In a significant policy reversal, U.S. Cyber Command has been ordered to halt all planning against Russia, including offensive digital actions, under the direction of Defense Secretary Pete Hegseth. This shift marks a dramatic change from the last decade, where Russia was consistently viewed as one of the top cybersecurity threats. According to reports from cybersecurity outlet The Record, three anonymous sources familiar with the situation confirmed the order, which reportedly does not affect the National Security Agency. As recent memos circulated within the Cybersecurity and Infrastructure Security Agency indicated new priorities, they notably omitted any mention of Russian threats, focusing instead on threats from China and other adversaries. Sources expressed concerns that the U.S. may be vulnerable, with one stating, “People are saying Russia is winning.” Meanwhile, the new Director of National Intelligence, Tulsi Gabbard, recently dismissed around 100 employees from the National Security Agency for misconduct, further complicating the landscape of U.S. cybersecurity efforts.
The Cybersecurity and Infrastructure Security Agency, known as CISA, has denied recent reports suggesting changes to its approach regarding cyber threats from Russia. CISA reaffirmed its commitment to defending against all cyber threats to U.S. critical infrastructure, stating that any claims to the contrary are false and jeopardize national security. This comes after allegations from The Guardian that CISA analysts were instructed not to report on Russian threats, which CISA refuted. Additionally, a memo cited by The Guardian reportedly lacked mention of Russian cyber threats. Concerns have also been raised regarding a recent order from Defense Secretary Pete Hegseth for the U.S. Cyber Command to halt planning against Russia, although this directive does not apply to the National Security Agency and is said to be temporary. Lawmakers from both parties have reacted strongly, with Senate Minority Leader Chuck Schumer criticizing the administration for potentially weakening the nation’s cyber defenses against Russia amidst ongoing ransomware attacks attributed to Russian cybercriminals.
The founder of the National Society of IT Solution Providers, Karl Palachuk, voiced strong objections to recent changes made by the Trump administration to the Cybersecurity and Infrastructure Security Agency, or CISA. Speaking at the XChange March 2025 event in Orlando, Florida, Palachuk emphasized four critical requests: to reinstate CISA advisory committees, limit cuts to CISA that ensure user security, maintain the agency’s focus on client safety, and prevent the transfer of CISA responsibilities to the Department of Transportation. Palachuk warned that the changes could compromise the security of technology users. He also highlighted the growing inevitability of federal and state regulations for solution providers, stating that current oversight is minimal. He urged industry participants to engage in the legislative process, suggesting that clearer guidelines are necessary for Managed Service Providers and Managed Security Service Providers. Palachuk noted that about twenty states have already implemented privacy regulations impacting solution providers and their customers. He anticipates further regulations in the future, particularly regarding consumer rights in the era of artificial intelligence.
Why do we care?
I think Karl spelled out why we care – this all impacts the cybersecurity of customers. Consider for a moment this. You want to secure your customers… not sell them more tools. This is real balance to trike. If federal policy shifts away from prioritizing Russian cyber threats, the industry may have to adapt independently.
From an IT service provider’s perspective, the implications are twofold. First, if the government deprioritizes certain threats, MSPs and MSSPs may have to step in and fill the gap. Russian cybercriminal groups remain highly active, and if federal agencies scale back focus, private sector defenses become even more critical. Second, regulatory changes are coming, whether solution providers are ready or not. Palachuk is right—state-level privacy laws are already in play, and more are inevitable.
So, what’s the takeaway? If you’re an IT service provider, be proactive. Stay ahead of threats regardless of shifting government priorities, and engage with legislative processes that will shape how you do business. The days of passive compliance are over—security and regulation are becoming defining factors in IT services.