By: Daniel Castro
This week Sen. Chuck Schumer (D-NY) introduced the U.S. Innovation and Competition Act (formerly known as the Endless Frontiers Act), aiming to boost U.S. innovation-based competitiveness, enhance manufacturing, and increase supply chain resiliency. Included in the nearly 1,500-page proposal is the American Security Drone Act (ASDA), a bill originally introduced by Sen. Rick Scott (R-FL), which bans the federal government from buying or using Chinese-made drones and limits other organizations from using federal funds to purchase or operate them.
This latter restriction means many organizations that receive federal funds — such as academic researchers, first responders, state and local transportation agencies, and public utilities — cannot use the most popular drones on the market, raising their costs and limiting important uses of drones. It will also put more American lives at risk, as many types of organizations increasingly use drones for tasks that would be dangerous for humans, such as inspecting power plants and surveying wildfires.
According to Sen. Scott, the goal of the legislation is to protect “national security and the privacy of American citizens.” But by those measures, the bill is doomed to fail. Limiting technology deployment based solely on where it is manufactured is an ineffective security countermeasure — not just for drones, but for most technologies — because the country where a product is built has no direct bearing on whether it is secure. Indeed, if the United States were to pursue this policy to its logical conclusion, it would need to ban virtually all tech made in China, from wearables to printers and laptops. Say goodbye to iPhones.
In the long term, such a policy would also be disadvantageous for U.S. firms. If the United States restricts Chinese-made products solely because of vague and unsubstantiated security concerns, then why shouldn’t other countries restrict U.S. products? Claims that the U.S. government may use U.S. companies to secretly engage in mass surveillance already serve as justification for restrictive policies that target U.S. tech companies in Europe and Asia. Endorsing this type of policy in the United States would make it even harder to oppose such restrictions when they impact U.S. firms abroad.
But putting all of that aside, there is the technical reality of the question at hand: What makes the country-of-origin policy particularly misguided for drones is the fact that most of these devices present little to no privacy or security risk in the first place, because the vast majority of drones are not connected to the Internet during operation. The notion that the Chinese government, or anyone else, might remotely capture data from U.S. drones is not even technically feasible. Moreover, most commercial drones are flown in unrestricted airspace where others can also freely fly and observe their movements, so it is not even clear what privacy threat the legislation is trying to prevent.
If the Chinese government wants to launch a cyberattack against drones in the United States, it does not need to rely on a Chinese-owned drone company. Instead, one of the most likely attack vectors would be to covertly embed malicious code in a software update that users might download to their devices, and this type of attack is as feasible against a U.S. company as a foreign one. Drone operators must manage this risk regardless of where they get their drones, such as through security testing, code audits, and authenticating software updates.
Indeed, the premise of modern security architectures is to implement a “zero trust” framework where organizations operate on the assumption that there are no trusted sources. Instead, they adopt a security model that assumes potential attackers are both inside and outside the organization’s network, and they use a variety of controls to systematically minimize risk.
Drone security is a legitimate concern, and drone operators should consider a variety of risks. But just as policymakers eventually learned that “security through obscurity” is an ineffective countermeasure — better to use open security protocols that have proved to be capable of withstanding public scrutiny than rely on proprietary ones that do not face similar tests — they should also learn that “security through geography” is worthless. Restricting drones based on their country of origin is a misguided policy that will do little to address genuine cybersecurity threats, but it is sure to stall legitimate deployment and use of drones in the United States.