FBI and CISA Warn of Security Risks from Chinese-Made Drones
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Wednesday about the “significant risk” that Chinese-made drones pose to U.S. critical infrastructure. The agencies provided updated guidance on protecting networks from potential malicious use of these drones.
The newly released guidance highlights that recent Chinese laws grant the government expanded legal authority to access data held by Chinese companies. This creates a risk that drones made by Chinese manufacturers could be a direct channel for sensitive information on U.S. vulnerabilities to reach Beijing. This update revises a previous CISA alert from 2019.
The announcement follows a March appeal by a bipartisan group of senators, including Senate Intelligence Committee Chairman Mark Warner (D-VA). The senators urged CISA to reassess the security risks associated with Chinese-manufactured drones and to make their findings public.
The senators’ concerns were partly based on the dominance of Chinese company DJI in the drone market. DJI is reported to control nearly 90% of the consumer drone market and over 70% of the industrial drone market in North America, according to 2021 reporting by Reuters. The senators referenced a 2017 Department of Homeland Security assessment which indicated that DJI drones used in the U.S. might help Chinese companies gain insights into land acquisition decisions.
Brian Harrell, a former CISA official and author of the 2019 alert, welcomed the updated guidance, noting its importance in light of ongoing use of Chinese drones by law enforcement and critical infrastructure operators. Harrell emphasized that the U.S. government has recognized these drones as a national security threat.
The guidance underscores that while drones offer valuable data and imagery for operational planning, they also pose risks of data exfiltration, espionage, and exploitation. The senators’ March letter had warned that DJI drones could provide the Chinese government with detailed and updated information about U.S. infrastructure, potentially making it easier to target critical facilities.
FBI Assistant Director Bryan Vorndran noted that without appropriate mitigations, the widespread use of Chinese-made drones in key sectors presents a national security concern, increasing the risk of unauthorized access to sensitive systems and data.
The guidance advises U.S. companies to adopt “secure-by-design principles” for all drones, including those manufactured domestically. Key recommendations include:
- Integrating drones into the organization-wide cybersecurity framework like other Internet of Things (IoT) devices.
- Creating separate networks to isolate potential threats from drones.
- Employing a zero trust framework to manage access.
- Understanding and securing how drones store and transmit data.
- Implementing a vulnerability management program to keep security patches current.
- Conducting periodic log analyses to detect anomalies.
- Using strong encryption and storage procedures for data-at-rest and data-in-transit.
- Erasing collected data, including imagery and GPS history, once transferred.
- Utilizing a virtual private network (VPN) for secure drone operations.
The updated guidance aims to help organizations safeguard critical infrastructure and reduce risks associated with the deployment of Chinese-made drones.