US Interior Dept extends drone grounding over foreign hacking fears
Now can’t be an easy time to be a professional drone pilot working for the US Department of the Interior (DOI).
After years of enthusiastic expansion, in November 2019 the agency announced the temporary grounding of its fleet of Unmanned Aircraft Systems (UAS) over hacking fears that unnamed sources claimed were connected to the drones’ manufacture in China or their use of Chinese parts.
This week, the DOI doubled down on that order, with Secretary of the Interior David Bernhardt signing a follow-up that will keep the agency’s drones on the ground for another 30 days until a more in-depth security review is completed.
It’s not clear what prompted the need for additional checks beyond a sense of caution. The statement simply noted:
In certain circumstances, information collected during UAS missions has the potential to be valuable to foreign entities, organizations, and governments.
Grounding drones for another month would give the agency time to carry out a cybersecurity assessment to make sure this can’t happen, it continued.
Until the issue is resolved, the only DOI drone flights allowed will be those connected to emergencies – monitoring wildfires and floods, both uses that underscore the importance of drones to the agency’s work.
Investigating drone cybersecurity sounds like a good idea, even if how the agency might go about it remains open to speculation.
In a separate development last November, the US Department of Justice (DOJ) recommended that drones used by government departments be subjected to a thorough security assessment before use. The latest order is explicit that it’s the foreign dimension the agency is worried about when it specifies:
UAS manufactured by designated foreign-owned companies or UAS with designated foreign-manufactured component.
Easier said than done. In common with almost any other product one might think of, drones are built from a complex mix of hardware and software from across the world.
Much of it might come from China, but not all of it. And even the stuff that doesn’t might involve supply chains that lead who knows where. What’s certain is that many components will not be designed or manufactured in the US.
One answer might be to certify platforms in the same way the US Government does for other types of hardware. However, doing this for a relatively small fleet of drones used by one department would inevitably make them a lot more expensive and less likely to keep up with innovation.
The alternative is for the US to repurpose specialised drone platforms used by the US military, but that could be beyond the budget of a department as small as the DOI.
The practical reality is that while engineers can peer at the software code used by drones, achieving absolute certainty about their underlying design is probably Utopian.
More achievable might be to take a leaf from mainstream cybersecurity and develop or adopt an open source platform which could be studied by the wider security community for security issues.
While complex proprietary technologies such as 5G equipment don’t lend themselves to this approach, drones are another matter.
The DOI seems unlikely to scrap or permanently ground its current drone fleet. At some point they will start flying again. But the hiatus is the perfect moment to reassess the flawed ‘fly and hope’ security approach that has shaped current drone use.