BIS seeks public comment on potential rule restricting the import and use of unmanned aircraft systems involving China, Russia and other foreign adversary countries

Pursuant to the authority in Executive Order (“E.O.”) 13873, “Securing the Information and Communications Technology and Services Supply Chain,” the Bureau of Industry and Security (“BIS”) released an advanced notice of proposed rule-making (“ANPRM”) on January 3, 2025 seeking public input on issues related to transactions involving ICTS that are integral to UAS (drones) and are “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” (the “foreign adversary ICTS”). Per BIS’s press release, the ANPRM is concerned with how foreign adversary involvement in UAS ICTS supply chains may offer such foreign adversaries the ability to remotely access and manipulate UAS. The ANPRM itself describes BIS’s concern that foreign adversaries (particularly China and Russia) could co-opt private entities with dominant market positions in the global commercial UAS sector to engage in cyber espionage and exploit ICTS supply chains.

The ANPRM seeks public comment through 50 questions organized around several matters involving foreign adversary ICTS, including: (1) definitions of UAS and components, (2) assessments of how potential classes of ICTS transactions integral to UAS may present undue or unacceptable risks to U.S. national security, (3) evaluations of risk posed by different foreign adversaries, (4) data collection and remote access and control capabilities of UAS and the ICTS components therein, (5) the economic impact such regulation could have on certain entities, and, where feasible, (6) potential processes for the public to request approval to engage in an otherwise prohibited transaction and potential mitigation measures.

Unlike the September 23, 2024 Notice of Proposed Rulemaking issued by BIS related to Connected Vehicles, this ANPRM related to UAS does not include proposed text for regulations to restrict imports of UAS systems and related sub-systems or software.  Rather, the ANPRM is aimed at collecting sufficient information from industry sources to inform the development and drafting of regulations.  That said, the questions posed by BIS in the ANPRM suggest that the agency is focused on a similar set of integral control systems and communications systems and related components and software that could be manipulated to collect sensitive data from covered UAS or gain control of the UAS or its sensors.   

E.O. 13873 – National Security Threat Posed by ICTS Transactions Involving Foreign Adversaries

E.O. 13873 (issued May 15, 2019) prohibits “any acquisition, importation, transfer, installation, dealing in, or use of” any transactions, by any person (U.S. or non-U.S.), that are deemed to involve any property in which any foreign country or a national thereof has any interest, if such transaction has been determined by the Secretary of Commerce (in consultation with heads of various U.S. Government agencies) to (i) involve ICTS designed, developed, manufactured, or supplied by a “foreign adversary”; and (ii) pose certain risks to the United States collectively referred to in the January 3, 2025 ANPRM as “undue or unacceptable risks.” 

E.O. 13873 Implementing Regulations

In November 2019, the Department of Commerce issued a Proposed Rule (“PR”) implementing E.O. 13873. The rule proposed processes for (1) evaluating ICTS transactions involving foreign adversaries; (2) identifying and assessing parties to such transactions; (3) notifying these parties regarding any review of the ICTS transaction and possible mitigation actions; and (4) establishing penalties for violating these mitigation agreements.

The rule evolved through public comment and the Department of Commerce issued an Interim Final Rule (“IFR”) in January 2021 that clarified the definition and scope of an ICTS transaction and the parties of concern to such a transaction. On December 6, 2024, the Department of Commerce issued a Final Rule (“FR”) that made minor changes to the IFR and adjusted procedures related to initiating reviews, including the provision of the government’s factual basis for review. The FR goes into effect on February 4, 2025.

BIS Rulemaking on Connected Vehicles Components and Software

On January 14, 2024 BIS published a final rule prohibiting the sale in or import into the United States of Connected Vehicles integrating specific hardware and software, or those components or software if sold or imported separately, with a sufficient nexus to certain foreign adversaries including the People’s Republic of China (“China”) and The Russian Federation (“Russia”). This final rule was implemented under BIS’s ICTS authorities, as provided for under EO 13873, and followed a Notice of Proposed Rulemaking (“NPRM”) published by BIS on September 26, 2024, and an ANPRM published by BIS on March 1, 2024.

The final rule currently applies only to passenger vehicles (defined as those under 10,001 pounds), but BIS’s press release announcing the final rule states that it intends to “issue a separate rulemaking addressing the technologies present in connected commercial vehicles – including in trucks and buses – in the near future.” 

Further details regarding this final rule can be found in our alert on the ANPRM, available here, and our alert on the NPRM, available here.

BIS’s Goals in the January 3, 2025 ANPRM

BIS’s January 3, 2025 ANPRM aims to gather public input regarding how best to address the undue or unacceptable risks identified in E.O. 13873 posed by transactions involving foreign adversary ICTS integral to UAS, and determine which mitigation measures would continue to address these risks, while preventing U.S. industry and supply chain disruption. Per the ANPRM, the “ICTS most integral to UAS’s data collection and connectivity capabilities and that are most vulnerable to compromise by an adversarial actor” include, but are not limited to: “(1) onboard computers responsible for processing data and controlling UAV flight; (2) communications systems including, but not limited to, flight controllers, transceiver/receiver equipment, proximity links such as Global Navigation Satellite Systems (GNSS) sensors, and flight termination equipment; (3) flight control systems responsible for takeoff, landing, and navigation, including, but not limited to, exteroceptive and proprioceptive sensors; (4) ground control stations (GCS) or systems including, but not limited to, handheld flight controllers; (5) operating software including, but not limited to, network management software; (6) mission planning software; (7) intelligent battery power systems; (8) local and external data storage devices and services; and (9) artificial intelligence (AI) software or applications.”

BIS also states that the ANPRM is soliciting comments on “mechanisms to mitigate the risks posed by foreign adversary ICTS integral to UAS, such as potential design requirements, machine learning controls, implementation standards and protocols, cybersecurity firmware and/or software inputs, manufacturing integrity ( i.e., the security of the manufacturing process to ensure no foreign adversary manipulation) protection systems and procedures, or prohibitions.” BIS also notes it is seeking feedback on whether to create a process to apply for specific authorization to engage in certain transactions involving foreign adversary ICTS integral to UAS by demonstrating risk-mitigation measures.

BIS notes in the ANPRM that it “[r]ecognizes the benefits of UAS technologies and does not imply through this ANPRM that any particular UAS components, such as data transmission or connectivity devices, should not be used.”

Specific Areas for Public Comment

Definition of UAS 

BIS requests public input regarding the definition of UAS to use in a potential future rule regarding transactions involving ICTS integral to UAS, including (but not limited to) several specific questions. The ANPRM discusses several potential definitions that could be utilized, including definitions from the International Trade Administration (“ITA”), the Federal Aviation Administration (“FAA”), and the Export Administration Regulations (“EAR”). The ITA defines UAS as “air vehicles and associated equipment that do not carry a human operator, but instead are remotely piloted or fly autonomously.” The ITA also clarifies that UAS pertains to an aircraft without a pilot on board, a remote pilot station, a command-and-control link, and a specified payload for the aircraft’s intended operation. 

The FAA defines UAS as “an unmanned aircraft and associated elements (including communication links and the components that control the unmanned aircraft) that are required for the operator to operate safely and efficiently in the national airspace system.” (49 U.S.C. 44801(12)). “Unmanned aircraft” is further defined as “an aircraft that is operated without the possibility of direct human intervention from within or on the aircraft” (49 U.S.C. 44801(11)).

And the EAR defines an unmanned aerial vehicle (“UAV”) as “[a]ny ‘aircraft’ capable of initiating flight and sustaining controlled flight and navigation without any human presence on board” (15 CFR 772.1). “Aircraft” is further defined as “[a] fixed wing, swivel wing, rotary wing (helicopter), tilt rotor or tilt-wing airborne vehicle” (15 CFR 772.1).

The ANPRM states that BIS is inclined to use the ITA’s definition because “it identifies specific components and systems that are integral to UAS,” and UAVs are defined too narrowly because they fail to include other system elements besides the air vehicle itself. The ITA’s definition also includes “actively tethered UAS”, which refer to UAS with a load-rated tether that is physically attached to a ground station and allows the UAS to stay airborne for extended periods of time.

The ANPRM also clarifies that any definition selected by BIS for its own rulemaking regarding UAS would not supersede any other legal definition of UAS used in other contexts.

Undue risks and vulnerabilities associated with commercial UAS in U.S. industry

Per the ANPRM, UAS, and ICTS integral to UAS, are foundational to several U.S. industry sectors, including agriculture, chemical (pipeline inspection and hazardous material handling); physical infrastructure and transportation (surveying, bridge inspections, and construction site management; emergency response; health care administration; energy; and media and entertainment. The ANPRM states that UAS are comprised of ever-evolving sophisticated models with improved functionalities that require software to collect vast amounts of data, creating vulnerabilities that malicious actors may exploit. 

In the ANPRM, BIS explains it is concerned about foreign adversaries gaining remote access to commercial UAS used in critical U.S. infrastructure. Risks to U.S. national security could include physical harm and damage, delivery of kinetic payload, or altered sensitive readings on critical infrastructure data. 

BIS is therefore seeking public comment regarding the associated risks of foreign adversary ICTS integral to UAS and vulnerabilities of increasing reliance on UAS and their remote access and control (including two specific questions, although the ANPRM states BIS encourages the submission of any germane comments). 

Threats posed by transactions involving foreign adversary ICTS integral to UAS

The ANPRM explains that foreign adversaries such as China and Russia have implemented legislation mandating companies operating within their jurisdictions to comply with certain national security and intelligence actions, including sharing data and consumer information, installing government equipment on company infrastructure, and assisting national security agencies in investigations and surveillance. BIS is concerned such legislation may require technology companies to share personal information of U.S. citizens or companies, or access to systems in the U.S. ICTS supply chain.

Additionally, BIS is concerned that foreign adversary (primarily China and Russia) control over commercial-use UAS elements and the broader UAS supply chain presents risks to U.S. national security and critical infrastructure, including “direct[ing] UAS companies subject to their jurisdiction [to] engineer vulnerabilities into their products, exploit existing vulnerabilities, or push malicious updates.” 

BIS thus seeks public comment regarding how best to address the role of persons or entities subject to the jurisdiction of a foreign adversary in the U.S. supply chain for ICTS components integral to UAS. Such concerns include addressing which ICTS components that are integral to UAS are designed, developed, manufactured, or supplied largely by entities controlled by foreign adversaries, and determining whether UAS companies (by which BIS states it means “manufacturers or distributors of a finished UAS product, like a drone”) can track and report these sources. Moreover, BIS seeks to “understand how UAS [original equipment manufacturers] (“OEMs”) may impact UAS functionality through their incorporated ICTS components,” including termination of said functionality, and the standards and best practices for reinstating full operability following termination. The ANPRM includes several other specific questions involving “UAS service providers” (“entities responsible for desktop and mobile applications supporting UAS”) and explains that a single company could be a UAS company, OEM, and service provider at the same time.

Data collection and remote access capabilities of UAS ICTS components

UAS incorporate various ICTS components, such as sensors, to gather sensitive, complex data and information for commercial or military purposes. Such data can be stored in multiple locations, including internet-connected and remote-controlled devices or data centres located outside the user’s home country. Additionally, UAS rely on advanced communication technologies such as Wi-Fi, Bluetooth, or cellular connections, creating potential vulnerabilities throughout their supply chain for “malicious actors to intercept or hijack communication signals between a UAS and its controller.” The ANPRM states that BIS is concerned such actions can lead to sensitive data leaks and illicit remote access and control of the UAS and associated ICTS. 

BIS seeks public input regarding how best to address the data collection and remote access and control capabilities of UAS and the ICTS components therein, including specific questions on the aggregation and scale of data collection, the nature of UAS intelligent machine learning algorithms, where data is stored on and off the physical UAS, and the physical range of connectivity for UAS systems for commercial use, amongst other questions and concerns.

Economic impact of regulating transactions involving foreign adversary ICTS for UAS

BIS is concerned about the economic and anticompetitive impact any regulation of transactions involving foreign adversary ICTS integral to UAS may have on UAS, including UAS component and end-user prices. The ANPRM lists several specific questions seeking public comment on related issues, including how best to address “the short-term and long-term consequences of UAS and UAS supply chain abuse by foreign adversaries,” without economically incapacitating the industry. BIS is also seeking input concerning any regulation’s impact on data privacy and protection of U.S. businesses and the public and competitive effects.

Mitigation measures and authorizations

Finally, BIS also seeks public input on processes for entities to request approval to engage in otherwise prohibited transactions involving ICTS integral to UAS and related measures to mitigate the aforementioned risks of such transactions. Specifically, BIS is seeking comments regarding (a) specific scenarios in which temporary authorization would be necessary to prevent supply chain disruptions, (b) types of end users that would not pose undue risk while engaging in ICTS transactions, (c) categories of ICTS transactions relating to UAS that should require specific government authorization, and (d) criteria and processes for industry participants to seek and receive special authorization for these transactions.

Authored by Ajay Kuntamukkala, Stephen Propst, Deborah Wei, Julia Diaz, Nicki Ghazarian-Foye