SecureWorld News

3 Percent ($30B) of U.S. Military Funding Dedicated to Cybersecurity

Written by Cam Sivesind | Thu | Jan 9, 2025 | 12:38 PM Z

The National Defense Authorization Act (NDAA) for the U.S. military fiscal year 2025 dedicates approximately $30 billion to cybersecurity, marking it as a crucial focus in the broader $895.2 billion military budget.

"As usual, this year's NDAA is a sweeping piece of legislation that touches all corners of the Department of Defense (DoD) as well as elements of the intelligence community," said Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); Chairman, Cedric Leighton Associates, LLC. "Its provisions will help determine whether or not the U.S. is ready to achieve its military objectives in potential future conflicts, whether they be counterinsurgency operations like we saw in Afghanistan, a major theater war such as one that could develop from the war in Ukraine or over Taiwan, or a series of hybrid conflicts with a large cyber warfare component."

Here's a summary of the key provisions, initiatives, and notable omissions from the sweeping legislation included in the 100-page bill's budget. Richard Staynings, Chief Security Strategist for IoT security company Cylera and teaching professor for cybersecurity at the University of Denver, provides comments throughout.

Key cybersecurity provisions

Securing communications networks

Five billion dollars is allocated to help local telecommunications providers replace potentially insecure Chinese technology (e.g., Huawei and ZTE equipment). This includes covering a $3 billion shortfall from previous efforts.

"Removal of insecure and possibly backdoored Chinese telecom equipment has been a concern since the presidency of George W. Bush. The fact that we are still trying to rip and replace Chinese communication gear more than 15 years later perhaps says a lot more about the ineffectiveness of the U.S. government than anything else," said Staynings. "The issue has been about the shortfall between FCC budgets and the cost of making good small and rural telcos that invested in Huawei and ZTE equipment for their 4G and 5G networks years ago. The Senate effort to fund the shortfall was led by John Hickenlooper who has been advocating for this program for many years now. The fact that the money was approved is testament to his tenacity."

"Rural telecom providers put their businesses on the line to make sure Chinese companies can't spy on Americans through our communications systems," said Hickenlooper. "We're finally repaying those businesses so they can maintain essential connectivity."

Protecting military mobile devices

Standards and policies will be implemented to secure Department of Defense mobile devices from foreign spyware. Agencies must report any compromises involving foreign spyware over the past two years.

"Securing the software and hardware supply chain will be critical here. The trouble is that thanks to globalization and decades of dumping by China, most U.S. and European manufacturing capabilities have disappeared, leaving few safe manufacturing sources," Staynings said. "Many of those may in fact be compromised, as California-based Taiwan manufacturer Supermicro found out with motherboards it produced for Congress. Also of concern is the firmware and ROM found on many components that go into the manufacture of systems, nearly all of which are manufactured today in mainland China. The security of the supply chain is the open back door to security today, and we haven't even begun to understand the true risks involved or the backdoors to our networks."

Artificial Intelligence (AI) Security Center

The National Security Agency (NSA) will establish an AI Security Center to prevent counter-AI techniques and promote secure AI adoption for national security systems.

Ransomware as a national threat

Ransomware attacks targeting critical infrastructure are elevated to a national intelligence priority, equating them to acts of terrorism. Nation-states harboring ransomware actors are now classified as hostile foreign cyber actors.

Staynings' take:

"Ransomware is now an extremely lucrative business. In the first half of 2024, ransomware victims paid an astonishing $459.8 million to cybercriminals, setting the stage for a potentially record-breaking year. The ransomware business has gone from demanding extortion payments of $3.6 million in 2017 at Hollywood Presbyterian Medical Center to $240 million in 2021 with an attack on MediaMarkt, Europe's largest consumer electronics retailer. Attackers have become bolder and more demanding as they realize the lucrative nature of extortion. That and the fact that most victims are ill-prepared for this sort of attack despite multiple decades of warnings from cybersecurity and law enforcement leaders, along with growing cyberattacks against business.

"Organizations simply lack the IT infrastructure resiliency to take a hit and keep going. Nor do they have well-practiced and robust cyber incident response capabilities. It's like a boxer going into a prime fight with a glass jaw.

"CEOs and boards seem blind to the need to make adequate investments in resiliency and security to protect their businesses. It's all about short-term gain, quarterly profit reports, and playing Wall Street with stock buy-backs and fat executive bonuses.

"The Change Healthcare cyberattack in 2024 will go down in history as the singularly most disruptive cyberattack against a national population and critical national infrastructure industry. It appears to have been caused by a misdirected focus by parent company United Healthcare Group (UHG) on its profits and the total compensation packages of its leaders. It remains to be seen just how many Americans died and how many hospitals and clinics go out of business as a result of this attack.

"What's fueling the growth of this criminal extortion is that victims are paying the cyber terrorists. Russian school kids are lining up to become the next cyber extortionist and to drive their first Ferrari or Lamborghini with their ill-gotten gains. By paying ransoms, victims are inadvertently fueling the growth of this illicit industry.

"The U.S. government (and many other national governments) have determined ransomware to be a form of terrorism. Yet, few have enacted robust laws that prevent the payment of ransoms to cyber terrorists under existing Sanctioned Entity Laws. These were designed to prevent payments to terrorist groups like Al-Qaeda. Much is due to the fact that attribution of an attacker takes time, so when a ransom is paid, it's often to an unknown entity. This needs to change to make all extortion payments punishable by jail time so that directors who failed to invest and prepare can no longer hide behind their Directors' Insurance.

"There needs to be better corporate accountability, and that means CISOs need to fully document decisions by CEOs and boards to accept risks that are against the recommendation of company security leaders and experts. CISOs also need to ensure that their employment contracts include provision for independent legal representation for any security incident that may be blamed upon them, and for a period well after they have left their positions. This needs to include their time and expenses to attend court hearings and government committees of inquiry.

"Also driving the growth in cyberattacks is the lack of cost or risk imposed on perpetrators of these crimes. Russia, China, Iran, and North Korea lack extradition treaties with the West and fail to recognize many cyberattacks as criminal activity. When tried in their own countries, perpetrators usually get off with very light sentences thanks to endemic corruption. Many of these pariah states provide safe harbor behind the former Soviet 'iron curtain' and permit criminals to attack the West with impunity in return for a few favors.

"Ransom attacks serve a second far more nefarious purpose than simple revenue generation for criminal groups. These attacks are increasingly about maximizing disruption. Not only to maximize payment pressure on victims, but to cause damage and mayhem to critical national infrastructure in countries opposed to Russia's or China's expansive foreign policy stance. In using criminal groups to exact revenge for weapons shipments to Ukraine, as an example, the Kremlin can claim plausible deniability in attacks against foreign countries. Both China and Russia appear to be doing something similar with their anchor dragging across the Baltic or around Taiwan. The very thin veneer, however, is beginning to crack, thanks to a rising body of evidence to suggest collaboration and coordination between criminal gangs and state actors.

"Ransomware and other cyberattacks have thus become highly useful and highly disruptive instruments in the projection of power by pariah nation-states."

Exploring a separate cyber force

The National Academies will evaluate the feasibility of creating an independent cyber force alongside existing armed forces.

Strengthening DoD network defense

The Joint Force Headquarters–Department of Defense Information Network (JFHQ-DODIN) is designated as a subordinate unified command under U.S. Cyber Command.

Limiting cyberwar funding

Development of the Joint Cyber Warfighting Architecture (JCWA) will be restricted until U.S. Cyber Command presents a comprehensive plan for its next phase.

"Plainly, given rising geopolitical tensions and a deluge of cyberattacks from foreign nations, the U.S. needs to ensure that it has truly devastating offensive cyber capabilities in order to act as a deterrent against others," Staynings said. "Perhaps the intent should be to replicate the capabilities of nuclear weapons in this space to ensure an effective stand-off, similar to MAD, mutually assured destruction, that has kept the peace since WWII."

Glaring omissions

State Department's Global Engagement Center (GEC)

Funding for the GEC, responsible for combating foreign disinformation, was not included, leading to its closure.

Staynings' viewpoint:

"This is perhaps the most worrying aspect of the entire NDAA given the magnitude of the Russian and Chinese mis- and disinformation campaigns against the West. Both Russia and China are spending millions of dollars every month fabricating information and then amplifying these false narratives designed to sow division, create confusion, and stoke existing divisions, using social media platforms. TikTok, X (Twitter), and now Meta platforms will be useful tools for the propaganda and intelligence offensive forces of our adversaries.

"While Russian interference in the 2016 election was designed to create confusion and inflame existing discontent, thus distracting the government and military by creating domestic social and political turmoil, the adaptation of 1950s and 1960s KGB tactics to take advantage of the omnipresent use today of technology, and in particular social media, has changed the playing field. As a consequence, Russia and China have both invested heavily in troll farms, fake social media personas, and uber amplification of false narratives using AI bots in order to divide, confuse, and dumb down Western capabilities.

"As cyber defenders, we need to take a step back to see the big picture and understand the context in which individual mis- and disinformation attacks take place today. That, in turn, will help us to better design defensive strategies and tactics to thwart future attacks. Combatting mis- and disinformation needs to be a top priority."

Reforming surveillance practices

Proposals to restrict Section 702 of the Foreign Intelligence Surveillance Act (FISA) were left out. This omission continues to allow warrantless access to U.S. citizens' communications under certain conditions.

"Whether the FY2025 NDAA hit the mark might not be known until we're in the middle of a conflict, and by then it might be too late," Col. Leighton added. "Nevertheless, this year's NDAA is an attempt to shore up some of our defenses while neglecting others. There are some interesting provisions impacting cyber warfare, AI, and the world of disinformation."

While the NDAA emphasizes cybersecurity investment, its omissions highlight ongoing debates about privacy, surveillance, and disinformation. The bill also reflects growing concerns about the role of AI, ransomware, and foreign threats in shaping military and national security policies.