Industry’s growing reliance on China-made drones poses a “significant risk” to critical U.S. infrastructure, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) have warned.
The two agencies issued joint guidance (PDF) on Jan. 17 urging organizations to only procure drones – or unmanned aircraft systems (UAS), as the document refers to them – that adhered to secure-by-design principles and were made in the U.S.
The use of drones has proved to be an effective way to reduce costs and improve staff safety across critical industry sectors, including energy, chemical and communications.
But David Mussington, CISA executive assistant director for infrastructure security, said the use of Chinese-manufactured drones risked exposing sensitive information that could jeopardize U.S. national security, economic security, and public health and safety.
That was because China has enacted laws that gave its government expanded powers to access and control data held by the country’s businesses, including drone manufacturers.
“One of these laws, the PRC’s (People’s Republic of China’s) 2017 National Intelligence Law, compels Chinese companies to cooperate with state intelligence services, including providing access to data collected within China and around the world,” the CISA/FBI guidance stated.
It said prominent China-owned drone manufacturers operating in the U.S. and identified by the Department of Defense as “Chinese military companies” were included within the scope of the National Intelligence Law.
“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” Bryan Vorndran, assistant director of the FBI’s cyber division, said in a statement.
The CISA/FBI guidance comes 10 months after a bipartisan group of 16 senators wrote to CISA asking the agency to reevaluate the cybersecurity risks of consumer drones manufactured by Shenzhen DJI Innovation Technology, a Chinese company that dominated the U.S. drone market in 2021.
It had been alleged that DJI has deep connections with the Chinese Communist Party (CCP) and could present a risk to U.S. critical infrastructure, the senators said in the letter to CISA Director Jen Easterly.
“[T]he widespread use of DJI drones to inspect critical infrastructure allows the CCP to develop a richly detailed, regularly updated picture of our nation’s pipelines, railways, power generation facilities, and waterways,” they wrote.
“This sensitive information on the layout, operation, and maintenance of U.S. critical infrastructure could better enable targeting efforts in the event of conflict.”
In a UAS resources page on its website, CISA said projections from the Federal Aviation Administration (FAA) showed the U.S. commercial drone fleet was expected to grow from 277,000 in 2018 to 835,000 in 2023.
“As a result, potential threats associated with UAS will continue to expand in nature and increase in volume in the coming years. Because of their physical and operational characteristics, UAS can often evade detection and create challenges for the critical infrastructure community,” the agency said.
As well as urging organizations to shun Chinese-made devices, CISA and the FBI’s guidance offered a range of suggestions for mitigating the security risks associated with industrial drones. These included reviewing the privacy policy to understand where drone data was being stored and shared, ensuring firmware patches and updates were installed, but only from a reputable source, and not leaving collected data stored on the drone.