Shock: US No Longer Sees Russia as a Cybersecurity Threat

Robbert Hoeffnagel
13 March 2025


BLOG – After the United States sided with Russia in a UN Security Council vote—going against its own allies—the Western world was hit with another blow this weekend: the Trump administration has instructed CISA (Cybersecurity & Infrastructure Security Agency) to no longer consider Russia a cybersecurity threat. The reactions to this decision have been strong.

“Putin is on the inside now,” said a source familiar with the sudden shift in US policy, speaking to The Guardian. This comment followed an order from US Secretary of Defense Pete Hegseth last week, instructing US Cyber Command to halt all plans against Russia, including offensive digital operations. The news—confirmed by three anonymous sources to The Record—raises serious questions about not only the US’s reliability as a partner but also the security and trustworthiness of American tech infrastructure.

The directive reportedly does not apply to the National Security Agency (NSA) or its signals intelligence operations targeting Russia. The full extent of Hegseth’s order remains unclear, but it appears to be an effort by the White House to normalize relations with Moscow following Russia’s isolation due to its 2022 invasion of Ukraine. The duration of the directive is unknown, but it will remain in effect for the foreseeable future.

How Can the US Reach Such a Radically Different Conclusion?

Among the US security organizations affected by this order is likely the 16th Air Force (Air Forces Cyber), the unit responsible for planning and executing digital operations within United States European Command (EUCOM). When asked for comment, a EUCOM spokesperson referred inquiries to the Pentagon. A senior defense official responded:
“Due to concerns over operational security, we do not comment on or discuss cyber intelligence, plans, or operations. Secretary Hegseth’s top priority remains the security of personnel across all operations, including cyberspace.”

The Netherlands and Europe: A Breach of Trust?

The consequences of this policy shift extend far beyond the US. Governments and businesses rely on third-party providers for critical IT infrastructure, but such outsourcing is based on trust. European nations—including the Netherlands—have entrusted large portions of their tech infrastructure to American companies. Every CISO and security expert in the West knows how active Russian government-linked cybercriminal groups are. This decision by the Trump administration significantly undermines that trust.

How can the US arrive at such a radically different threat assessment?

Cybersecurity expert Martijn Dekker, CISO at ABN Amro and professor at INSEAD, wrote on LinkedIn:
“This affects our security assessment of American infrastructure as well. Are they now more vulnerable due to dismissals and the lack of protection against Russian threats? Should we start considering major tech providers not as ‘American clouds’ but as ‘Russian clouds’? How would that change your risk assessment?”

Similar concerns are voiced by Michiel Steltman, former Managing Director of Digital Infrastructure Netherlands (DINL) and now Project Lead at ECP. He wrote:
“CISA, which is responsible for protecting critical US infrastructure from cyber threats, is no longer monitoring Russia as a priority. What’s next? Will the FSB and CIA start collaborating?”

Security expert Jean-Paul van Hamond (GouwIT) also warns on LinkedIn:
“If you’re still relying on American cloud services, you should be seriously concerned. And for companies that operate exclusively on US cloud providers? Your entire business model is now on shaky ground. What capable CISO would still choose American cloud solutions after these developments?”

Urgency: Europe’s Digital Sovereignty in Question

The revelation that the US no longer considers Russia a cybersecurity threat underscores how urgent the debate over Europe’s digital sovereignty has become.
Since Trump’s election, numerous IT managers, security professionals, and analysts have sounded the alarm, warning about Europe’s deep dependence on US tech services. Until recently, it seemed unthinkable that a Trump administration could use Microsoft Azure as a geopolitical weapon. But the past few days have shown that nothing is unthinkable anymore.

Despite repeated calls for Europe to reduce its dependency, no decisive action has been taken to build an independent, sovereign European tech infrastructure. Banning American AI tools alone is not enough.

The Call for a European Cloud Grows Louder

The past few days have made it clear: the push for a European tech infrastructure and the storage of critical data in European data centers needs no further explanation.
Yet, the discussion too often stops at problem identification. Perhaps the complexity of migration is to blame.

A positive development is that EuroStack appears to be making progress. In contrast, Germany’s Sovereign Cloud Stack project remains relatively unknown. There are also serious open-source alternatives to Office 365, proving that the building blocks for a truly independent European cloud infrastructure already exist.
