The Ongoing Concerns
Chinese-made drones 'continue to pose a significant risk to critical infrastructure and US national security' and companies should be wary of using them, the FBI and Cybersecurity and Infrastructure Security Agency warned in a new memo issued Wednesday.
The warning comes as the US has been working to defend against Chinese targeting of US critical infrastructure organizations, which Chinese hackers have been actively attempting to spy on since 2021, CNN previously reported. Organizations targeted by the hackers cover the maritime, transportation, communications, utility and government sectors, among others.
'Our nation’s critical infrastructure sectors, such as energy, chemical and communications, are increasingly relying on [unmanned aerial systems] for various missions that ultimately reduce operating costs and improve staff safety,' said CISA Executive Assistant Director for Infrastructure Security Dr. David Mussington in a statement.
The Department of Homeland Security has been warning about the risks posed by Chinese-made drones, which dominate the global market for commercial drones, for years. In 2019, DHS said in an alert that the drones may be sending sensitive flight data to their manufacturers in China, where it can be accessed by the government there, CNN reported at the time.
And in 2017, the US Army banned the use of drones made by DJI – the leading manufacturer of drones used in the US and Canada – alleging in a memo that the company shared critical infrastructure and law enforcement data with the Chinese government.
DJI denied those accusations at the time, saying that 'at DJI, safety is at the core of everything we do, and the security of our technology has been independently verified by the U.S. government and leading U.S. businesses.'
The Data Security Law
Wednesday’s memo points to laws passed by the Chinese government since 2015 that require Chinese companies, including Chinese-owned drone manufacturers, to provide the government with access to data collected within China and around the world.
'The 2021 Data Security Law expands the PRC’s access to and control of companies and data within China and imposes strict penalties on China-based businesses for non-compliance,' the memo says, using an acronym for the People’s Republic of China.
'The data collected by such companies is essential to the PRC’s Military-Civil Fusion strategy, which seeks to gain a strategic advantage over the United States by facilitating access to advanced technologies and expertise,' it adds.
Brian Harrell, who served as assistant director for infrastructure security at DHS from 2018 to 2020, told CNN the new guidance 'is an important update given that we still have law enforcement agencies and critical infrastructure operators using these risky tools.'
Mitigating the Risks
CISA and the FBI rightly point out the risk, and more importantly, how to mitigate these known cyber risks. It’s clear that the United States government has deemed Chinese-made drones a threat to security as China’s dominance of the electronics supply chain, including drones, is harming U.S. national security interests.