DOD to cut back on mandatory cybersecurity training

The changes are to be “implemented expeditiously,” per Defense Secretary Pete Hegseth’s directive.
Tech. Sgt. Alejandra Martinez, 379th Air Expeditionary Wing security manager and executive administration non-commissioned officer-in-charge, reviews policies and procedures at her workstation at Al Udeid Air Base, Qatar on Oct. 18, 2019. National Cybersecurity Awareness Month, observed in October, is intended to raise awareness about the importance of cybersecurity. (U.S. Air Force photo by Tech. Sgt. John Wilkes)

Defense Secretary Pete Hegseth issued a new edict this week to reduce the time personnel spend on cybersecurity training, among other reforms.

The directive came in a Sept. 30 memo to senior Pentagon leadership and DOD agency and field activity directors, ordering the military departments, in coordination with the Pentagon’s chief information officer, to “Relax the mandatory frequency for Cybersecurity training.”

Hegseth also called for narrowly tailoring records management training to service member roles and allowing flexibility in training delivery, as well as automating information management systems to eliminate training requirements.

Additionally, Hegseth directed the military departments and other Pentagon leaders to “relax” the mandatory frequency for controlled unclassified information (CUI) training; remove Privacy Act Training from the Common Military Training (CMT) list; eliminate the mandatory frequency for “Combating Trafficking in Persons” refresher training after appropriate legislation is enacted; consolidate mandatory training topics, “as appropriate”; and develop an integrated CMT program plan.

The changes are to be “implemented expeditiously,” per Hegseth’s directive.

The edict came after the Trump administration recently rebranded the Department of Defense as the Department of War.

“The Department of War is committed to enabling our warfighters to focus on their core mission of fighting and winning our Nation’s wars without distraction. Mandatory Department training will be directly linked to warfighting or otherwise be consolidated, reduced in frequency, or eliminated,” Hegseth wrote in the new memo.

“These critical efforts to eliminate, reduce, and consolidate focus topics advances my emphasis on warfighting. The Department will prioritize these actions and execute with urgency to strengthen the lethality of our Nation’s fighting Force,” he added.

The relaxing of cybersecurity training mandates — as well as other changes directed by Hegseth — will undoubtedly be welcomed by many in the ranks who have been forced to dedicate time to those types of activities, which they may not see as essential to their job roles.

However, some analysts and cybersecurity experts said there are risks involved in scaling back.

“As annoying and unpopular as the cyber training sessions are, they do serve a purpose, which is to protect our networks and troops against proven enemy cyber threats. Rather than ‘relax’ cybersecurity training, it would have been better for our warfighting capability to ‘update’ the training, both to enhance its effectiveness and defend against the new wave of both cyber and cognitive warfare threats that foes like Russia, China, N. Korea, and Iran have been very clear they intend to use against US forces,” Peter W. Singer, a strategist and senior fellow at New America, said in an email to DefenseScoop. Singer is the author of “Cybersecurity and Cyberwar: What Everyone Needs to Know,” and other books that have been widely read in the national security community, such as “Ghost Fleet: A Novel of the Next World War.”

Lauryn Williams, deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies, said relaxing mandatory cybersecurity training weakens the Pentagon’s overall cyber posture.

“Cybersecurity training is essential for any mature organization, especially one as large as the Pentagon. Military personnel handle sensitive information daily, which U.S. adversaries are eager to penetrate. We only need to look at Chinese-linked hackers’ demonstrated ability to gain access to U.S. government officials’ and citizens’ telephone data and their efforts to maintain persistent access to U.S. critical infrastructure in recent years,” she told DefenseScoop.

Williams served as chief of staff to the assistant secretary of defense for industrial base policy during the Biden administration. Previously, she was director for strategy in the White House Office of the National Cyber Director.

“Annual cyber awareness training is critical to inform personnel of cyber risks and how to spot common adversary tactics, such as suspicious email addresses or links designed to trick them into giving attackers network access. In addition to cybersecurity, these trainings often include important information on how to observe insider threats and ensure classified spaces and information are secure,” she said.

In her view, the benefits of mandatory cybersecurity training for the military far outweigh the costs.

“This training requirement usually takes no more than one hour in an entire year to complete. Eliminating it is certain to decrease the Department’s overall cybersecurity. With AI-enabled impersonations and deepfakes on the rise, the Pentagon should be investing in updating cyber training based on the latest threats and tactics, not eliminating them altogether and reducing overall readiness,” Williams said, adding that cybersecurity is essential to overall warfighter readiness and is “a core element” of the department’s ability to win the nation’s wars.

Retired Rear Adm. Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said: “I am not sure that a reduction in cybersecurity training is going to save much time, maybe 1 or 2 hours a year per person. On the other hand, I do know that the cyber domain is the number one attack surface being used by the [Chinese Communist Party] against the US and specifically the U.S. military today. This policy seems more like theatrics and less like readiness.”

The Defense Department did not respond to a request for information about how frequent mandatory cybersecurity training was for DOD personnel prior to the issuance of Hegseth’s memo.

Senior defense officials recently highlighted the importance of good cyber hygiene and threat awareness.

“The cyber domain is no longer just for … cyber and IT professionals, right? We all touch the domain daily in the data we use, the systems we operate and the decisions that we make,” Charleen Laughlin, the Space Force’s deputy chief of space operations for cyber and data, said last week at AFA’s Air, Space and Cyber conference, prior to the issuance of Hegseth’s memo.

“One, understand the mission impact of cyber hygiene; every patch, every click that you make, matters. And understand what the operational impact of a cyber breach would be on your system and think through how you would respond if that ever happened to you. That way, you’re just not caught flat-footed. Because … it is going to happen more and more frequently,” Laughlin said. “I know we make fun of the Cyber Awareness Challenge, but awareness really is a readiness issue, right? And the more you know, the better you can do your job.”

Brig. Gen. Joy Kaczor, Air Force assistant deputy chief of staff for warfighter communications and cyber systems, said all airmen need to be mindful of digital threats.

“I tell my airmen, be the bolt. But it’s not just our comm and cyber airmen. It’s everything … understanding that, understanding the mission, understanding what’s required to get after the mission. And what I’d tell you is we often think of insider threats as someone bad, someone intentionally doing something bad. It’s not. It is the clicking on the things, it’s plugging things where you’re not supposed to, it’s not being aware,” Kaczor said during the panel at the AFA conference. “What’s required for your mission? I don’t care what your agency is … map that out, understand your PACE [primary, alternate, contingency, emergency] plan and be ready to execute.”

Written by Jon Harper

Jon Harper is Managing Editor of DefenseScoop, the Scoop News Group’s online publication focused on the Pentagon and its pursuit of new capabilities. He leads an award-winning team of journalists in providing breaking news and in-depth analysis on military technology and the ways in which it is shaping how the Defense Department operates and modernizes. You can also follow him on X (the social media platform formerly known as Twitter) @Jon_Harper_
