FBI and CISA warn of national security threat posed by Chinese drones
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned Wednesday that Chinese-made drones pose a “significant risk” to U.S. critical infrastructure and provided new guidance on how entities can better protect networks from their malicious use.
The public guidance highlights that Chinese law now gives its government “expanded legal grounds” for accessing data held by Chinese companies, making drones a potential direct channel to Beijing for sensitive information on U.S. vulnerabilities. It updates a prior CISA “for official use only” industry alert sent in 2019.
The Wednesday announcement follows a March appeal to CISA by a bipartisan group of senators, including Senate Intelligence Committee Chairman Mark Warner (D-VA), urging the agency to “revisit its analysis of the security risks” posed by the use of Chinese-manufactured drones and make the results of that analysis public.
The senators outlined how China’s Shenzhen DJI Innovation Technology is already benefiting from the increasing use of consumer drones across the U.S., citing 2021 reporting from Reuters showing that DJI boasted almost 90% of the consumer market for drones in North America and over 70% of the industrial market.
The senators’ letter pointed to a 2017 Department of Homeland Security assessment that a DJI drone used by a California vineyard owner allowed Chinese companies to better decide where to buy land.
A former CISA official, Brian Harrell, said the new public guidance from the FBI and CISA is an important update since law enforcement agencies and critical infrastructure operators are still using Chinese drones.
“This is not the boogeyman, as we’ve seen these drones leak data overseas, and it’s good to see government agencies call out the threat,” said Harrell, a former assistant secretary at the Department of Homeland Security who authored the 2019 alert. “It’s clear that the United States government has deemed Chinese-made drones a threat to national security.”
Drones have become popular with infrastructure and public safety organizations, Harrell said, especially as developments in what he called miniaturization have yielded smaller and cheaper drones without weakening their capabilities.
“China has moved to capitalize on the miniaturization movement and the demand for compact, economical, high-performance drones,” Harrell said.
He added that while drones provide data and imagery for important operational planning by critical infrastructure companies and other entities, that same value add makes them a potentially powerful tool for data exfiltration, espionage, and exploitation.
In their March letter, the senators told CISA Director Jen Easterly that the use of DJI drones could allow the Chinese government to “develop a richly detailed, regularly updated picture of our nation’s pipelines, railways, power generation facilities, and waterways,” allowing the Chinese to better target U.S. critical infrastructure.
FBI and CISA officials acknowledged that threat when announcing the new public guidance Wednesday.
“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS [unmanned aircraft systems] in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, said in a statement.
The new guidance is meant to “safeguard our critical infrastructure and reduce the risk for all of us,” Vorndran added.
Urging U.S. companies to follow “secure-by-design principles” even for drones manufactured domestically, the guidance made clear that the potential threat extends beyond Chinese-made drones.
Organizations must ensure they are using up-to-date patches and firmware and recognize that when they incorporate drones and docking stations into their networks “data collection and transmission of a broader type — for example, sensitive imagery, surveying data, facility layouts — increases,” the new guidance document said. That kind of data collection could give China “previously inaccessible intelligence.”
The guidance includes additional detailed instructions for how to mitigate the threat, including by:
- Placing drones in an organization-wide cybersecurity structure like all other Internet of Things (IoT) devices
- Creating separate networks to silo threats posed by drones
- Using a zero trust framework
- Understanding the nuances of how the drone works, such as how data is stored and secured
- Establishing a “vulnerability management program” to ensure security fixes are current
- Performing periodic “log analysis” to look for anomalies
- Using strong “data-at-rest and data-in-transit procedures” for encryption and storage
- Erasing collected data, imagery, GPS history and other data once it has been transferred
- Using a virtual private network (VPN) to establish a strong connection with the drone during operations
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.