FBI, CISA Warn of Risks Posed by Chinese-Made Drones

‘The CCP has subsidized drone companies such as DJI and Autel in order to destroy American competition and spy on America’s critical infrastructure sites.’

U.S. owners and operators of critical infrastructure are being warned not to use Chinese-made unmanned aircraft systems (UAS) due to security risks, in a memo and report issued on Jan. 17 by the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

“Our nation’s critical infrastructure sectors, such as energy, chemical and communications, are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve staff safety,” David Mussington, executive assistant director for CISA’s Infrastructure Security, said in a memo that accompanied the report, titled “Cybersecurity Guidance: Chinese-Manufactured UAS.”

“However, the use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety.”

“Urgent attention” must be paid to “China’s aggressive cyber operations to steal intellectual property and sensitive data from organizations,” Mr. Mussington added.

Chinese-made drones have long been a concern in the United States, particularly those made by China-based Da Jiang Innovations (DJI), which is the world’s largest manufacturer of commercial drones. In December 2020, the Commerce Department added DJI to its export control list for being complicit in the Chinese regime’s human rights abuses. Two years later, the Pentagon added DJI to its list of “Chinese military companies” that are operating directly or indirectly in the United States.

The FBI–CISA report doesn’t mention DJI or other Chinese UAS makers by name.

Chinese Laws

However, it highlights the risks associated with using Chinese-made drones by pointing to different Chinese laws, including the National Intelligence Law that took effect in 2017, which compels Chinese companies to hand over data collected within China and elsewhere to Beijing’s intelligence agencies.

“The 2021 Data Security Law expands the PRC’s access to and control of companies and data within China and imposes strict penalties on China-based businesses for non-compliance,” the report says, referring to China’s official name, the People’s Republic of China.

“The 2021 Cyber Vulnerability Reporting Law requires Chinese-based companies to disclose cyber vulnerabilities found in their systems or software to PRC authorities prior to any public disclosure or sharing overseas,” the report adds.

“This may provide PRC authorities the opportunity to exploit system flaws before cyber vulnerabilities are publicly known.”

The report points out three major vulnerabilities that Chinese-made drones can exploit: data transfer and collection, patching and firmware updates, and a broader surface for data collection. Drones controlled by smartphones and other internet-of-things devices could allow foreign intelligence gathering on U.S. critical infrastructure.

Sensitive imagery, surveying data, and facility layouts are some of the vulnerable data that “allow foreign adversaries like the PRC access to previously inaccessible intelligence,” according to the report.

“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, said in a statement.

The memo encourages owners and operators of U.S. critical infrastructure to buy drones that are “secure-by-design,” including those made by U.S. companies. The report provides several cybersecurity recommendations.

Responses

Rep. Elise Stefanik (R-N.Y.), chairwoman of the House Republican Conference, and Rep. Mike Gallagher (R-Wis.), chairman of the House Select Committee on the Chinese Communist Party (CCP), issued a joint statement in response to the report.

“The new Cybersecurity and Infrastructure Security Agency report makes clear that Communist Chinese drones present a legitimate national security risk to our critical infrastructure and must be banned from the U.S.,” the lawmakers stated.

“The CCP has subsidized drone companies such as DJI and Autel in order to destroy American competition and spy on America’s critical infrastructure sites. We must ban CCP-backed spy drones from America and work to bolster the U.S. drone industry.”

Last November, a bipartisan group of 11 House lawmakers, including Mr. Gallagher and Ms. Stefanik, sent a letter to the Biden administration, calling for an investigation into Chinese drone maker Autel Robotics, citing national security concerns. The group said the firm is openly affiliated with the Chinese military and “poses a direct threat to U.S. national security as local law enforcement and state and local governments are purchasing and operating Autel drones.”

Mr. Gallagher and Ms. Stefanik also introduced the Countering CCP Drones Act (H.R.2864) in April 2023 to prevent DJI technologies from operating on U.S. communication infrastructure.

Sen. Mark Warner (D-Va.), chairman of the Senate Intelligence Committee, advised people interested in purchasing Chinese-made drones to read the security report.

“For years, I’ve been concerned about the security risks associated with drones, including those made in the PRC,” he wrote in a post on X, formerly Twitter. “This memo represents a good first step to studying that, and I hope anyone considering purchasing a Chinese drone reads it carefully.”

 

Read More

Leave a Reply