In joint guidance released on Jan. 17, the Cybersecurity and Infrastructure Security Agency (CISA) – alongside the FBI – is warning critical infrastructure and state, local, tribal, and territorial partners of cybersecurity threats posed by Chinese-manufactured unmanned aircraft systems (UAS), more commonly known as drones.
“The People’s Republic of China (PRC) has enacted laws that provide the government with expanded legal grounds for accessing and controlling data held by firms in China,” the new guidance says. “The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities.”
This guidance outlines the potential vulnerabilities to networks and sensitive information when operated without the proper cybersecurity protocols and the potential consequences that could result.
The four-page document notes data transfer and collection as one potential vulnerability to U.S. critical infrastructure. “UAS devices controlled by smartphones and other internet-connected devices provide a path for UAS data egress and storage, allowing for intelligence gathering on U.S. critical infrastructure,” the guidance says.
The new guidance also highlights potential consequences of a lack of proper cybersecurity protocols, including exposing intellectual property to Chinese companies and exposing network access details that enhance the PRC’s capability to conduct cyberattacks on critical infrastructure.
CISA and the FBI offered four UAS cybersecurity recommendations around planning and design, procurement, maintaining drones, and operating the technology.
“Our nation’s critical infrastructure sectors, such as energy, chemical and communications, are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve staff safety. However, the use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety,” CISA Executive Assistant Director for Infrastructure Security David Mussington said.
“With our FBI partners, CISA continues to call urgent attention to China’s aggressive cyber operations to steal intellectual property and sensitive data from organizations,” Mussington said. “We encourage any organization procuring and operating UAS to review the guidance and take action to mitigate risk.”
CISA noted that critical infrastructure organizations are encouraged to operate UAS that are secure-by-design and manufactured by U.S. companies. The cyber agency said that organizations should consider the cyber recommendations offered by the new guidance as part of their UAS program, policies, and procedures.
“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” said Assistant Director of the FBI’s Cyber Division, Bryan Vorndran. “The FBI and our CISA partners have issued UAS guidance in order to help safeguard our critical infrastructure and reduce the risk for all of us.”
