The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security, along with the Federal Bureau of Investigation (FBI), have issued a public service announcement regarding the potential security risks associated with Chinese-manufactured drones. According to the announcement, these drones could pose a threat to critical infrastructure and U.S. national security. The agencies highlight concerns that under Chinese law, the government may have the ability to access data collected by private firms, including those involved in manufacturing drones. This could potentially place American data at risk if connected to these unmanned aircraft systems (UAS).
The announcement emphasizes the importance of careful consideration and potential mitigation strategies when using Chinese-manufactured UAS, especially in operations involving critical infrastructure. The release cites the People’s Republic of China (PRC) as a significant cyber threat, partly due to their ability to exploit data used by American consumers. According to the document, the PRC’s strategy includes the acquisition and collection of data, viewing it as a strategic resource in geopolitical competition. The use of Chinese-manufactured UAS in critical sectors, such as energy, chemical, and communications, could expose sensitive U.S. information to Chinese authorities. The 2021 Chinese law expansion, which increases government access and control over companies and data within China, was also mentioned.
The release points out that data collection by these companies is crucial to the PRC’s Military-Civil Fusion strategy, aiming to gain a strategic advantage through access to advanced technologies and expertise. The agencies note the growing reliance of U.S. critical infrastructure sectors on UAS for cost-effective operations and improved staff safety. However, they warn that using Chinese-manufactured UAS could expose sensitive information, thus compromising national security, economic security, and public health and safety. The announcement details potential exploitation methods, including data transfer and collection through software updates and docking stations, which could access sensitive information like imagery, surveying data, and facility layouts. CISA and the FBI advise companies and individuals to be cautious, suggesting measures like isolating Chinese-made drones from their networks and ensuring regular maintenance for security. The potential consequences of data harvesting include exposure of intellectual property, details of critical infrastructure operations, weakened cybersecurity and physical security controls, and network vulnerabilities.