Among the challenges facing the security of high-risk facilities, locations, and events is the inexpensive, highly capable airborne threat from drones. We have been hearing about drones in the military sphere, with attacks like those experienced in the Kingdom of Saudi Arabia stretching that definition to include attacks on critical infrastructure. The threat burst into wider view at Gatwick airport and with the attempt against the President of Venezuela, but these can seem fuzzy, undefined. With the recent reports of a drone almost hitting Air Force One and the drone swarm apparently surveilling a nuclear power facility, the risk is coming into focus.
There are a number of factors to consider when assessing, planning, designing, deploying, and operating any airspace surveillance, and/or integrated ground and airspace security system. Many of the security process elements tip into sensor requirements and, as a recent Interagency Advisory helpfully noted, some of the sensors provide functionality that is itself illegal. When combined with the reality that any mitigation efforts by non-federal public agencies or private entities are also illegal, customers, integrators, and security professionals are left with a very complicated framework to operate within.
How do companies and security organizations prepare? How does industry move from a security posture exclusively focused on threats from the ground plane to a three-dimensional security architecture that can detect drones, which are smaller, faster, and more versatile than any previous threat?
As we begin to take stock of this quite unusual year and plan for the next and the following, a pattern may be emerging that allows investments to be considered and appropriate actions taken by all involved in non-federal/non-defense security.
The most recent data from the Federal Aviation Administration (FAA) is dated September 01, 2020. In just the US there are nearly 1.7 million drones and nearly 200 thousand certified drone pilots. The number of home-built drones or unregistered drone pilots is unknown, but there are few barriers to either. Flying a drone by sight is not technically challenging, and remote operations and autonomous flight are becoming ever simpler. While the news may trend toward potentially lethal drone payloads, the corporate risks from a drone spying, eavesdropping, or remote hacking are real and growing. And with the sheer volume alone, one cannot wave away the random chance of a drone in the wrong place at the wrong time.
Most of us are aware of this, even as we stumble over the reality that there are neither technical nor market obstacles to drone use that will test the security of critical infrastructure, public spaces, and events. The good news is that the solution framework is becoming clearer. Not sunny day clear, but no longer so opaque that we are unable to see the path forming.
As a baseline, only four federal agencies (Defense, Energy, Justice, and Homeland Security) have any authority to mitigate a drone threat. For all public agencies and private entities, however, the full weight of federal law prohibits more than it allows. A recent interagency “advisory guidance document” released by the U.S. Department of Justice (DOJ), U.S. Department of Homeland Security (DHS), the Federal Aviation Administration (FAA), and the Federal Communications Commission (FCC) clarifies the legal ramifications of counter-drone security.
The document identifies the multitude of laws and regulations that constrain the security industry. While the individual laws themselves are detailed in the document and are reviewed by more competent professionals elsewhere, the consequences for deploying and operating counter-UAS capabilities described in the advisory should be well understood. The advisory guidance document is essentially a summary of the laws that a security organization, however well-intentioned, can violate when pursuing a drone surveillance competency.
Begin with the premise that any flying device is regulated by the FAA, and any interference with an aircraft is illegal in all cases. The laws make no distinction between manned and unmanned aircraft. If it is illegal to fire a shotgun at a small manned airplane, it is equally illegal to shoot at a drone. In planning activities, the expectation should be that attempts to interfere with an aircraft by kinetic or non-kinetic means will remain broadly illegal.
When the prohibitions on aircraft interference are combined with laws and regulations regarding privacy and electronic security, we have a very tangled web of laws obstructing security practices. If it is illegal to hack a computer or intercept a wireless session, it is equally illegal to monitor, record, or interfere with drone wireless communications or onboard computers.
Many security professionals grapple with this regularly in their NERC CIP compliance activities where the threat can be identified but nearly all response options are fraught with substantial risk. The document helpfully separated the Detection and Tracking of airspace objects from Mitigation. The latter category consists of a litany of illegal kinetic and non-kinetic mitigation activities and technologies. There are vendors in the industry who recommend deploying and operating Mitigation practices and technologies anyway, but note that the document is painfully clear on the illegality of mitigation systems, technologies, or activities.
The advisory document also distinguished between sensor technologies used in Detection and Tracking, with respect to the application of law. One sensor, in particular, was identified as potentially troubling to operate: the radio frequency (RF) sensor. An RF sensor operates by detecting certain types of wireless signals in the spectrum frequencies typically utilized by drones as a command and control link to the remote drone pilot. In many cases, an RF sensor can detect a drone as it is turned on, before it even takes off. Once the RF signal is detected, it can be interrogated, manipulated, or tracked.
An example use case would be that most retail drones will automatically return to point of origin if the signal is interrupted, making this one of the safer options for mitigation. Unfortunately, the advisory document is quite clear about the general illegality of such use. This has significant potential for operational disruption, as many RF sensors were acquired with the very sensible task of documenting drone overflight. If the RF sensor only detects the signal and does not tap, alter, or record the signal, that may be a permissible use. Many RF sensors can be configured for Detection only, without engaging in review or analysis of encrypted or scrambled signals or communications. RF sensors have very high utility value in Detection, provided they are deployed and configured properly.
The document did identify sensors that are available for immediate use, as long as they are licensed for use by the FCC (where appropriate). These sensors are radar, optical, and acoustic. While acoustic sensors can perform well at remote facilities or in very quiet locations, performance can be subject to ambient noise. Radar is the only sensor that can actively detect and track any object moving in the airspace in any weather at any time of day. Performance can vary widely, with airspace accuracy a much more complex challenge than ground object tracking. PTZ optical sensors are typically integrated with radar to form the base layer for precisely and rapidly detecting and tracking airspace threats.
While this might seem like extraneous detail, the advisory guidance document should be considered in the context of another government document, a memorandum issued by the U.S. Attorney General to DOJ's own components. This memo represents a way to untangle the web of constraining laws and regulations and to define a review and approvals process for deploying and operating comprehensive airspace perimeter security, including detection, tracking, and mitigation. It is a template for broader application to non-federal public agencies and private entities that might be adopted, in parts or as a whole, by other federal agencies.
Another activity that appears to follow this template is the recent Broad Agency Announcement (BAA) from the FAA to identify and test selected counter-drone technologies and systems for use at U.S. airports. While this pertains only to airports, it defines a system of selection, testing, and down-selection to arrive at permissible components and solutions that airports can utilize.
While there are no guarantees when predicting such broad legal and regulatory changes, there is a clear pattern emerging. The numerous laws and regulations for privacy and aircraft and electronic security are not going to change, but exceptions are being made and institutionalized. These exceptions consider all elements that compose airspace security, and those technologies and systems that receive approval will be in the pole position for nearly all critical infrastructure security deployments.
A key element noted in the DOJ memorandum is the emphasis on process. It is nearly certain that a human-in-the-loop (HITL) process step will be required for any mitigation option. This HITL step will rely on the fidelity of data produced by Detection and Tracking technologies, and Mitigation may also rely on this data for kinetic response targeting. This data will be imperative for operational and legal reviews of performance, including data to support prosecutorial action.
The integrity and maintenance of primary security systems will be stressed, as airspace situational awareness is no simple addition. The number and technical nature of different sensor types can be complicated by hyperbole from sensor manufacturers. But now is the time to prepare.
Preparation will require building a new ecosystem of trusted sensor and system suppliers. Security professionals and their organizations should be investing in acquiring the knowledge and technical competencies to build comprehensive security solutions. Suppliers should be pressed for transparency into sensor and system test data to validate performance claims. With so much at stake, now is the time to learn, test, and prepare.