Key takeaways
- The Department of Defense will cut back cybersecurity training in a range of different ways.
- Defense Secretary Pete Hegseth’s memo on the issue says all mandatory training must be “directly linked to warfighting” or will be “consolidated, reduced in frequency, or eliminated.”
- One expert says that annual training is “critical” and eliminating it “is certain to decrease the Department’s overall cybersecurity.”
The US Department of Defense (also known as the Department of War) has been directed to “relax the mandatory frequency for cybersecurity training” in a recent memo from Defense Secretary Pete Hegseth.
The memo, issued to top officials on September 30th, also details a range of other cybersecurity changes and cutbacks for the United States’ military departments.
The memo appears to frame the current level of cybersecurity training as a distraction from the departments’ core mission.
What Types of Cybersecurity Training Are Being Reduced?
The memo calls for reducing records management training frequency and automating information management systems with the goal of stopping training requirements.
The news site Defense Scoop found a handful of related directives of cybersecurity concern that were also issued in the recent memo. Here are those additional directives:
- Relax the mandatory frequency for controlled unclassified information (CUI) training
- Remove Privacy Act Training from the Common Military Training (CMT) list
- Eliminate the mandatory frequency for “Combating Trafficking in Persons” refresher training after appropriate legislation is enacted
- Consolidate mandatory training topics “as appropriate”
- Develop an integrated CMT program plan
What’s the Reasoning?
Judging from Hegseth’s memo, the reasoning for the change appears to be a belief that the current amount of cybersecurity training adds up to a “distraction” from the “core mission” of warfare.
“The Department of War is committed to enabling our warfighters to focus on their core mission of fighting and winning our Nation’s wars without distraction. Mandatory Department training will be directly linked to warfighting or otherwise be consolidated, reduced in frequency, or eliminated. […] These critical efforts to eliminate, reduce, and consolidate focus topics advances my emphasis on warfighting. The Department will prioritize these actions and execute with urgency to strengthen the lethality of our Nation’s fighting Force.” -Defense Secretary Pete Hegseth
Hegseth also adds that his changes should be “implemented expeditiously.”
However, experts say that cutting back on security training risks opening up US networks and troops to enemy cyber threats.
Experts Warn of Increased Security Risks
Peter W. Singer, a strategist and senior fellow at New America, tells Defense Scoop that “rather than ‘relax’ cybersecurity training, it would have been better for our warfighting capability to ‘update’ the training, both to enhance its effectiveness and defend against the new wave of both cyber and cognitive warfare threats that foes like Russia, China, N. Korea, and Iran have been very clear they intend to use against US forces.”
Lauryn Williams, deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies, raises similar concerns, saying “Cybersecurity training is essential for any mature organization, especially one as large as the Pentagon. Military personnel handle sensitive information daily, which U.S. adversaries are eager to penetrate.”
“Annual cyber awareness training is critical to inform personnel of cyber risks and how to spot common adversary tactics,” Williams adds, citing phishing attempts that could give attackers network access if successful. “This training requirement usually takes no more than one hour in an entire year to complete. Eliminating it is certain to decrease the Department’s overall cybersecurity.”