By Gary Corn
In 2020, Chinese drone manufacturer and market-dominant Dajiang Innovations (DJI) donated at least 100 of its small unmanned aerial vehicles (UAVs) to more than 40 U.S. law enforcement and public safety departments and agencies across 22 states. DJI made the donations as part of what it calls its Disaster Relief Program, established in late 2019 to enhance the emergency response capabilities of public safety agencies. The goal of these specific donations, according to DJI, was to help with the monitoring of public health issues in the midst of the coronavirus pandemic—on its face, at least, a laudable goal.
But DJI’s donations reignited lingering questions about the risks of Chinese drone technology. These debates are just the tip of the larger clash developing between the U.S. and China over technology. These debates are just the tip of the iceberg of the technological battles developing between the U.S. and China, with various assertions of security and privacy vulnerabilities floating just below the surface and legal implications looming large underneath.
Not surprisingly, the beneficiaries of these gifts from DJI were all too willing to accept them. Programs like Drone as First Responder, where U.S. police departments send out drones in advance of officers to respond rapidly and gain critical situational awareness, are popping up around the country with growing frequency. And there is no doubt that small UAVs can be a force multiplier for law enforcement and first responders.
But not everyone is so sanguine about this claimed act of corporate largesse. Some public officials and others have questioned DJI’s motives and called for official federal inquiries into the drone giveaways, citing federal law enforcement warnings about information and national security risks with DJI drones and the company’s potential cooperation with, or at least susceptibility to, Chinese espionage efforts. Given the popularity of DJI’s products across private consumer and business markets, the concerns raised about its Disaster Relief Program are representative of a much larger debate emerging about Chinese drone technology specifically, and Chinese tech products in general.
DJI denies that it is engaged in any nefarious behavior and dismisses claims about national security risks as thin veils for protectionism. The company holds a dominant share of the small UAV market and faces little competition from domestic U.S. manufacturers, which, as Dawn Zoldi points out, has been identified in official policy as a national security risk in and of itself. Some commentators have echoed DJI’s denials, describing security concerns as unsubstantiated rumors. However, as is often the case, the truth likely falls somewhere in the middle—and that alone should be cause for a cautious and deliberate approach.
Make no mistake about it: The Chinese government is in the business of collecting data at scale, and the United States is its prime target. Federal government intelligence and national security assessments consistently note that China presents a persistent and significant cyber espionage threat aimed at, among other objectives, bolstering its civil-military industrial development, gaining economic advantage, and supporting its attack capabilities against core military and critical infrastructure systems. And unlike traditional espionage activities, which focus on stealing government secrets, China routinely targets corporations in furtherance of economic espionage and intellectual property theft. It also considers every U.S. citizen as a potential collection target. As FBI Director Christopher Wray has stated regarding China’s threat to national security, “If you are an American adult, it is more likely than not that China has stolen your personal data.”
These U.S. assessments call out the very real “potential for Chinese intelligence and security services to use Chinese information technology firms as routine and systemic espionage platforms ”—pointing, in particular, to China’s 2017 National Intelligence Law, the latest in a series of laws meant to formalize and strengthen the state’s intrusive security activities. Under the 2017 law and other components of China’s domestic legal framework, the Chinese government can arguably compel Chinese businesses to cooperate with and provide access to intelligence and security services. Whether these laws sweep as broadly as some claim is open to debate, but the lack of effective oversight structures and institutions is not. There should be little doubt that the relationship between the Chinese security services and Chinese industry is fundamentally different than in the United States and not hindered in any meaningful way by legal limitations or privacy concerns.
This is certainly a concerning backdrop for assessing the security concerns about DJI and other Chinese drone manufacturers. In response to similar accusations leveled against a range of Chinese technology products and services, the Trump administration aggressively deployed a mix of statutory and regulatory measures to restrict or outright ban Chinese companies such as Huawei, ByteDance (which owns TikTok) and Tencent (which owns WeChat) from doing business in the U.S. or with U.S. companies. This trend doesn’t portend well for DJI.
Unfortunately, international law offers little protection or remedies against the risks presented by Chinese drone technology. First, and simply put, international law does not prohibit espionage. It is a ubiquitous activity engaged in by all states. As former Director of National Intelligence James Clapper said regarding China’s breach of the Office of Personnel Management and the exfiltration of gigabytes worth of sensitive data in 2015, “It was simply stolen—so that’s a passive intelligence collection activity, just as we do.” States certainly have a variety of tools available to counter espionage efforts, but invoking international law violations does not figure among them—not even in the case of economic espionage. Second, it is not even clear that compelling Chinese companies to share customer data with the government constitutes espionage in the traditional sense or runs counter to any U.S. domestic laws—a fact that would also complicate efforts to pursue espionage-related prosecutions in U.S. courts. Finally, China’s security laws might have international human rights law implications, but China shows little interest in recognizing, let alone abiding by, its human rights obligations.
Options grounded in domestic U.S. law are a different matter. Enough concerns have already been raised about DJI specifically and Chinese drone technology in general to motivate several federal departments and agencies to take action. For example, the U.S. Army banned the use of Chinese drones in 2017, citing security concerns documented in classified reports, and the Department of Defense followed suit the next year. In 2019, the U.S. Department of Homeland Security issued an advisory that warned U.S. companies against using Chinese drones—and more recently, the Department of the Interior grounded its entire fleet of DJI drones notwithstanding the company’s production of models specifically configured to meet the department’s security requirements. The Department of Justice also recently banned the use of agency grants to purchase drones and other unmanned aerial systems from foreign groups “subject to or vulnerable to extrajudicial direction from a foreign government.”
But the federal government is not likely to stop with these limited policy bans. Congress has already taken some steps to check DJI’s ability to operate in the U.S., and it is considering more. It effectively cemented the Defense Department ’s ban into law in the National Defense Authorization Act (NDAA) for Fiscal 2020. Congress has also flirted with broader bans, such as the draft American Security Drone Act (ASDA), which would bar any federal agency from acquiring Chinese drones or drones made with Chinese components, and would also codify the different policy prohibitions on using federal grant money to buy Chinese drones or components—an aspect of the law clearly aimed at curbing use of the technology at the state and local levels. And given the growing overlap of individual privacy concerns, big-data aggregation, and national security, it is not too hard to imagine executive branch actions to ban Chinese drone technology more broadly, along with the Trump administration’s attempts to limit American access to TikTok and WeChat.
Thus far, DJI has opted against challenging these limited actions in court, preferring the route of public relations and lobbying to stem the tide. Those efforts seemed to bear some fruit. At the last minute, Congress removed the ASDA from the NDAA for Fiscal 2021, which some observers attribute to Chinese lobbying efforts. The reprieve was somewhat ephemeral, however. In December 2020, the End-User Review Committee (ERC)—an interagency group composed of representatives from the Commerce, State, Defense, Energy and Treasury departments—voted to add DJI to the Entity List maintained by the Department of Commerce, effectively barring U.S. companies from exporting or reexporting designated goods or technologies to DJI. Interestingly, the ERC did so not on security grounds but because of DJI’s reported support to Chinese government surveillance of Uighurs in Xinjiang province as contrary to U.S. foreign policy interests. In theory, DJI could seek reconsideration from the ERC and, if denied, challenge the listing through the Administrative Procedures Act. But there is little precedent for doing so, and the likelihood of success is slim.
Adding DJI to the Entity List is a tactical action of limited impact in a much broader strategic fight. So, although DJI products are not banned and remain available in the U.S. market, that could change if Congress or President Biden chooses to ratchet up pressure. In fact, in a parting shot before leaving office, President Trump signed an oddly framed executive order directing federal agencies to conduct a 60-day review of their authorities to “cease” procuring UAVs manufactured in or containing or using technology from adversary countries. And given the deference courts generally accord the other branches of government on national security matters, it is far from clear that litigation would offer DJI much hope of relief.
Any challenge to the current Defense Department ban, and the ASDA or similar legislation should it be enacted, would likely prove unfruitful. There is little to distinguish Section 848 or the ASDA from similar laws recently challenged in Kaspersky Lab, Inc. v. United States or Huawei Technologies USA, Inc. v. United States. In those cases, the courts easily dispensed with claims that similar technology bans contained in prior NDAAs were unlawful bills of attainder prohibited by Article I, Section 9, Clause 3 of the Constitution. In a nutshell, both cases looked to Supreme Court precedent in holding that plaintiffs face a high bar to establishing that congressional enactments, even those that identify a company with specificity, constitute legislative punishment. Where Congress acts to further nonpunitive legislative purposes, the resulting law will benefit from the presumption of constitutionality, notwithstanding burdens it may impose on a particular company. In Kaspersky and Huawei, the courts found the bans at issue rationally based, proportionate measures aimed at addressing legitimate national security concerns.
But what of potentially broader executive action, as in the cases of TikTok and WeChat? While the president’s options are more limited with respect to DJI, the options available are perhaps less complicated. Of the two laws leveraged against ByteDance and Tencent, Section 721 of the Defense Production Act of 1950 and the International Emergency Economic Powers Act (IEEPA), only the latter offers a possible avenue for banning DJI’s products. Quite simply, DJI has not engaged in any transaction that would come within the review jurisdiction of the Committee on Foreign Investment in the United States (CFIUS).
At the same time, the IEEPA contains a broad grant of authority to declare national emergencies and to prohibit certain transactions with foreign countries or foreign nationals that pose risks to the national security of the United States. This statute could provide the basis to impose targeted sanctions against DJI or an outright embargo of its products.
As a procedural matter, any IEEPA sanctions directed at DJI would have to fall within the scope of a presidentially declared emergency. Given the specific nature of DJI’s business and products, and the security threats associated with its drones, it is unclear that the president could leverage existing declarations such as those contained in Executive Orders 13757 or 13873. Of course, these orders can be modified with relative ease or a new “emergency” declared to trigger IEEPA authority.
Historically, courts have interpreted presidential authority under the IEEPA broadly and have been reluctant to overturn IEEPA measures. Nevertheless, at least at the preliminary injunctive stage the TikTok and WeChat bans have not fared well—albeit for reasons that might not be relevant to the drone context. For instance, the primary reason for the temporary reprieves that have been granted in those cases is the specific carve-out in the law meant to protect personal communications or the transmission of informational materials from sanctions. And the nature of those platforms raises particular First Amendment concerns not likely implicated, at least to the same degree, in the case of Chinese drone technology. How the TikTok and WeChat cases are ultimately resolved remains uncertain. Regardless, the IEEPA remains an available mechanism to address national security concerns related to Chinese drones.
But aside from these esoteric questions over the CFIUS and the IEEPA, the more important factor may be the skepticism that courts have shown regarding the government’s national security claims. This raises the question of whether broadly sweeping bans are warranted or proportionate.
There are undoubtedly security risks presented by use of Chinese drone technology that need to be accounted for. For example, security researchers have identified a number of vulnerabilities and anomalies in DJI’s controller software that have been described as “obfuscated, acquisitive, and always on.” While there are potentially benign explanations for these vulnerabilities, the cybersecurity firm GRIMM recently discovered that the DJI GO4 Android app was, among other things, skirting Google Play’s terms to allow DJI to push updates directly to a user’s phone—as a deliberate design feature, not a flaw. China’s surveillance-state model of governance and corporate relationships must also factor into the risk calculus. DJI’s frequent protestations notwithstanding, there has been a steady drip of revelations about cooperation with the Chinese government that should not be ignored.
But a one-size-fits-all approach to national security risk is unhelpful. The nature and level of risk varies by user and technology. Succumbing to the temptation to hammer them all as a single nail can have broader, unintended but foreseeable consequences—blowback to U.S. businesses, impacts on individual rights, and data balkanization, to name a few. The Biden administration will have to address head-on the foundational question of how the U.S. should define its relationship with China into the future, taking account of China’s emergence as a strategic competitor and threat.
The question of how best to deal with the issue of Chinese technology should fit prominently into the broader effort to reshape U.S.-China engagement. Addressing this challenge starts with development of a policy framework that accurately identifies and quantifies the national security risks presented by particular technologies and balances foreseeable collateral impacts of proposed mitigation measures. This will require both principle and nuance. Engaging in an unrestrained tech war represents neither and likely serves the interests of no one.
No comments:
Post a Comment