
The United States has suspended offensive cyber efforts against Russia, according to a senior U.S. official. The official expressed concern over the suspension, claiming that it could make the U.S. more susceptible to cyberattacks from Russia.
For enterprises in the U.S., it is currently unclear how this halt in offensive operations may or may not affect them. However, many cyber experts assert that enterprises should remain alert.
Jason Soroko, Senior Fellow at Sectigo, states, “The pause in offensive cyber operations highlights the need for companies to double down on securing their supply chains, as adversaries will likely target any vulnerabilities, regardless of the origin.”
Below, more cyber leaders share their thoughts on this order and how organizations in the U.S. should respond.
Security leaders weigh in
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:
For those in industry, how the U.S. Government prioritizes its cyber activities should be a lower priority than how your organization prioritizes your cybersecurity risk management efforts. Nation-state actors are always a potential, though unlikely, risk for most businesses. From a software supply chain perspective, mitigating supplier and supplied product or service risks doesn’t really change. You still need to assess any risks posed due to outages and breaches, and your risks due to design and implementation risks within your supply chain remain largely consistent regardless of what the current nation-state cyber risk level might be.
Trey Ford, Chief Information Security Officer at Bugcrowd:
Pausing any operation, by definition, is an interruption to efforts with mountains of energy, investment, and human capital flow halted. Reconnaissance and operational monitoring are a continuous effort — where missed changes can have varying levels of impact to the mission. Changes in targets, shifts in infrastructure, or loss of access could lead to discovery or disruption of infrastructure.
In the civilian sense, my understanding is that CISA is not impacted by this order. I read this as an offensively focused order. CISA’s mission, as I understand it, is defensive in nature. Private sector operations are almost 100% defensive and responsive in posture, so our supply chain security efforts will not be interrupted. I do see this as a frustrating request for public sector offensive operations teams; however, this is a natural and expected request in diplomatic efforts.
Any cessation of CNA and CNE efforts is to be expected while diplomatic efforts are underway in the public sphere, and the hope is that those paused attack and exploitation efforts will be mirrored by our Russian counterparts. That said, all public and private sector defensive and monitoring capabilities will be operating at full speed, and we will all be watching closely for shifts from our counterparts.
John Bambenek, President at Bambenek Consulting:
Like any major gamble, it depends on if it pays off. For instance, if the end result months from now is significantly reduced ransomware hitting hospitals, then it will be seen as a big win. It will also depend on how long this guidance is in place. The good news is that it’s pretty immediate to rescind and go back to the status quo. Right now, it really depends on whether Russia views this as a “free hits” policy or they use it for diplomatic rapprochement.
In the short term, this doesn’t put even more pressure on security vendors to trace and report on Russia-based cyber operations. If this directive remains in place and Russia’s attack behavior doesn’t change (or gets worse), then absolutely commercial security vendors will need to pick up the slack here and, at least in the U.S., there are a great many civilian APT researchers, so we have the talent and tools to do so, even if unideal.
https://www.securitymagazine.com/articles/101438-cyber-operations-against-russia-halted-cyber-leaders-remain-alert