Federal officials say drones present an emergent cybersecurity risk
Discussions about the use of unmanned aerial vehicles in U.S. airspace have long revolved around privacy concerns and hazards to public safety. But federal officials are increasingly turning their attention to the potential cybersecurity threats posed by increased drone use.
In a panel discussion during DC CyberTalks 2018 in Washington on Thursday, a Federal Aviation Administration official said drones present equal parts opportunity and challenge, and that the essential governance of the technology is being forged across the various levels of government right now.
“We are dealing, truly, with an aviation asset that is unlike anything else,” said Angela Stubblefield, deputy associate administrator for the FAA’s Security and Hazardous Materials Safety office.
Congress approved the FAA’s five-year reauthorization bill earlier this month. In addition to its funding provisions, the legislation establishes new guidelines for drone use, including new allowances for the federal government to remove potentially dangerous aircraft from the air, and a new framework for future governance. But many of the details of how drones will be governed are yet to be established.
Stubblefield said drawing the line between the federal and state and local levels of government is a work in progress and will be refined in the coming months and years. As practical applications for drones grow, she said the FAA will be privy to a growing pool of data to determine the appropriate levels of authority across the various levels of government.
Past attempts to breach drone systems required the sophistication of a nation-state or another well-funded or well-resourced entity, Stubblefield said, but such efforts today are becoming cheaper and easier to accomplish, presenting a heightened risk.
“We have to think not just about trying to isolate systems from an access perspective but [have an eye] on the air as well,” Stubblefield said.
State and local government agencies are increasingly launching their own drone programs or outsourcing for drones to either gather new imagery data that was previously unavailable — such as scans of built infrastructure, like roads and bridges — or prohibitively expensive when gathered by traditional aircraft. Drones are taking off in a growing number of public safety jurisdictions; California fire agencies turned to drones this summer to take 360-degree photographs of towns heavily affected by a series of fires that scorched hundreds of thousands of acres.
Stubblefield said the use cases to use drones to remove humans from potentially unsafe scenarios are “virtually limitless.”
This growing use by public safety presents a natural cybersecurity challenge, said Stephen “Herbie” Hancock, director of special projects for the Department of Homeland Security’s Science and Technology Directorate. Emergency responders like firefighters generally aren’t interested in where their drones are sending data — they’re interested in putting out fires, Hancock said.
He continued that mitigating cyberthreats presented by drones is a major challenge because drones were designed to keep a low profile while collecting various types of information, whether it’s visual images or data packets flying out of a Wi-Fi router. Spy drones don’t have giant antennas or any other conspicuous characteristics, he said.
“How do you find it?” Hancock said. “That’s difficult. Really, really difficult.”
