We live in an era of cheap, readily available hobbyist drones. There’s a whole host of reasons for that, from decades of electronics miniaturization to parts standardization to inexpensive flight controllers, but also there’s a big three-letter reason: DJI.
DJI, the Chinese drone giant, makes the popular Phantom and Mavic series of hobbyist drones, as well as larger models (such as the Inspire line), and has roughly 70 percent of the drone market. Two new moves — one by the Department of Homeland Security and another via legislation introduced in the Senate — could change how Americans, at least in the government, buy and fly drones. They would also have implications for the Department of Defense.
The alert, issued by the Cybersecurity and Infrastructure Security Agency at DHS, didn’t specifically name drone manufacturers, but it did state that Chinese-made drones are a “potential risk to an organization’s information” because they “contain components that can compromise your data and share your information on a server accessed beyond the company itself.”
That “server accessed beyond the company itself” is a risk with any cloud storage, especially if the company running the cloud storage can be compelled to offer the data to legal authorities in other countries, or if the company is not particularly vigilant in keeping interlopers out of its data.
The alert, as reported by CNN and others, went on to note that “the United States government has strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access.”
This concern about authoritarian abuse of data is echoed by recent bills in the Senate, like the one sponsored by Sen. Martin Heinrich, D-N.M., and Sen. Rob Portman, R-Ohio, to fund artificial intelligence domestically (and, in theory, more ethically).
DHS’s alert also notes that the concerns about data collection “apply with equal force to certain Chinese-made (unmanned aircraft systems)-connected devices capable of collecting and transferring potentially revealing data about their operations and the individuals and entities operating them, as China imposes unusually stringent obligations on its citizens to support national intelligence activities.”
As for what to actually do about the data, DHS suggested users disconnect their drones from the internet and understand how to limit the drone’s access to networks and data. DJI said it gives customers full control over their data, and has programs in place for government and infrastructure customers to ensure that their flying robots do not connect to the internet or DJI. DJI also supported concerned customers adopting the precautions laid out by DHS. An independent security audit of DJI, paid for by the drone maker in 2018, found that these data security claims mostly (though not entirely) held up.
It remains to be seen if the alerts from DHS and the responses from DJI will change consumer behavior, but the Senate may mandate that change for the military.
Connecticut Sens. Chris Murphy and Richard Blumenthal worked together to include a provision in the Senate Armed Services Committee’s draft of the annual defense policy bill for 2020 that would prevent the Department of Defense from using Chinese-made drones.
This is hardly the first time military use of Chinese-made commercial drones has been called into question. The Army published a memo in August 2017 halting the use of Chinese-made drones, citing cyber vulnerabilities. The Pentagon again suspended purchase of commercial drones in June 2018, also citing cybersecurity concerns. But DJI’s Phantom remained in use. Marines used the Phantom during at least two operations or exercises, according to a January report from the Pentagon.
“A recent U.S. Senate committee provision would restrict the ability of certain U.S. government agencies to acquire or use the industry’s most advanced drone technology simply because of its country of origin,” said DJI in a statement emailed to C4ISRNET.
“Drone operators deserve to make their own careful evaluations and informed choices about technology purchases, and DJI remains the leading drone platform of choice because our technology is reliable, safe and secure,” the statement continued. “DJI products have helped create American drone jobs and drone businesses, as well as an entire American ecosystem of hardware and software companies. DJI’s data security has been independently verified by the U.S. government and leading U.S. businesses, and we give all customers full and complete control over how their data is collected, stored, and transmitted.”
DJI also made an appeal to the universal value of the technology in the hands of users, no matter the maker.
“Limiting the ability of any operator to acquire small drone systems based simply on their country of origin undermines the American workers and public service employees who use DJI drones to save lives, promote worker safety, maintain infrastructure and support vital operations every day,” said DJI.
If the Senate provision becomes law, the temporary bans and reviews of drone cybersecurity will be supplanted by another need: Pentagon leaders will have to rethink how they buy and develop drones, rather than relying on off-the-shelf models. That’s one of Murphy’s goals: to foster the U.S. supply chain.
While it’s unlikely anything can match the scale and market penetration of DJI or other Chinese-made models, the InstantEye quadcopter adopted by the Marine Corps and the Air Force is the likeliest ready replacement.
Kelsey Atherton blogs about military technology for C4ISRNET, Fifth Domain, Defense News, and Military Times. He previously wrote for Popular Science, and also created, solicited, and edited content for a group blog on political science fiction and international security.