Extend the Pentagon’s ban on China’s consumer drones

As a former Director of Operations at U.S. Indo-Pacific Command, my birthday wish would be to have U.S. drones comprehensively map China's infrastructure and download it to my targeting team. My war-planning counterpart in the People’s Liberation Army might be able to make that wish come true—unless we get serious about the threat of Chinese-made commercial drones that operate in the United States. 

The People’s Republic of China is investing heavily to advance consumer-drone technology and secure global market domination for its manufacturers. National-security concerns about the use of these drones and the data they gather led the Defense Department in 2018 to forbid their use in the department and in 2022 to place the most prominent of the manufacturers—Shenzhen-based DJI—on a blacklist of companies believed to have ties to the Chinese military.

Those concerns have only deepened, and along several axes.

First, drones can be used to surveil sensitive locations—and Chinese-made ones cannot be trusted to keep out. Numerous PRC-made drones have been detected in restricted U.S. airspace, including over Washington, D.C., despite DJI’s claim that their drone design includes geofencing restrictions to avoid sensitive locations. Drones made by Autel Robotics, another prominent manufacturer, do not even have geofence restrictions. 

Second, DJI drones and their software “leak” potentially dangerous data. In 2017, a programmer participating in a DJI bug-bounty program found that the company had stored various customer data insecurely—including driver’s license information, photographs, and flight logs uploaded from users associated with the U.S. government and military. And just a few months ago, researchers reverse-engineered the radio signals of DJI drones, revealing that DJI drones’ communications transmit their own GPS location and the GPS coordinates of its operators. 

Third, and most concerning, is the five-year-old law that requires Chinese companies to provide any requested information to PRC intelligence agencies and to conceal that they did so. This National Intelligence Law of 2017 obliges PRC drone companies to provide whatever information they gather. This could include flight logs, users’ sensitive data, and drone operators’ geolocation.

As Chinese-made drones crisscross the country, they fly over and near power transmission lines and other infrastructure assets. If the drones could pass this information to China, it would fill in gaps that PRC reconnaissance satellites cannot address, and could enable attacks on critical U.S. infrastructure. 

Yet PRC-made drones remain widely used in the United States. Law enforcement, medical services, meteorological agencies, environmental and oil and gas companies, and other critical infrastructure operators use them for aerial photography, videography, surveying, and more. DJI works with Axon—a public-safety-equipment manufacturer—to develop drones for state and local law enforcement. Autel, whose products are the drone of choice for several law enforcement agencies, is also supplier to the Departments of Agriculture and Commerce and an eager advertiser to border-security and coastal-patrol agencies.

Some federal agencies and states have already begun to act. In 2020, the Department of the Interior temporarily grounded its fleet of DJI drones, citing security concerns. Similar concerns were expressed by DoD and other entities over fears of data leakage or unauthorized access to sensitive locations. This March, a coalition of senators asked the Cybersecurity and Infrastructure Security Agency to investigate the risks associated with PRC-made drones, including the exploitation of sensitive information. As of May, seven states, including Florida and Arkansas, have grounded their DJI drones and banned PRC-made drones over fears of spying by U.S. adversaries. 

But more action is needed. The White House should order the Commerce Department and DoD to conduct an extensive investigation into all PRC-made drone companies to assess national security risks and add PRC drone companies to the Entity list as appropriate. The Pentagon should add Autel to its blacklist. The Department of Homeland Security should issue updated threat guidance and place restrictions on the use of adversarial drone technologies in certain sectors, including critical infrastructure and state and local organizations. The administration should also consider enabling manufacturing tax credits and tailored federal grants to help law enforcement and other U.S. drone users to replace their made-in-China quadcopters. 

The current House-passed NDAA includes a provision (Section 827) expanding the existing statutory restriction on DoD contractors using PRC drones by removing language limiting the existing prohibition to uses “in the performance of a DoD contract.” This provision, which is critical to supporting a whole-of-government campaign against the threat of PRC drones, should pass into law.