Drones and security issues. A regulatory update23 August 2023
"… a technology that was built to support military operations is now proving to be beneficial to various commercial and government organisations. The applicability of drones is wide ranging—for example, to improve urban and regional air mobility; increase public services; monitor environmental changes; facilitate the delivery of commercial and e-commercial goods and services, including medical and pathology supplies; enhance asset monitoring in agriculture, construction, mining and defence; and to support operations for media and entertainment, and recreational activities."
Validating the benefits of increased drone uptake for Australia: Geographic, demographic and social insights Study commissioned by the Commonwealth Government’s Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA)
Studies indicate that commercially licensed drones were first deployed in the United Sates following Hurricane Katrina when the Federal Aviation Agency issued a licence to operate drones equipped with infrared cameras. By 2006 predator drones equipped with thermal scanners capable of detecting humans from 10,000 feet (3038 metres) were being deployed for civilian use.
The projected Australian drone economy for public services (excluding defence) including fire and emergency rescue, border patrol, local law enforcement, disaster management, mapping and research is $1.3 billion by 2040. It is also projected that even with a medium level of drone uptake there is a potential in Australia to create over 5,500 new jobs every year between 2200-2040.
Areas of the private sector especially mining, construction, agriculture and transport have been the first to explore drone usage but significantly so has the public sector especially departments with responsibility for water resources, bushlands and wildlife, local government and entities with responsibilities for the maintenance of critical infrastructure such as bridges, sporting venues and tourist attractions like the Sydney Opera House.
The use of drones by the military has been brought to the attention of the public by war in the Ukraine where they been deployed extensively to destroy enemy targets and when the word ‘security’ is used in relation to drones it is the military usage that is first considered.
However, there are other security related issues which need to be considered by government departments, local councils and those involved in critical infrastructure.
In 2015, a Phantom drone of Chinese manufacturer DJI crashed into the garden of the White House undetected by the radar system, which allegedly was unable to distinguish the drone from a bird. This raised the first concerns about the potential risks from drones in areas of espionage, domestic terrorism and cybersecurity.
In Australia, correctional facilities have reported numerous times where drones have been used to breach security to deliver contraband over prison walls. In 2020 Corrections Victoria received 97 security incident reports from prisons about remotely piloted vehicles from March to early November, up 246 per cent compared to the full year before COVID-19 struck.
Drones can be hijacked or manipulated. Major cyber domain threats caused by drone activity are:
- GPS spoofing—This is where drones are hijacked by being fed false GPS coordinates and full control taken of the drone to use it to even highjack other drones.
- Downlink intercept—This is where a third party accesses all transmitted data between the drone and the controller. Since the majority of commercial drones systems interact with their base using unencrypted communication channels, they can become vulnerable to exploitation by a cyber-criminal who can intercept and have access to sensitive data drone exchanges with the base such as pictures, video and flight paths.
- Data exploitation—Critical infrastructure is usually protected in the terms of digital and physical security but drones can be used to overcome physical security limitations and cybersecurity protections. For example, a small drone carrying a mini-computer can approach undetected sensitive areas and even mimic a Wi-Fi network to steal data or hijack Bluetooth peripherals.
DJI drone ban in the US
In May 2020, the U.S. Department of Commerce banned DJI drone products and services within the United States. This ban applies to all commercial and recreational drone operations, including those that are used for business and hobbyist use. This was a Trump administration order based on the DJI drones being made by a foreign company owned or controlled by the Chinese government and concerns that DJI was supplying data to the Chinese government from the drones it manufactures.
The ban applies to all current and future models of DJI drones, as well as the DJI software and services used to manage the drones. This includes the DJI GO, DJI Pilot, and other related mobile applications. The ban also applies to the DJI FlightHub software, which is used to manage fleets of drones.
In March, Arkansas joined Florida, Mississippi, and Tennessee in recently passing bills restricting government agencies’ use of Chinese-manufactured drones by state and local agencies in response to cybersecurity concerns. California, Washington, Texas and Alabama are in the process of issuing bans of state and local government agencies using Chinese manufactured drones.
By March 2023 the United States Department of the Interior (DOI) had issued a ban on the use of DJI drones citing potential security risks. This ban impacts the use of DJI drones in all DOI operations and activities, including the National Park Service, US Fish and Wildlife Service, US Geological Survey, and Bureau of Land Management. DOI has also stated that it will not purchase, use, or support the use of any DJI drones for aerial surveying, data gathering, or any other activities that involve collecting sensitive information.
In June 2023 the US Senate started considering legislation to prohibit the Federal Aviation Administration from buying or using drones made in China, Russia, Iran, North Korea, Venezuela and Cuba. There are also moves to ban the US Capital Police from using drones manufactured by Autel Robotics and other Chinese companies.
There is currently no law within Australia that prohibits the use of drones manufactured by any foreign entity. Shadow Cyber Security Minister James Paterson has recently stated that there are over 3000 DJI internet connected drones or DJI accessories not internet connected in use with Commonwealth agencies including the Australian Federal Police, Services Australia, Home Affairs and the Great Barrier Reef Marine Park Authority. Australia has no formal bans in place so the assessment of risk is up to each organisation to determine unless directed to ban a specific drone manufacturer by a government directive.
The Commonwealth Government is developing a Drone Rule Management System (DRMS) to coordinate, implement and manage nationally consistent rules on drone use relating to noise, privacy, security, environmental impacts and cultural sites. DRMS is being developed in consultation with Commonwealth, state, territory and local governments, and industry stakeholders.
Drone usage has a myriad of regulatory, compliance and liability issues to be considered in order to get the maximum usage from the new technology. Laws exist at national, state and local government levels. If your business or agency is using or is thinking of using drones then it is essential that it have a well applied drone strategy that encompasses everything from drone registrations with Civil Aviation Safety Authority (CASA) to pilots, flight mapping and insurance.
Many organisations have started using drones because an employee has suggested a specific use and often that individual has used their personal drone to carry out the activity. If drones are deployed for any commercial use the entity on whose behalf they are being used may need to be registered with CASA.
Here are just a few areas that should be on the checklist if you are deploying drones to carry out activities whether it be business, local government or government entity.
- Do you have a specific drone strategy?
- Have you carried out a cybersecurity risk assessment and put security measures in place?
- Do you know what your regulatory and compliance obligations are when deploying drones?
Drones are adding a new dimension to different types of work and if managed properly are providing numerous opportunities that are cost effective and opening up new areas of exploration as well as management of existing issues.
However, this exciting area comes with regulatory and compliance issues that need to be identified and managed. This includes assessing the cybersecurity risks and the monitoring of drone security.
We are here to help you with these issues so you can realise the cost savings and efficiencies within a regulatory framework than minimises your compliance risks.