China-made drones pose significant risk to U.S. data, security agencies say

China-made drones pose a significant risk to American data, critical infrastructure and national security, two federal security agencies said this week in official cybersecurity guidance urging U.S. professional and hobby users to transition to safer alternatives.

The use of Chinese-manufactured unmanned aircraft systems—UAS, more commonly known as drones—in critical infrastructure “risks exposing sensitive information to PRC authorities, jeopardizing U.S. national security, economic security, and public health and safety,” the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation said on Wednesday.

The warning comes amid a deepening technological and national security competition between the United States and China, with concerns growing among lawmakers and officials over a range of technologies that are made in China or by Chinese companies with U.S. branches, are widely sold in the U.S., and are even at the heart of critical infrastructure systems.

China is “the most advanced, active, and persistent cyber threat to the United States,” using data collection and cyber operations “to challenge the global order and U.S. interests,” the two federal agencies said, citing the White House.

“Central to this strategy is the acquisition and collection of data—which the PRC views as a strategic resource and growing arena of geopolitical competition,” said the CISA and the FBI, using the acronym for the People’s Republic of China.

A drone flies during a demonstration at a DJI store in Shenzhen, in China’s southern Guangdong province, on July 12, 2022. Guidance jointly released by the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation on January 17, 2024, urged American users of Chinese-made drones to transition to safer alternatives, citing data and national security risks.

All drones collect information and could have vulnerabilities that compromise networks, thus enabling data theft by companies or governments, the guidance said.

Since 2015, China has passed a slew of tough laws aimed at controlling data flows to and from China, with Chinese technology companies bound to that system, too. That is to say, the state and Communist Party can legally access all data obtained by them, according to the U.S. agencies.

In addition, under China’s 2017 National Intelligence Law, all citizens and organizations including businesses must “support, assist and cooperate” with the security and intelligence agencies when asked to—refusal to collaborate is not an option. Further turning the screw, the law also says that citizens and organizations must “protect national intelligence work secrets they are aware of,” and that the state will protect them in turn.

This means not only that myriad forms of data can be accessed by Beijing perfectly legally under Chinese law, but also that such access must happen in full secrecy.

DJI, the biggest drone manufacturer in the world with at least 70 percent of the global market, is headquartered in Shenzhen in southern China, and is also the market leader in the U.S., where it has a subsidiary. In 2022, DJI’s drone sales amounted to $30.6 billion and are projected to reach more than $55 billion by 2030, according to ShotKit, a specialist website that tracks photography and drone technologies.

Contacted by email, a DJI spokesperson declined to confirm sales figures, including for the U.S., saying: “As a privately held company, we do not comment on sales or profit numbers.”

The company denied it posed a security risk to U.S. users. “DJI strictly follows all applicable data privacy protection laws, regulations, and norms in the U.S. and anywhere else we operate,” said the spokesperson.

“Our cybersecurity/privacy practices have been substantiated by multiple independent third parties in the United States and elsewhere. These audits were independently conducted by U.S. cybersecurity agencies including—the U.S. Departments of the Interior and Commerce, Idaho National Laboratory, Booz Allen Hamilton, FTI Consulting, and Kivu Consulting,” DJI said.

“We started these audits in 2017 and the findings have consistently validated our longstanding commitment to drone security,” the company said. “As a manufacturer and provider of commercial civilian drones, DJI is not a data company and can’t access user data or provide user data to any entity even if we were required to do so.”

DJI’s users have “total control over the data they collect and generate,” it said, calling its privacy standards the most robust in the industry. “Any position or concern solely based on country of origin limits competition, innovation, and the availability of technology.”

Chinese officials deny they cybersnoop on the U.S. or launch cyberattacks, and instead accuse the U.S. of spying on the world—including on China.

But the concerns aren’t going away. A Newsweek exclusive last year highlighted another area that has recently drawn federal attention: cellular internet modules, or CIMs, that connect the futuristic “Internet of Things,” whereby machines talk to other machines to manage everyday technological processes that humans increasingly rely on.

Several Chinese companies are prominent in the U.S.’s IoT connectivity module market, including Quectel, which is used by the FirstNet public safety network, the federal first responders disaster system. Engineers and geopolitics analysts are concerned that, in a crisis, the disaster response system could be manipulated, degraded, or even switched off by Beijing.

U.S. authorities are increasingly alarmed by vulnerabilities in America’s critical national infrastructure, including energy, water and transport, but also by broad data collection about people and institutions, even physical geography. They say internet-connected drones, which provide a path for data collection, storage and transmission to other locations, are positioned to gather such data.

“UAS devices controlled by smartphones and other internet-connected devices provide a path for UAS data egress and storage, allowing for intelligence gathering on U.S. critical infrastructure,” the CISA and FBI guidance said.

Public and private sector organizations using UAS to collect sensitive or national security information were “encouraged” to buy, or transition to, “secure-by-design” systems, the guidance said, noting that the Pentagon has a whitelist of UAS that are compliant with federal cybersecurity policies, known as the Blue UAS Cleared List.

The guidance comes amid broader concerns about China’s growing digital footprint in the U.S. and around the world.

A report last year by the Center for Strategic and International Studies, a Washington, D.C., think tank, said that while China’s global infrastructure and trade program, the Belt and Road Initiative, was well known, another, all-digital effort—the Digital Silk Road—aimed to spread Beijing’s influence expressly through telecommunications, e-commerce, hardware, software, big data, artificial intelligence and machine learning, and other global digital infrastructure.

“The U.S. public and other international audiences are often unaware of the full nature and scope of these Chinese activities, including those that target U.S. and other Western companies, government agencies, universities, news media, digital platforms, and other NGOs,” said the report by Seth Jones, Emily Harding, Catrina Doxsee, Jake Harrington and Riley McCabe.

The CISA and FBI guidance highlighted two other specific areas of concern: updates to China-made drone systems could additionally introduce unknown data collection and transmission capabilities without the user’s awareness, thus offering a “broader surface for data collection.”

And, since drones and their peripheral devices, such as docking stations, are incorporated into networks, “the potential for data collection and transmission of a broader type—for example, sensitive imagery, surveying data, facility layouts—increases.”

“This new type of data collection can allow foreign adversaries like the PRC access to previously inaccessible intelligence,” the agencies said.