Chinese Drones Pose Significant Risk to Critical U.S. Infrastructure, CISA Reports

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint warning regarding the risks associated with Chinese-manufactured unmanned aircraft systems (UAS), commonly known as drones. These drones present a significant threat to U.S. critical infrastructure and national security due to vulnerabilities that could enable data theft or network compromises. The concern stems from laws in the People's Republic of China (PRC) that compel Chinese companies to cooperate with state intelligence services, potentially providing access to data collected globally. This includes data from prominent Chinese-owned UAS manufacturers identified as "Chinese military companies" by the Department of Defense.

The vulnerabilities in these UAS can facilitate various forms of compromise, including unauthorized data transfer and collection, potentially risky patching and firmware updates controlled by Chinese entities, and expanded surface for data collection. The consequences of such compromises could be severe, leading to exposure of intellectual property, detailed intelligence on critical infrastructure, and cybersecurity breaches.

CISA and FBI advise U.S. critical infrastructure owners and operators to consider these risks carefully and implement cybersecurity recommendations and principles when procuring and operating UAS. They emphasize the importance of using UAS that follow secure-by-design principles and recommend consulting the Department of Defense’s Blue UAS Cleared List for compliant devices. Additionally, organizations are encouraged to use separate networks, zero trust frameworks, and vulnerability management programs to mitigate these threats.

This advisory follows a March appeal by a bipartisan group of senators, including Senate Intelligence Committee Chairman Mark Warner, urging CISA to publicly analyze the security risks of Chinese-manufactured drones. As reported by The Record, the senators highlighted concerns about drones made by China's Shenzhen DJI Innovation Technology, which dominates the consumer and industrial drone markets in North America. They pointed to instances where DJI drones enabled Chinese companies to gather sensitive information, such as land purchase decisions in the U.S.

Former CISA official Brian Harrell noted the significance of the new public guidance, emphasizing the proven risk of these drones leaking data overseas. Harrell highlighted that drones, popular with infrastructure and public safety organizations, pose potential risks for data exfiltration, espionage, and exploitation due to their data and imagery capabilities. The new guidance includes detailed instructions for mitigating these threats, including placing drones in an organization-wide cybersecurity structure and using strong encryption and storage procedures.