Cybersecurity training, beards, and body fat have something in common, according to the Pentagon. They're not helping the US military fight and win wars.
Defense Secretary Pete Hegseth directed the department's chief information officer to "relax the mandatory frequency for cybersecurity training," in a September 30 memo, one of 11 that Hegseth referenced during the now infamous speech at Quantico on the same day.
"The Department of War is committed to enabling our warfighters to focus on their core mission of fighting and winning our Nation's wars without distraction," the memo [PDF] reads, using the unofficial but Trump-approved new name for the Defense Department. "Mandatory Department training will be directly linked to warfighting or otherwise be consolidated, reduced in frequency, or eliminated."
A Pentagon spokesperson declined to answer The Register's questions about the directive, including policy rationale for the change, how often cybersecurity training used to occur, and what the new frequency would be. "We have nothing additional to announce at this time," the spokesperson said.
Despite Hegseth’s stated focus on improving readiness for battle, the policy change isn’t likely to help the military win any wars, according to retired US Navy Rear Admiral Mark Montgomery.
"I am not sure that a reduction in cybersecurity training is going to save much time, maybe one or two hours a year per person," Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, told The Register.
"On the other hand, I do know that the cyber domain is the number one attack surface being used by the CCP against the US - and specifically the US military - today," he said. "This policy seems more like theatrics and less like readiness."
Additionally, the memo directs the Defense Department's CIO to automate information management systems, and thus eliminate training requirements for these, and instructs the under secretary to "relax the mandatory frequency for Controlled Unclassified Information (CUI) training."
It is a relief not to see classified information training on the cull list, considering recent cases involving servicemembers leaking - or trying to sell - sensitive information to China, Russia, and even online lovers, but it's hard to imagine how cutting back any type of instruction on handling controlled data is going to help the military win wars.
On top of all this, Privacy Act training, which educates service members on what constitutes personally identifiable information (PII) and legal requirements around collecting it, will be completely eliminated from the Common Military Training list.
"These critical efforts to eliminate, reduce, and consolidate focus topics advances my emphasis on warfighting," Hegseth wrote. "The Department will prioritize these actions and execute with urgency to strengthen the lethality of our Nation's fighting Force."
However, considering the cyber component of recent conflicts between Iran and Israel and Russia and Ukraine, as well as the growing number of digital intrusions targeting US military and government agencies, cybersecurity experts argue America's fighting forces should receive training around this subject.
"This represents an extremely shortsighted action by the DOD, especially when the US military is facing a cyber insurgency within its infrastructure by China and Russia. We have seen an exponential increase in supply chain attacks, therefore cyber vigilance is fundamental," Tom Kellermann, VP of cyber risk at security assurance and certification company Hitrust, told The Register.
"Training is essential when defending the US in an ever changing cyberthreat environment," he said. "This directive undermines our national security."
It also makes service members less prepared for cyber conflict, according to Bruce Jenkins, chief information security officer at app-security shop Black Duck and former US Air Force systems security director.
"There is a substantial amount of research supporting the idea that more frequent exposure to concepts - i.e., training - creates stronger connections than less frequent exposure," Jenkins told The Register. "While I did not always immediately appreciate the training I received while I served in the military, without a doubt that training improved my preparedness for high-risk, high-intensity situations and made risk management, whether in the context of driving a military vehicle, handling a weapon, or accessing computer systems, relatively routine."
This directive to make mandatory cybersecurity training less frequent "may be an invitation to increased risk that will be felt months and years after the new policy becomes effective," he added. "It also will not help us 'win wars'." ®
Updated on Oct 3 at 1632 to include a quote from retired Navy Rear Admiral Mark Montgomery.
