WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released guidance for cyber security vulnerabilities related to uncrewed aircraft systems (UAS) manufactured in the People’s Republic of China (PRC) and the risk the aircraft pose to U.S. national security.
CISA and the FBI have emphasized that Chinese-manufactured UAS, commonly known as drones, continue to present a significant threat to critical infrastructure and U.S. national security. While any UAS may have vulnerabilities leading to data theft or network compromises, the PRC has enacted laws that grant the government broader legal authority to access and control data held by Chinese firms. Caution and potential risk mitigation are advised when using Chinese-manufactured UAS to safeguard networks and sensitive information.
The PRC enacted or revised comprehensive national security, cybersecurity, and data privacy laws and regulations, broadening their supervision of both domestic and foreign companies operating in China. One noteworthy law is the PRC's 2017 National Intelligence Law, which mandates Chinese companies to collaborate with state intelligence services, including granting access to data collected within China and globally. This requirement extends to prominent Chinese-owned UAS manufacturers identified by the Department of Defense as "Chinese military companies" operating in the United States.
The 2021 Data Security Law further amplifies the PRC's authority over companies and data within China, imposing stringent penalties on non-compliant businesses based in China. The information gathered by such companies plays a role in the PRC's Military-Civil Fusion strategy, aiming to secure a strategic advantage over the United States by facilitating access to advanced technologies and expertise.
The agencies say vulnerabilities via the transmission of data, and the connections necessary for those transmissions are targets to exploit to compromise sensitive information. Companies are also instructed to maintain a secure connection with the drone during operations by using a VPN or other encryption methods to protect the confidentiality and integrity of communication pathways.
The Association for Uncrewed Vehicle Systems International (AUVSI) a nonprofit focused on the advancement of uncrewed systems, including technology companies, reiterated the threat to information and national security with drones made in the PRC.
"China's dominance of the global drone market poses a multitude of challenges for the United States, and the CISA and FBI warning affirms the threat PRC drones present to our national security," AUVSI chief advocacy officer Michael Robbins said. "As CISA and the FBI noted in their memo today, in the interest of national security, organizations collecting sensitive information, including critical infrastructure owners and operators, must shift away from unsecure PRC drones and reliance on foreign supply chains.
Robbins continued, "AUVSI’s Partnership for Drone Competitiveness challenges Congress to take resolute action to end China’s monopolistic control of the U.S. drone market and to support a strong domestic drone industry. Our coalition remains committed to working with policymakers at all levels of government to implement common-sense policy solutions that safeguard U.S. data and foster a robust domestic drone industry."
The FBI-CISA cyber security guidance brief can be viewed at https://www.cisa.gov/resources-tools/resources/cybersecurity-guidance-chinese-manufactured-uas.