Features 27.03.2025

What CISOs Should Fear From a US-Russia Détente

Donald Trump’s attempts at diplomacy could embolden Russian state hackers.

An end to hostilities in Ukraine may free up Russian resources to focus elsewhere. Phil Muncaster investigates how CISOs should prepare

The post-1945 rules-based order is in tatters. In its place is a “might-makes-right” world where great powers vie over spheres of influence. This new world order, ushered in by the 47th President of the United States, is one in which nothing is off the table, if a deal can be done. At the time of writing, this transactional style of diplomacy looks set to herald a chaotic period of geopolitics.

If the defense secretary’s order to stand down all US Cyber Command operations against Russia is a taste of things to come, should CISOs be concerned? The experts Assured Intelligence spoke to believe so.

The Pentagon stands down

The order from former Fox News presenter and new Pentagon boss, Pete Hegseth, apparently covers all offensive digital actions against Russia and lasts for the foreseeable future, although its scope is still unclear. Given the extent of Russian state-sponsored activity against US targets over recent years, and the growing threat from cybercrime groups operating from within its borders, the decision is breathtaking.

Russian state hackers were responsible for a major cyber-espionage operation that compromised at least nine US government departments via infected SolarWinds updates in 2020. They continue to probe relentlessly for further openings.

“Russia engages in malicious cyber activities to enable widespread cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries,” notes the US Cybersecurity and Infrastructure Security Agency (CISA).


Just as damaging are offensive cyber activities condoned by the Kremlin. The 2021 ransomware attack on Colonial Pipeline, attributed by the FBI to the Russia-based DarkSide group, led to petrol shortages up and down the east coast. And just a few months ago, the US authorities released evidence of sustained attacks on critical infrastructure by “pro-Russia cyber actors”. Many Russian cybercrime actors remain on US sanctions lists.

Reports at the time of Hegseth’s order suggest that CISA was also told to de-prioritise Russia. Although the agency responded that there had been “no change in our posture”, separate reports point to a dismantling of investigations into foreign influence operations which would benefit the Kremlin. A former NSA official has testified to Congress that the Trump administration’s attempts to fire probationary federal employees will be “devastating” for US cybersecurity.

The direction of travel seems clear. A State Department official’s speech at a United Nations working group on cybersecurity mentioned China and Iran but not Russia. And during an infamous Munich Security Conference speech, vice president JD Vance claimed that the biggest threat to Europe was not Russia, or China, but the “enemy within”. In his telling, this enemy is nations that supposedly suppress ‘free speech’ by shackling extremist political parties.

It’s not hard to see détente coming. Contrast Trump’s White House tirade against Ukrainian President Zelensky with the formal bilateral US-Russia negotiations in Saudi Arabia over the future of the country, conducted over the heads of Ukrainians. The US also took the remarkable step of voting with Russia against an EU-Ukrainian resolution condemning Russia on the third anniversary of its invasion.

Where do we go from here?

There are some reasons to be cautiously optimistic about what happens next. For one, the NSA is reportedly not included in the Pentagon order to stand down operations against Russia. The agency is widely believed to have been involved in the infamous, and highly sophisticated, Stuxnet campaign that disrupted Iran’s nuclear programme and came to light in 2010. So there is theoretically still some firepower to draw on. It’s also unclear just how easily all US Cyber Command operations could simply be dropped.


“Certain cyber operations are conducted in strict secrecy and there is no central register or repository of such operations for obvious reasons. Even the director of an agency may be unaware of all of them,” says British Computer Society (BCS) fellow and cybersecurity expert Ilia Kolochenko. “Moreover, the very nature of some operations, like taking control of remote infrastructure to stealthily exfiltrate some data, simply cannot be stopped immediately without causing damage to the infrastructure in question or eventually exposing the entire operation.”

What Russia does next

However, the combination of a deal-making commander-in-chief, an inexperienced Cabinet, sidelined career diplomats and MAGA Kremlin sympathisers is a dream come true for Putin. The key to how this impacts CISOs going forward is how he will play his hand. If Trump and his team follow the US Cyber Command order with a relaxing of Russian sanctions and force a peace or ceasefire on Ukraine, it could have dangerous consequences for CISOs in the West.

Finnish security and intelligence service Supo warns that an end to the war will free up Russian resources to direct elsewhere.

“Russia is an aggressive, expansionist state that is prepared to use all means to achieve its political goals,” it notes in its annual report. “The end of the war in Ukraine will improve the ability of Russia to engage in hostile activity elsewhere in Europe as it pursues its political objectives by means both fair and foul.”

Experts agree that friendlier relations between the US and Russia will not make America or its nominal allies safer.


“Diplomacy won’t stop Russian cyber threats; it will just change the playbook. Expect fewer direct state attacks but more espionage, supply chain breaches, and AI-powered threats via cybercriminal proxies,” argues IANS Research faculty advisor and MongoDB interim CISO, George Gerchow. “With CISA cuts and shifting US cyber priorities, CISOs must assume critical infrastructure remains a top target.”

He’s also sceptical of any suggestion that détente may signal a long-term Russian policy shift on ransomware.

“Russia benefits from cybercriminals and will only crack down when convenient. AI is making ransomware more adaptive – automated reconnaissance, AI-written phishing, and real-time evasion are the next wave,” Gerchow tells Assured Intelligence.

“CISOs need to prepare for more sophisticated, scalable attacks. Russian ransomware groups like LockBit and Evil Corp continue to pose significant threats to critical infrastructure.”

Cobalt CISO, Andrew Obadiaru, largely agrees.

“Russia may use détente as a cover to expand intelligence-gathering operations under the guise of improved relations,” he tells Assured Intelligence. “But even if state-sponsored cyber attacks decline, ransomware groups and cybercriminals operating within Russia could continue their activities with less oversight and accountability.”

SecurityScorecard distinguished engineer, Jared Smith, also expresses scepticism about any possible Russian dialling down of cyber hostilities.

“There is little reason to believe that Russian-based cybercriminal and ransomware groups will stop targeting US and US-aligned countries and their private and public sector organisations,” he tells Assured Intelligence.

“For years, across multiple presidential administrations, Russia has maintained a ‘hands-off’ approach to non-state-affiliated threat actors operating within its borders. It is crucial that both public and private sector organisations maintain a strong cybersecurity posture. Continued vigilance and defensive measures remain essential regardless of potential shifts in international relations or diplomatic developments.”

CISOs beware

Against this backdrop, the only sensible CISO strategy is to stay the course rather than relax defences, according to Cobalt’s Obadiaru.

“Nation-state threats will persist, and new tactics may emerge. I would recommend CISOs stay vigilant, proactive and continue to collaborate with government agencies like CISA in identifying and evaluating cyber threats,” he argues. “While détente may ease geopolitical tensions, the cyber battlefield remains active, requiring constant preparedness and resilience.”


BCS fellow Kolochenko tells Assured Intelligence “the overall strategy must remain the same”, including “a zero trust architecture, multilayered defences, continuous security monitoring and security testing, dedicated incident response, robust third-party risk management, and ongoing cybersecurity training and awareness for all employees.”

IANS Research’s Gerchow also points to AI-powered security tooling, immutable backups, stronger OT protection and better industry intelligence sharing as key.

“Cyber threats from Russia, whether state-backed or criminal, aren’t going away, regardless of diplomacy. The best move for CISOs is to strengthen their organisation’s cyber resilience, assume threats will persist, and build security strategies that don’t depend on government intervention,” he concludes.

“AI-assisted nation-state attacks are also raising the stakes. CISOs must think faster, automate defences, and assume attacks will come from both human and machine-driven adversaries.”
