Cybersecurity & Tech Surveillance & Privacy

The Necessary Authority to Counter Drone Threats

Nicholas Weaver
Thursday, October 4, 2018, 10:00 AM

On Aug. 4, as Venezuelan President Nicolas Maduro gave a speech in front of the ranks of the Venezuelan National Guard, two DJI Matrice M600 drones took to the sky. Each drone was armed with a little less than a kilogram of explosives, their operators seemingly intent on assassinating Maduro.

A recreational use drone. (Credit: U.S. Air Force Air Education and Training Command)

Published by The Lawfare Institute
in Cooperation With

On Aug. 4, as Venezuelan President Nicolas Maduro gave a speech in front of the ranks of the Venezuelan National Guard, two DJI Matrice M600 drones took to the sky. Each drone was armed with a little less than a kilogram of explosives, their operators seemingly intent on assassinating Maduro.

The effort was unsuccessful. One drone crashed into a building while the other appeared to explode in mid air; Maduro was unharmed. But amazingly, should someone try a similar attack in the United States, federal officers do not have sufficient legal authority to stop the drone in progress. The current version of the bill to reauthorize the Federal Aviation Administration (FAA) contains language that would enable federal authorities to directly counter these threats.

The threat is significant. The drones used in the Venezuelan attack, for example, are available commercially for $5,000 each. They weigh less than 25 pounds and can be controlled from five kilometers away over a short-range radio link, essentially the computer equivalent of an old-fashioned walkie-talkie. These are standard drones used for professional aerial photography or similar activities, but modern racing drones are even scarier. One particular $300 drone has a flying weight of less than a pound, can travel at over 100 miles per hour, carry a 200 gram payload—the mass of a 40 millimeter grenade—and yet is agile enough that a skilled pilot can fly it under trees.

It is incredibly hard to intercept and disable small drones like these, even in a military environment and with a military budget—so hard that DARPA is still trying to solve this problem. Disabling drones like these is even harder in a civilian environment, with added budgetary constraints and concerns over collateral damage.

The threat from these drones has been obvious since well before the Maduro assassination attempt. The Islamic State has already shown an ability to weaponize commercial drones; a gang reportedly used swarming drones to disrupt an FBI operation; and at least one Mexican drug cartel has developed bomb drones. Yet under current law, it is illegal for law enforcement to counter such drones: To do so would be interference with an “aircraft,” as the FAA defines even a lightweight toy drone.

Though the FAA legislation would provide the necessary authority to counter this threat, the American Civil Liberties Union and Electronic Frontier Foundation have voiced strong opposition on the grounds that such authorities are overbroad and a threat to civil liberties. The EFF in particular has targeted its criticism at several specific authorities now incorporated into the FAA reauthorization, asking whether “the government need[s] this much power to deal with an attack of the drones.”

Unfortunately, the answer is “yes.” So what are the proposed powers in the reauthorization bill, how do they work, and why are they necessary?

The legislation requires that the government designate sensitive locations around which drones should not be flown. The idea is that an agent in the field shouldn’t be able to just blast away at a drone: These authorities will only apply to predesignated areas that have been declared to need drone protection. These categories are necessarily defined broadly: There are many areas, particularly near the U.S. border, major sporting events and prisons, where reckless or malicious drones are a problem. (Wildfires are also one such area, though the bill does not list them.)

The legislation both specifies a set of categories designating areas as sensitive and requires that the decision to name an area as such is not delegated downward—they can be made only at the high level. This is what prevents the potential for abuse: the authority only applies in limited areas, which can’t be designated in the field.

While the FAA currently has the authority to declare “no fly zones” for drones, this not a suitable replacement authority, simply because it does not enable a legal mechanism to stop a drone. The FAA categories are also considerably broader than anything the DHS may designate—as anyone who’s launched the B4UFLY app, which informs would-be drone operators where they can and cannot fly their drones, can tell you. For the government to disrupt drones in all no fly zones would be a massive overreach. Current “no fly without prior notice” zones for drones extend for five miles around any airport, including helipads on hospitals and elsewhere—making any major city effectively a no-fly zone. Having sensitive areas designated by the Secretary of Homeland Security would be far more precise.

The bill itself doesn’t actually define “threat,” but instead specifies that the term should be defined by the secretary of homeland secretary or attorney general, in consultation with the transportation secretary. While the EFF has criticized the absence of a definition, this is actually a feature of the bill, not a bug. Threats are often very context-specific. A toy camera drone is obviously not a threat while flying over a protest—but it is a threat when near an airport or a wildfire, and it can become a threat if used to smuggle drugs into a prison. Due to this context-specific nature, as well as the evolution of threats, it is infeasible to define threat in the bill itself.

It is also critical that legal authorities do not prejudge the technologies needed to intercept hostile drones: Many people, including myself, are working on developing different techniques to stop hostile drones, and it’s not yet clear which will be the most effective. For that reason, the FAA bill attempts to cover all plausible counter-drone technologies by incorporating blanket exemptions to the Wiretap Act, the Computer Fraud and Abuse Act and other federal laws. For example, the legislation specifies that federal authorities be allowed to seize or destroy a threatening drone—an important capability because one likely anti-drone technique involves shooting ribbons or netting at a hostile drone, disrupting the propellers and causing the drone to plummet to the earth. The bill likewise exempts anti-drone tools from the Wiretap Act, which is necessary if authorities want to hijack a drone’s communication link. Current drones use digital radio links, and intercepting such traffic—the necessary first step in determining what messages one needs to send to take over the drone—is considered wiretapping under current law.

Alternately, stopping the drone may involve hacking, which is otherwise in conflict with the Computer Fraud and Abuse Act, or broadcasting radio transmissions that violate FCC rules and regulations—the most likely technique used to disrupt the drones in the Maduro assassination attempt. Thus the need for a blanket exemption, since specific carve outs would preclude possible techniques.

The bill’s critics note that the bill requires no ex ante judicial oversight before authorities take action against a drone. But that is simply because judicial oversight is impossible in these circumstances. Even a judge on the fastest of “rocket dockets” can’t sign a warrant in the seconds needed to react to a particular drone. This doesn’t preclude judicial oversight after a drone is seized and either forfeited or used as evidence in a criminal case.

Opposition to this legislation may have significant unintended consequences in the future. If Congress waits to legislate until after a drone is used to conduct a serious attack, the resulting knee-jerk legislation would almost certainly be significantly broader and far more likely to raise civil-liberties concerns. And given the proliferation of cheap drones, it’s only a matter of time until such an attack takes place.

It is critical that these authorities remain in the FAA reauthorization. That this is controversial, even after an “assassination drone” was actually used—albeit unsuccessfully—against a national leader, is unfortunate. The need is urgent, and the threat is real.

Nicholas Weaver is a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, and Chief Mad Scientist/CEO/Janitor of Skerry Technologies, a developer of low cost autonomous drones. All opinions are his own.

Subscribe to Lawfare