The Department of Homeland Security is warning companies that their data may be at risk if they use commercial drones manufactured in China.
The combination of the sensitive data collected by drones and the requirement that Chinese citizens support “national intelligence activities” makes the Chinese-made technology a significant risk to U.S. companies, DHS’s Cybersecurity and Infrastructure Security Agency said this week in an industry alert obtained by CyberScoop.
“Be cautious when purchasing [drone] technology from Chinese manufacturers as they can contain components that can compromise your data and share your information on a server accessed beyond the company itself,” the advisory says.
“Manufacturers and vendors can build in malware or collect data from your UAS device without your knowledge,” the alert states. Other concerns are that an organization is susceptible to data theft if the drone is transmitting unencrypted data or, more broadly, that a drone could increase the risk of a network being breached.
The alert comes as U.S. officials have engaged in a broader campaign to warn private companies and allies of the security risks Washington feels are inherent in gear made by Chinese telecommunications companies Huawei and ZTE.
“U.S. intelligence and security officials have repeatedly warned about the cyber and data security risks associated with information or communications technologies designed, manufactured, or sold by commercial enterprises operating under the control or influence of a foreign authoritarian state,” the advisory states.
Businesses use commercial drones for everything from monitoring the yield of crops to inspecting construction sites. And Chinese manufacturers have emerged as a force in the global market for commercial and military drones. On the commercial side, Chinese drones account for nearly 80 percent of the market, according to the Center for Strategic and International Studies.
In response to that growing Chinese market share, DHS officials are asking U.S. companies, particularly those that operate critical infrastructure, to be mindful of how drones interact with their networks.
“Organizations that conduct operations impacting national security or the nation’s critical functions must remain especially vigilant as they may be at greater risk of espionage and theft of proprietary information,” the advisory says.
The drones deployed by DHS itself offer a cautionary tale in data security. A DHS inspector general report published in September 2018 found that IT systems used by Customs and Border Protection to share drone-gathered data are “at increased risk of compromise by trusted insiders and external sources” because of security shortcomings.
To mitigate the risk from Chinese-made drones, DHS is telling companies to buy devices from reputable vendors and develop a risk strategy that accounts for the way drones and their components interact with networks, among other advice.
Asked for comment on the alert, a CISA spokesperson said, “Information sharing is a key part of the Cybersecurity and Infrastructure Security Agency’s mission as the nation’s risk advisors.”
Politico was first to report on the alert.