Combat Over Cyber: Pentagon Rewrites Training Priorities

In a controversial move that has raised alarms among cybersecurity experts, the Department of War (formerly known as the Department of Defense) recently announced that it will reduce the frequency of cybersecurity and information management training across the armed forces. 

The decision comes amid a surge in cyberattacks targeting US military and infrastructure systems worldwide.

“The Department of War is committed to enabling our warfighters to focus on their core mission of fighting and winning our Nation’s wars without distraction,” said Secretary of War Pete Hegseth in a Sept. 30 memo to senior Pentagon leadership. “Mandatory Department training will be directly linked to warfighting or otherwise be consolidated, reduced in frequency, or eliminated.” 

Pentagon eases cyber training amid rising foreign threats

The directive instructs military departments to “relax” the frequency of cybersecurity and Controlled Unclassified Information (CUI) training and to automate administrative systems to reduce training requirements altogether. 

It also removes Privacy Act Training from the Common Military Training list and directs other mandatory training areas to be consolidated.

While the move is intended to free soldiers from administrative burdens and focus their time on combat readiness, critics argue it weakens the nation’s cyber defense posture at a critical moment.

The US Air Force is currently investigating a suspected Chinese-linked data breach, and adversaries such as Russia, North Korea, and Iran continue to develop advanced cyber and cognitive warfare capabilities.

Growing concerns over cyber readiness

Several national security experts have condemned the decision as short-sighted. 

“As annoying and unpopular as the cyber training sessions are, they do serve a purpose, which is to protect our networks and troops against proven enemy cyber threats,” said Peter W. Singer, strategist and senior fellow at New America, in an email to DefenseScoop. 

He added: “Rather than ‘relax’ cybersecurity training, it would have been better for our warfighting capability to ‘update’ the training, both to enhance its effectiveness and defend against the new wave of both cyber and cognitive warfare threats that foes like Russia, China, N. Korea, and Iran have been very clear they intend to use against US forces.”

Lauryn Williams, deputy director of the Strategic Technologies Program at the Center for Strategic and International Studies, echoed that concern, stating that “cybersecurity training is essential for any mature organization, especially one as large as the Pentagon.”

Williams warned that scaling back on training “weakens the Pentagon’s overall cyber posture” and comes at a time when Chinese-linked hackers have repeatedly targeted US critical infrastructure and military networks.

According to Williams, these training programs usually require less than an hour per year to complete. Yet, they provide essential awareness of phishing tactics, insider threats, and the handling of classified data.   

The risk behind reducing cyber training

Defense officials have repeatedly emphasized that cyber awareness is a form of combat readiness. 

Charleen Laughlin, deputy chief of space operations for cyber and data at the US Space Force, recently stated that cyber hygiene is now inseparable from military operations: “Every patch, every click that you make, matters. Awareness really is a readiness issue, and the more you know, the better you can do your job.” 

Retired Rear Adm. Mark Montgomery, senior director at the Foundation for Defense of Democracies, said the policy change “seems more like theatrics and less like readiness.” He added, “The cyber domain is the number one attack surface being used by the Chinese Communist Party against the U.S. military today.”

Despite growing cyberthreats, the Pentagon’s directive calls for changes to be “implemented expeditiously.” 

The decision follows a series of recent reforms under Hegseth emphasizing traditional combat preparedness, including crackdowns on grooming standards and a renewed focus on physical readiness.  

Closing the gaps: how to rebuild cyber readiness  

To maintain strong cyber resilience amid evolving threats and reduced formal training, military and security teams should focus on the following key actions.

• Integrate and modernize cyber readiness training by embedding short, mission-focused lessons, realistic threat simulations, and responsible automation into daily operations.
• Lead by example and foster a reporting culture by holding leaders accountable for cyber hygiene and promoting a “see something, say something” mindset across all levels.
• Segment systems and adopt Zero-Trust principles by limiting access to mission-essential data, separating networks, and continuously verifying users and devices.
• Enhance detection, response, and information sharing by maintaining continuous monitoring, updating incident response plans for AI-enabled threats, and sharing intelligence across sectors.

Together, these actions help build a culture of cyber discipline and accountability that strengthens both individual awareness and organizational defense. 

Winning wars starts in cyberspace

The Department of War’s decision reflects a broader tension in national defense strategy: balancing the immediate demands of kinetic warfare with the evolving realities of cyber conflict.

As adversaries increasingly blend cyber operations with traditional espionage and battlefield tactics, experts warn that deprioritizing digital defense could leave US forces exposed to invisible attacks that undermine mission capability before combat even begins.

As AI-powered threats grow more sophisticated, the US military’s approach to cyber readiness may determine not only how it fights wars but whether it can prevent them in the first place.

By combining modern training, strong leadership, and Zero Trust, military and private sector security teams can stay mission-ready against emerging threats.