This is the first in a series of guest posts dealing with various aspects of CUAS implementation.
The drone security problem is one of the most vexing security issues facing public and private organizations. It is not that we are seeing horrific acts – yet – it is just that security professionals know that a catastrophic event is all but inevitable. The problem is exacerbated by a complex set of laws and regulations written long before drones took to the skies. Governmental inertia and bureaucracy also contribute to the current state of unreadiness, as does a widespread misunderstanding of what can and cannot be done to defend people and places.
I am a security consultant specializing in the protection of critical infrastructure. For the past three years, I have criss-crossed the United States and Canada educating people about this issue and helping them prepare their organizations and facilities. Wherever I go, I hear the same things:
1) Practically everyone I speak with recognizes there is a severe and growing problem that seems certain to result in a catastrophic drone-related event.
2) Everyone has their collective fingers crossed hoping that it does not happen.
3) In most organizations, there are people who grasp the problem yet are waiting on taking action until there is a “complete” solution, i.e. both detection which can be deployed today, as well as a legal mitigation capability.
This article is for those who need to do more than cross their fingers. I will address the high cost of doing nothing, look at the implications of a “complete” solution and how it impacts SECTION 2209, and share my thoughts about a relatively new way to apply the DHS Safety Act that currently seems to offer the only path forward.
The High Cost of Doing Nothing
We have seen enough news from Iraq, Syria and Ukraine to know that drones are a security risk. Because sUAS are so difficult to defend against, the threat of what one commanding officer called “shitheads on motorbikes” is reshaping US
Because sUAS are both widely available and easy to build, every security agency around the world knows that this is a problem that is not going away.
Despite this, security directors regularly tell me that detection alone is of no value. I get it, but not really. Security expenditures are difficult, because quantifying a return on investment so that “nothing bad happens” is not the kind of ROI that comes naturally to many corporate stakeholders. However, I can tell you from experience that self-reflection after a catastrophic event is not pleasant either…
Detection is critical. The best practices of security professionals around the world all follow a similar sequence:
- Early detection,
- Quick response if warranted.
We must understand our operating and threat environments. It is central to the security matrix. It is no different than identifying a problem customer, conducting our due diligence, and potentially learning that they may have a propensity to harass your employees, destroy property, equipment or reputation. It is situational awareness. Nothing more, nothing less.
Situational awareness provides you the ability to mitigate the threat, e.g. don’t let them on your property, do not take their phone calls, alert law enforcement, etc. The same is true for drones – which are an extension of their human operators.
If you can detect and identify the operator, you can begin the path of trying to derive actionable intelligence through proven investigative/security
- Beginning a due diligence investigation on the operator
- Are there previous known incidents against your enterprise with this person/drone?
- Do they have a history of corporate harassment?
- Do they have a propensity for violence?
- Are they affiliated with causes allied against your enterprise?
- Do they have a concerning criminal history?
- Enabling mitigation efforts
- Identification and investigation can provide legal backing for employing mitigation strategies (when and where legally viable)
- No trespass orders
- Security and enterprise awareness
- Legal remedies
- Social media monitoring, awareness and counteractions
Actionable intelligence, something that we can legally collect today, is what we are currently missing out on by doing nothing.
And the associated costs of doing nothing can be extremely high.
The Complete Solution
Many of the security and operations professionals I meet with are overly cautious about waiting for a complete solution before they do anything.
A complete solution is generally imagined as a system that detects, identifies, and tracks multiple drones at true standoff/reaction distances and then either disables, counteracts, or redirects them.
Much of this technology is being or has already been developed for classified defense applications – which means that it will not be available commercially anytime soon.
In their stead, commercial companies around the world are working feverishly to solve these problems. But this is early days so it should come as no surprise that many are making unsubstantiated claims because there is no standard for vetting their solutions or assessing their efficacy.
A directory of CUAS providers is a very different thing from a carefully vetted list of providers whose products have withstood testing for weather, reliability, operability, safety and demonstrated effectiveness under carefully simulated conditions. To say nothing of the qualifications and training of the people who are charged with operating the equipment under the stress of an attack or emergency.
The larger problem is that the “counter” in C-UAS all comes to a head in what those of us in the security business call the “kill, no kill decision”; which is where the rubber hits the road and our current laws fall short of providing either guidance or indemnity with regard to drones.
The “Kill, No Kill” Decision
I have often heard security professionals making statements like “we’ll just take matters into our own hands, regardless of the legal consequences.” When confronted with this thought process, I like to lay out a risk proposition that goes something like this:
QUESTION: As the deciding official, are you willing to take responsibility for what happens when you attempt to interdict the drone?
e.g. your facility is next to a heavily traveled road and the drone – upon your activation of mitigation technology – veers off course and into the windshield of a truck that swerves and hits a family on the road?
e.g. the drone comes down into your critical infrastructure and causes a major disruption to your operations costing your enterprise millions and a PR nightmare – all based on the assumption that it presented a threat.
Which begs the questions…
- How did you truly know the drone was a threat?
- How did you determine the drone’s intent without the operator/pilot?
- Did you have previous intelligence?
- Do you have statutory liability coverage to take action?
The room often gets quiet as bravado is replaced with a more nuanced understanding of the problem.
Where Does the Authority Reside?
Let’s imagine that you are a SEC stadium operator. Thousands of fans are tailgating on a glorious Homecoming afternoon. You have a Temporary Flight Restriction (TFR) in place. You had the foresight to deploy sUAS detection technology. You were alerted when an unknown drone controller powered up and acquired its positioning and communication link 1.6 miles from the
Let us further imagine that you have the legal authority to employ some type of mitigation technology which can disable, remove or reposition the drone.
Think about it – the drone, traveling 30mph will be over your stands in less than two minutes – and most of your security people will never even see it.
What happens next?
Where does your authority to act come from?
- The TFR? It provides the legal basis to keep aircraft out and notes that they can be intercepted – but who is going to do it?
- Venue or facility specific rules or ordinances?
- A law enforcement partner?
Most likely it will be a law enforcement partner. If so:
- How many people will be involved in the decision to act process?
- How long will it take to run the decision chain?
- How long do you have to make a decision within a few miles of your event?
- What will be your deciding intent factor to interrupt, the TFR?
- Where will that intent intelligence come from?
- Duly sworn personnel or your private personnel?
- Data provided by the system?
Do you, a private commercial entity, have the authority to make a Kill decision?
Are you, as a private enterprise, going to push that button and assume all the risk?
These are difficult and complicated questions. Enough to keep a room full of lawyers working indefinitely until a judge saves them from their misery.
The machinations it takes to remove a drunk and disorderly fan pale in comparison to interfering with an aircraft. The fact is that NO technology vendor has enough experience to guarantee you that the drone will behave the way they say it will when you take action against it.
Is Countering a Drone Solely a Law Enforcement Function?
I am not a lawyer so I would love to see some healthy debate around this. I have pondered the question for a long time because this is the central question I get about SEC 2209 – if I designate my infrastructure, will I be able to defend it?
Right now the answer is no. The FAA has still not promulgated rules to designate critical infrastructure under 2209. And without such rules, there is no legal way to mitigate an incursion.
The fundamental question is can the authority to conduct a law enforcement action (i.e. a taking, a seizure, interference/detention) of property be transferred to a private party?
Which brings us back to the fundamental issue of how do we identify the threat? We do not automatically shoot down every wayward Cessna. We identify, attempt to contact and redirect, and then, if necessary, intercept.
Would “killing” or interfering with a drone be construed as a Fourth Amendment seizure – a taking of property that requires law enforcement and legal tests be met before a kill/interference decision can be justified?
The FAA appears to acknowledge just that:
“While the FAA retains the responsibility for enforcing Federal Aviation Regulations, including those applicable to the use of UAS, the agency also recognizes that state and local Law Enforcement Agencies (LEAs) are often in the best position to deter, detect, immediately investigate, and, as appropriate, pursue enforcement actions to stop unauthorized or unsafe UAS operations.” 
Perfect, so let us surmise that you have an aggressive law enforcement partner who is willing to make the decision. This triggers a whole new set of questions:
- What technologies will be used?
- Will law enforcement be comfortable relying on any technologies that you may provide without having done their own testing or certification?
- Are they going to provide you liability coverage in case the technology you provided malfunctions or fails to perform as the systems integrator promised?
Even with the consent of law enforcement, Title 18 U.S.C. § 32 prohibits “the destruction, damage or disabling of an aircraft.” There is no ruling but this is often construed to encompass the gamut of counter technologies: jamming, hacking, interrupting signals and shooting with a conventional weapon.
And for those wondering why it is difficult for the FAA to prosecute these cases, pay particular attention to sections a) and b) of § 32 that precede the actual elements with “whoever willfully” before setting forth the actual violations with the additional element of “intent.”
This is what, in my opinion, the FAA is hinting at when they advise that state and local law enforcement are in the best position to “pursue enforcement actions to stop unauthorized or unsafe UAS operations.”
States and localities have negligence, privacy and trespassing laws whose elements are easier to apply and to prove.
The lack of prosecution six months after the New York Black Hawk helicopter incident illustrates how difficult it is to get around something as vanilla as the “I lost communications and it just flew away” defense.
Making a negligence argument at the state level is often much easier. Ignorance may be bliss, but it does not necessarily allow for passing a reasonableness test of negligence.
What About Passive Interception?
Most of the focus in the press and at tradeshows revolves around the “proactive” steps associated with mitigation.
What about so-called “passive” steps such as capturing and decrypting signals and signatures?
There is ample precedent that it is OK to look at the outside of the envelope, in this case what the drone is putting out over any open communications links.
However, if you are taking “overt” steps to extract and decrypt messages and information, you may well end up with a Title 18 U.S.C. 2511 or 1030 violation for intercepting or hacking electronic communications. We are still waiting for the first test case here.
Despite what anyone tells you – and I have heard examples of almost everything – with the exception of detection, all of the current counter UAS technology is caught up in this conundrum.
What Does It All Mean?
As I write there is not one federal legal opinion, brief, or statute that authorizes anyone other than the Department of Homeland Security during a National Special Security Event, the Department of Defense or the National Nuclear Security Administration to mitigate a drone incursion.
Until opinions are directly offered by one or more federal agencies; as a commercial entity it would appear that you would assume ALL responsibility for the cause and effect of your actions if you choose to employ mitigation technology.
As any law enforcement officer will tell you, the concept of escalating from reasonable suspicion to probable cause for using force against a threat is a difficult, often split-second decision that is fraught with potentially life-altering civil and/or criminal consequences. Which brings me to my last point:
The Safety Act
The question in front of us is how can we extend that kill/interference authority to commercial operators in order to protect our critical infrastructure and
It appears that the first step to a legal solution may exist.
The Department of Homeland Security’s Safety Act (Support Anti-Terrorism by Fostering Effective Technologies Act) of 2002 was enacted to help indemnify manufacturers of technology used to fight terrorism. The problem is that liability protection does not extend to the end user. It appears, however, that DHS has gotten the message.
Within the last few months, DHS has begun certifying entire security plans for professional sports operators.
When I was discussing this issue with the DHS Safety Act help desk I was advised that yes, once a plan is approved and brought under the umbrella of the Safety Act, any technology deployed to prevent an act of terrorism by an end user appears to be covered under the Act.
I then inquired if owners of critical infrastructure will be able to do the same thing for their security plans. The Help Desk advised that, based on their interpretation and understanding, this could also be the case.
But in what remains yet another unintended complication of a well-intentioned program, as I understand it the protection only applies to acts of terrorism. Not negligence or criminal intent or mischief. This needs to change and doesn’t seem like it should be a heavy lift.
If you are charged with safeguarding people or infrastructure, I cannot urge you strongly enough to take advantage of every detection opportunity that you have.
It is essential to build a baseline of your current operating environment.
Beyond that, there are simple steps that you can take to put a preliminary counter drone policy in place for your company based on training, not technology.
I would further encourage critical infrastructure owners to directly investigate the Safety Act with the DHS to learn the processes and procedures that are applicable to your specific situation.
Travis Moran is a retired law enforcement professional with over 26 years of enforcement, security, and intelligence experience.
Travis began his federal law enforcement career with the U.S. National Central Bureau – Interpol, before transitioning to the U.S. Department of State and then ultimately the U.S. Department of Justice, Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). During his tours of duty, Travis worked both domestically and internationally on a variety of criminal matters to include narcotics and weapon trafficking organizations, terrorism, mass murders, explosives, bank and immigration fraud.
Travis has extensive experience in energy security working as a physical security specialist for both investor-owned utilities and the North American Electric Reliability Corporation (NERC). During his work with the utility sector, Travis has become an energy subject matter expert regarding threats posed to energy companies from unmanned aircraft systems (UAS/drones).
Travis holds a Master of Arts in Criminology, Law, and Society, a Master of Science in Criminology and a Bachelor of Business Administration.
Link with Travis – https://www.linkedin.com/in/travis-moran-75350665/
follow Travis – @dronin_on