2023. (DoD photo by U.S. Air Force Staff Sgt. John Wright)

COMMENTARY: On Friday, Feb. 28, The Record reported that Defense Secretary Pete Hegseth directed U.S. Cyber Command (CYBERCOM) to stop conducting offensive cyber operations against Russia. The news has since been picked up by most mainstream news organizations, as well as the tech press.

Based on the original report, it was unclear whether this directive would also apply to the National Security Agency (NSA). Even if it only applies to CYBERCOM, there are numerous reasons why this directive creates significant issues for national security. Having worked as a hacker at the NSA, I understand these issues better than most people.

Let’s start by addressing that it’s not at all clear how this directive benefits the U.S. or any of its allies. Before we continue, I’ve heard the arguments in favor of Hegseth’s directive. I’ve heard that this move will help normalize relations with Russia, with no explanations for how this would actually work.

I’ve also heard that it was originally negotiated behind closed doors as part of the Ukraine deal, although it’s entirely unclear why the U.S. would make such a concession in a deal between Ukraine and Russia. Some have assured me that Hegseth and the administration are playing “four-dimensional chess” and this will somehow reduce the number of ransomware attacks inflicted on U.S. organizations.

However, the ransomware explanation conveniently ignores the fact that not all ransomware groups operate from Russia. But even assuming they do, if CYBERCOM suspending attacks against Russia can cause ransomware attacks to stop, why does it take that? And doesn’t that automatically create a nexus between the Russian government and ransomware attacks on U.S. organizations?

Offensive cyber operations require prepositioning so they can deliver an effect when stakeholders demand, usually some sort of impact on system availability. This prepositioning isn’t something we can just turn on and off. Unlike many Department of Defense (DoD) capabilities that let the U.S. quickly project power anywhere in the world in a matter of hours, prepositioning to deliver a cyberattack in any given network can require months to even years of preparation. The largest part of prepositioning requires getting implants (backdoors) into position on systems, often deep inside target networks.

A major complication with the “stand-down” order: this prepositioning against Russia has certainly already been happening. Suspending operations presents some real challenges. While it’s a simple order, the execution is not. So, do we leave prepositioned implants in place in case the policy later gets reversed? Or do we remove them? Both options have issues, and they also have serious operational security risks.

If we decide to remove existing implants, this will necessarily create a flurry of CYBERCOM activity in Russian target networks. Unfortunately for CYBERCOM, this additional activity will come at a time when Russia has been actively looking for it. The cost to replace any implants and other cyber warfare tools compromised during this heightened activity gets measured in multiples of seven and eight figures. CYBERCOM tools are not commodity malware, and they aren’t priced like it either.

A possible alternative: leave implants in place, but this too comes with significant operational security risks. Unlike the previous situation where there’s a spike in activity, this would lead to a corresponding decrease in activity in Russian networks. With the types of sophisticated network monitoring Russian government targets likely have in place, it’s entirely possible to compare traffic patterns before and after Hegseth’s CYBERCOM stand-down order. This analysis could easily identify command-and-control (C2) traffic patterns, leading Russia to both our infrastructure and our implants.

Some also argue that NSA has not been impacted by the Hegseth order and will continue conducting signals intelligence (SIGINT) against Russia using offensive cyber operations. I remain optimistic that NSA’s activities will continue, but they come with complications. From an adversary’s perspective, it’s impossible to tell when an opponent uses a given system for intelligence collection, prepositioning for an offensive cyber operation, or some combination of the two. The last option involves milking the system for intelligence until it’s needed as a launch point for an attack, referred to as “delivering an effect.”

Discovery of implants left behind in Russian networks could trigger accusations that the U.S. government has not been holding to its promises, especially if Hegseth’s directive emerges as part of some larger deal with Russia.

People who think these accusations are far-fetched should consider U.S. messaging on Volt Typhoon, a Chinese-linked group. After a number of Chinese implants were discovered in critical infrastructure networks in Guam last year, CISA reported that: “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations.”

Of course, it’s just an assessment, and one that Russia would likely make if it found implants in its networks that it attributed to the U.S. It’s exceedingly unlikely that Russia would split hairs between prepositioning and planning for attacks conducted by CYBERCOM and intelligence gathering (SIGINT) activity performed by NSA. To be fair to Russia (and this is the only time I’ll say that), it’s frankly impossible for them to distinguish these activities with any certainty in the vast majority of cases.

As if all this wasn’t enough to explain why Hegseth’s directive represents a grave mistake, there’s also the question of how it impacts our relationships with our intelligence-sharing partners. The U.S. maintains a formal intelligence partnering relationship with the other English-speaking nations of the world (U.S., UK, Canada, Australia, and New Zealand), commonly referred to as “Five Eyes.” Sharing signals intelligence gained through passive collection, such as intercepting radio broadcasts, always presents complications. Cyber operations are active intelligence collection, increasing the risks of collaboration.

Given British Prime Minister Keir Starmer’s embrace of Zelensky following Vice President J.D. Vance’s frankly embarrassing ambush in the Oval Office, it’s clear that at least the UK isn’t aligned with the U.S.’s position on Russia. If the U.S., by far the largest member of the Five Eyes, stands down against Russian threat actors, but the rest of the Five Eyes do not, we are in uncharted territory.

How could the rest of the Five Eyes partners fully trust the U.S. with information relevant to their own cyberattack planning and prepositioning? Could they? These are not hypothetical questions — partners must carefully coordinate cyber operations to ensure that the actions of one partner don’t inadvertently cause another to get exposed. The likely outcome of Hegseth’s directive: the end of Five Eyes coordination in offensive cyber operations in Russia, with likely ripple effects in other critical target areas.

I could write entire books about why it’s impossible to implement Hegseth’s directive without substantial second- and third-order effects that will hurt America’s national security. Hegseth doubtless has people in his own orbit bending his ear about why this directive makes no sense.

For all our sakes, I hope he starts listening to them.

Jake Williams (@MalwareJake), IANS faculty member

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.