U.S. owners and operators of critical infrastructures that use drones in their operations should purchase “secure-by-design” unmanned aircraft from approved domestic vendors and not use Chinese-made drones due to security risks, the Department of Homeland Security and FBI warned on Wednesday.

Chinese laws enable the People's Republic of China (PRC) to collect data held by, and obtained through, Chinese companies, including drone manufacturers, says a new interagency guidance document published by the DHS Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. This data collection is one way the PRC works to benefit its military and its companies to the detriment of the U.S., the agencies say.

“The data collected by such companies is essential to the PRC’s Military-Civil Fusion strategy, which seeks to gain a strategic advantage over the United States by facilitating access to advanced technologies and expertise,” the agencies say in Cybersecurity Guidance: Chinese-Manufactured UAS.

The guidance points to several paths of potential compromise using Chinese drones, including during data transfer when an unmanned aircraft system (UAS) is controlled by a smartphone or other internet-connected devices, when software is patched and the update is controlled by a Chinese entity, and using related equipment such as docking stations that are part of the UAS network.

Potential consequences of data theft by China via Chinese drones include exposure of intellectual property, details on critical infrastructure operations and vulnerabilities, awareness of cybersecurity and physical security vulnerabilities, and network details that improve the PRC’s ability to conduct cyber-attacks.

The guidance recommends that critical infrastructures consult the U.S. Defense Department’s Blue UAS list, which is maintained by the Defense Innovation Unit and includes 14 companies and 24 drones that are compliant with federal cybersecurity policies.

The agencies also make four recommendations for UAS cybersecurity: purchasing drones that are secure-by-design, creating a cybersecurity program for an organization's drone network, regularly updating the drone systems and conducting training on security controls, and conducting operations in line with security policies.

China's DJI is the world's largest manufacturer of small drones, and the company holds the lion's share of the U.S. market. Congressional and federal policies prohibit the use of Chinese-made drones by government agencies without a waiver, but these directives do not extend to the private sector.

“Our nation’s critical infrastructure sectors, such as energy, chemical and communications, are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve safety,” David Mussington, CISA’s executive assistant director for infrastructure security, said in a statement. “However, the use of Chinese-manufactured UAS risk exposing sensitive information that jeopardizes relying on UAS for various missions that ultimately reduce operating costs and improve staff safety. With our FBI partners, CISA continues to call urgent attention to China’s aggressive cyber operations to steal intellectual property and sensitive data from organizations.”