President Joe Biden signed the annual defense policy bill on Monday evening, which includes a significant allocation of $3 billion to assist telecom firms in removing and replacing insecure equipment, specifically in response to recent incursions by Chinese-linked hackers. The fiscal 2025 National Defense Authorization Act, which outlines Pentagon policy and military budget priorities for the year, also includes non-defense measures that were added as Congress concluded its work in December. With a total spending of $895 billion, the bill received broad bipartisan support in both the Senate and House.
The $3 billion designated in the bill will be directed towards the Federal Communications Commission program known as the “rip and replace” initiative. This program aims to eliminate Chinese networking equipment due to national security concerns, particularly equipment manufactured by telecom giant Huawei. The initiative was initially established in 2020 with an investment of $1.9 billion, falling short of the estimated $3 billion required to address the potential vulnerability effectively.
Recent incidents, such as the Volt Typhoon and Salt Typhoon hacking campaigns by China, have underscored the urgency of bolstering cybersecurity measures. These campaigns involved hackers infiltrating U.S. infrastructure and compromising at least eight telecom firms, prompting calls to replenish the rip and replace fund.
In addition to cybersecurity measures, the National Defense Authorization Act includes provisions related to the establishment of a U.S. Cyber Force. The bill mandates the Defense Department to commission an independent third-party study on the feasibility of creating a Cyber Force, as well as alternative organizational models for cyber forces within the military branches. Although the final version of the bill omits specific deadlines for the report and dilutes the focus on a new digital military service, it emphasizes the importance of enhancing cyber defense capabilities.
Moreover, the legislation appoints the Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN) with the responsibility of safeguarding the Pentagon’s networks globally. This move elevates the organization to a “subordinate unified command” under U.S. Cyber Command, aligning its role with the offensive capabilities of the Cyber National Mission Force. Despite initial objections, negotiators retained this proposal within the NDAA to strengthen cybersecurity infrastructure.
Notably, the bill introduces a DOD hackathon program, which will host quarterly events to foster innovation and collaboration in cybersecurity efforts. This initiative aims to leverage the expertise and creativity of cybersecurity professionals to address emerging threats and vulnerabilities effectively.
Incorporated within the annual intelligence bill, which piggybacked on the NDAA as customary, are measures to combat ransomware threats to U.S. critical infrastructure. The legislation designates numerous criminal groups, including LockBit, Conti, and REvil, as “hostile foreign cyber actors,” underscoring the ongoing efforts to counter cyber threats.
While the bill addresses critical cybersecurity challenges and underscores the need for proactive measures, it does not include specific modifications to the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA). The exclusion of provisions aimed at defining “electronic communication service providers” capable of disclosing information to the government highlights ongoing debates surrounding surveillance laws and privacy concerns.
Overall, the signing of the National Defense Authorization Act signifies a significant step towards enhancing cybersecurity resilience and defending against evolving cyber threats. The allocation of funds, establishment of a Cyber Force, and emphasis on collaborative cybersecurity initiatives showcase a concerted effort to bolster national security in the face of increasing cyber risks.