Drone Operators Concerned With DJI Cybersecurity Concerns Have Few Options

November 2019

In the 1980s classic An Officer and a Gentleman, Richard Gere’s character, Zack Mayo, breaks down and cries, “I got nowhere else to go” when threatened with being thrown out of Navy Aviation Officer Candidate School. That sentiment is likely the same felt by drone operators when it comes to drone manufacturer DJI , which is based in China. Many are concerned with the well-publicized cybersecurity concerns associated with DJI, but they’ve “got nowhere else to go.”

In 2017, both the U.S. Military and Department of Homeland Security (DHS) placed bans on the use of DJI products due to concerns about the Chinese government accessing data produced by DJI drones. Waivers are now required for any such use of DJI products, and they are only granted on a “case-by-case” basis. The U.S. Department of the Interior adopted a similar approach because it found that DJI drones “did not meet UAS [unmanned aircraft systems] data management assurance standards.” DJI has refuted any suggestion that the Chinese government has access to data produced by DJI drones, and in 2018, DJI hired Kivu to perform a study of its data practices. Kivu issued a report that was largely favorable for DJI. Nonetheless, in an effort to further win back government business, DJI has come forward with “Government Edition” hardware, firmware and software, but the Department of the Interior has only allowed the use of Government Edition equipment on limited “non-sensitive missions that collect publicly releasable data.” And, as noted above, the military and DHS bans remain in place. Most recently, bipartisan legislation was introduced that would ban any federal spending on Chinese-made drones.

According to published reports, DJI has a virtual monopoly on the world’s non-military drone market, occupying approximately 74% of the market. In gaining such market share, DJI has killed off most of its competition in the hardware space and there is essentially no domestic drone market. As a result, operators that are concerned with the safety of their data have few options to which to turn if they wish to avoid DJI. And, the available options generally come with higher price tags and lower performance standards.

So what is a drone operator that is concerned with the security of its data to do? One option is to only operate with non-DJI equipment, but, as noted above, that is easier said than done. If operators are going to use DJI products (and nearly three-quarters of all drone operators are), it is imperative that they fully understand the options that are available through DJI’s software to prevent data sharing, and adjust their settings appropriately. Indeed, data protection should be top of mind for all commercial drone operators, regardless of the platform being used. As such, operators are potentially attractive targets for ransomware and other malicious activity. Even if DJI’s claims are true and the Chinese government is not stealing data, hackers and other bad actors may be looking to do so. Thus, a robust cybersecurity program should be put in place to protect data that is captured and that will be shared with clients and other stakeholders. Failure to do so could be deemed negligent or, to round out the movie reference, “conduct unbecoming an officer.”