Congress approves 2025 NDAA with important cyber provisions
Left out was language that would have helped clarify the scope and reach of a controversial surveillance power that was renewed in April.
The must-pass fiscal year 2025 defense policy bill advanced out of the Senate on Wednesday to President Joe Biden’s desk with a list of cybersecurity measures focused on technology aid to foreign allies and cyber defense hardening at home.
The National Defense Authorization Act passed 85-14 with an $895.2 billion topline, authorizing the distribution of funding for the U.S. military, defense and intelligence nexus.
The bill greenlights up to $300 million in myriad defense and security assistance for Taiwan, inserted by China hawks aiming to help the island nation deter invasion.
Select assistance — officially slotted under the House-led Taiwan Security Cooperation Initiative — includes intelligence and surveillance support, cyber defense capabilities, electronic warfare assets, secure communications equipment and other digital protection systems.
Another measure approves the creation of a strategy to enhance internet freedom in Iran. It authorizes $15 million annually for fiscal years 2025 and 2026 for the nonprofit Open Technology Fund to support tools, research and programs that promote unrestricted internet access and digital safety in the nation.
That includes internet access for Iranian civil society, virtual private networks, countering government-ordered internet blackouts and assessing alternatives to bypass online censorship.
At home, the NDAA also includes long-sought funding that closes a $3 billion shortfall the Federal Communications Commission needs to remove and replace Chinese networking equipment deemed dangerous to national security. The funding comes amid an ongoing Chinese government breach into telecommunications infrastructure that’s targeted major providers and their affiliated wiretap systems.
“By fully funding this program, Congress is demonstrating their support of carriers nationwide as they continue their efforts to remove untrustworthy equipment. The recent high-profile and significant intrusions across [information and communication technology] networks demonstrate that more must be done to secure our critical communications infrastructure,” Dave Stehlin, CEO of the Telecommunications Industry Association, said in a statement to Nextgov/FCW.
The defense bill also seeks to better protect servicemembers and diplomats from being ensnared by commercial spyware programs. It mandates a review of past spyware compromises and regular reporting to Congress on spyware incidents, including identification of any responsible foreign powers that deployed the cyber surveillance tools.
The DOD will also now be required to conduct a broad assessment into the cybersecurity of internal mobile devices used by servicemembers. The evaluation must consider anonymizing technologies like dynamic selector rotation, a protocol that allows digital location identifiers like IP addresses to be changed at certain time intervals.
Relatedly, a watered-down measure to determine whether the U.S. should establish a formal Cyber Force branch in the Pentagon was also included. The National Academies of Sciences, Engineering and Medicine is, at most, directed to explore the “feasibility” of establishing a cyber military branch. The final bill sheds earlier draft language that had directed the National Academies to conduct a full-fledged study about the need for a cyber armed service.
Additionally, in the civilian realm, the NDAA orders the Government Accountability Office to craft a study and report about vulnerabilities in the national airspace system that may allow adversaries to sabotage airspace operations.
Government-vendor relations also got a salute in the legislation, which directs DOD to create a strategy for managing and securing its multi-cloud environments within 180 days. That measure also requires the department to address endpoint security, identify and resolve cloud-specific security issues and explore how AI can be better integrated while protecting sensitive government data.
Additionally, the legislation orders the NSA to establish an artificial intelligence security center within 90 days of its signing that would develop countermeasures against adversarial AI attacks and promote secure AI adoption in national security systems. Notably, the center may be disbanded after three years if justified by the NSA director, with a detailed report to Congress submitted six months prior to its termination.
“This NDAA is not just about one vector of attack. It really looks at everything that’s unfolded over the last year in cyber,” said Amit Elazari, cofounder and CEO of OpenPolicy, a D.C.-based policy intelligence and engagement firm.
One measure that renewed the State Department’s Global Engagement Center — the agency’s bureau for fighting foreign disinformation and propaganda — was left out of the NDAA but resurfaced in separate continuing resolution text released late Tuesday. GEC faced pushback from some GOP members who thought it contributed to the censorship of conservative viewpoints online.
Under that stopgap funding bill, GEC would be extended by an additional year.
“It won’t surprise anyone to hear that China and Russia tell big fat lies about America and our allies,” Mark Montgomery, senior director for the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said in a phone interview. “[GEC] is really necessary.”
The NDAA also did not include proposals pushed by civil liberties groups that asked the U.S. to clarify the scope and likely expansion of a controversial spying authority that allows the intelligence community to target foreigners abroad without a warrant. Also left out was a related measure that would have required more legal oversight of the court managing those foreign surveillance requests.
The absent measures centered on Section 702 of the Foreign Intelligence Surveillance Act, which was reauthorized in April. It is widely believed and has been reported that data centers were quietly added as authorized avenues for facilitating intelligence collection when the law was renewed.
Sen. Mark Warner, D-Va., who heads the upper chamber’s Intelligence Committee, sought to clarify the language this year, but fellow lawmakers reportedly disagreed over whether to proceed.
“It’s disappointing that despite promises made during reauthorization of 702 to address the concerns raised that the expanded definition of electronic communication service provider is ripe for abuse, Congress failed to do so,” Kia Hamadanchy, senior policy counsel at the ACLU, said in a text message to Nextgov/FCW.