Chinese-made drones “continue to pose a significant risk to critical infrastructure and US national security” and companies should be wary of using them, the FBI and Cybersecurity and Infrastructure Security Agency warned in a new memo issued Wednesday.
The warning comes as the US has been working to defend against Chinese targeting of US critical infrastructure organizations, which Chinese hackers have been actively attempting to spy on since 2021. Organizations targeted by the hackers cover the maritime, transportation, communications, utility and government sectors, among others.
“Our nation’s critical infrastructure sectors, such as energy, chemical and communications, are increasingly relying on [unmanned aerial systems] for various missions that ultimately reduce operating costs and improve staff safety,” said CISA Executive Assistant Director for Infrastructure Security Dr. David Mussington in a statement. “However, the use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety.”
Cheap, Chinese-manufactured drones have proliferated in the U.S. market. Despite their availability, policymakers have long raised concerns about their potential to surveil Americans and threaten digital network security. One China-based company, Shenzhen DJI Innovation Technology Co., has an estimated 70% share of the U.S. market for industrial drones.
In March 2023, a bipartisan group of senators wrote to CISA Director Jen Easterly requesting the agency “revisit its analysis of the security risks posed by the use of DJI-manufactured drones.” Some of those same lawmakers sponsored the American Security Drone Act of 2023, which prohibits, with limited exceptions, the acquisition and use of Chinese-made drones by federal agencies or their purchase with federal funds. That bill was incorporated into the FY2024 National Defense Authorization Act and was signed into law in late December.
The new alert doesn’t mention DJI by name, but states that “the use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities, jeopardizing U.S. national security, economic security, and public health and safety.”
Wednesday’s memo points to laws passed by the Chinese government since 2015 that require Chinese companies, including Chinese-owned drone manufacturers, to provide the government with access to data collected within China and around the world.
“The 2021 Data Security Law expands the PRC’s access to and control of companies and data within China and imposes strict penalties on China-based businesses for non-compliance,” the memo says, using an acronym for the People’s Republic of China. “The data collected by such companies is essential to the PRC’s Military-Civil Fusion strategy, which seeks to gain a strategic advantage over the United States by facilitating access to advanced technologies and expertise,” it adds.
The Department of Homeland Security has been warning about the risks posed by Chinese-made drones, which dominate the global market for commercial drones, for years. In 2019, DHS said in an alert that the drones may be sending sensitive flight data to their manufacturers in China, where it can be accessed by the government there, CNN reported at the time.
And in 2017, the US Army banned the use of Chinese-made DJI drones – the leading manufacturer of drones used in the US and Canada – alleging in a memo that the company shared critical infrastructure and law enforcement data with the Chinese government.
DJI denied those accusations at the time, saying that “at DJI, safety is at the core of everything we do, and the security of our technology has been independently verified by the U.S. government and leading U.S. businesses.”
The guidance lists three major areas of vulnerability for UAS: data transfer and collection, patching and firmware updates, and a broader surface for data collection. Drones can be controlled from smartphones or other internet of things devices, which widens their exposure to software vulnerabilities. Sensitive imagery, surveying data and facility layouts are all potentially exposed, according to the alert.
“The use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety,” CISA Executive Assistant Director for Infrastructure Security David Mussington said in a statement. “We encourage any organization procuring and operating UAS to review the guidance and take action to mitigate risk.”
Brian Harrell, who served as assistant director for infrastructure security at DHS from 2018 to 2020, told CNN the new guidance “is an important update given that we still have law enforcement agencies and critical infrastructure operators using these risky tools.”
“This is not the boogeyman – we’ve seen these drones leak data overseas and it’s good to see government agencies call out the known threat,” he added. “CISA and the FBI rightly point out the risk, and more importantly, how to mitigate these known cyber risks. It’s clear that the United States government has deemed Chinese-made drones a threat to security as China’s dominance of the electronics supply chain, including drones, is harming U.S. national security interests.”
The full 4-page advisory can be accessed here.
More material from CISA on best practices and resources can be found here.