
Drone Threats Are Evolving; Data Retention Rules Are Not

Philip W. Rohlfing
Wednesday, May 6, 2026, 8:00 AM
Drones threaten U.S. bases, but recent amendments to Section 130i force deletion of the data needed to identify patterns and adapt.

The rapid proliferation of small, unmanned aircraft systems (UAS) has transformed what was once a limited aviation concern into a persistent challenge for force protection and homeland defense. Commercially available drones now possess range, endurance, payload capacity, autonomy, and coordination capabilities that, until recently, were confined to specialized and tightly controlled systems. In the domestic context, these platforms are increasingly used to approach, observe, and probe military installations, sensitive facilities, and other protected sites within the United States.

The threat UAS devices pose to U.S. national security, including surveillance of military installations, mapping of security perimeters, and signal collection against critical infrastructure, is no longer hypothetical. Over the past several years, the Department of Defense and U.S. Northern Command have reported a steady increase in unauthorized drone activity near domestic military installations. Publicly available reporting has described repeated incursions at sites such as Joint Base Langley-Eustis and other sensitive facilities. Senior defense officials have testified that the number of drone sightings over U.S. installations now reaches into the hundreds annually. Meanwhile, the Federal Aviation Administration and the Nuclear Regulatory Commission have documented hundreds of unauthorized drone incursions near civilian airports and nuclear power plants, underscoring a broader rise in low-altitude unmanned activity across the national airspace. Recent prosecutions involving UAS-enabled surveillance indicate that many incursions are deliberate, not incidental.

In response, Congress has granted the Department of Defense counter-UAS authorities, most notably in 10 U.S.C. § 130i. That provision authorizes the Defense Department, notwithstanding any other applicable criminal statutes, to detect, identify, monitor, track, and mitigate threats posed by UAS to covered facilities and assets located domestically. From the outset, these authorities were deliberately narrow and designed to operate alongside long-standing domestic surveillance and privacy protections. Over time, the practical operation of these authorities came to rely on limited retention of UAS-related data to support, among other things, countermeasure evaluation and pattern recognition.

However, subsequent amendments to § 130i, most recently in the National Defense Authorization Act (NDAA) for Fiscal Year 2026, have narrowed both the purposes and the duration for which the Department of Defense can retain certain lawfully acquired records of communications intercepted from UAS and data derived from them, including command-and-control links, telemetry, and associated signal characteristics. Motivated by legitimate concerns regarding privacy, oversight, and the domestic use of military capabilities, these changes replaced a broad, function-based retention framework. The result is a more restrictive, categorical regime that is poorly equipped to confront how modern UAS threats manifest domestically.

Domestic UAS incursions now function less as isolated events than as iterative probes of defensive posture. As these threats become more adaptive, persistent, and networked, § 130i mandates a retention posture that presumptively disfavors data persistence and constrains longitudinal analysis. Congress should revisit the statute to restore coherence between retention authority and operational reality without weakening the privacy protections that are especially important in the domestic context.

Critically, nothing in this analysis calls for expanding domestic collection authorities, loosening minimization requirements, or using UAS communications for generalized intelligence purposes. Section 130i already authorizes limited interception of UAS communications to mitigate threats, even when those signals incidentally contain human-originated content. The narrower question is whether data lawfully acquired under that existing authority, including technical indicators of system behavior, may be retained long enough to support defensive, system-focused analysis of how platforms and control methods evolve. All current statutory safeguards on acquisition, minimization, oversight, and reporting would remain unchanged.

From Tactical Authority to Strategic Constraint in the Homeland

Section 130i was enacted with a clear tactical purpose. Congress sought to ensure the Pentagon could lawfully counter drones that pose threats to certain facilities and assets within the United States—detecting the system, mitigating the risk, and protecting the facility or asset—despite otherwise restrictive statutes governing domestic electronic surveillance, communications interception, and aircraft operations. At the time of enactment in 2016, domestic UAS incursions were generally treated as isolated events rather than persistent or adaptive activity.

The domestic operating environment, however, has changed. UAS incursions near military installations are no longer rare or anomalous. Adversaries increasingly use inexpensive, commercially available drones as persistent access tools. They probe defenses, reuse platforms and control methods, and adapt in response to countermeasures. These activities may never mature into attacks, yet they nonetheless present intelligence, security, and readiness risks.

Recent international events underscore how such dynamics can translate into operational risk. Overseas operations have demonstrated how coordinated use of low-cost unmanned aircraft can penetrate defended airspace and strike high-value military assets through mobile launch platforms and distributed control. Although these incidents occurred outside the United States, they are frequently cited in U.S. defense discussions as cautionary examples of how similar techniques could be adapted against fixed installations if defenders lack the ability to analyze patterns over time.

In this environment, the operational value of counter-UAS data frequently emerges only through longitudinal analysis. Radio frequency signatures that appear generic in isolation become meaningful when aggregated across incidents. Platform configurations dismissed as commercially ubiquitous reveal patterns across locations and time. Even the effectiveness of deployed countermeasures can be assessed reliably only through sustained analysis. A statutory retention framework that strongly privileges near-term disposition inadequately addresses the character of the homeland threat.

What the 2026 NDAA Changed

The 2026 NDAA made substantive changes to § 130i’s data retention framework.

Prior to the enactment of the 2026 NDAA, § 130i permitted retention of certain counter-UAS data, specifically communications intercepted, acquired, or assessed to and from an unmanned aircraft system, when retention was necessary to support “one or more functions of the Department of Defense.” In the homeland, that broad standard could encompass force-protection assessment, cross-installation threat characterization, trend identification, evaluation of defensive systems, and adaptation to evolving tactics. These activities are central to readiness and learning but not necessarily tied to criminal prosecutions or discrete security operations.

The 2026 NDAA amended that framework. As revised, counter-UAS data subject to the statute’s retention provisions may be retained only to “investigate or prosecute a violation of law or to directly support an ongoing security operation” or if it “is required under Federal law or for the purpose of any litigation.” These narrow retention purposes are coupled with enhanced oversight and reporting requirements. In sum, retention authority is no longer anchored to defense functions broadly, but to discrete legal or operational endpoints. In the domestic context, where many incursions never result in prosecutions or clearly bounded operations, this shift is consequential.

Consider a representative domestic scenario. Over several months, separate installations detect small commercial UAS exhibiting broadly similar but individually unremarkable control-link behavior. Each incursion is brief, benign, and results in no prosecution. Only when lawfully acquired UAS communications, including protocol-level commands, telemetry fields, and other content reflecting system configuration, are retained and correlated across time and geography does it become apparent that the same platform or control method is being reused to probe multiple sites. Under the amended § 130i framework, retention necessary to support that form of longitudinal analysis is difficult to justify absent an ongoing security operation or prosecution, even though the analytic value is entirely defensive and system focused.

The amendments also reframed duration. Earlier versions of § 130i permitted retention for up to 180 days unless the secretary of defense approved longer retention. The amended statute now provides that data may be retained “only for so long as necessary, and in no event maintained for more than 180 days unless the Secretary of Defense determines that maintenance of such records” satisfies an authorized purpose.

Necessity, once a guiding principle exercised through executive judgment, is now a continuous statutory condition that must be affirmatively satisfied throughout the retention period. For counter-UAS data whose value lies in recognizing trends across time and geography rather than in immediate evidentiary use, this dual constraint materially alters retention practice.

What Section 130i Regulates—and Why That Distinction Matters Domestically

Precision is particularly important in the domestic setting. Section 130i does not treat all counter-UAS data as equally sensitive, nor does it impose uniform minimization or retention rules across all data types.

The statute’s explicit minimization, retention, and destruction requirements attach to communications in which interception or acquisition would otherwise implicate the Wiretap Act or the Pen Register and Trap and Trace statute, laws enacted amid heightened privacy concerns. For counter-UAS purposes, however, many intercepted communications consist of machine-to-machine command, control, and telemetry content describing how a system operates. Section 130i expressly authorizes limited interception of such communications, subject to heightened safeguards. By contrast, non-communications technical data, such as radar returns, non-content radio frequency detection, spectrum occupancy, flight paths, and kinematic tracking, generally do not, by their nature, trigger those statutes and are not subject to the same communications-specific retention limits under § 130i’s text.

The 2026 NDAA did not erase this distinction. However, by narrowing permissible retention purposes and elevating necessity as a continuous statutory requirement, Congress has created strong incentives for agencies, particularly in a criminal-statute compliance environment, to apply the same restrictive retention logic across all counter-UAS data types, even where the underlying privacy risks differ materially. This functional convergence risks erasing distinctions Congress itself deliberately preserved. The statute’s text does not compel that functional convergence, but it is a foreseeable compliance outcome in a risk-averse environment.

Lessons From Other Security Domains

This challenge is not unique to counter-UAS operations. Across multiple security missions, the federal government has learned that emerging technological threats cannot be understood through isolated incidents alone.

Early efforts to counter improvised explosive devices treated each device as a discrete problem to be neutralized and cleared. Meaningful progress occurred when data was retained and correlated across thousands of incidents. Analysts examined components such as trigger mechanisms, wiring configurations, component sourcing, placement geometry, and timing, enabling them to identify patterns, attribute networks, and shift from device defeat to threat disruption. No single incident was decisive; insight emerged only through persistence.

Cybersecurity doctrine reflects the same lesson. Intrusions are rarely recognized in real time, and analysts rely on retained logs and metadata to reconstruct activity and attribute behavior well after detection.

Domestic counter-UAS threats exhibit the same profile: Individual events are low-signal, but patterns are decisive.

Conclusion

Domestic UAS threats do not present themselves as discrete events susceptible to immediate resolution through prosecution or time-bounded security operations. They emerge through repetition, adaptation, and technical reuse. Indicators of probing behavior, control-link experimentation, and iterative testing of defenses often become apparent only when data is examined across incidents, installations, and time.

Congress did not foreclose this operational reality when it enacted § 130i. The statute deliberately authorizes the Department of Defense, under tightly bound conditions, to acquire UAS-related data that would otherwise implicate the Wiretap Act and the Pen Register and Trap and Trace statute. That judgment reflected an understanding that effective counter-UAS defense in the homeland sometimes requires limited interception of communications to understand how systems behave, adapt, and recur.

The 2026 NDAA amendments disrupted that alignment. By collapsing data retention into prosecution, ongoing operations, or legal compulsion, the statute now mandates destruction of lawfully acquired counter-UAS data, including communications-derived technical indicators, before their defensive value can be realized. This is not a function of heightened constitutional constraint or newly discovered privacy risk. It is a structural mismatch between how UAS threats evolve and how retention purposes are now defined.

Congress could correct that mismatch without expanding collection authority or weakening safeguards. It could clarify that § 130i permits retention of lawfully acquired UAS communications content and content-derived technical indicators when such material reflects system behavior and is retained to support longitudinal analysis subject to existing minimization, oversight, and reporting requirements.

Absent that clarification, § 130i will continue to authorize the Department of Defense to detect and mitigate UAS threats in the homeland while compelling it to discard the very data needed to understand how those threats learn and adapt. A statutory regime that authorizes interception but systematically impedes learning risks satisfying privacy formalism while undermining the defensive judgment Congress sought to enable.


Commander Philip W. Rohlfing is an active-duty officer in the U.S. Navy whose work focuses on homeland defense and the legal and policy frameworks governing counter-unmanned aircraft systems. The views expressed are his own and do not reflect those of the Department of Defense or the U.S. Navy.