US military allocates $30 billion for cybersecurity by 2025

The U.S. military will receive an estimated $30 billion in cybersecurity funding in fiscal 2025 from the $895.2 billion earmarked for U.S. military operations under the National Defense Authorization Act (NDAA), an annual must-pass law signed by President Joe Biden last month.

The bill’s nearly 1,000 bill budget does not allow for a clear or quick calculation of how much total money goes to cybersecurity activities. However, as a ballpark guide, the administration’s proposed fiscal year 2025 NDAA budget, released in March, allocated $30 billion to the military’s overall cyber effort. The final rule is probably not much different at this level.

As is the case every year, the bill is filled with a number of major and minor provisions related to cybersecurity. The most important of them range from replacing potentially problematic Chinese technology in telecommunications networks to protecting DoD personnel from foreign spyware to establishing a counter-intelligence agency and more.

As is the case every year, the NDAA omitted provisions that some had expected to appear in the bill, including one that would ensure continued funding for the State Department’s effort to track information against foreign adversaries. Some omissions give the Trump administration more power to vet US citizens who they identify as enemies.

A key cyber provision in the 2025 NDAA

Cybersecurity spending provisions are scattered throughout the NDAA, with references to creating more secure digital military programs or establishing international alliances that require greater cybersecurity cooperation appearing throughout the law.

The following summaries highlight some of the most important and notable cybersecurity provisions in the NDAA:

$3 billion has been allocated to cover the Chinese gear shift

The NDAA gave the US Federal Communications Commission nearly $5 billion to help local telcos remove and replace potentially problematic gear made by Chinese technology suppliers, including Huawei and ZTE. This funding makes up for a $3 billion shortfall that resulted from Congress appropriating only $1.9 billion for this purpose.

Protecting DoD mobile devices from the proliferation and use of foreign commercial espionage

The bill aims to protect military mobile devices, including smartphones, tablet computers, and laptop computers, from foreign spyware. It directs appropriate government agencies to issue standards, guidelines, best practices, and policies for Department personnel and the United States Agency for International Development (USAID) to protect covered equipment from being compromised by foreign commercial espionage.

It also directs those agencies to review the procedures used by the Department and USAID to identify and catalog instances where a covered device was compromised by foreign commercial espionage in the past two years resulting in the unauthorized disclosure of sensitive information. In addition, it requires those organizations to submit to the appropriate congressional committees a possibly classified report on the steps taken to identify and catalog instances of such compromise by foreign commercial espionage.

Creating a risk framework for external mobile applications

The law requires the chief information officer of the Department of Defense, in cooperation with the under secretary of defense for intelligence and security, to prepare a report on the feasibility and advisability of developing a risk framework for personal mobile devices and mobile applications for DoD personnel.

The framework should include the collection, storage, sale, and possible misuse of data, exposure to misinformation and disinformation, software, materials, and applications originating from the government of the Russian Federation, the People’s Republic of China, the Islamic Republic of Iran, or the Democratic People’s Republic of Korea.

Establishing an artificial intelligence defense agency

The NDAA has many provisions related to artificial intelligence, many of which touch on security issues. However, one measure related to AI stands out: a move directing the director of the National Security Agency to establish a defense intelligence agency within the agency’s Collaboration Center.

The AI Center will work to develop guidance to prevent or mitigate “artificial intelligence techniques,” defined as “techniques or processes for extracting information about the behavior or characteristics of an artificial intelligence system, or learning how to use an artificial intelligence system, to destroy the privacy, integrity, or availability of an artificial intelligence system or a nearby system.” One of its clear mandates is to promote secure approaches to the acquisition of artificial intelligence for managers of national security programs.

An independent assessment of the need for a cyber army

The bill calls for the National Institutes of Science, Engineering, and Medicine to examine alternative organizational models for cyber forces for the US armed forces. This provision is in line with the often-advocated idea that the US should have an independent cyber force that works on a par with other armed forces.

Evaluation of other models should include, among other things, refining and improving the current organizational structure of cyber forces in the Armed Forces, the feasibility and advisability of establishing a cyber force in the Department of Defense, and acquisition considerations or the transformation of other organizational models of the cyber forces of the US armed forces.

After their evaluation, the National Institutes of Education must submit a consensus report to congressional defense committees containing their evaluation of other types of organization.

Making the Joint Force Headquarters-Department of Defense Information Network a unified joint command under the US Cyber Command

The NDAA designates the Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN), responsible for protecting the Pentagon’s networks around the world, a “joint joint command” under the US Cyber Command, making JFHQ-DODIN the leading organization in network performance, security, and protecting the DoD Information Network.

Declaring ransomware actors and host states as hostile cyber actors

The bill contains language that elevates ransomware attacks to the level of terrorism by declaring foreign ransomware organizations and foreign agents associated with them as hostile cyber actors, transferring that designation to countries that direct or host those actors.

Addressing ransomware threats to critical infrastructure is a national intelligence priority

The NDAA contains language that considers ransomware threats to critical infrastructure a national intelligence priority as part of the National Intelligence Priority Framework. It requires the Director of National Intelligence, in consultation with the Director of the FBI, to submit a report to the appropriate committees of Congress on the implications of the ransomware threat to US national security.

GAO investigation into the intentional disruption of the national airspace program

The bill requires the Government Accountability Office to conduct an investigation and issue a report on the vulnerability of the national airspace system to potential interference by US adversaries who may use electromagnetic energy and the security vulnerability of the Aircraft Communications, Reporting, and Communication System and Controller Pilot Data Link Communications. The report is intended to be public, with any classified information removed.

Limiting funds for the Joint Cyber Warfighting Architecture

The NDAA freezes or limits funding for military components of the Joint Cyber Warfighting Architecture (JCWA) until the US Cyber Command submits a plan for the next iteration of JCWA development. JCWA is a software-based program that provides cyber tools and capabilities to the Cyber Mission Force.

Two obvious exceptions to the law

Despite the many broad cybersecurity provisions in the NDAA, the law lacks two important and expected provisions.

The first was the lack of continued funding for the State Department’s Global Engagement Center (GEC), which was forced to close on Dec. 26, 2024 due to lack of funds. The GEC’s mandate was to serve as “a data-driven organization that leads US efforts to engage with the US in proactively countering foreign adversaries’ efforts to undermine US interests using disinformation and propaganda.”

The group has been targeted by right-wing activists, including Elon Musk, US Republican attorneys general, and others who accuse the GEC of stifling “liberal speech.”

Another notable omission from the bill is the failure of Congress to scale back a significant expansion of the controversial US surveillance program, Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Human rights groups have been pressing lawmakers to close a loophole in the law that reauthorized FISA early last year. This loophole furthered law enforcement’s right to request FISA information for intelligence agencies on the communications of US citizens without a warrant.

The failure to check the US government’s ability to access wiretaps between Americans and immigrants abroad now gives the Trump administration incredible power to spy on American citizens it sees as enemies.

