The annual defense policy bill signed by President Joe Biden Monday evening allocates $3 billion to help telecom firms remove and replace insecure equipment in response to recent incursions by Chinese-linked hackers.
The fiscal 2025 National Defense Authorization Act outlines Pentagon policy and military budget priorities for the year and also includes non-defense measures added as Congress wrapped up its work in December. The $895 billion spending blueprint passed the Senate and House with broad bipartisan support.
The $3 billion would go to a Federal Communications Commission program, commonly called “rip and replace,” to get rid of Chinese networking equipment due to national security concerns.
The effort was created in 2020 to junk equipment made by telecom giant Huawei. It had an initial investment of $1.9 billion, roughly $3 billion shy of what experts said was needed to cauterize the potential vulnerability.
Calls to replenish the fund have increased recently in the wake of two hacking campaigns by China, dubbed Volt Typhoon and Salt Typhoon, that saw hackers insert malicious code in U.S. infrastructure and break into at least eight telecom firms.
Cyber Force and JFHQ-DODIN measures
The bill also includes a watered-down requirement for the Defense Department to tap an independent third party to study the feasibility of creating a U.S. Cyber Force, along with an “evaluation of alternative organizational models for the cyber forces” of the military branches.
The final compromise measure gives no deadline for the report and scraps nearly all of the language approved earlier this year by the House and Senate that called for a study focused squarely on a new digital military service, a win for the Pentagon, which lobbied against the provision.
The NDAA will make Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN), responsible for defending the Pentagon’s networks worldwide, a “subordinate unified command” beneath U.S. Cyber Command. The move puts the organization on par with the more offensive-minded Cyber National Mission Force, which received a promotion in 2022.
Negotiators on the legislation rejected a DOD request to axe that proposal.
And this year’s NDAA features a provision to create a DOD hackathon program where events would be held four times a year.
Intelligence bill added without FISA fix
As has become something of a tradition in recent years, the annual intelligence bill hitched a ride on the NDAA.
A Senate provision meant to rein in a surveillance law passed earlier this year was left on the cutting room floor.
That chamber’s version of the legislation would have amended the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA) by solidifying the definition of “electronic communication service providers” (ECSP) that can be compelled to furnish information to the government.
The House draft of the NDAA didn’t include the fix, and the issue wasn’t reconciled behind closed doors due to resistance from House Republicans, according to multiple congressional sources. The New York Times first reported the omission.
The measure also directs the secretary of state and the director of national intelligence to designate ransomware threats to U.S. critical infrastructure and lists over a dozen notorious criminal groups — including LockBit, Conti and REvil — as “hostile foreign cyber actors.”
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.