Chinese Drones Pose Significant National Security Risk, Warns FBI and CISA

In a joint advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned on Wednesday about the considerable risks associated with using Chinese-made drones. The memo emphasized the continued threat these drones pose to critical infrastructure and U.S. national security. This advisory comes amid ongoing efforts to safeguard against Chinese cyber attacks targeting crucial sectors such as maritime, transportation, communications, utility, and government, as reported by CNN in 2021.

Chinese Laws Raise Concerns Over Data Access

The advisory points to Chinese laws enacted since 2015 that compel Chinese companies, including drone manufacturers, to grant the government access to collected data both within China and globally. Specifically, the 2021 Data Security Law broadens China’s access to and control of companies and data, aligning with the Military-Civil Fusion strategy. This strategy aims to give China a strategic advantage over the U.S. by gaining access to advanced technologies and expertise.

Historical Context: DHS Warnings and Previous Bans

The Department of Homeland Security (DHS) has long cautioned about the risks associated with Chinese-made drones dominating the global market. In 2019, DHS expressed concerns about potential data transmission to the Chinese government, and in 2017, the U.S. Army banned the use of Chinese-made DJI drones, the leading manufacturer in the U.S. and Canada. Despite DJI’s denial of sharing critical data with the Chinese government, the FBI and CISA underscore the continued threat these drones pose.

Recent Legislative Action and Industry Concerns

In March 2023, a bipartisan group of senators requested CISA to reassess the security risks of DJI-manufactured drones. This call led to the American Security Drone Act of 2023, prohibiting the acquisition and use of Chinese-made drones by federal agencies, now part of the FY2024 National Defense Authorization Act. The advisory does not name DJI explicitly but highlights the risks associated with Chinese-manufactured unmanned aircraft systems in critical infrastructure operations.

Vulnerabilities and Mitigation Measures

The advisory outlines three major vulnerabilities in Chinese-made drones: data transfer and collection, patching and firmware updates, and an expanded surface for data collection. It emphasizes the potential exploitation of software vulnerabilities, enabling unauthorized access to sensitive information, including imagery, surveying data, and facility layouts. CISA Executive Assistant Director Dr. David Mussington urges organizations to review the guidance and take action to mitigate these risks.

National Security Concerns Acknowledged

FBI and CISA officials acknowledge the direct threat Chinese-made drones pose to national security. Without proper mitigations, the widespread deployment of these drones in critical sectors raises the risk of unauthorized access to systems and data. The advisory emphasizes the need for a comprehensive cybersecurity structure for drones, including creating separate networks, adopting a zero-trust framework, and implementing secure data-at-rest and data-in-transit procedures.

Safeguarding Critical Infrastructure

In conclusion, the FBI and CISA’s joint advisory serves as a critical update, addressing the ongoing use of Chinese-made drones in law enforcement agencies and essential operations of infrastructure. As the U.S. government identifies Chinese-made drones as a threat to national security, the guidance emphasizes securing all unmanned aircraft systems. It underscores the broader implications beyond Chinese-manufactured drones. It urges organizations to adopt secure-by-design principles and implement robust cybersecurity measures to safeguard critical infrastructure.