States push back against Chinese drones

In March, Arkansas became the latest state to ban the usage of Chinese drones by state and local agencies in response to cybersecurity concerns. The state joined Florida, Mississippi, and Tennessee in recently passing bills restricting government agencies’ use of Chinese-manufactured drones, following earlier actions by the Department of Defense and other federal agencies. While some of these efforts cover all Chinese drone manufacturers, many are focused on one company: DJI.

Since its founding in 2006, DJI has grown to control 70 percent of the global commercial drone market today. The company has received investments from the Chinese Communist Party, despite denying it for years. These close ties have led to DJI drones being used to surveil Uyghurs in Xinjiang. The company has also aided Russia in its war against Ukraine by disabling Ukraine’s drone detection software while leaving Russia’s functional.

Despite these abuses, the U.S. government at the federal, state, and local levels is largely reliant on DJI drones. Nearly 90 percent of the drones used by police and emergency service agencies are from DJI. Similarly, my own review of state-level forestry, transportation, and wildlife agencies’ drone purchases found that approximately 80 percent of their drones are from DJI.

Now, concerns about DJI’s abuses abroad are compounded by fears of surveillance at home. The American national security community has become increasingly concerned that DJI drones may be sending proprietary information back to China, where it can be accessed by the CCP. This is a justified concern, given the CCP’s history of requiring technical equipment to have backdoors installed in them, granting the CCP access to the equipment’s data. In the case of DJI drones, these backdoors could give the CCP access to data the drones collect on critical infrastructure and U.S. agencies’ operations, posing a national security threat.

Recognizing this danger, the federal government has taken steps to protect the country from potential cybersecurity abuses by DJI and other Chinese drone manufacturers. In 2017, the army called for its units to stop using DJI drones after it became aware of the drones’ cybersecurity vulnerabilities. The 2020 National Defense Authorization Act took more aggressive action, banning the usage of federal funds to buy Chinese drones at the Department of Defense. Other federal agencies, including the Department of the Interior, have grounded Chinese-manufactured drones in their fleet in response to similar concerns. In March, a bipartisan group of senators asked the Cybersecurity and Infrastructure Security Agency to evaluate cybersecurity concerns with DJI drones. And just last month, the Senate Committee on Homeland Security and Governmental Affairs approved the American Security Drone Act, which would ban the federal government from buying Chinese drones.

Now, state lawmakers are following their lead. In addition to the four states mentioned above, blue states such as California, Hawaii, and Washington, and red states such as Texas and Alabama are taking steps to prohibit state and local government agencies from using Chinese-manufactured drones. These bans vary in several ways, including which branch of government is enacting them, and how quickly they go into effect. Texas, for example, enacted an immediate ban through the governor’s office, with no advanced warning. In Florida, meanwhile, the legislature immediately banned the usage of state funds to buy Chinese drones, and set rapid timetables for when state agencies could no longer use Chinese drones. Other states, such as Mississippi and Arkansas, have set multi-year phase-outs of their agencies’ use of Chinese drones. A closer look at these legislative and executive actions at the state shows that these moves will improve security, but there is more work to be done.

First, some of these bans, such as Texas’s, too narrowly focus on DJI. This type of ban would still allow state and local government agencies to purchase other drones from other Chinese manufacturers, such as Autel and Yunnec. Like DJI, these companies may create similar cybersecurity vulnerabilities, so any ban should apply to Chinese drones across the board. 

Second, these laws should be expanded to cover government contractors. While Florida, Arkansas, and Mississippi had in their laws banned the usage of Chinese-manufactured drones, applied the law to contractors working with state and local agencies, Tennessee did not. If a state doesn’t want agencies using Chinese-manufactured drones, why allow a contractor to use those drones for the same task? 

Finally, to ensure that these bans do not create a fiscal burden and risk being challenged as unfunded mandates, states should use federal grant programs to create funding plans for replacing their Chinese drones. For example, state police departments can apply for Department of Homeland Security grants, which police departments have used to purchase drones in the past. 

Similarly, state transportation agencies can apply for grants from the Department of Transportation’s SMART program, and state forestry departments can apply for equivalent grants through the U.S. Forestry Service. Finally, wildlife departments can apply for the U.S. Fish and Wildlife Service’s State Wildlife Grants program. Creating a funding plan, as Florida did, would also ensure that drone bans are not challenged and potentially struck down as unfunded mandates.

It’s encouraging that state and local policymakers are recognizing the cybersecurity threat posed by Chinese drones. But to be effective, federal and state bans must be comprehensive.

Lars Erik Schönander is policy technologist at the Foundation for American Innovation.