Agency officials say they have taken various technical precautions to keep DJI from gathering intelligence with their drones.
The Interior Department authorized officials to buy drones from a Chinese manufacturer that experts in government and industry view as a national security threat.
On July 3, the agency approved the purchase of two specific models of drones built by SZ DJI Technology, a Chinese firm that occupies nearly three-quarters of the global drone market. Security experts have warned the company acts as a channel for Chinese government espionage, but according to Interior officials, the agency is taking a number of technical precautions to prevent DJI from getting a literal bird’s eye view of America’s critical operations.
“It’s a very narrow, very specific, very limited authorization,” Mark Bathrick, director of the Office of Aviation Services, told Nextgov. “We’re doing the very best we can to make sure the data we collect is secure.”
DJI is one of the many Chinese firms accused of secretly feeding data on U.S. customers to the Chinese government. Last month, national security experts warned a Senate subpanel that drone manufacturers like DJI collect “an unprecedented level” of intelligence on America’s physical, social and economic infrastructure, which could potentially help the Chinese obtain an economic and military advantage.
Related: Russia Plans More Arctic UAVs
They compared the threats to those posed by Huawei, the Chinese telecom titan the White House is trying to effectively blacklist from U.S. markets.
But while people can easily turn to U.S companies like Comcast and AT&T for their telecom services, America’s domestic drone market is already largely outsourced to China. Experts estimate roughly 80 percent of the drones in the U.S. are manufactured by Chinese companies, with the vast majority built by DJI.
In May, the Homeland Security Department warned companies their data could be at risk if they use Chinese drones, and in 2017, the Army banned soldiers from using any unmanned aircraft manufactured by DJI. But as Interior officials look to significantly expand their own fleet of small, inexpensive drones in the years ahead, there are only so many vendors they can choose from, according to Bathrick.
When the department began courting commercial drone vendors in 2015, DJI wasn’t even considered an option. The year before, officials had laid out a set of security and performance standards for Interior’s drone fleet, and the company didn’t meet the requirement “to decline and lock out any device information sharing,” according to internal agency documents. In other words, DJI couldn’t guarantee it would keep its hands off the data collected by its drones.
The department ended up buying hundreds of 3DR Solo aircraft from the U.S.-based company 3D Robotics, but the firm stopped manufacturing the drones within weeks of the procurement, Bathrick said.
As officials looked for a new supplier, they found the aircraft manufactured by U.S. companies “were up to 10x less capable for the same price, or up to 10x more costly than similarly capable DJI aircraft.”
While 3DR Solos still make up more than 90 percent of Interior’s drone fleet, Bathrick said the department needed a more cost-effective, scalable option to support its expanding drone operations. And ultimately, DJI came to the table with a suitable offer.
In 2017, the department began working with DJI to develop drones outfitted with custom hardware, software and firmware that addressed the data management risks associated with its commercial products. The “Government Edition” build is air-gapped from both the department’s IT infrastructure and the public internet, preventing any illicit exfiltration of data, Bathrick said. The department itself will upload the software for each drone, and operators must manually download any data collected during their flights.
The department approved the purchase of the aircraft after 15 months of performance and security testing, and officials plan to apply the same rigorous reviews to any future software upgrades, Bathrick said.
“We still get all the full functionality of the DJI product,” Bathrick said, but with controls that would prevent DJI from getting access to the department’s data. As an added layer of security, pilots are only authorized to use the DJI aircraft for “non-sensitive missions whose ... data is publicly releasable,” according to the order.
A DJI spokesperson told Nextgov the agreement shows the company’s commitment to ensuring its tech meets all of its customers’ requirements.
When asked about the procurement approval, the Homeland Security Department declined to comment and referred Nextgov to Interior.
Drones are becoming a critical tool in the department’s efforts to survey federal land, monitor wildlife and respond to natural disasters, and Bathrick said his office plans to purchase thousands of new unmanned aircraft in the years ahead. While many of those will likely come from DJI, he said the department will gladly do business with U.S. companies that offer a competitive product.
“We’re looking at drones from all over the world, and we’re applying the same [security] requirements,” he said. “For us, this [authorization] is an interim solution. This is just a milestone in our longer journey for secure and scalable solutions.”
When pressed on the national security concerns surrounding DJI, Bathrick said industry and the government “should treat all technology as if it’s a potential security risk, regardless of where it’s [manufactured].” He also rejected the idea floated by some lawmakers to ban all DJI products from the U.S. market, citing the proposal as ineffective and potentially misguided.
“It’s kind of easy for pundits and others to sit back and say ‘we should just ban them’ … if you don’t have any operational requirements, if you don’t have any mission you have to perform,” he said. “For those of us who have a responsibility to not only our agencies but the American public to go out and perform these missions … the only option is to collaborate with industry and collaborate with our federal partners and chart a path forward that is as secure as technically possible. I think that’s all any government organization and any company can do.”