I read through the July 1st, 2025 draft of the Big Beautiful Bill to learn how it affects the cybersecurity industry.
The Federal Government of the United States is the largest player in the cybersecurity space. The Feds are the largest consumer of cybersecurity services, likely the largest producer of cybersecurity intelligence, and nurture the educational pipelines that feed into the cybersecurity industry.
If you are a hacker or work in the cybersecurity industry, you need to understand where the Feds' priorities are.
It looks like the Big Beautiful Bill, Congress's budget for fiscal year 2026 starting in September, is going to pass. Everyone knows that this bill has been a shitshow, with Fox's own polling from the middle of July showing that 60% of voters oppose the BBB and 49% believe it will hurt their family. This was before the recent media frenzy surrounding the bill. This bill increases tax burdens on lower-income households and will add multiple trillions to the deficit, despite campaign promises to do the opposite.
Here are the sections of the Big Beautiful Bill I think my fellow hackers should know about:
The Big Beautiful Bill for Hackers
Section 20005 - DoD Scaling Low-Cost Weapons into Production
(1) $25,000,000 for the Office of Strategic Capital Global Technology Scout program;
(6) $50,000,000 for the creation of additional Defense Innovation Unit OnRamp Hubs;
(16) $1,000,000,000 for the expansion of programs to accelerate the procurement and fielding of innovative technologies;
(30) $90,000,000 for APEX Accelerators, the Mentor-Protege Program, and cybersecurity support to small non-traditional contractors;
These line items allocate funds to incentivize the creation and support of smaller, scrappier contractor startups to compete with the lumbering defense prime juggernauts. There are resources available to you if you want to start a federal contracting company.
(21) $124,000,000 for improvements to Test Resource Management Center artificial intelligence capabilities;
(22) $145,000,000 for the development of artificial intelligence to enable one-way attack unmanned aerial systems and naval systems;
(24) $250,000,000 for the advancement of the artificial intelligence ecosystem;
The keyword "artificial intelligence" appears 18 times in the bill, showing that Congress has demonstrated a willingness to integrate this new technology into the federal government on the scale of billions of dollars across multiple sections. If you can work with AI, some of that money can be yours.
(29) $1,685,000,000 for military cryptographic modernization activities;
While opaque, I would guess this massive amount of money is allocated to preparing for a post-quantum world by ripping and replacing vulnerable encryption implementations with quantum-safe algorithms. For reference, the bill sets aside $4.6 billion for a new Virginia-class submarine, meaning that the DoD is effectively sacrificing their ability to build a third of the most powerful submarine on the planet to protect against quantum-based cryptographic attacks.
Section 20006 - Enhancement of Department of Defense Resources for Improving the Efficiency and Cybersecurity of the Department of Defense
Line item 4 allocates $20 million to DARPA for cyber-related programs.
(4) $20,000,000 for defense cybersecurity programs of the Defense Advanced Research Projects Agency.
Remember that DARPA specializes in "high-risk, high-reward" basic and applied research, and has done foundational research on everything from the semiconductor to the Tor Network. My favorite of their unclassified projects is "TRanslating All C Code TO Rust", codenamed TRACTOR. Besides the charming name, if successful, this project could eliminate most memory safety vulnerabilities, which are notoriously difficult to track down.
I thought that this was a foolishly small amount to allocate to probably the most capable research agency in the US for a high-impact issue. It turns out that DARPA receives its funding from the DoD Research, Development, Test, and Evaluation (RDT&E) allocation, which is included in the presidential funding request, and thus would not be part of a Congressional budget. DARPA's budget has increased 10% to about $3.4 billion, so the $20 million allocated above is small potatoes.
Notably, this is the only mention of DARPA in the entire bill. If anyone has penetrated the shadow network of White House aides, I would like to track down which Congressman advocated for this. The bounty is a firm handshake and maybe a cheap steak dinner next time I’m in DC.
Section 20009 - DoD in Indo-Pacific Command
(16) $30,000,000 for surveillance and reconnaissance capabilities for United States Africa Command;
(17) $30,000,000 for surveillance and reconnaissance capabilities for United States Indo-Pacific Command;
(20) $1,000,000,000 for offensive cyber operations;
The US military splits up the world into different "commands", with INDOPACOM representing the forces "in charge of" the Indian and Pacific oceans.
Line items 16 and 17 fund the creation of Intelligence, Surveillance, and Reconnaissance capabilities in INDOPACOM and AFRICOM (which is responsible for the African side of the dicey Gulf of Aden). I would bet that the majority of this funding is allocated to either developing cybersecurity assets.
Line item 20 allocates $1 billion to offensive cyber operations in the region. INDOPACOM is home to Mainland China and North Korea, which are both adversarial nations with world-class cyber capabilities. To counter them, the US will need to further develop its own cybersecurity capability, both offensively and defensively.
The big story isn't the actual dollar amounts, it's the fact that INDOPACOM is the only command mentioned in the bill. Since Obama's second term, the executive branch has consistently signaled a shift from counterinsurgency in CENTCOM in the Middle East, to countering a powerful China in INDOPACOM. These congressmen do not want to be seen as perpetuating never-ending war in the Middle East. However, Congress has demonstrated a willingness to prepare for both cyber and conventional warfare with mainland China.
Section 40002 - Spectrum Auction
This section instructs the Department of Commerce to auction off 500 megahertz of frequency between 1.3 and 10.5 Gigahertz for commercial use at base station power levels. Licenses to transmit on certain frequencies are distributed by the FCC under the Department of Commerce. If you're a radio hacker like my friend Evan "sh0rtrange" Cook, then you might have a new section of the spectrum to play with.
Section 40011 - Rescission of funding to Public Wireless Supply Chain Innovation Fund
Of the unobligated balances of amounts made available under section 106(a) of the CHIPS Act of 2022 (Public Law 117-167; 136 Stat. 1392), $850,000,000 are permanently rescinded.
The Public Wireless Supply Chain Innovation Fund is funded by the bipartisan CHIPS Act, and encourages a more robust 5G equipment market through funding products that move away from a vendor-locked system to an Open Radio Access Network architecture. This way, smaller companies can compete with Huawei by selling individual components instead of an entire ecosystem.
This section removes a significant portion of that funding, which leads to a less competitive and Chinese-controlled 5G equipment sector. There is space for American companies to compete in this space given the right incentives.
Section 90004 - Border Security
(a) ... $6,168,000,000 for the following:
(a.1) Procurement and integration of new nonintrusive inspection equipment and associated civil works, including artificial intelligence, machine learning, and other innovative technologies, as well as other mission support, to combat the entry or exit of illicit narcotics at ports of entry and along the southwest, northern, and maritime borders.
...
(b) None of the funds made available under subsection (a) may be used for the procurement or deployment of surveillance towers along the southwest border and northern border that have not been tested and accepted by U.S. Customs and Border Protection to deliver autonomous capabilities.
This administration's primary talking point on the campaign trail was arguably border security. We see the commitment in ink here, as well as the pledge to use AI and ML to surveil our land and sea borders.
What is missing in the Big Beautiful Bill for Cybersecurity?
I would like to see more support for free streams of cyber intelligence sharing. CISA's Automated Indicator Sharing (AIS) hasn't achieved the critical mass of inbound intelligence to become useful yet. While CrowdStrike and SentinelOne provide excellent services, they are prohibitively expensive. Nurturing AIS would have outsized benefits in terms of preventing economic loss if other products can utilize the data it provides.
I would also like to see specific support of the educational pipelines that produce cybersecurity professionals. With the administration's hostility to both skilled and unskilled immigration, the gap between cybersecurity roles and personnel will only ever increase. If this administration is set on decreasing skilled immigration (which admittedly is an issue it flip-flops on every few months), then we need to compensate by strengthening our homegrown talent pool. The only CTF held by the Department of Defense is actually held by a contractor that does recruiting for the DoD.
Frankly, I expected there to be more cuts to federal cybersecurity services, but either those aren't happening, or they're not apparent in this bill.
🦅🇺🇸🎇HAPPY FOURTH Y’ALL🎇🇺🇸🦅
Music I listened to this week
In America - The Charlie Daniels Band
Akhasmak Ah - Nancy Ajram
Aerodynamic - Daft Punk
Lockjaw - King Geedorah
Really well said!
Great post, as per usual from your substack. I'm interested to see how AI/ML usage at the border will play out. I'm glad that the current administration is investing into cybersecurity, but I agree that cultivating homegrown talent is a crucial part of a cyber-strong nation. Hopefully more efforts are led to train/recruit the next generation of personnel who will keep our country safe, as well as staffing increases at relevant agencies.