U.S. Reliance on Chinese Drones: A Sector for the Next CHIPS Act?
Published by The Lawfare Institute
in Cooperation With
Bipartisan members of Congress are beginning to pay attention to the issue of drones and national security. The American Security Drone Act of 2023 (ASDA) seeks to regulate federal agency procurement and use of certain foreign-made unmanned aircraft systems (UASs), or drones. The Increasing Competitiveness for American Drones Act of 2023 (ICADA) establishes a new office within the Federal Aviation Administration (FAA) to bolster the United States’ position in the China-dominated commercial drone industry. In addition, a discussion draft of a bill for drone research and development was the basis for a Senate hearing in late March.
These initiatives call attention to two aspects of the U.S.’s precarious global position with respect to drones. First, the U.S. is lagging in market share and innovation in the drone industry. The global drone market was worth over $30 billion in 2022 and is projected to increase to over $55 billion by 2030. However, China’s Da Jiang Innovations (DJI) had a 54 percent share of the global commercial drone market as of 2021. Skydio, the most prominent American drone company, had approximately 3 percent share in the same year. Second, despite selected bans by various entities in the U.S. (most recently in Florida and Arkansas), numerous U.S federal agencies continue to rely on foreign-made drones, particularly DJI drones, with documented security risks. These risks are both political and technical. Politically, the risks stem from DJI’s obligation by law to support the People’s Republic of China’s (PRC) state intelligence work. Technically, a study published in late 2022 demonstrates that DJI drone security is easy to exploit by remote malicious actors using commonly available software and tools.
The recent Chinese “weather” balloon’s brazen traversing over U.S. sovereign territory and use of DJI drones supporting war fighters on both sides of the Russia-Ukraine War have vividly alerted U.S. policymakers to Chinese leadership in this sector. On the battlefield, drones play a key role in reconnaissance and attacks. A foreign adversary dominating the world market could deny the U.S. effective drone support in warfighting or potentially disable U.S. drones in a conflict. Last year, a Chinese CH-4 military drone entered the Taiwanese air defense identification zone. The CH-4 is China’s counterpart to the U.S. military’s MQ-9 reaper. There are also reports that Chinese-made drones are already likely being used to conduct surveillance on U.S. infrastructure. In light of these risks, strategically and quickly strengthening domestic drone manufacturing capabilities is imperative to bolster U.S. national security. The ASDA and ICADA present a critical opportunity to address this need.
Building on the bipartisan consensus to enact the 2022 Creating Helpful Incentives to Produce Semiconductors and Science (CHIPS) Act, there is a compelling case that UASs should be a next sector for similar action. The CHIPS Act represents a $280 billion investment in domestic semiconductor production, research and development, and overall U.S. competitiveness in innovative technology. It could serve as a model for the drone sector as policymakers try to strengthen both the ASDA and ICADA within a national security context.
Too Many Exemptions
The ASDA seeks “to provide for drone security” and is a promising start to limit federal agency use of foreign-made drones. The ASDA was introduced by Sen. Rick Scott (R-Fla.) and referred to the Senate Committee on Homeland Security and Governmental Affairs. Co-sponsors range across the political spectrum, from Republicans such as Sens. Marco Rubio of Florida and Josh Hawley of Missouri to Democrats such as Sens. Richard Blumenthal of Connecticut and Mark Warner of Virginia.
Unfortunately, the bill as written is riddled with exemptions. As its guiding principle, the bill prohibits any federal agency from using federal funds to procure and operate UASs from countries identified as national security threats, or “covered foreign entities.” The PRC and any organization under the influence of the PRC or the Chinese Communist Party are explicitly named as such a threat. Each of the bill’s three main sections is followed by a list of exemptions for multiple agencies. Exemptions are permitted under the vague standard of “required for the national interest of the United States.” Prohibiting federal purchases is justified given the documented cybersecurity concerns from foreign drones and the risks of relying on them in case of conflict with a covered foreign entity.
Exemptions are permitted based on any of a long list of purposes, such as research for electronic warfare, search and rescue missions, cybersecurity, counterterrorism and intelligence activities, UAS development, and safety investigations. State and local governments may procure and operate foreign UASs as long as federal dollars are not used. The bill also permits executive agency heads to initiate case-by-case suspension of UAS procurement bans.
With all of these exemptions available, federal agencies will retain multiple paths for continuing to purchase Chinese-made drones. In a 2022 Senate Homeland Security and Governmental Affairs Committee hearing, witnesses from the Department of Homeland Security and FBI testified that they are buying Chinese-made drones due to the lack of high-quality American alternatives.
The current bill has so many exemptions that it is difficult to see how it will achieve its stated goal of protecting national security. Instead of relying on vague exemption approvals, Congress could require a National Security Impact Assessment, similar to the Privacy Impact Assessment required for new government systems under the E-Government Act. For these assessments, the agency would need to document its analysis of cybersecurity and other risks that would result from relying on a drone from a covered foreign entity. The agency would examine the options for mitigating such risks. Federal agency purchase of a drone from a covered foreign entity would be permitted only upon a finding that the risks had been mitigated or with a detailed explanation of why the benefits of the particular purchase outweigh the risks.
Technical standards concerning risk and mitigation could build on similar initiatives under Section 10224 of the CHIPS Act. That act requires the National Institute of Standards and Technology (NIST) director to use a severity-based metric to designate vulnerabilities found in open-source software and employ digital signatures to indicate whether NIST-released software is authentic. For UASs, it is worth considering how to create analogous mechanisms for technical standards for assessed risks related to drone procurement and mitigations of those risks.
Improving the Impact of the ASDA
Building on lessons from the CHIPS Act, there are three opportunities to further improve the ASDA’s support for federal drone procurement. First, the current version of the ASDA requires the under secretary of defense for acquisition and sustainment to submit a UAS supply chain report to Congress within a year of the bill’s passage. The report would describe the current global and domestic drone market, evaluate the quality of drones produced domestically or by allies, and set forth a plan to address the current reliance on drones from covered foreign entities. The UAS supply chain report could also specifically study procurement by state and local governments, which is an area of concern noted in a critique of the 2021 version of the ASDA.
Second, the CHIPS Act directs NIST to create a National Supply Chain Database for use by industry and the federal government. ASDA could similarly require a UAS Supply Chain Database. Such a database, built in collaboration with industry and allied countries, would have greater impact than simply conducting the proposed ASDA study.
Third, the CHIPS Act requires NIST, in collaboration with industry, academia, and other federal agencies, to establish security best practices for the chips sector. Again, the ASDA could follow this lead and require NIST to develop security best practices for the UAS sector and include such practices in the required defense secretary’s plan to bolster domestic drone production. Cybersecurity should be the centerpiece in expansion of American drone manufacturing, not an afterthought.
Strengthening Domestic UAS Manufacturing and Its Supply Chain
There are multiple opportunities to improve cybersecurity and national security features of the ICADA, which primarily addresses aspects of commercial drone activity. The ICADA was referred to the Senate Committee on Commerce, Science, and Transportation. Like the ASDA, the ICADA has bipartisan support.
As introduced, the ICADA seeks to foster more commercial drone flights. These flights often occur beyond visual line of sight and pose greater logistical and regulatory challenges than flights that occur within the operator’s field of vision For example, Prime Air, Amazon’s drone delivery division, is currently authorized to test operations in two U.S. towns but is limited by numerous FAA constraints and regulations. Amazon cannot fly its drones over roads or people without explicit FAA permission, on a case-by-case basis. From Prime Air’s launch in December until mid-January 2023, fewer than 10 houses reportedly received deliveries via the service. If passed, the ICADA would alleviate barriers for flight approvals like those of Prime Air.
The ICADA seeks to reduce regulatory barriers in the drone delivery industry but does not place any restrictions on the manufacturer or origin of the commercial delivery drones, nor does it account for security risks despite the amount of intelligence the drones could collect if flown over critical infrastructure. For example, Amazon designed its delivery drones in house, yet it is unclear where the drones are manufactured. Walmart, however, is partnering with three U.S. drone companies, DroneUp, Flytrex, and Zipline. Ideally, the ICADA would continue the momentum of investing in U.S. drone companies while diminishing over-reliance on foreign-made drones for commercial industries. In doing so, it would directly support President Biden’s American supply chains executive order.
To improve cybersecurity for the ICADA, NIST could develop cybersecurity best practices for the drone sector and include such practices in ASDA’s proposed Department of Defense drone security plan. In addition, Congress could consider ways to encourage the adoption of such practices for commercial drone activities.
For both cybersecurity and national security purposes, the ICADA could encourage the use of American-manufactured drones and require transparency on the origin of components used to produce drones for commercial deliveries. In addition, this attention to transparency about supply chains could build on the idea of the “software bill of materials” required for federal agencies under President Biden’s 2021 executive order on improving the nation’s cybersecurity. Greater transparency on provenance could shift attention to aspects of supply chain hardware and software that may pose national security risks.
Finally, if enough support exists to address drone security risks, Congress could decide to adopt the CHIPS Act approach of supporting domestic production of key semiconductor technologies, by appropriating funds to support domestic production of key drone-related technologies.
Conclusion
The CHIPS Act could serve as a model for addressing national security risks resulting from reliance on key foreign-provided technologies. Any new legislation could amplify and build on the UAS-relevant provisions of the CHIPS Act. The CHIPS Act requires the NASA administrator to coordinate research efforts on air traffic management systems for UASs, directs NASA research to inform the integration of UASs into the national airspace system to achieve public safety and national security, and calls for the National Science Foundation to coordinate with the FAA and NASA to fund UAS research and related activities. These provisions in the CHIPS Act form a critical basis for advancing UAS technology in the U.S. and lay the foundation for a healthy manufacturing ecosystem.
To build public support, Congress should consider the possibility of combining the ASDA and the ICADA, along with any R&D initiatives into an overall drone package reminiscent of the CHIPS Act. Critics of the CHIPS Act argue that it is not sufficiently tied to national security interests. However, policymakers recognized a problem and provided funding for a comprehensive solution with the CHIPS Act. To address the current national security and cybersecurity issues discussed above, policymakers could get on a path to a similar solution for the U.S. and its allies with respect to UASs. Thus, a unified piece of legislation that blends the ASDA and the ICADA could be considered for drones. As they currently stand, the ASDA is scoped for the government and the ICADA is scoped for the commercial delivery industry. Commercial safety risks, however, are not sufficiently distinct from national security risks to warrant a separate bill. This is increasingly important given that commercial off-the-shelf solutions may comprise key components of future strike and reconnaissance drones for the U.S. military. A combined bill could better focus attention on the serious challenges facing the entire UAS sector.
In short, the objective is to ensure the U.S. is a global leader in producing secure and safe drone technologies with a strong manufacturing capability bolstered by a resilient and reliable domestic supply chain.