FBI, DHS Warn U.S. Firms of Cyber Threats from Chinese Drones
A report from the FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA) lays out the vulnerabilities and consequences of leaving the aircraft unchecked.
Another week, another push by the U.S. government to diminish the dominance of Chinese drones.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) this week released a report highlighting the threats posed by Chinese manufacturers of uncrewed aircraft systems (UAS)—including DJI, which accounts for an estimated 7 in 10 global sales of consumer drones.
The report, titled “Cybersecurity Guidance: Chinese-Manufactured UAS,” holds no legal standing but recommends critical infrastructure and cybersecurity safeguards to American firms at the state, local, tribal, and territorial levels. Its publication comes after 16 lawmakers wrote to CISA Director Jen Easterly in March, requesting an investigation and report on DJI’s U.S. activity—and the security risks it may raise.
“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” said Bryan Vorndran, assistant director of the FBI’s cyber division. “The FBI and our CISA partners have issued UAS guidance in order to help safeguard our critical infrastructure and reduce the risk for all of us.”
The FBI and CISA contend People’s Republic of China (PRC) laws expand the government’s legal grounds to access and control data held by Chinese firms. Chinese-made UAS are frequently used in U.S. critical infrastructure operations, which could expose sensitive information to the PRC, the agencies claim.
The report further lays out the vulnerabilities and consequences for U.S. drone firms operating without the proper cybersecurity protocols. The fear is that widely used strategies are inadequate, giving China access to key data that could support its aims—and decimate U.S. national and economic security.
“Our nation’s critical infrastructure sectors, such as energy, chemical, and communications, are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve staff safety,” said Dr. David Mussington, executive assistant director for infrastructure security at CISA. “However, the use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety.”
The report comes amid a wave of bans targeting Chinese drone manufacturers. U.S. lawmakers have referred to the aircraft as “TikTok with wings,” in reference to the alleged spying taking place on the popular, China-owned social media platform.
Despite China’s decision to curb drone exports amid escalating tension in Russia and Ukraine, lawmakers are still wary of DJI and others. One provision made it into the recently approved defense policy bill, banning the procurement and use of China- and Russia-made drones at the federal level. Another bill, introduced by Representatives Elise Stefanik (R-N.Y.) and Mike Gallagher (R-Wis.), proposes restrictions at state and local levels.
“The new CISA report makes clear that Communist Chinese drones present a legitimate national security risk to our critical infrastructure and must be banned from the U.S.,” Stefanik and Gallagher said in a joint statement on Wednesday. “The [Chinese Communist Party] has subsidized drone companies such as DJI and Autel in order to destroy American competition and spy on America’s critical infrastructure sites. We must ban CCP-backed spy drones from America and work to bolster the U.S. drone industry.”
Like the lawmakers, the report does not provide hard evidence of espionage. Rather, it outlines the conditions in China and the U.S. that could allow the PRC to acquire sensitive data.
Stefanik and Gallagher were not alone in their praise. The Association for Uncrewed Vehicle Systems International (AUVSI), a global UAS industry trade group, also applauded the report, challenging Congress to end China’s “monopolistic control” of the U.S. market in favor of domestic manufacturers.
“China's dominance of the global drone market poses a multitude of challenges for the U.S., and the CISA and FBI warning affirms the threat PRC drones present to our national security,” said Michael Robbins, chief advocacy officer of AUVSI. “As CISA and the FBI noted in their memo [Wednesday], in the interest of national security, organizations collecting sensitive information, including critical infrastructure owners and operators, must shift away from unsecure PRC drones and reliance on foreign supply chains.”
The report’s release comes less than one week after DJI launched global sales of its first delivery drone, unveiled in August. Some observers worry the aircraft—which is more powerful than the company’s consumer drones—could be modified for war, as has been the case in Eastern Europe and the Middle East.
Threat and Mitigation
According to the FBI and CISA, any UAS can pose cybersecurity risks. But China’s laws give the country’s government expansive legal grounds to control data held by Chinese firms, they warn.
“The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities, jeopardizing U.S. national security, economic security, and public health and safety,” the agencies wrote.
A 2017 law, for example, requires Chinese companies to cooperate with state intelligence services and share data collected domestically and abroad. These include firms identified by the U.S. as “Chinese military companies,” such as DJI.
The PRC’s 2021 Data Security Law expanded government control over companies and data within China, with strict penalties for noncompliance. Data collected under the policy is essential to China’s Military-Civil Fusion strategy, the FBI and CISA said. The strategy aims to usurp the United States’ strategic advantage by providing access to advanced technology and expertise.
Another 2021 law requires Chinese firms to disclose cyber vulnerabilities discovered in their systems to the PRC before sharing them publicly or overseas. This, the agencies maintain, may provide the opportunity for China to exploit system flaws before they are widely known.
The FBI and CISA argue that each UAS adds a node that could be the target of a cyberattack. These could take the form of data transfer and collection via internet-connected devices such as cellphones, patching or firmware updates, or even downloads through other systems in the network, such as docking stations.
The attacks, according to the agencies, could expose U.S. intellectual property to Chinese companies, reveal details and vulnerabilities of critical infrastructure, or lead to theft or sabotage. This could allow the PRC to undermine the competitive advantage of American firms or disrupt key U.S. services, for example.
To mitigate these threats, the FBI and CISA recommend U.S. public and private companies procure only UAS that adhere to CISA’s secure-by-design principles. These call for drones to be built in a way that protects against malicious cyberattacks. The agencies also encouraged firms to consult the Department of Defense’s Blue UAS Cleared List, which lists drones that comply with U.S. federal cybersecurity policies.
Beyond those recommendations, the report suggests using multifactor authentication or isolated networks to limit breaches, or contain them to one part of the organization. Firms should also research their manufacturers and supply chain providers, as well as the laws to which they are subjected. Software should be updated regularly, and data should be encrypted and deleted from the UAS once transferred and stored.
The Outlook
It’s important to note that the FBI and CISA guidance is just that: guidance. The report won’t have any direct effect on U.S. policy regarding Chinese drone manufacturers. But it could sour the opinions that lawmakers and operators hold of DJI and other foreign manufacturers.
In the U.S., there is already a sizable faction of lawmakers and citizens who fear spying by Chinese drones, as evidenced by the myriad proposals to ban the aircraft. Companies are also somewhat split. Some share the above concerns. Most, though, continue to use the drones because they are often cheaper than American-made alternatives, which has kept DJI’s market share robust.
Detractors of the proposed bans worry that restricting Chinese drones is hasty and shortsighted. The argument is that U.S. customers will be forced to buy more expensive, domestically produced UAS, which could price some of them out. Switching to American-made aircraft would require training on new systems. It could also hamper the quality of the tech—DJI drones are considered by many to be the best available.
In short, the U.S. faces a dilemma. If the threats from Chinese-made UAS are real, lawmakers have a duty to protect the American public. But either way, banning the drones will likely create a few unhappy customers. The government will need to decide if the tradeoffs are worth it.