FBI, CISA Warn Of Risks Posed By Chinese-Made Drones

fbi cisa warn of risks posed by chinese made drones
A new DJI Mavic Zoom drone flies during a product launch event at the Brooklyn Navy Yard in New York City on Aug. 23, 2018. (Drew Angerer/Getty Images)

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a new memo and report on Wednesday, warning U.S. owners and operators of critical infrastructures not to use Chinese-manufactured unmanned aircraft systems (UAS) due to security risks.

Our nation’s critical infrastructure sectors, such as energy, chemical and communications, are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve staff safety,” said David Mussington, executive assistant director for CISA’s Infrastructure Security, in a memo that accompanied the report, titled “Cybersecurity Guidance: Chinese-Manufactured UAS.”

“However, the use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety.”

Mr. Mussington added that “urgent attention” must be paid to “China’s aggressive cyber operations to steal intellectual property and sensitive data from organizations.”

Chinese-made drones have long been a concern in the United States, particularly those made by China-based Da Jiang Innovations (DJI), the world’s largest manufacturer of commercial drones. In December 2020, the Commerce Department added DJI to its export control list for being complicit in the Chinese regime’s human rights abuses. Two years later, the Pentagon added DJI to its list of “Chinese military companies.”

The report does not mention DJI or other Chinese UAS manufacturers by name.

Chinese Laws

However, it highlights the risks associated with using Chinese-made drones by pointing to different Chinese laws, including the National Intelligence Law that went into effect in 2017, which compels Chinese companies to hand over data collected within China and elsewhere to Beijing’s intelligence agencies.

“The 2021 Data Security Law expands the PRC’s access to and control of companies and data within China and imposes strict penalties on China-based businesses for non-compliance,” the report says, referring to China’s official name, the People’s Republic of China.

The 2021 Cyber Vulnerability Reporting Law requires Chinese-based companies to disclose cyber vulnerabilities found in their systems or software to PRC authorities prior to any public disclosure or sharing overseas,” the report adds.

“This may provide PRC authorities the opportunity to exploit system flaws before cyber vulnerabilities are publicly known.”

The report points out three major vulnerabilities that Chinese-made drones can exploit: data transfer and collection, patching and firmware updates, and a broader surface for data collection. Drones controlled by smartphones and other internet-of-things devices could allow foreign intelligence gathering on U.S. critical infrastructure.

Sensitive imagery, surveying data, and facility layouts are some of the vulnerable data that “allow foreign adversaries like the PRC access to previously inaccessible intelligence,” according to the report.

“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” said Bryan Vorndran, assistant director of the FBI’s Cyber Division, in a statement.

The memo encourages owners and operators of U.S. critical infrastructures to buy drones that are “secure-by-design,” including those made by U.S. companies. The report provides several cybersecurity recommendations.

Responses

Rep. Elise Stefanik (R-N.Y.), chairwoman of the House Republican Conference, and Rep. Mike Gallagher (R-Wis.), chairman of the House Select Committee on the Chinese Communist Party (CCP), issued a joint statement in response to the report.

The new Cybersecurity and Infrastructure Security Agency report makes clear that Communist Chinese drones present a legitimate national security risk to our critical infrastructure and must be banned from the U.S.,” the two lawmakers stated.

“The CCP has subsidized drone companies such as DJI and Autel in order to destroy American competition and spy on America’s critical infrastructure sites. We must ban CCP-backed spy drones from America and work to bolster the U.S. drone industry,” they added.

Last November, a bipartisan group of 11 House lawmakers, including Mr. Gallagher and Ms. Stefanik, sent a letter to the Biden administration, calling for an investigation into Chinese drone maker Autel Robotics, citing national security concerns. The group said the firm is openly affiliated with the Chinese military and “poses a direct threat to U.S. national security as local law enforcement and state and local governments are purchasing and operating Autel drones.”

Mr. Gallagher and Ms. Stefanik also introduced the Countering CCP Drones Act (H.R.2864) last April to prevent DJI technologies from operating on U.S. communication infrastructure.

Sen. Mark Warner (D-Va.), chairman of the Senate Intelligence Committee, advised people interested in purchasing Chinese-made drones to read the security report.

“For years, I’ve been concerned about the security risks associated with drones, including those made in the PRC. This memo represents a good first step to studying that, and I hope anyone considering purchasing a Chinese drone reads it carefully,” Mr. Warner wrote in a post on X, formerly Twitter.

Authored by Frank Fang via The Epoch Times January 19th 2024