The ultimate Trojan Horse? US drone makers up in arms about Chinese industry advancement

To date, around 4,000 to 5,000 drones or ‘uncrewed aerial systems’ (UAS) have been imported into the US from China for agricultural spraying, estimates Massachusetts-based drone company Guardian Ag.

As much as 99% of drones in the US are Chinese ones, typically made by DJI, the largest Chinese drone maker, or XAG, and this number is expected to double in 2024.

It was Americans who invented commercial drones in 2008. But according to Guardian Ag, China came to dominate small drones​ through strategic policy, targeted investment and subsidies, driving many US companies out of business.

What security risks do Chinese drones allegedly pose?​

The threat to the US industry from Chinese drones isn’t simply commercial, however, with insiders also voicing allegations of security and food safety concerns – all of which have been denied by DJI.

In order to export an autonomous drone that can carry more than 20 litres and is able to deliver an aerosol, any US manufacturer must receive export permission from the Department of Commerce's Bureau of Industry and Security.

This is ostensibly to prevent an adversary from using the UAS on American troops, explained Matt Beckwith, Guardian Ag’s VP of business development and regulatory affairs. However, “There is nothing preventing or even tracking the importation of a UAS that meets the same criteria upon entry into the US.” 

There is no government tracking on these aircraft when they are imported into the US and only a fraction are registered with N numbers (an FAA requirement to operate UAS over 55lbs), he said. Currently fewer than 1,400 DJI and XAG large UAS’s have N-numbers, according to the US Federal Aviation Administration.  

Meanwhile, numerous US government warnings​ have documented the perceived threat posed by foreign-based Chinese actors who could control these drones, although these allegations are strenuously denied by the China drone sector.

Say there was conflict with China, claims Beckwith, these UAS could potentially be re-programmed through an over-the-air software update and used against Americans. “They are the ultimate Trojan Horse,” he believes.

US food security should not depend ‘upon the good will of a strategic adversary’​

There are also fears in relation to food security. One claim, again disputed by the China sector, is that such systems could theoretically be turned off by the manufacturer at the whim of the Chinese Communist Party (it is claimed this has been documented in Ukraine​), making American food production vulnerable to a denial-of-service attack.

The US administration has, accidentally, taken steps to block internet-connected Chinese cars and trucks from entry to the US auto market, including electric vehicles, over fears they pose risks to national security as their operating systems could send sensitive information to Beijing​.

According to Guardian Ag, America’s food security should not depend upon the good will of a strategic adversary. “The analogy I use is trying to prevent something from leaving the front door in order to avoid something bad happening in the front yard,” added Beckwith, “while allowing it to enter the house by the back door”.  

Evidence more US agricultural land being snapped up by China​

Spring planting season is upon us and farmers across the US have begun fertiliser and weed spray applications, many via drones.

This had led to concerns that some farmers may be accidentally be sharing vital information about the location and health of American crops with China, warns agricultural drone expert Arthur Erickson, CEO of Hylio, a US drone manufacturer.

He says that as more farmers start using drones to automate some crop treatment and surveillance activities, if they are using Chinese-made drones, he says they could unknowingly be sharing information about crop location, health, treatment schedules and so on each time the drone uploads data. 

“I'm not calling for Chinese-made drones to be banned in the US,” he said. “I want there to be regulations governing our drones and their drones in order for this to be a safe experience for everybody as this industry grows.”

But the US, he complains, is allowing China-made drones “to flood our market with no oversight whatsoever… These drones represent a vulnerability.”

Would China take the same approach to US technology? ​

He questions if China would take the same approach to US technology.

China would say ‘absolutely not, you're not going to sell those drones especially not without any regulation or oversight in our country’. And for whatever reason the opposite has happened.

This is not Sinophobia, he stresses. But neither is it hysteria, he believes.

On top of the steps to protect the US electric vehicle industry, the American Drone Security Act, passed in November 2023, prohibits federal agencies from acquiring UAS produced by Chinese military companies including DJI (the US Department of Defense actually identifies DJI as a Chinese military company). Why, the US companies ask, propose a ban on federal agencies buying Chinese-made drones and not the agricultural sector?

There is also evidence America is seeing more agricultural land being snapped up by China, although the data is hard to gauge​. “You gotta wonder about the end plan,” said Erikson.

How are US drones responding to the purported threat? ​

Erikson and Beckwith are urging farmers to buy American-made drones designed specifically for agricultural operators, with the message their data is completely secure.

“We have a lower total cost of ownership than a Chinese drone as we have designed this for the American farmer,” explained Beckwith. “It's a piece of agricultural equipment. It's not disposable. We will have a higher ticket price, but much lower operating costs.”

But more needs to be done, including raising awareness. “Nobody knows that there are now more spray drones in the US than crop dusters,” Beckwith said.

Erikson is calling for more oversight and cooperation with China firms and the Chinese government to level the playing field. “If they could play by our rules in our country then they are fine to play in our market. But they can't play by Chinese communist party rules in the US and vice versa. There's a reason Google aren't allowed to operate in China. It's a similar situation.”

Chinese drone industry denies any government links ​

AgTechNavigator put some questions to a DJI spokesperson who denied that the US and China share no commensurate import controls.

“China's Ministry of Commerce has its own import/export control list of items that require prior permission before exporting, similar to the United States,” we were told.

In August 2017 a Department of Homeland Security intelligence bulletin noted that, “since 2015, DJI has targeted a number of US companies in the critical infrastructure and law enforcement sectors to market its UAS,” and, “the Chinese government is likely using information acquired from DJI systems as a way to target assets.”

The Department of the Treasury, too, has placed DJI on the Office of Foreign Assets Control’s list of Chinese tech firms that are part of the Chinese military-industrial complex. These lists restrict US investments in DJI.

In January 2024, the US Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation also released an updated warning memo noting that, “The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC [People's Republic of China] authorities, jeopardizing US national security, economic security, and public health and safety.”

The DJI spokesperson, however, denied that DJI drones can be re-programmed at the direction of Chinese state actors through an over-the-air software update.

“DJI drones cannot be reprogrammed at the direction of any third party through an over-the-air software update. This is because DJI drones are equipped with best-practice security technologies to help prevent malware, software tampering, remote control hacking, and aircraft hijacking. This includes Trusted Execution Environment (TEE), which secures authentication, key management, firmware decryption, and verification throughout the use of the drone, as well as NIST FIPS 140-2 validated DJI Core Crypto Engine which serves as the secure engine of DJI drones.”

The spokesperson added that operators would have to choose to accept to upgrade their firmware through their remote controller or flight app. If operators want additional peace of mind, they can activate “Local Data Mode” or even switch on their mobile phone’s “airplane mode.” This would sever the connection between their flight app and the internet which makes any risk of an “over-the-air software update” impossible.

Asked if the company encrypts data to prevent bad actors getting into the software, it said: “Drone data shared with DJI is TLS-protected,” the spokesperson said. “Data communicated between the DJI flight app and the cloud server are encapsulated and transmitted through the HTTPS protocol to ensure security. Any personal data shared by users (i.e., name or email address for account registration) is further secured with AES-256 encryption in storage.”

“Since 2017, we have regularly submitted our products for third-party security audits and certification. These are US and European cybersecurity experts, including Booz Allen Hamilton​, FTI Consulting,​ and Kivu Consulting​. They procure our products off the shelf and conduct the reviews independently. And it’s not just independent firms that have analysed and validated our drone security, but also US government agencies, including the US Department of Interior​ and Idaho National Laboratory​.”

Concerning the alleged security gaps and vulnerabilities in Chinese software identified by the US Cybersecurity and Infrastructure Security Agency​, we were told that “DJI implements security best practices as demonstrated by the DJI Core Crypto Engine obtaining NIST FIPS 140-2 certification​, formally validated by the US and Canadian Governments. This certification is widely adopted worldwide in governmental and non-governmental sectors as a practical security benchmark. It is issued to products with a high level of security and complies with industrial and regulatory security standards.

“Second, DJI has an established Bug Bounty Program that encourages security researchers to report potential security vulnerabilities related to DJI products. This was first established in 2017 and has been an important part of our overall efforts in bolstering DJI product and data security.

“Third, drone operators are free to use third-party software providers if they prefer. We operate an open ecosystem that allows third-party providers, including US-based software companies, to offer their software solutions through our drone hardware platforms. Often, these providers cater to specific industry needs, including agriculture.”

Would you give data to Chinese government if asked? 

Asked if it would give any data obtained from its drones to the Chinese government if it was requested to, the DJI spokesperson said: “We have not had such a request from the Chinese government. To add, DJI does not collect flight logs, photos, and videos by default. DJI operators have complete control over how their drone data is collected and stored and must manually opt-in to share that data. Therefore, if you have not shared data with us, then it is impossible for us to give it to any government. 

“We sometimes receive warrants or subpoenas from the US and other government authorities for customer data for a drone associated with some kind of illegal activity. On receipt of such an order from any government, DJI's policy is first to review the request to check if it meets legal requirements for disclosure. Part of that requirement is that the disclosure would only include data that has been shared with DJI within the national jurisdiction of the government agency requesting it. So, if a US agency requests data about a drone being flown in Mexico, as an example, we would politely decline the request and assert that they should route the request through Mexican officials. 

“To reiterate, this only applies to data DJI does have access to, as we do not collect flight logs, photos, or videos by default.”

DJI also told us it is a privately held and controlled company and has been since it was founded in 2006. “Its founder, Frank Wang, controls the company. No government entity or representatives sit on DJI’s board or have any role in its management. The remaining investors are from the private sector and include Sequoia Capital and Accel.”

XAG did not respond to requests for comment.