When the Army moved to ban drones made by China-based manufacturer DJI in the summer of 2017, it did so on the advice of the Navy. While the Army’s memo was made public in August 2017, the Navy memo had not been published until today. The memo warns of a range of cyber vulnerabilities inherent in the system and offers a range of mitigation strategies.

Obtained by the National Security Archive through a FOIA request, the Navy memo is housed online as part of the NSArchive’s Cyber Vault project.

Titled “Operation Risks With Regards To DJI Family of Products,” the Navy’s memo is dated May 24, 2017, and goes into much greater detail than the Army memorandum that was publicly released. Specifically, “Operation Risks” warns about the data link between the aircraft and the ground station, pointing to existing open-source research showing that adversaries can passively view video and metadata from the drone, and even assume control over the vehicle.

Despite the feared cybersecurity risks, the low cost and ready availability of the drones made them prevalent in military use. The Navy memo does not call for an outright moratorium on using the commercial drones. Instead, it outlines a range of possible risk mitigations covering cyber vulnerability, electromagnetic compatibility, and the need for training and technical support.

A fourth category of risk, low reliability, is self-mitigating. The memo notes that “loss of the air vehicle through damage, or malfunction should be considered highly probable over time; DJI systems are expendable.”

Many of the cybersecurity risks are common across internet-connected commercial off-the-shelf devices. The memo recommends not using a removable SD memory card, since the card would be lost along with the drone, but notes that the memory on such cards and the cache of the drone’s ground control station can also be wiped before the device is connected to the internet.

Other recommendations are broadly common sense for any device that, once connected to the internet, could store data on servers outside the jurisdiction of the United States. These include “conduct training in areas that are not operationally sensitive,” “cover the camera when not in use,” and “do not connect the [ground control station] to military networks using wired or wireless connections.”

Overall, the Navy memo gives a reasonable portrait of the baseline risks to be expected when incorporating a useful hobbyist toy into military service.

It is also worth reading the Navy memo in light of the subsequent development of DJI’s “Government Edition” hardware and firmware for the drones. While neither used by nor designed for the military, Government Edition was built in collaboration with the Department of the Interior to provide the utility of low-cost commercial drones without the security compromises inherent in simply buying an internet-connected device off the shelf.

In October 2019, Interior grounded all its DJI drones, as well as other drones made by China or incorporating parts made in China, citing security risks. It is unclear, especially with the existence of Government Edition, what security risks persist in the DJI-made products.

In the meantime, the military has been unable to find a product that matches the utility and price point of DJI drones while meeting security standards. The newly released Navy memo gives insight into the risks as first identified, and what mitigation measures were recommended at the time.