Government cybersecurity officials continue to warn U.S. companies about the dangers of using unmanned aircraft systems (UAS) designed or manufactured abroad, according to a sensitive document distributed to private industry by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Nov. 20.
The private industry bulletin warns companies that they risk the exposure of private data when operating UAS “designed, manufactured, or supplied abroad where the data is stored, transferred to, or accessible by servers in a foreign country,” according to a copy of the bulletin obtained by Defense Daily.
“While companies operating within any country are typically expected to comply with applicable law and government regulations, foreign governments may require companies to disclose far more information without significant legal protection for customers,” the bulletin reads. “UAS data is often sent to servers controlled by or accessible to the UAS manufacturing company or third-party application vendor … Data servers run by or accessible to foreign companies, especially those located in foreign countries, may be susceptible to foreign law enforcement and government seizure without the benefit of the types of legal protections under US law.”
While the document specifically mentions it is not “an endorsement for or warning against any particular UAS manufacturer, model, or software solution,” it references another industry bulletin released in May of this year, titled “Chinese Manufactured Unmanned Aircraft Systems.” That document, apparently published by sUASNews, warns private industry of Chinese-made UAS-connected devices capable of collecting and transferring data, citing China’s “unusually stringent obligations on its citizens to support national intelligence activities.”
Though neither of these documents mention Chinese company DJI by name, the drone giant — which owns 75-80 percent of the drone market worldwide — has raised concerns across the federal government in recent years, with the Department of Interior recently grounding its fleet of about 800 drones, including DJI models as well as others containing Chinese-manufactured components, due to congressional pressure. Proposed legislation to ban Chinese-made drones across the federal government passed the House Homeland Security Committee unanimously in October.
The concerns raised by private industry bulletins released by CISA represent a stark departure from the conclusions of a DHS-funded investigation that examined potential data leakage from four UAS models, including the DJI Matrice 600 Pro and Mavic Pro, equipped with “Government Edition” cybersecurity upgrades. That report, conducted by the Department of the Interior, found no evidence of data leakage, though it characterized the cybersecurity tests conducted as “limited-scope analysis” and did not rule out that data leakage could occur “with the right conditions and circumstances.”
Months later, CISA continues to warn private industry that “the U.S. government has strong concerns when UAS data is stored, transferred, or accessible in the territory of a foreign country with limited or no data privacy protections, or subject to a foreign government which does not share the US’s Constitutional norms and values, including meaningful and independent judicial review,” according to the private industry notification marked Nov. 20.
DHS did not respond to requests for comment regard the private industry notification distributed by CISA. DoI’s Office of Aviation Services is listed as a partner organization on the Nov. 20 private industry notification.
As Congress and government agencies continue to weigh further bans of DJI hardware and software, the company counters that “origin-based” bans targeting Chinese-made companies are unnecessary and ineffective, maintaining that stricter cybersecurity standards can suffice.
Contacted for comment, DJI emphasized that only data associated with customers in mainland China is stored on servers located in China and that data from all other users is always kept on secure Amazon Web Services (AWS) [AMZN] servers in the United States.
“Like any global company, we obey the laws of the countries in which we operate, and we routinely consider requests for customer data under proper legal authority. For example, we have provided customer data to US government agencies when presented with a valid subpoena or warrant,” a representative for DJI said in a statement. “Similarly, Apple and other tech companies provide information to the Chinese government upon request.”
Advocates for further bans of DJI products within the Pentagon, private industry and Capitol Hill recognize that, for most use cases, DJI drones are superior and cheaper than U.S.-made alternatives, presenting a procurement problem without an easy solution, as DJI’s dominance has prevented the emergence of real competition.
If the government-wide ban on drones with Chinese parts currently being considered by Congress were to pass, industry experts aren’t sure if any North American companies currently have the supply chain and capitalization to meet the need.
“Most companies I know would need some significant time and investment to scale,” said Michael Blades, vice president for aerospace, defense and security at Frost & Sullivan.
The Pentagon is working to address this capability gap through its Defense Innovation Unit, as well as the Trusted Capital Marketplace launched this fall, which aims to connect sources of capital with small tech firms.
The Army’s Short Range Reconnaissance (SRR) effort awarded $11 million last year to six companies to prototype and develop small commercial drones for battlefield use. The six awarded companies were Parrot, Skydio, Altavian, Teal Drones, Vantage Robotics and Lumenier.
Canadian drone manufacturer Draganfly, which recently held an IPO on the Canadian Stock Exchange (CSE) and added well-connected former U.S. government officials to its board, is also angling to capitalize on a potential DJI ban, though it currently doesn’t hold a significant share of the drone market.
“Draganfly isn’t a part of the Army’s SRR, so in my mind, those companies already have an advantage on them,” said Blades. Draganfly does, however, claim to have an all-North American supply chain, which competitors such as Skydio do not.