I’d heard the rumors for a long time, but a leaked memo to a drone news website confirmed it: The U.S. Army has been using DJI Phantom drones, identical to those found under Christmas trees and in hobbyists’ garages. The U.S. Army memo directed all units to stop using the Chinese-made Phantoms until they received “follow on direction,” citing cybersecurity concerns.
Grounding the Phantoms is the right choice. But the U.S. military didn’t go far enough: It should hit the pause button on using all commercial drones, and not only because of security concerns.
The military is using commercially available drones because similar military-developed drones often lack their maneuverability, low cost, and ease of use—the same qualities that appeal to hobbyist dads and amateur mapmakers. The original memo noted that the Army’s Aviation Engineering Directorate has already “issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.” In a comment to Defense One, former Army intelligence soldier Brett Velicovich said that U.S. special operators in Syria were “using DJI products.”
The military remains relatively circumspect about how it has used commercial drones—I’ve been in touch with military spokespeople but haven’t been given any specifics. We do have some hints, though. DVIDS Hub, a media resource run by the U.S. military, has a number of photographs that show DJI products: One photo shows a Marine explosive ordnance disposal technician flying a DJI Mavic drone during unspecified training “while forward-deployed in the Middle East.” Per the photo caption, the drone “was a proof of concept in order to determine its applicability for operational use.” Most of the DVIDS photos show drones being used away from the battlefield, including in small unit decision-making training at Camp Lejeune in North Carolina, the Dragoon Ride joint exercise between the U.S. and NATO in Germany, and during reconnaissance experiments at Camp Pendleton in California. The FedBizOpps website, which posts federal government procurement opportunities, lists a number of notices from the military that include commercial drones. There’s a call from the Department of the Army for a “heavy duty police drone” from RMUS (a small company that modifies DJI products), an Army call for two DJI Matrice 600 Pro drones to be delivered to the U.S. Army Research Laboratory, and a call for commercial drones from three different manufacturers for the U.S. Army Mission and Installation Contracting Command.
The U.S. military isn’t alone, either. The Israeli Defense Forces recently announced the purchase of DJI Mavic drones for the majority of its combat companies, while armed groups like ISIS and rebels in the Ukraine have been using commercial drones (very much against their manufacturers’ wishes) for a while now.
But consumer drones aren’t designed for use in conflict zones. The engineers who put them together aren’t primarily worried about protecting them against hijacking attempts or efforts to grab the data they collect: They’re selling to a consumer market that usually has less stringent cybersecurity needs than the military does. A number of studies have identified concerning cybersecurity vulnerabilities in popular commercial drone models. In January, researchers from the Federal Trade Commission found they were able to hack into three different inexpensive commercial drones from Parrot, DBPower, and Cheerson. In 2016, MIT students conducted a security analysis of the DJI Phantom 3 Standard and found that the drone was vulnerable to a number of malicious attacks, while researchers from Johns Hopkins University were able to use an exploit to wirelessly hack and crash a popular hobby drone. (The exact model was not identified.)
While the National Oceanic and Atmospheric Administration recently ran a study finding that the DJI S1000 heavy-lift drone presented “no threat for data leakage,” one of the study authors told the Verge that similar tests on his DJI Phantom 3 Professional—a different model—found that the drone appeared to be sending encrypted data “back to DJI and servers whose location he could not determine.” Naturally, the U.S. military needs to be sure its data doesn’t fall into the wrong hands, so data leakage is very worrisome indeed.
It’s good that the U.S. military is taking cybersecurity worries about commercial drones seriously, as the memo shows. But cybersecurity isn’t the only, or perhaps even the biggest, problem here. By using off-the-shelf devices, the military also risks its drones being confused with those used by other organizations and individuals and could potentially cause further damage to the already dubious public image of civilian drones operated for peaceful purposes.
Let’s start with the risk of mistaken drone identity, which I’m particularly worried about as a humanitarian researcher. Journalists, humanitarians, armed groups that aren’t affiliated with a single state, and civilian bystanders all also use commercial drones like the DJI Phantom. What happens if people on the ground can’t tell these drones apart, especially in chaotic disaster and conflict situations? The potential for chaos is huge. The military might assume a drone operated by a journalist is actually operated by ISIS. This could cause the military to launch an accidental defensive attack on the drone and potentially on civilians operating the drone—a situation that’s just become more likely, as the Pentagon has announced that military bases are authorized to shoot down drones.
If it doesn’t clearly identify its drones, the military could even risk violating the Geneva Conventions. One of the key principles of international humanitarian law is distinction: “[T]he parties to the conflict must at all times distinguish between civilians and combatants.” This obligates parties to conflict (like the U.S. military) to clearly distinguish themselves from civilians—and this extends to military aircraft, including commercial drones used by the military for military purposes. Unfortunately, little in existing international humanitarian law doctrine addresses consumer drones, focusing instead on weaponized drone use by the military. When unarmed drones used by civilians do come up, they’re assumed to be covered by the same rules as manned aircraft. This ignores some important differences, from the size difference between a Cessna and a Phantom to the fact that by definition, small commercial drones lack a pilot and thus can’t communicate directly with air traffic control via radio.
There are technological fixes to the “Is a friend or foe flying that thing?” problem. A number of research groups are working on integrating small drones into air traffic control systems. NASA, the Federal Aviation Administration, and a number of private companies have been working together on a drone air traffic management project and are field-testing their ideas this summer. Some companies offer lightweight ADS-B transponders, which permit aircraft to broadcast where they are, their identification information, and their velocities. Another solution—floated by DJI as well as drone and privacy groups—might be remote identification, which is currently under consideration by the FAA. This would enable someone on the ground to pick up a radio signal from the drone with its location and registration number, similar to a license plate. While anyone would be able to tune into these signals with the right receiver, only law enforcement and aviation regulators would be able to “run the number” to identify the pilot. We’ll likely need a combination of these solutions to sort out the drone distinction problem.
Low-tech and policy solutions matter, too. Think of the Red Cross symbol that marks aircraft operated by the International Red Cross and Red Crescent Movement. Perhaps humanitarian drones could use similar markings and symbols. Yes, they would be difficult to see from the ground, but even imperfect solutions would still be better than the current situation. Ultimately, a wide variety of actors and organizations should come together to decide upon the best method of IDing drones, including tech solutions, markings, and developing ground rules. These gatherings could drive the development of new doctrine in international humanitarian law that specifically addresses small drones used by civilians.
More broadly, military use of commercial drones has troubling implications for the entire industry. Civilian drone-users have long struggled with the popular assumption that all drones are in some sinister way linked to the military and law enforcement. But small consumer drones didn’t originate in a straight evolutionary line from armed Predator or Reaper long-range UAS. They’re really just flying mobile phone cameras, made possible by big reductions in the size and price of the same sensors and tiny computers that are used in your iPhone.
Most of the companies that sell consumer drones didn’t start as military contractors, and they remain a little wary of working with armed forces. DJI spokesman Adam Lisberg emphasized this when I spoke with him about the issue: “We don’t sell to the military, we don’t market to the military. We build our drones entirely for peaceful purposes. We know people can do all kinds of modifications to our drones—we can’t stop them from doing that.” He also told me that the military has yet to explain to the company what the specific encryption problem is. “We don’t have military-grade encryption, and if you’re using [our products] for a mission that requires it, you may want to re-evaluate that mission.”
Yet many people still assume that all drones are linked to the military—which means people are inclined to assume that even commercial drones flown by civilian operators are in some way linked to the military or law enforcement. Public mistrust of drones runs so deep that civilian drones are regularly shot at, putting people on the ground at risk. If the military adopts commercial drones in a big way, attitudes that link drones to the military will only grow stronger (and for good reason!). That could make it harder for groups like researchers, activists, search-and-rescue organizations, and others to put the technology to work.
I definitely don’t think the military should never use commercial drones in the future, once security and other concerns have been better sorted out. What I’m calling for is more thoughtful use. The military, humanitarians, drone companies, media, and other actors should start a dialogue about how to best share airspace in conflict and disaster situations. There should be support and funding for research that evaluates different commercial platforms and deduces the best methods of telling them apart from other drones. The military should be prioritizing the development of drones that work as well as their commercial counterparts but are manufactured by traditional military suppliers, are resistant to cyberattack, and can be readily identified as such. Grounding commercial drones for now would give the military time to sort out the cybersecurity and identification risks they present. That will make much wider adoption of drones possible in the future and will keep everyone safer.