Using Country-of-Origin as a Litmus Test for Drone Security Is Bad Policy
The recently amended Senate 2023 National Defense Authorization Act (NDAA) contains an updated version of the American Security Drone Act (ASDA), a legislative proposal that would ban federal procurement of unmanned aircraft systems (UAS) made by certain “covered foreign entities” (i.e., made in China). While intended to protect national security, this proposal—even with the recent updates—would still do little to bolster drone security and would limit government agencies from using some of the best-in-class drones.
The primary motivation of supporters of ASDA is to protect national security. For example, Sen. Rick Scott (R-FL), who introduced the ASDA, has said banning Chinese-made drones is necessary to “protect our national security and the privacy of American citizens.” But a close look at the technology shows that critics are overstating the risks of foreign-made drones.
Consider the risk that foreign-made drones might have hidden backdoors that would allow foreign adversaries to remotely gather aerial information about critical infrastructure. At first glance, this might seem like a serious concern. After all, utilities fly drones to inspect transmission lines and oil companies use drones to check on pipelines. But foreign adversaries do not need to hack into drones to obtain this type of information. First, much of this aerial imagery is freely available online on sites like Google Maps. Second, drones may collect more detailed information, but drone operators store this information in databases. If policymakers want to secure sensitive information about critical infrastructure, they should be concerned with how drone operators store sensitive data not where the drone is manufactured. Third, foreign adversaries do not need to compromise a third-party drone operator’s UAS to collect sensitive data about critical infrastructure—they can fly their own drones. Indeed, there have been past instances of unauthorized drone flyovers, including over a restricted U.S. Navy base that is home to nuclear submarines. Securing airspace above critical infrastructure should be a greater priority.
Or consider the risk that foreign-made drones might have hidden vulnerabilities allowing foreign adversaries to remotely control them. While the “Internet of Drones” has not yet arrived—many drones operate without an active Internet connection, and some even have a “local data mode” that prevents any data connections over the Internet—it is reasonable to consider the risks that exist for fully connected drones. For example, hackers might use backdoors to disrupt legitimate activity by crashing or disabling commercial drones. But this concern exists for any Internet-connected drone. Indeed, many drones allow third-party flight software—operators do not have to fly their drones using the manufacturer’s software. Because operators can replace the software used to control the drones, the security risks are related more to the flight software not the drone hardware. To mitigate this risk, the priority should be setting security standards for Internet-connected drones and flight software, not banning drones based on where they are made.
The ASDA would impose a thorough ban on Chinese-made drones. Federal agencies would not be allowed to procure, operate, or use federal funds (including grants) for Chinese-made UAS. Effectively, this ban would cut off federal agencies (as well as state and local agencies that either use federal funds for drones or coordinate their activities with federal agencies) from using drones made by DJI, a Chinese company that is also the most popular drone brand. Such a ban would have a deleterious impact on U.S. drone adoption and use, because DJI is widely considered to make the best drones. Indeed, the quality of these drones is the reason that so many federal agencies, from the FBI to DHS, have purchased DJI’s foreign-made drones, and also the reason organizations using drones for public safety, like the Law Enforcement Drone Association, the Drone Service Providers Alliance, and the Airborne Public Safety Association, have opposed the ban. Ironically, even though the purpose of the legislation is to protect national security, the ASDA exempts the intelligence community—arguably the most sensitive federal government drone operator—from the ban.
There are valuable elements in the ASDA that Congress should consider. In particular, the ASDA proposes developing a government-wide policy for procuring UAS and working with NIST to develop an information security program to manage risks from UAS, including restricting access control; preventing unauthorized changes to software, firmware, and hardware; cryptographically securing data at rest and in transit; and other related measures. This type of performance-based risk management framework for UAS would be a much more effective approach for addressing security concerns for drones than haphazardly banning them based on where they are made (or assuming they are secure if they are made elsewhere).
Improving drone security is a legitimate issue for Congress to consider, but the ASDA does not deliver on its goal and would set back efforts to deploy drones for a variety of federal use cases, such as surveying wildfire and aiding first responders. Rather than push this through the NDAA, Congress should continue to refine this legislation before moving forward.
