
Christopher Whyte, CSO contributor

The risks of standing down: Why halting US cyber ops against Russia erodes deterrence

Opinion
06 Mar 2025, 8 mins
Advanced Persistent Threats, CSO and CISO, Threat and Vulnerability Management

The threat from Russian bad actors is real; if the US government is halting offensive operations, it may fall to the private sector to take up the cause of disruption, argues Christopher Whyte.


The recent order directing US Cyber Command to halt all planning of offensive cyber operations against Russia is more than a tactical shift — it is an outright retreat from deterrence at a time when Russian cyber aggression shows no signs of slowing.

In an era where cyber conflict is constant and adversaries push boundaries wherever they sense weakness, this decision signals to Russian hackers, intelligence services, and affiliated criminal groups that the US is no longer actively contesting their operations.

Cyber deterrence is not theoretical; it is a tangible outcome of the threat, both real and perceived, of American cyber power. It is what prevents Russian ransomware gangs from paralyzing US infrastructure with impunity and what stops state-sponsored hackers from breaching energy grids or election systems.

By stepping back from active cyber planning against Russia, the US risks giving adversaries exactly what they want: fewer obstacles, less pressure, and more freedom to escalate their cyber operations. The loss of federal pressure also means something new for Western private industry: breathing space in which Russia can more fully evolve its interference toolkit.

Cyber deterrence plays a practical role in defense

For years, US Cyber Command has relied on persistent engagement to keep adversaries off balance. This strategy does not simply wait for cyberattacks to happen; it actively works to degrade adversarial capabilities before they can strike. Since 2018, this is what deterrence has looked like in cyberspace: not a Cold War-style standoff but a continuous effort to make cyber operations against the US harder, costlier, and less effective.

Recent history shows how this approach works. In 2018, US cyber forces took direct action against Russia’s Internet Research Agency, disrupting its disinformation operations during the midterm elections. In 2020, Cyber Command and private-sector partners dismantled the TrickBot botnet, a key enabler of Russian ransomware and espionage campaigns.

Similarly, the campaign against the Russian ransomware group REvil in 2021 significantly reduced the group’s ability to launch disruptive attacks on US businesses. Each of these actions imposed real costs on Russian cyber actors, forcing them to rebuild infrastructure, rethink strategies, and hesitate before launching new operations. Ongoing operations in Ukraine by US and aligned hunt-forward teams extend this effect.

Halting offensive planning removes this critical pressure. It gives Russian cyber units and affiliated criminals breathing room they have not had in years, allowing them to refine techniques, develop new attack vectors, and prepare more aggressive campaigns. This is not speculation; it is how adversaries operate. Cyber campaigns are iterative, and when the pressure on an attacker eases, attacks increase.

How Russia will exploit US inaction

Moscow has never treated cyberspace as a domain of restraint in the way successive US administrations have. For decades it has used cyber operations and influence campaigns to disrupt elections, cripple infrastructure, steal sensitive data, and destabilize Western institutions. With the US now showing every sign of easing its pushback against such activity, we should expect an acceleration in three key threat areas.

First, we will almost certainly see increased critical infrastructure targeting. Russia has repeatedly demonstrated a willingness to sabotage power grids, industrial systems, and supply chains. A decade ago, in December 2015, a Russian attack on Ukraine's power grid cut electricity to roughly 230,000 customers.

The US has so far avoided a comparable large-scale attack, but if Russian cyber operatives believe they no longer face offensive retaliation, they may be emboldened to escalate their probing of US energy, water, and transportation systems, mirroring the pre-positioning in US critical infrastructure recently attributed to China's Volt Typhoon.

Second, we should expect escalating Russian ransomware and other criminal activity. Russian ransomware groups have long functioned as de facto cyber mercenaries, generating billions in illicit profits while undermining Western businesses and public services in ways that align with Moscow's political interests.

Groups like LockBit and Conti have been weakened by law enforcement crackdowns and US disruption efforts, but with the US pulling back we should expect these actors and their successors to reorganize and intensify attacks. Schools, hospitals, and corporations could once again find themselves at the mercy of ransomware operators who no longer fear US disruption efforts.

Finally, it seems certain that the next few years will be characterized by expanding cyber-economic and influence warfare operations. If US Cyber Command is not planning countermeasures against Russian state-sponsored cyber campaigns, Russia’s intelligence agencies will take full advantage. Increases in supply-chain attacks, phishing campaigns against government and corporate networks, and covert data exfiltration from technology and defense sectors seem inevitable.

Likewise, the online disinformation apparatus that has long targeted US elections may become more aggressive in the absence of active counter-operations, and amid the ascendance of President Trump's disruptive narrative politicking.

In short, Russian cyber actors always test the limits of what they can get away with. But, by removing offensive cyber planning from the equation, the US forfeits the opportunity to shape adversary behavior and thus actively invites escalation and threat evolution.

Private-sector leadership: Is alternative deterrence possible?

If the present US government won’t lead in cyber deterrence, the private sector must obviously take up the mantle. Security executives, CISOs, and industry leaders must assume that Russian cyber actors will grow more aggressive — not to mention willing to experiment — in the coming months and prepare accordingly.

While private companies do not have the authority to launch offensive cyber operations, they can still implement alternative deterrence mechanisms that raise the cost of cyber aggression and reduce the rewards for attackers.

At the higher end, large enterprises should expand active cyber defense strategies, including deception technologies, adversary engagement tools, and more aggressive intelligence sharing. Deploying cyber deception tactics (honey tokens, canary files, decoy systems, and the like) forces adversaries to expend greater resources on reconnaissance, increasing their risk of exposure and failure. By embedding deceptive elements within networks, companies can slow Russian hackers down, disrupt their tradecraft, and create uncertainty about which targets and credentials are real.

Private-sector players should also prioritize any opportunity that takes them beyond siloed security efforts. Cross-industry intelligence-sharing alliances should go beyond reporting indicators of compromise and instead coordinate active threat hunting and joint mitigation efforts.

The private sector has already shown it can operate at this level: Microsoft and Google have taken down both state-backed and criminal infrastructure in the past. Now, security teams must formalize joint response frameworks that can neutralize threats before they escalate into major breaches.

At the same time, while private-sector actors cannot legally conduct retaliatory cyber operations, they can work within existing legal and technical frameworks to disrupt adversary infrastructure.

This includes:

  1. Aggressively dismantling command-and-control servers used by known Russian malware through legal takedowns, sinkholing, and court orders;
  2. Deploying synthetic environments to lure and exhaust adversary resources, forcing them to waste time and effort on decoys; and
  3. Leveraging AI-driven threat analysis to turn known adversary tactics, techniques, and procedures into detections and blocks before those TTPs are used against the organization.

Finally, if deterrence through retaliation is off the table, then the only alternative is deterrence by denial: making successful attacks so difficult and costly that adversaries are discouraged from trying. This reaffirms the need for more than the basics of cyber defense as an industry-wide standard, including, among other things:

  1. Implementing zero-trust security models to compartmentalize access and prevent large-scale breaches;
  2. Deploying automated response capabilities that can isolate and neutralize intrusions within minutes rather than hours or days; and
  3. Regularly running live-fire cyberattack simulations to stress-test defenses, specifically against Russian TTPs.
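The deception tactics described above (honey tokens and canary files) and the automated response capability in the list above fit together naturally: a decoy credential has no legitimate use, so any sighting of it is a high-confidence signal that can safely drive an automatic containment step. The following is an added example, not code from the article or from any product it mentions. It derives decoy credentials from a per-deployment seed, renders a "forgotten" config file to plant them in, scans constructed log lines for any use of them, and produces the containment actions a responder would run. The log format, hostnames, addresses, seed and response actions are all assumptions constructed for the example.

```python
"""Honey tokens with alerting and automated containment.

Added example, not code from the article or any product it mentions.
Decoy credentials have no legitimate use anywhere, so any sighting of them
in logs is treated as an intrusion and turned into containment steps.
Log format, hostnames, addresses, seed and actions are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed auth-log format: "<ts> auth host=<h> src=<ip> user=<u> result=<r>"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)"
)

@dataclass(frozen=True)
class HoneyToken:
    username: str    # decoy account: must not exist as a real principal
    secret: str      # decoy password/API key: never valid anywhere
    planted_at: str  # where it was left, so the alert says what was read

def make_token(label: str, planted_at: str, seed: bytes) -> HoneyToken:
    """Derive a decoy username/secret from a per-deployment seed.

    HMAC derivation lets the detector recompute the token set from the seed
    alone, so decoy secrets never have to be stored next to the logs.
    """
    digest = hmac.new(seed, label.encode(), hashlib.sha256).hexdigest()
    return HoneyToken(f"svc-{label}-{digest[:6]}", digest[6:38], planted_at)

def render_decoy_config(token: HoneyToken) -> str:
    # A "forgotten" service-account config to leave where an intruder will look.
    return (
        "# legacy backup agent config (constructed decoy)\n"
        f"BACKUP_USER={token.username}\n"
        f"BACKUP_PASSWORD={token.secret}\n"
        "BACKUP_HOST=backup01.corp.example\n"
    )

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    token: HoneyToken
    reason: str

def _field(line: str, name: str) -> str:
    m = re.search(rf"\b{name}=(\S+)", line)
    return m.group(1) if m else "unknown"

def detect(log_lines, tokens):
    """One Alert per line that touches a honey token: an auth attempt (success
    or failure) as a decoy account, or a decoy secret appearing anywhere."""
    by_user = {t.username: t for t in tokens}
    alerts = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if m and m["user"] in by_user:
            alerts.append(Alert(m["ts"], m["src"], m["host"],
                                by_user[m["user"]], "decoy account used"))
            continue
        for t in tokens:
            if t.secret in line:  # e.g. leaked into a URL of a non-auth log
                alerts.append(Alert(line.split(" ", 1)[0], _field(line, "src"),
                                    _field(line, "host"), t, "decoy secret seen"))
                break
    return alerts

def containment_plan(alerts):
    """Automated response: isolate each offending source once, keep evidence.
    Simulated: returns the actions instead of calling an EDR or firewall API."""
    plan, seen = [], set()
    for a in alerts:
        if a.src == "unknown" or a.src in seen:
            continue
        seen.add(a.src)
        plan += [("isolate", a.src), ("preserve-evidence", a.host)]
    return plan

SEED = b"per-deployment-seed-from-secrets-manager"  # assumption: kept out of the log pipeline
TOKENS = [
    make_token("backup", "/etc/backup-agent.conf on fs01", SEED),
    make_token("migrate", "migration notes in the wiki export", SEED),
]
SAMPLE_LOGS = [  # constructed: one source reuses the decoy account, another the decoy key
    "2025-03-06T10:11:58Z auth host=fs01 src=10.20.30.40 user=alice result=ok",
    f"2025-03-06T10:12:01Z auth host=db02 src=10.20.30.40 user={TOKENS[0].username} result=failed",
    f"2025-03-06T10:12:09Z auth host=db02 src=10.20.30.40 user={TOKENS[0].username} result=failed",
    "2025-03-06T10:13:44Z auth host=vpn01 src=198.51.100.7 user=bob result=ok",
    f"2025-03-06T10:15:02Z http host=api01 src=198.51.100.7 path=/v1/export?key={TOKENS[1].secret} status=401",
]

if __name__ == "__main__":
    alerts = detect(SAMPLE_LOGS, TOKENS)
    for a in alerts:
        print(f"{a.ts} {a.reason}: {a.token.username} from {a.src} on {a.host} (planted at {a.token.planted_at})")
    for action, target in containment_plan(alerts):
        print(f"response: {action} {target}")
```

Two design points matter in practice. The decoy account must never be created as a real principal and the decoy secret must never be accepted anywhere, otherwise the token stops being a pure tripwire and becomes an attack surface; the alert fires on failed attempts precisely because a real user would never try that name at all. And the seed is the only thing that has to stay secret, so it belongs in a secrets manager, not in the detection pipeline or the log store, where an intruder who has already read the decoy config might also find it.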

Deterrence must continue, with or without government support

Halting offensive cyber planning against Russia does not de-escalate tensions—it creates an opening for adversaries to exploit. Security professionals across government and industry must recognize that Russia will take advantage of this policy shift to ramp up cyber operations. While the US government’s decision may remove what many see as the country’s primary tool of deterrence, it does not remove the necessity of deterrence itself.

If government leadership is unwilling to act, private industry and security professionals must develop their own deterrence strategies. Active cyber defense, intelligence collaboration, preemptive disruption, and resilience-driven deterrence are not just theoretical responses; they are now essential survival strategies. The cybersecurity community must not wait for the next wave of Russian cyber aggression, because it is already on the way.