FCC ‘rip and replace’ provision for Chinese tech tops cyber provisions in defense bill

The annual defense policy bill signed by President Joe Biden Monday evening allocates $3 billion to help telecom firms remove and replace insecure equipment in response to recent incursions by Chinese-linked hackers.

The fiscal 2025 National Defense Authorization Act outlines Pentagon policy and military budget priorities for the year and also includes non-defense measures added as Congress wrapped up its work in December. The $895 billion spending blueprint passed the Senate and House with broad bipartisan support.

The $3 billion would go to a Federal Communications Commission program, commonly called “rip and replace,” to get rid of Chinese networking equipment due to national security concerns.

The effort was created in 2020 to junk equipment made by telecom giant Huawei. It had an initial investment of $1.9 billion, roughly $3 billion shy of what experts said was needed to cauterize the potential vulnerability. 

Calls to replenish the fund have increased recently in the wake of two hacking campaigns by China, dubbed Volt Typhoon and Salt Typhoon, that saw hackers insert malicious code in U.S. infrastructure and break into at least eight telecom firms.

Cyber Force and JFHQ-DODIN measures

The bill also includes a watered-down requirement for the Defense Department to tap an independent third party to study the feasibility of creating a U.S. Cyber Force, along with an “evaluation of alternative organizational models for the cyber forces” of the military branches.

The final compromise measure gives no deadline for the report and scraps nearly all of the language approved earlier this year by the House and Senate that called for a study focused squarely on a new digital military service, a win for the Pentagon, which lobbied against the provision.

The NDAA will make Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN), responsible for defending the Pentagon’s networks worldwide, a “subordinate unified command” beneath U.S. Cyber Command. The move puts the organization on par with the more offensive-minded Cyber National Mission Force, which received a promotion in 2022.

Negotiators on the legislation rejected a DOD request to axe that proposal.

And this year’s NDAA features a provision to create a DOD hackathon program where events would be held four times a year.

Intelligence bill added without FISA fix

As has become something of a tradition in recent years, the annual intelligence bill hitched a ride on the NDAA. 

A Senate provision meant to rein in a surveillance law passed earlier this year was left on the cutting room floor. 

That chamber’s version of the legislation would have amended the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA) by solidifying the definition of “electronic communication service providers” (ECSP) that can be compelled to furnish information to the government.

The House draft of the NDAA didn’t include the fix, and the issue wasn’t reconciled behind closed doors due to resistance from House Republicans, according to multiple congressional sources. The New York Times first reported the omission.

The measure also directs the secretary of state and the director of national intelligence to designate ransomware threats to U.S. critical infrastructure and lists over a dozen notorious criminal groups — including LockBit, Conti and REvil — as “hostile foreign cyber actors.”


Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.
