CYBERSECURITY GUIDANCE: CHINESE-MANUFACTURED UAS
OVERVIEW
Chinese-manufactured unmanned aircraft systems (UAS), more commonly referred to
as drones, continue to pose a significant risk to critical infrastructure and U.S. national
security. While any UAS could have vulnerabilities that enable data theft or facilitate network
compromises, the People’s Republic of China (PRC) has enacted laws that provide the
government with expanded legal grounds for accessing and controlling data held by firms in
China. The use of Chinese-manufactured UAS requires careful consideration and potential
mitigation to reduce risk to networks and sensitive information. The Cybersecurity and
Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) encourage
U.S. critical infrastructure owners and operators to procure UAS that follow secure-by-design
principles, including those manufactured by U.S. companies. CISA and FBI further
recommend that any organization procuring and operating UAS follow the principles and
implement the cybersecurity recommendations listed in this guidance.
THREAT
The White House’s 2023 National Cybersecurity Strategy and the Annual Threat
Assessment from the Office of the Director of National Intelligence both recognize the
PRC as the most advanced, active, and persistent cyber threat to the United States. Their
analysis describes how the PRC expanded cyber operations to challenge the global order
and U.S. interests. Central to this strategy is the acquisition and collection of data - which
the PRC views as a strategic resource and growing arena of geopolitical competition.[1]
Since 2015, the PRC has passed or updated comprehensive national security,
cybersecurity, and data privacy laws and regulations, expanding their oversight of
domestic and foreign companies operating within China.[2] One of these laws, the PRC’s
2017 National Intelligence Law, compels Chinese companies to cooperate with state
intelligence services, including providing access to data collected within China and
around the world. This includes prominent Chinese-owned UAS manufacturers that
the Department of Defense has identified as “Chinese military companies” operating
within the United States.[3] The 2021 Data Security Law expands the PRC’s access to and
control of companies and data within China and imposes strict penalties on China-based
businesses for non-compliance.[4] The data collected by such companies is essential to
the PRC’s Military-Civil Fusion strategy, which seeks to gain a strategic advantage over
the United States by facilitating access to advanced technologies and expertise.[5] The
2021 Cyber Vulnerability Reporting Law requires Chinese-based companies to disclose
cyber vulnerabilities found in their systems or software to PRC authorities prior to any
public disclosure or sharing overseas. This may provide PRC authorities the opportunity to
exploit system flaws before cyber vulnerabilities are publicly known.[6]
The use of Chinese-manufactured UAS in critical infrastructure operations risks
exposing sensitive information to PRC authorities, jeopardizing U.S. national
security, economic security, and public health and safety.