The recent signing of the annual defense policy bill by President Joe Biden has allocated $3 billion to assist telecom firms in removing and replacing insecure equipment, particularly in response to recent cyber incursions by Chinese-linked hackers. The fiscal 2025 National Defense Authorization Act, which outlines Pentagon policy and military budget priorities for the year, includes this significant funding provision as well as non-defense measures that were added as Congress concluded its work in December. With a total budget of $895 billion, this spending blueprint garnered broad bipartisan support in both the Senate and the House.
The $3 billion allocated in the bill is designated for a Federal Communications Commission program commonly known as “rip and replace,” which aims to eliminate Chinese networking equipment deemed insecure due to national security concerns. This initiative was originally established in 2020 to phase out equipment manufactured by telecom giant Huawei but fell short of the necessary funding for a comprehensive removal process. Recent hacking campaigns by China, such as Volt Typhoon and Salt Typhoon, have raised awareness of potential vulnerabilities in U.S. infrastructure and highlighted the urgent need for additional resources to address cybersecurity threats.
In addition to the provisions related to telecom equipment, the defense policy bill also includes measures to enhance cybersecurity efforts within the U.S. military. A requirement for the Defense Department to commission an independent study on the feasibility of establishing a U.S. Cyber Force, along with alternative organizational models for cyber forces across military branches, was included in the final compromise measure. However, the report does not have a specified deadline and differs significantly from earlier proposals that focused on creating a new digital military service. The bill also designates Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN) as responsible for defending Pentagon networks worldwide, placing it under U.S. Cyber Command and aligning it with other cyber defense initiatives.
Moreover, the defense policy bill incorporates a provision for the establishment of a DOD hackathon program, which would host events four times a year to promote collaborative efforts in cybersecurity research and innovation. While these measures aim to strengthen U.S. cyber defense capabilities, the bill also addresses intelligence-related issues, as is customary in recent years. The inclusion of the annual intelligence bill within the NDAA has become a tradition, although certain provisions, such as those aimed at amending Section 702 of the Foreign Intelligence Surveillance Act (FISA), were not reconciled in this year’s legislation.
Specifically, efforts to rein in a surveillance law through amendments to FISA were left out of the final bill, despite earlier attempts in the Senate to address concerns related to electronic communication service providers (ECSP) and government information access. The absence of a fix for FISA in the NDAA highlights ongoing challenges in balancing national security interests with privacy considerations. Additionally, the bill mandates the designation of ransomware threats to U.S. critical infrastructure and identifies several notorious criminal groups as “hostile foreign cyber actors,” underscoring the evolving nature of cybersecurity threats faced by the nation.
Overall, the 2025 National Defense Authorization Act reflects a concerted effort to address cybersecurity vulnerabilities, enhance defense capabilities, and adapt to the changing landscape of digital threats facing the United States. By allocating resources for the removal of insecure equipment, exploring innovative approaches to cyber defense, and recognizing the complex nature of intelligence and cybersecurity challenges, the bill underscores the ongoing importance of prioritizing national security in an increasingly digital world.