US military allocated about $30 billion to spend on cybersecurity in 2025

by biztrendz

The United States military will receive about $30 billion in cybersecurity funding in fiscal 2025 out of the $895.2 billion earmarked for US military activities under the National Defense Authorization Act (NDAA), an annual piece of must-pass legislation signed by President Joe Biden last month.

The nearly 1,000-page bill’s budget doesn’t enable clear-cut or quick calculations of how much of the total funding goes to cybersecurity activities. However, as a ballpark guide, the administration’s proposed annual budget for the fiscal year 2025 NDAA, released in March, allocated an estimated $30 billion to total military cyber efforts. The final legislation likely did not vary substantially from this level.

As is the case each year, the bill is filled with dozens of major and minor cybersecurity-related provisions. The more substantial provisions in the bill range from major spending items that address replacing potentially problematic Chinese technology in telecom networks to protecting DoD employees from foreign spyware to establishing an artificial intelligence security center and much more.

As is also true every year, the NDAA omitted provisions that some had expected to appear in the bill, including one that ensured continued funding for a State Department effort that tracked foreign adversary disinformation. Another omission gives the incoming Trump administration more power to spy on US citizens it deems adversaries.

Key cyber provisions in the 2025 NDAA

Cybersecurity spending provisions are scattered throughout the NDAA, including references to creating more secure digital military systems and to establishing international alliances that call for greater cybersecurity collaboration.

The following summaries highlight some of the more prominent and noteworthy cybersecurity provisions in the NDAA:

$3 billion allocated to cover the shortfall in replacing Chinese gear

The NDAA granted the US Federal Communications Commission nearly $5 billion to help local telcos rip out and replace what might be problematic gear made by Chinese tech providers, including Huawei and ZTE. This funding compensates for a $3-billion shortfall that resulted when Congress initially granted only $1.9 billion for this purpose.

Protecting DoD mobile devices from the proliferation and use of foreign commercial spyware

The bill seeks to protect military mobile devices, including smartphones, tablet computing devices, and laptop computing devices, from foreign commercial spyware. It directs the relevant government agencies to issue standards, guidance, best practices, and policies for Department and United States Agency for International Development (USAID) personnel to protect covered devices from being compromised by foreign commercial spyware.

It further directs those agencies to survey the processes used by the department and USAID to identify and catalog instances where a covered device was compromised by foreign commercial spyware over the prior two years resulting in an unauthorized disclosure of sensitive information. In addition, it requires those agencies to submit to the appropriate congressional committees a possibly classified report on the measures to identify and catalog instances of such compromises by foreign commercial spyware.

Creating a risk framework for foreign mobile applications

The legislation requires the Defense Department’s chief information officer, in coordination with the undersecretary of defense for intelligence and security, to create a report on the feasibility and advisability of developing a risk framework for the personal mobile devices and mobile applications for DoD personnel.

The framework should cover the collection, retention, sale, and potential misuse of data, exposure to misinformation and disinformation, software bill of materials, and whether the applications originate with the governments of the Russian Federation, the People’s Republic of China, the Islamic Republic of Iran, or the Democratic People’s Republic of Korea.

Establishing an artificial intelligence security center

The NDAA features numerous provisions related to artificial intelligence, many of which touch on security issues. However, one AI-related provision stands out: an initiative that directs the National Security Agency’s director to establish an artificial intelligence security center within the agency’s Collaboration Center.

The AI center will develop guidance to prevent or mitigate “counter-artificial intelligence techniques,” defined as “techniques or procedures to extract information about the behavior or characteristics of an artificial intelligence system, or to learn how to manipulate an artificial intelligence system, in order to subvert the confidentiality, integrity, or availability of an artificial intelligence system or adjacent system.” Its other clear mandate is to promote secure artificial intelligence adoption practices for managers of national security systems.

Independent assessment of the need for a cyber force

The bill calls for the National Academies of Sciences, Engineering, and Medicine to evaluate alternative organizational models for the cyber forces of the US armed forces. This provision is a nod to the frequently advocated notion that the US should have an independent cyber force that functions equally with the other armed forces.

The evaluation of the alternative models should include, among other things, refining and further evolving the current organizational approach for the cyber forces of the Armed Forces, the feasibility and advisability of establishing a separate cyber armed force in the Defense Department, and consideration of adoption or adaptation of alternative organizational models for the cyber forces of US armed forces.

After their evaluation, the National Academies must submit a consensus report to congressional defense committees containing their assessment of alternative organizational models.

Making Joint Force Headquarters-Department of Defense Information Network a subordinate unified command under US Cyber Command

The NDAA designates the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), which is responsible for defending the Pentagon’s networks worldwide, as a “subordinate unified command” beneath US Cyber Command, making JFHQ-DODIN the lead organization for the network operations, security, and defense of the DoD Information Network.

Proclaiming ransomware actors and nation-states who harbor them as hostile foreign cyber actors

The bill contains language that essentially raises ransomware attacks to the level of terrorism by proclaiming foreign ransomware organizations and foreign affiliates associated with them as hostile foreign cyber actors, extending that designation to the nation-states that direct or harbor such actors.

Deeming ransomware threats to critical infrastructure a national intelligence priority

The NDAA contains language deeming ransomware threats to critical infrastructure a national intelligence priority as part of the National Intelligence Priorities Framework. It requires the Director of National Intelligence, in consultation with the Director of the FBI, to submit a report to the appropriate committees of Congress on the implications of the ransomware threat to US national security.

GAO study on the intentional disruption of the national airspace system

The bill requires the Government Accountability Office to conduct a study and issue a report on the vulnerability of the national airspace system to potential disruptive operations by US adversaries who might leverage the electromagnetic spectrum and security vulnerabilities in the Aircraft Communications, Reporting, and Addressing System and Controller Pilot Data Link Communications. The report is intended to become public, with any classified information omitted.

Limiting funds for the Joint Cyber Warfighting Architecture

The NDAA ceases or limits funding for the military’s Joint Cyber Warfighting Architecture (JCWA) components until the Commander of US Cyber Command submits a plan for the next iteration of the JCWA’s development. The JCWA is a software-based system that provides cyber tools and capabilities to the Cyber Mission Force.

Two glaring omissions in the legislation

Despite the many wide-ranging cybersecurity provisions in the NDAA, the legislation lacked two crucial and anticipated provisions.

The first was the lack of continued funding for the State Department’s Global Engagement Center (GEC), which was forced to shut down on Dec. 26, 2024 due to a lack of funding. GEC’s mandate was to serve as “a data-driven body leading US interagency efforts in proactively addressing foreign adversaries’ attempts to undermine US interests using disinformation and propaganda.”

The group has been targeted by right-wing activists, including Elon Musk, US state Republican attorneys general, and others who accused GEC of suppressing “free speech.”

Another prominent omission in the bill was Congress’s failure to narrow a significant expansion of a controversial US surveillance program, Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Civil liberties groups had been pushing lawmakers to close a loophole in legislation that reauthorized FISA early last year. This loophole perpetuated the right of law enforcement to query intelligence agencies’ FISA databases on US persons’ communications without a warrant.

The failure to check the US government’s ability to access wiretapped calls between Americans and foreigners abroad now gives the Trump administration extraordinary powers to spy on US citizens it deems to be adversaries.
