
MSSPs to Feel Impact of Trump Halting US Cyber Operations Vs. Russia


The Trump administration reportedly is ordering the Department of Defense (DoD) and CISA to stop offensive cyber operations against Russia in a move that will not only reverberate through the cybersecurity industry but ripple into the MSSP community.

Defense Secretary Pete Hegseth over the weekend ordered the U.S. Cyber Command to halt both offensive cyber programs aimed at Russia and investigations into the country’s own operations. At the same time, reports surfaced that CISA officials were given new directions to protect U.S. interests against China’s cyber capabilities but didn’t mention Russia.

In addition, in a recent United States speech, Liesyl Franz, deputy assistant secretary for international cybersecurity at the State Department, said the administration was concerned about the cyberthreat posed by China and Iran but, again, didn’t mention Russia.

The moves represent a marked shift in U.S. policy regarding Russia, which previous presidential administrations have viewed for decades as the top foreign adversary. The Biden administration viewed Russia as a significant threat to the United States in cyberspace, along with China, Iran, and North Korea, and pushed programs and executive orders designed to harden U.S. cyber protections.

It accused Russia of cyber intrusions that threatened U.S. government agencies and critical infrastructure environments.

Cybersecurity Community Weighs In

No reasons were given for the Trump administration's decisions, though there was some thought that they were related to ongoing negotiations to end Russia’s war against neighboring Ukraine. Still, there was pushback by some in the cybersecurity and tech industry.

Speaking to the Guardian, James Lewis, a veteran cyber expert formerly of the Center for Strategic and International Studies think tank in Washington, said, “It’s delusional to think this will turn Russia and the FSB into our friends. They hate the U.S. and are still mad about losing the Cold War. Pretending otherwise won’t change this.”

Jack Gold, principal analyst with J. Gold Associates, wrote on LinkedIn that “with all of the cyberthreats coming in from around the world, and especially from our adversaries, this is basically not only leaving the doors unlocked but leaving the doors wide open and putting out a welcome mat! Security will suffer!”

In another LinkedIn post, Grant Geyer, chief strategy officer at Claroty, an industrial security platform vendor, wrote that “given that Russia has targeted critical infrastructure, U.S. elections, and provides safe haven to ransomware groups that have impacted the U.S. economy and have literally led to loss of life, this move by the administration is insulting to the American public, reckless, and nonsensical.”

MSSPs Won't Go Untouched

MSSPs will feel the impact, including by the effect the decisions will have on threat intelligence organizations they rely on, according to some cybersecurity pros.

“MSSPs are absolutely reliant upon various threat intelligence sources, many of which leverage available government cybersecurity resources,” Chris Gray, field CTO at managed security platform vendor Deepwatch, told MSSP Alert. “Much of this impact would be second-hand and downstream, as numerous other threat intel sources are in place to provide needed information. The MSSPs would suffer from a lack of intelligence that these providers were affected by.”

Gray added that “such organizations have their own adversarial threat and tactics teams, so the impact might be significantly blunted.”

That trickle-down of government-generated threat intelligence through the private sector and the work commercial security vendors do themselves likely will blunt the impact on MSSPs to a degree. John Bambenek, president of Bambenek Consulting, said MSSPs are more concerned about the tactics threat adversaries are using and how to protect their customers.

“CISA, from time to time, does give this kind of guidance,” Bambenek told MSSP Alert. “The big question is whether the government can still produce defensive guidance and comply with these new directives.”

Commercial Vendors Will Fill the Void

However, in most instances in the civilian sector, most of the threat intelligence comes from commercial vendors.

“For MSSPs with government customers, they’d likely have access to classified information to protect their constituents,” he said. “I sincerely doubt any civilian cybersecurity vendor is going to be changing their research focus. Not until the behavior of threat actors changes.”

The private sector’s relationship with the government regarding information sharing has been strained historically, with commercial firms sending information and tactics, techniques, and procedures (TTPs) of bad actors to agencies and little coming back, aside from major takedowns of threat groups or communications about tips for keeping protected, according to Bugcrowd CISO Trey Ford.

“The promise of MSSPs is in their offering of a force multiplication level of visibility, detection, and alerting thanks to their monitoring across a variety of organizational targets, systems, and surface area,” Ford told MSSP Alert. “I see no change in private sector MSSP offerings. The shift created by this order is focused on offensive operations to a portion of the U.S. cyber capability. MSSPs will continue to drive defensive-focused monitoring and responsive capabilities and should continue to prioritize monitoring on Russian TTPs.”

Bambenek said that, with the United States’s change in its stance regarding Russia, it’s unlikely that threat actors will significantly change their tactics or behaviors, though they may feel they have immunity to ramp up their attacks.

Given that, “the defenses [from commercial security vendors and MSSPs] that worked last week will still work this week,” he said. “Over the long term, however, if this guidance remains in effect, it will put the pressure on civilian cybersecurity vendors to research these threats and come up with countermeasures.”
