CISA, FBI warn on risks of China-made drones

A DJI drone at the Chongqing International Expo Center in Chongqing, China in September, 2023. U.S. policymakers are alerting critical infrastructure owners about potential risks posed by drones manufactured in China. Costfoto/NurPhoto via Getty Images

The new guidance is meant to alert critical infrastructure operators to potential security risks, including data exfiltration and cybersecurity risks, posed by unmanned aircraft systems manufactured in China.

The FBI and the Cybersecurity and Infrastructure Security Agency issued new guidance on Wednesday, addressing security concerns surrounding Chinese-manufactured unmanned aircraft systems.

The agencies are warning owners and operators of critical infrastructure that Chinese-manufactured drones could surreptitiously collect data and images on critical infrastructure operations while providing a vector for cyber attacks. 

Cheap, Chinese-manufactured drones have proliferated in the U.S. market. Despite their availability, policymakers have long raised concerns about their potential to surveil Americans and threaten digital network security. One China-based company, Shenzhen DJI Innovation Technology Co., has an estimated 70% share of the U.S. market for industrial drones.

In March 2023, a bipartisan group of senators wrote to CISA Director Jen Easterly requesting the agency "revisit its analysis of the security risks posed by the use of DJI-manufactured drones." Some of those same lawmakers sponsored the American Security Drone Act of 2023, which prohibits, with limited exceptions, the acquisition and use of Chinese-made drones by federal agencies or their purchase with federal funds. That bill was incorporated into the FY2024 National Defense Authorization Act and was signed into law in late December.

The new alert doesn't mention DJI by name, but states that “the use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities, jeopardizing U.S. national security, economic security, and public health and safety.”

The guidance lists three major vulnerabilities open to exploitation by UAS: data transfer and collection, patching and firmware updates, and a broader surface for data collection. Drones capable of taking advantage of software vulnerabilities can be controlled by smartphones or other internet of things devices. Sensitive imagery, surveying data and facility layouts are all potentially vulnerable, according to the alert.

“The use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety,” CISA Executive Assistant Director for Infrastructure Security David Mussington said in a statement. “We encourage any organization procuring and operating UAS to review the guidance and take action to mitigate risk.”