Photograph by D Ramey Logan, CC BY 4.0
Debate rages over data security and Chinese-made drones
By DRONELIFE Features Editor Jim Magill
(The following story is part of an ongoing series on the impact of attempts by the U.S. federal government and some states to limit or ban the use of drones produced by Chinese companies. See the previous article here.)
The debate over the use by public service agencies and others, of Chinese-made drones continues to rage on, with the result potentially impacting these agencies’ ability to protect and serve the public.
Citing national security concerns, U.S. government officials have long sought to restrict government agencies from the use of drones manufactured in China, particularly those produced by DJI, the world’s leading manufacturer of unmanned aerial vehicles. Last December, President Biden signed into law the National Defense Authorization Act of 2024, which contained restrictive provisions originally proposed in the American Security Drone Act (ASDA) of 2023.
The NDAA prohibits government agencies from buying or operating drones or components from certain “covered” countries thought to be hostile to the US, including China. The legislation also prohibits the use of federal grants to state and local government entities for purchase of these products.
In addition, an even more comprehensive ban – this time targeting DJI specifically – is being proposed in the Countering CCP Drones Act, currently pending in Congress. Should this bill become law, it would include DJI on the Federal Communications Commission list of companies prevented from accessing any FCC-regulated communications network. This legislation could affect all users of DJI products, including public service, commercial or consumer operators.
Proponents of the so-called country-of-origin bans say they are necessary to ensure that drones manufactured in China do not send data related to critical U.S. infrastructure and other important data back to China, where under laws of that country it is liable to being turned over to the Chinese government or the Chinese Communist Party (CCP).
“This is not the boogeyman — we’ve seen these drones leak data overseas and it’s good to see government agencies call out the known threat,” Brian Harrell, former assistant secretary of the U.S. Department of Homeland Security, said in a statement. “It’s clear that the United States government has deemed Chinese-made drones a threat to security as China’s dominance of the electronics supply chain, including drones, is harming U.S. national security interests.”
Meanwhile, opponents of such bans – including, of course DJI itself – argue that the drones’ communications software can be configured to where the data is not collected by DJI and that the drones can be air-gapped from the internet so the data can be securely retained by the user. They also say that some of the motivations behind the proposed bans is the result of pressure by U.S. drone manufacturers, who want to eliminate the competition from the Chinese drone companies, whose products are frequently less expensive and more capable than their U.S. counterparts.
In a recent blog, DJI outlined the steps it has taken to ensure the security of its customers data.
“DJI created the market for ready-to-fly civilian and commercial drones almost two decades ago and has invested heavily in robust safety and security protections as well as expanded user privacy controls for our products,” the company said. DJI went on to say:
- Customers only share flight logs, images or videos with if they affirmatively choose to do so. Default collection does not exist with us.
- Operators of our consumer and enterprise drones can choose to ‘fly offline’ through Local Data Mode, ensuring that no unauthorized parties can get access to their drone data.
- Since 2017, we have regularly submitted our products for third-party security audits and certification.
Drone bans: pros and cons
Former Homeland Security official Harrell notes that as drones have become essential tools for use by infrastructure maintenance and public safety organizations it has become even more critical that the data they collect does not fall into the wrong hands.
“Because of how they are deployed operationally, drones have inherently unique access to sensitive system and enterprise information,” he said. “Drones provide the data and imagery used for vital decision-making and planning. However, in the hands of the adversary, that same data offers the potential for data exfiltration, espionage and exploitation.”
Michael Gips, an attorney with 30 years of experience as a security professional, cited the Chinese law that requires China-based technology companies to turn over, on demand, data they have collected through their business operations, to the Chinese government.
“So, basically Chinese companies are intimately tied to the government, to the military and are in effect, arms of the military, information-gathering and -collecting, data-providing arms of Beijing,” he said.
Gips said that despite DJI’s assurances to the contrary, he does not think that the security solutions outlined by the company are sufficient to ensure that data collected by their drones is secure.
Many users, particularly law enforcement agencies and others concerned about protecting the security of their sensitive data, rely on the use of third-party data-collection software from companies such as Texas-based DroneSense, rather than the software package offered by the same company that produced their Chinese-made drone.
“Those overlays, that kind of middleware, I don’t know that it gets actually at the problem. They say it does but I’m not so sure it does,” said Gips, who serves on the board of the Global Consortium of Law Enforcement Training Executives. “I’m skeptical that these third-party solutions can be overlaid on the components that are already in there can mitigate that problem.”
Other experts say that while the issue of data security is a major problem and one that goes beyond the use of drones, country-of-origin bans are not the answer.
“If you’re going to say that that an American drone is more secure just because it’s made in America, that is a false claim. You cannot say that if there’s not any infrastructure or technology built into it to keep the data from not going where it doesn’t need to go,” said Jon McBride, chairman of the Droning Company,
McBride, who has spent more than two decades in the drone industry and was the first DJI Enterprise dealer in the world, said that instead of banning foreign-made drones, the U.S. government should establish data-security standards that all drones – foreign or domestic – must adhere to. “Build a standard, create a way that every drone has to go through a third-party test or scrutiny” to make sure that whatever data is collected can’t be transmitted to anywhere it shouldn’t go.
Brandon Karr, chief operating officer of the Law Enforcement Drone Association, agreed on the need a national data-security standard for every entity that flies drones, particularly law enforcement agencies, regardless of what brand of drone they operate.
“Every agency, regardless of what they’re utilizing, whether that’s a Blue UAS platform, a Chinese drone, or any other system, should always do a data security analysis on any hardware that they’re utilizing that touches the internet,” he said. “They need to look at what that system is doing and communicating with, and then make the decision as to whether the mitigations that they are wanting to employ meet the data security concerns for their agency and their use case.”
He said blanket bans on foreign-made drones, such as those proposed in some federal and state legislation, do not benefit anybody.
“There needs to be a standardized practice that all drone manufacturers need to be beholden to, regardless of origin, from a data security perspective, and that standard has yet to be set,” Karr said.
Read more:
Jim Magill is a Houston-based writer with almost a quarter-century of experience covering technical and economic developments in the oil and gas industry. After retiring in December 2019 as a senior editor with S&P Global Platts, Jim began writing about emerging technologies, such as artificial intelligence, robots and drones, and the ways in which they’re contributing to our society. In addition to DroneLife, Jim is a contributor to Forbes.com and his work has appeared in the Houston Chronicle, U.S. News & World Report, and Unmanned Systems, a publication of the Association for Unmanned Vehicle Systems International.
Miriam McNabb is the Editor-in-Chief of DRONELIFE and CEO of JobForDrones, a professional drone services marketplace, and a fascinated observer of the emerging drone industry and the regulatory environment for drones. Miriam has penned over 3,000 articles focused on the commercial drone space and is an international speaker and recognized figure in the industry. Miriam has a degree from the University of Chicago and over 20 years of experience in high tech sales and marketing for new technologies.
For drone industry consulting or writing, Email Miriam.
TWITTER:@spaldingbarker
Subscribe to DroneLife here.
