Global Drone Security Network Event #2- Jacob Tewes (Kutak Rock)

Masumi Arafune
Global Drone Security Network Event #2- Jacob Tewes (Kutak Rock)

This is the eighth post of GDSN #2 review, if you haven't read our previous reviews it is a good time to check out the great talks!

Jacob Tewes (Kutak Rock) - Counter-UAS Legal Challenges and Solutions for R&D

Alright, so thanks to everybody who's on. And looking forward to discussing this a little bit. As far as professional background, I won't spend much time but I'm an attorney at Kutak Rock, which is a law firm based in Omaha, Nebraska, roughly in the middle of the continental US. And I work in our tech transactions group, as well as our privacy and data security group. Do some aviation work as well. And basically, I'm in those business-to-business tech transactions every day. The counter UAS stuff is a passion project and something that I love to talk about. So, I appreciate you giving me the opportunity to do so here. With that, we're going to go ahead and jump right in like an advanced my slide. So, what are we talking about here? As far as the legal issues related to counter UAS? First, I think it's important to kind of set the playing field. So, the policy landscape right now is it's fairly undisputed that UAS are aircraft, if you rewind the clock, and 20 or even 10 years, there, were still some open questions about whether that was going to be the case, sort of whether we were going to regulate them more like remote control cars, or more like Cessna. And the verdict isn't there, they are like Cessna, at least as the as far as the US is concerned. There are certain laws that apply to them differently, of course, but they are aircraft. And that triggers the whole cascade of the regulatory framework here in the US anyway, on the use of National Airspace System licensing. certification is handled differently with respect to the drones themselves, but they that is sort of the genesis for a lot of the issues that we're going to talk about. We have not had what I would describe as a major drone related security incident yet in terms of, you know, broken glass and bloody bodies, kind of incidents. We have had some close calls. As all of you might know, after the 2018 FAA Reauthorization Act included some counter UAS authority for the Department of Justice and the Department of Homeland Security. They, one of the first places they use that authority was at the Super Bowl in 2019. And if you were watching that Super Bowl, you might have noticed that the flyover seems to miss its target. That was not accidental, they had detection and actually some interdiction capabilities available there and detected a drone in the flight path or close to the flight path, which was 500 feet above ground level, going 400 miles an hour right over the middle of the stadium. So, as you can imagine hitting anything in the air at that altitude would not be a good thing. They communicated in real time to the flight lead, the flight lead was able to move the formation over and up to avoid that conflict. So, we've had those kinds of close calls. And those are too close for comfort. For me anyway. We've sort of know that this is an issue but haven't been able to get muster the momentum to do in my opinion, and enough about it yet.

We've taken some good steps. And we'll talk about some of those here. You don't need me to educate you about the technical parameters of those threats, the people listening to this call are more well versed in that than I am.

The I would point out that if we're thinking about this at a policy level, one of the most important trends has been this one that we've got sort of an increase in the use of stock and modified commercial off the shelf systems. And if we're thinking about how we can mitigate this threat in a way that sort of makes sense, from a policy perspective, you always have to focus on sort of what's feasible, not necessarily what's ideal. And if we're thinking about what types of systems might be helpful to mitigate the public safety threat, I think you have to think about the ones that are generally useful against most cots systems. And so, some of my comments today are going to focus on sort of that segment of this industry. I was on one call recently with an individual who's at a CVS provider based in Israel. And he, he gave me the trope at the top there that you can't shoot the drone, but you can shoot the pilot. That sounds extreme, but it's actually it's true in in many jurisdictions in the US is no exception to that. If you are local police in the US, it is essentially illegal for you to use a counter UAS interdiction system, unless you've been sort of effectively deputized by the federal government under its own authority. That has happened a few times, but it's not common. So right now, the best cis measure that most of them have is detection of the drones themselves, which has its own legal issues, and interdicting the operator himself or herself.

That is effective up to a point and we should continue to prioritize that over some of the more extreme interdiction measures. So, I don't want I don't want this talk to be construed as me saying we ought to start jamming everything or shooting everything down. That is that is not what I'm saying categorically. But I do think that we're behind the curve on trying to prevent the sorts of tragedies that could happen. With respect to weaponized UAS. The cost curve is just so beneficial to the bad guys. In this case, it's so cheap and so easy to even if you don't spread an actual harmful agent as a payload, just to spread fear and panic. Once we have stadiums that are full again, it's going to be important that we continue to improve our capability to respond. We've already seen in the US the NFL call for additional state and local police authority on CBS. And just in the last couple of days, Major League Baseball has decided it's tired of having its games routinely stopped and would actually like some of its own authority to do some of this stuff. That's an uphill battle. But that's what we're going to be talking about today. If you think about the legal problems, I think you can kind of draw a matrix here, a two-by-two matrix. So, you can think about the modality and you can think about the target. So, if you're talking about the modality, is what you want to do in terms of use of the RF spectrum, or use of a directed energy device, and is that use legal at all, no matter what you're trying to do with it. And then you can focus on what you're actually targeting. So, whether that's the aircraft itself, whether you're talking about detection, and intercepting signals intelligence, you can kind of think of it on that axis. And I think that those both have caused sort of two categories of effects on the CES industry. One of them is this, I think, artificially constrained demand for the systems. Meaning that at least if you're talking about the United States, the there's a small list of federal actors that can use these systems, and nobody else can. And so, you obviously have less demand than you would if it were a little bit more open, or there was a responsible use regime in place. But the other one is that even if you are selling to federal authorities who have the authority to use this stuff, developing them in doing your research and development can be really challenging, because if you go back to those, those two axes I talked about earlier. In some cases, if you're talking about a jammer, for example, it's just illegal to intentionally interfere with radio communications, as we'll see when we get to that slide. And that includes when you're developing your own technology. And so even if you have a lawful sort of end pointer or objective in mind, like selling it to the Department of Justice, you're, you run into these development challenges. And that constrains the effectiveness of the CUAS. And it just makes it's just a barrier to entry for folks to be able to get into this market and try to mitigate this public health threat. So, we're going to talk about sort of the ladder on this talk, we're going to focus on research and development. But obviously, the demand side plays into that, because why develop CVS for something you can't sell. We're going to discuss detection at the beginning, but we'll kind of focus on interdiction. So, I'm going to get right into it here. If we're talking about detection, as you know, we have roughly four or five modalities that that we can use, we can listen to the radio frequency spectrum in some capacity, we can use radar, you know, emit energy and catch it as it comes back off of the drone. We have electrical optical capabilities and infrared capabilities, where we're using some part of the visual spectrum or invisible light spectrum. And then we have acoustic. At a high level, the electro optical infrared and acoustic are subject to quite a bit less in terms of their legal challenges, which you might expect, the radio frequency is similar to the most and the radar, you just needed an FCC license in order to use that particular technology. So, we'll run through those really quickly here.

If we're talking about the RF spectrum, which is arguably the most common way that that folks are using to do this, there are a couple of statutes to think about. One of them is the pen trap statute. And this is the one that covers non content DRS information. If we're talking about content, then we're in the wiretap Act, which is the next slide. And for the pen trap statute, you have to have all four of these elements. This was summarized, I think, pretty well by the interagency guidance that came out a month or two ago. If you haven't seen that take a look at it, it's referenced in a couple of the other slides here. But you need to have the use or installation of the device or process that records decode or captures non content trust. So, a couple of things to highlight here. If we're thinking about research and development, this is really the key use is very broad, it doesn't mean that you're deploying a see us system, it means you're just out there using a device to listen and intercept these signals. So even if you're just doing it to try to develop your own CES solution on a drone, that that you've got, you know, a hold of you need to find an exemption, potentially if the rest of these elements apply. The other important one from the market perspective is that installing a system that's capable of doing this can be a wiretap or it can be a pin trap violation even if you don't turn it on. And so that affects you know, stadiums or others that might want to try to use this technology. device or process is brought in to cover basically the use of whatever device you want, as long as it's doing this from a functional perspective. So, there are, for example, some companies that fly little modules on board a commercial off the shelf drone, where it'll go up, and it'll listen just like the ground station would, as part of the CES detection system. The fact that that's on a drone, or even if you just reprogram the drone to use its own hardware to do this, you will still run into the same problems, it doesn't need to be a purpose-built device. With records decodes or captures, it seems nice because sort of listens or observes, doesn't seem to be in there. But we run into the same problem as we do with the internet, where copyright law or law rules everything. And that's the fact that machines when they read something, make copies of it. almost invariably, it's very difficult to come up with good use cases where a computer is reading any kind of information and not making a copy of it or recording it at some point in the process. So that one is not quite as helpful as it might initially seem, it's pretty easy to meet that one. With respect to the information itself, the content as it's defined for this distinction between dross and content is information concerning the substance purport or meaning of the communication. So, if you're intercepting the actual signals, the flight controller is sending to the drone, you're arguably talking about content. If you're talking about the routing information, like the ones that are listed here, device, serial number, cell site, MAC address, those kinds of things, you would be talking about dross.

From there, we move into the wiretap Act, which is the one that governs content. And the This one's a little bit different in that any of these three will do it. There are other ones that I've admitted here, you can tell I'm jumping from A to C to D, the intentional interception of electronic communication, and the intentional disclosure also cover any what they call endeavours are failed attempts to do this, and they also cover hiring anybody else to do it. So those obviously have market effects. electronic communication is defined very broadly, I'm not going to go through the whole thing there. But as you can see, almost any signal that is coming off of either the controller or the drone trying to communicate with the other one would arguably meet that definition. Even if it's just a light show write it, you really don't have to do very much to meet that threshold. The only other one I would note is that on D with the intentional use, you have to know or have reason to know of the interception. Which seems nice. But that's not all that helpful if you're talking about CES, because the systems are designed to do that. So, it's very easy to trip, one or all three of these, if you're talking about using a CES system, you have to be very careful. The wiretap Act does include some helpful exceptions, or what seemed to be helpful exceptions. The first one that is not as helpful as you think the idea that it's readily accessible to the general public. This might help for things like remote ID, but if you're talking about the use of the RF spectrum itself, a lot of folks will look at this and say, Oh, I'm in the unlicensed spectrum bands, I'm in the ASM bands. So, this is generally available, it doesn't quite work that way. So, if the connection is scrambled or encrypted, and you defeat that, you’d scramble it or you decrypt it, you you're outside of this exemption, if it's just using frequency hopping or modulation. And you know, and that frequency moppet mapping or modulation has not been publicly disclosed, you just by figuring out that those parameters, you can fall outside of that first exception. And then in the near future, we're probably going to have command and control links shift from exclusively being RF to using cell networks or other things. So, if you start, you know, intercepting 5g signals that are being used for command and control, you're going to fall out of that same exception. The one on the right, the other users have the same frequency. Again, with the RF spectrum, since we're talking about the ISM bands, a lot of people look at that and say, Oh, I'm it's just like a walkie talkie. We're all using the same frequency here. Well, it really does have to be like a walkie talkie. This case, down at the bottom here, jockey Google is still good law for right now. And one of the things that does is narrow the definition, at least in the ninth circuit of radio communications down to something that meets these two elements of here. It's got to be predominantly auditory, and it's got to be broadcast. So that's something like a two-way radio signal. Arguably an FM or am radio transmission would also qualify, but something that is a machine-readable command and control link. Probably not. So, we're really left with the middle one, which can be helpful. From the interagency guidance report, they actually specifically mentioned that RF control systems might be aeronautical communication systems under the Act, and so that you might be able to fall under this exemption. But it's unclear and they cited to this case. So, some potential daylight there as far as a way to get around the wiretap act, but kind of, we won't really know until that gets challenged directly, and see some courts work through that analysis. For R&D, it's important to note that they do both pen trap and wiretap act, and both include consent exceptions, however, the pen trap one is limited to providers of electronic communication services. So, if you're a cell phone network provider, that's easy. If you're an internet service provider, that's easy. If you are a counter UAS provider, it gets a little bit harder, yes, you're holding the controller, maybe on your test flight drone, and you're sending that signal to the drone, but are you a provider within the meaning of the act a little bit tight, so it's less useful for pen trap. If you are using this exception for R&D, it's really important to note that you've got to be in a controlled environment where you know, there aren't other signals out there. Because if you're picking up those other signals, you obviously aren't collecting prior consent for you know, Grandma, Jane, she drives by and is texting on her cell phone or whatever else. So, making sure that you're only listening to what you want to listen to, and that you're in a controlled test environment is really important here from a compliance perspective.

If you are going to use radar, last thing, I'll note on detection, you do need that radio location service license, I put a link at the bottom here of where you can go to check out what you need to do that. It's a known process, it's just as hard as getting other licenses with from the FCC, but not harder. So, you just have to go through that extra hoop. With that, I'm going to move over to the interdiction side of things, which is where I want to spend most of our time. And I'm not going to spend as much time as I normally would in a presentation like this on the modalities, because you've got so many other speakers who are more qualified to talk about this than I am, I'm just going to highlight a couple of things that are important for the law. But this is sort of the terminology I use. I know people have slightly different ways of describing all of this stuff. But we're really mostly going to focus on jamming again, because from this sort of policy perspective of how we solve this gap where we'd really like to mitigate this public safety threat. I think those four on the introduction side have some pretty strong potential to be a low cost, low risk thing that we could try to implement in safe ways. So, we'll spend a little more time on those. But this is sort of the terminology I use, all of these systems are useful, none of them is perfect. defence in depth is key. You all know all of that your security professionals. When we're talking about the use here of the radio spectrum, specifically, so what I call jamming, spoofing hacking, it really does exist on a spectrum, I suppose you could put directed energy over here, you know, things like your EMP, or lasers or those kinds of things. But once you get into sort of using what's actually going across the spectrum, you can jam it, you can relay it, which is what meaning is you can spoof it. But most of what we think about is hacking is really over software defined radio over the command control link, Mike would be able to say a lot more about this than I can. But it's important to note that they hit both of them. So, when we talk about some of the legal restrictions on the information side, like the Computer Fraud and Abuse Act, or the DMCA, it's important to note that you might also be running into the jamming problems because you're using the radio spectrum. So, it's not there isn't really a get out of jail free card on these. So, with respect to jamming, the FCC has been pretty consistent in the way that it describes what jamming is. This is on the left from a case in 2013, where there were a number of things that happened where they were looking at using jammers in prisons to block cell phone transmissions. And then on the right is from the interagency guidance, that these are remarkably similar in terms of their elements. So they are, you know, trying to kind of hold out some consistency, I would point out that there are a few pretty interesting differences here. So, if you think about the stuff in yellow, not a lot there, that's two different on the left side on the blue transmits on the same radio frequencies as wireless devices or base stations. So, there's no mention of power there. Other than that, it has to disrupt the communication link. So, they're really using sort of more of a functional test there. On the right, this is the guidance that just came out this year, and you'll notice it's transmitting RF signals from a jammer at higher signal strength. Then there was RF signals that are being used to navigate or control the aircraft and they're specifically talking about UAS here. The guidance was on counter UAS systems. So if you think about a couple of these things, you know, back here on the spectrum that we were talking about, there are solutions out there that use basically the same power on the same frequencies as remote controllers, or ground stations, for UAS, so I genuinely don't know whether the FCC was trying to throw a bone to those kinds of solutions here on the right, or if that was inadvertent, but it's important to be really careful when you're reading these things and trying to figure out your sort of legal obligations, to pay attention to the way this evolves because the Commission's, you know, continuing evolution of their own understanding of jamming could affect whether your particular solution is in or out. If we're talking about jamming of C UAS, generally, we're talking about the ISM bands, particularly the 2.4 and 5.7 gigahertz bands. Most drones now use frequency modulation techniques under the service rules under those bands. And I'm sure you're all familiar with this, I just want to point out their sort of two ways to jam right, you can jam a full spectrum, as

I forget who it was, one of the most recent speakers was talking about how you, if you really want to effectively jam a drone, you have to jam the entire capable spectrum that it has, because otherwise it could just hop somewhere else. So typically, if you do that those solutions use equipment that lets them have more of a field of regard so that it's not a totally, you know, omnidirectional antenna. Because they know they're knocking out some of those adjacent frequencies. By contrast, you can if you know exactly, if you know enough about the drone, you can do what I sometimes call micro jamming, where you know, how the frequency is going to modulate, and you can specifically reach out and just jam the frequency as it as it jumps around. There are vendors who have demonstrated the capability to do that to one drone and not another that are flying within six feet of each other, because they're hitting the signature of this drone and not the signature of that round. So there, these have very different implications when we're thinking about the collateral damage associated with jamming is the reason, I'm bringing them up. So, if advantages and disadvantages of jamming again, they're effective against pretty much any UAS that's under positive control from a ground station, because it's got to use some kind of RF signal to get up there. Even if that's through like a cellular network and a data network, you can still reach out and touch the signals. The drones also, for the most part, depend on GPS, or GNSS signals. And so, you can also jam those, although that has its own set of legal issues. The big disadvantages are obviously the potential for harmful interference, which in in your real nightmare scenarios can be really problematic. The one you sometimes would hear about is the worst case would be drones over a stadium, you jam the drones, you knock out 911 calling capability within the building. There are things like that that could actually be force multipliers rather than mitigation. So, you had to be careful with them. If you do use them. The other disadvantage is that your positive control is limited. Most of the time, if you cut the link, the drone is either going to hover in place, or it's going to go return to home. And then it's going to hover until its battery's about to die and it's going to try to land the that can be a good thing in some cases. But if they took off from a sensitive place, or if they, if it's just got a payload on there that you don't really want to stay in one place. That can be a problem because now you've got control of the drone and you're actually keeping it there. Or moving it back to someplace you might not want it to go. And that's that gets tricky from a liability perspective. Because you've exercised some control over that payload effectively. So, you have to be very careful when you're thinking about how you might deploy these in practice. spoofing, I won't spend much time here. The difference between spoofing and weakening is basically whether you are imitating a satellite by you know, projecting a dummy satellite signal or rebroadcasting NGSS signal, they have the same effect which is that by manipulating where the satellite above manipulating the satellite signal, you can basically achieve positive control over the drone if you're good enough at it, because you can fool the drone into triangulating its position to somewhere else. This have limited effectiveness on drones that have a lot of redundancy, because they may be able to sniff out that problem. Or they may just be able to see enough satellites that they can just disregard the one that you're trying to imitate. But it has been demonstrated as being effective, including against some really advanced, like military grade systems. So, there are, it's an important technique to keep in mind, but not really a focus for this talk. Hacking is a little bit more in play. And there are more vendors that have some component of hacking on there. When I say hacking, as I said earlier, I typically am talking about using software defined radio to exploit something some vulnerability in the protocol itself. Or more frequently in the firmware or software on the drone or on the controller. You when you're doing this, you depending on how you do it, you may or may not achieve positive control. So, you have some your advantages and disadvantages vary quite a bit by what your particular solution is. There's the possibility for what I call pre-flight cyber or pre-flight hacking, where you've actually got an exploit sitting on the drone sitting on the controller or sitting on the phone that's linked to the drone, any of those things. Those are not your garden variety, exploits. But I would not be shocked if they're out there. For some

well-resourced nation, state actors, actors. The advantages here are of course, it's very low cost and very easy to implement from a physical perspective, because you really just need a software defined radio and a laptop. frying I'm not going to talk a lot about, but this is what I use to describe using the electromagnetic energy itself to hit the drone. So, you're talking about lasers, microwaves, EMPs, any of those kinds of things. I would point out, the reason why you're seeing these emerge for CES in a way that we haven't, even though we've had these technologies for a long time, is because drones actually are a uniquely suitable target for this. There are, you know, famous stories of particular US national security apparatus, trying to use lasers to down much, much bigger targets, like intercontinental ballistic missiles. Not the most practical idea we ever had. But taking down a couple pounds of plastic with a laser is actually not that hard, comparatively speaking. So, these are going to be an important part of the arsenal for sort of your high risk in military theatre, maybe even protecting things like airports or national defence sensitive sites in the homeland, or those kinds of areas, but not really suitable for the broader public safety threat that we're talking about, for the most part, because there's no possibility for positive control. And you know, you're going to down whatever that drone is, whenever you do this, it's going to gravity is going to take over. Similarly, with respect to destructive kinetic options, they're basically have the same potential use cases, right? You use them to protect things that you absolutely must protect. But you're, you're always going to have some risk of collateral damage when you shoot down a drone. This is one that as a lawyer who people know deals with drone stuff, you can guess the most frequent call I get is from angry homeowners, businesses, whoever saying Can I shoot this thing down? We'll talk about the legal implications of that. But I'll tell you, many people have done it. So, it can be done with drones, they're not that tough. And they're not as hard to hit as you might initially think. There are some interesting non-destructive options here, which I would guess maybe some of the folks on this call might actually produce those solutions. Those include your neck guns, your hunter drones, where they're going out and capturing the rogue drone, even trained eagles, or other things there, you're still using kinetic energy to go out and grab the drone and do something to the drone. And I think of all the use cases out there, AI has a very high potential to improve this particular modality. We've already seen that with respect to some of the targeting systems for like net guns and things like that. But there are, I think this one could get a lot better. And if you look at sort of the history of you know, military conflict, it suggests that, at our most sensitive sites, this is going to be an important option. The, we'll see exactly how quickly it develops. But if the positive control could get good enough here, they could also be valuable for protecting sort of civilian infrastructure. Because if you can go out and grab a drone with a net and then go fly it off somewhere else as part of your own drone. That might be a very useful way to deal with that threat. Actually, it might be the highest degree of positive control you can get. So, there's important, but they're sort of more sophisticated, more difficult. So now let's start to dig into some of the legal problems now that I've used up half of my presentation in the setup. With respect to jamming, there are a myriad of reasons why it is illegal. And I like to kind of describe it in layers, because it's, if you're not an attorney, this this doesn't initially make sense. But at the regulatory level, you have service rules for unlicensed spectrum. At the statutory level, you have the statute that specifically prohibits private actors from doing certain things, regardless of what the FCC rules say. And then at the administrative or constitutional law level, that statute from the second level here, this statute, actually is what creates the FCC. So, the FCC, even if it wanted to pass rules that would violate that would go against those statutory norms, it doesn't have the option to do that. So, I'll dig in and explain that a little bit here. With respect to the service rules, as we said, most UAS use the unlicensed spectrum, the ISM bands for their command control links, the use of this spectrum is not licensed, obviously, but it is still authorized. And that's important for the statutes we'll talk about on the next slide.

Generally, equipment that's operating this band has to accept interference from other equipment that's using the ISM bands. So again, query whether with the FCCS, take on jamming, you know, broadcasting another controller on sort of the same frequencies, whether that would count with respect to the service rules, maybe not, it's a close call. Maybe it would, the, but there is the prohibition on creating harmful interference. And the way that that term is used in the regulatory regime means that you can't interfere with a service, a service would cover things like GSS, you know, satellite navigation, a cell phone network, a UTM system, once those are online, any of those types of things where you have a, an approved use of the electromagnetic spectrum in order to do something sort of in that public way. Those are generally going to fall under that definition of service. So, you can't mess with those, you can't generate harmful interference. The statutory prohibitions on these are the ones that apply directly to anybody that's not the federal government. Essentially, they prohibit unauthorized or unlicensed radio transmissions. So again, remember the ISM bands are authorized, even though they are not licensed. Section 333 then prohibits wilful or malicious interference with licensed or authorized communications. Notice it says interference there it does not say harmful interference. So, if your ISM banned, Command or Control link is authorized, and you are wilfully interfering with it, you've got a problem, even if you're not touching a cell network, or you know, some other authorized FCC service. So that's where you really, this is just a really tough one to deal with. There's also the prohibition in 302 B, which is problematic for CBS providers, specifically. And as we'll see on the next slide, the FCC is not afraid to use this one. But essentially, it prohibits you from doing anything to sell these or even to develop these systems. So that can be a real problem unless you're operating within one of the options that we'll talk about later. Finally, on jamming the FCC, even if it wanted to issue you a license for a jammer literally could not. So, it has broad authority to manage spectrum. But these statutes are found in that same. These sections are found in the same statute that creates the FCC or gives the FCC its authority. So, it literally doesn't have the statutory authority to issue a rule that would go against those. And that's why if we're talking about real solutions here, it sounds sort of trite to say it would take an act of Congress, but that is literally true in this case. I would also note that for any sort of legal nerds out there, the there is some interesting activity here on pre-emption. One of the prison cases I mentioned from back in the early 20, teens, 2012 or 2013, I think there was a prison guard who was shot and the hitmen who came and did that were ordered to do it from a cell phone within a prison. So, the prison guard and his wife, I believe, brought a couple of state law Tort Claims against the cell phone network providers, and basically said, you knew that there were inmates using cell phones for no good in this facility, and you didn't do anything to block them. And those state law claims were pre-empted, because under these statutes, there was nothing that those cell phone providers could have done. There were things that prison could have done in terms of the materials that used to build the prisons and where it put inmates and things like that. But in terms of technically defeating the ability of those cell phones to use the electromagnetic spectrum, they couldn't do it. They didn't have the ability to do it because they weren't the federal government. And so, it's it. This is a very broad and deep prohibition. It's not something that that can be sort of flippantly worked around.

In terms of the enforcement side, the FCC doesn't always enforce jamming stuff, but when it does, it's not afraid to make an example of people. The case on the top was, if I remember correctly, the individual who used a little, I don't know how much it cost $10 $20 little jammer that he put on the top of the truck commercial truck, so that his employer couldn't police his speed limit. And unfortunately for him, his trucking route involved flying right underneath an international airport. And his little jammer knocked out. GPS signals are GNSS signals from overflying aircraft on more than one occasion where they were coming in on Final and lost their link. So, he's got quite a hefty fine. And I believe that fine is from that case, don't quote me on that. But that is a real case. He second one, there is a fine that the FCC may never be able to collect on because it happens to be a Chinese company. But as you can see, they find the company just shy of $35 million for basically violating that prohibition on selling or distributing jammers. So, if you see a site that purports to legally sell you a jammer in the US, you should leave, because you don't want to be necessarily running around in that circle. With respect to the other uses of the electromagnetic spectrum, there are a few other miscellaneous things here to talk about 18 USC is the US Federal Criminal Code, and that prohibits interference with Government Communications and with GNSS signals as sort of separate offenses away from the Communications Act. So, if you do use a jammer, you can run afoul of those, even though it doesn't have anything to do with jamming specifically on the FCC authority. Most of your directed energy devices like a laser, and EMP or microwave, do emit harmful interference. That's one of the things you have to test like when you're going to sell a laser, you have to show that it's not causing harmful interference if you want to distribute it. So just note that that you can run into those problems when you're using a high energy device. And then lasers, this is one that folks don't talk about that much. But the statute that makes it illegal to point a laser pointer at me, if I'm flying around in a Cessna, which don't do that you that those do get prosecuted. That statute also would not really let you use a laser to mark an aircraft as part of a CES system. So, if we were to get any kind of a licensing regime, it would have to carve that statute out. Otherwise, you would have a criminal offense just for marking the aircraft with the laser. As we keep moving down the electromagnetic spectrum, toward hacking, a lot of folks here are probably familiar with the Computer Fraud and Abuse Act may or may not be familiar with the DMCA. But both of them have some potential play here. So, as you know, software code is generally copyrightable. It's a written work. There are cases that have found software was not copyrightable because it was so short or so simple. But generally, the stuff that is being used to control the flight controllers on drones and things like that, are above that level of complexity. So not safe to assume that it's too simple. The DMCA does something a little bit different than the general Copyright Act, the general Copyright Act says you can't infringe on that copyright. So that would be copying the code using the code in a way you don't have a license to use it, etc. The DMCA effectively says if anybody puts a perimeter around that copyright, you can't try to breach the perimeter. So that might look something like this. You've got the code on the aircraft itself on the controller on the phone being used as the controller, whatever, in the grey circle there. If you're breaking any encryption, if you're impersonating a user if you're doing any of those other things, the definition of technical measure under the DMCA is broad enough that you could run afoul of it quite easily by breaking any of those measures. It does have a few exceptions, but they're not that useful for CBS. I'm not going to spend time on why. Except I will note there is an exception here for law enforcement, which is not limited to the federal government. So, this is one thing that that sort of cops can do even though civilians can't at the state or local level. The DMC VA does specifically prohibit the distribution of exploits that circumvent technical, technological measures. So, this is something like the prohibition on selling jammers, but it's a little bit more nuanced. Again, I'm not going to dig into the details on this just know what's out there.

The other big one on the hacking side, which most of you are probably familiar with is the Computer Fraud and Abuse Act. There are two I would point out here to see and it talks about accessing a computer without authorization or exceeding authorized access and obtaining information from any protected computer. The definition of computer is very, very broad, I'm not even going to read it, but it would include even ships that do their own sort of processing. So, there are plenty of commercial off the shelf drones that include two dozen, or three dozen or four dozen computers onboard the drone, because if your GSS receptor is computing its own position, it's a computer, it's just feeding the signal through to the flight controller, it might not be. But as a practical matter, there are many on most of these drones. The protected computer definition is different. That means it's a computer used in or affecting interstate or foreign commerce or communication. I'm not going to give you a whole history lesson on the Commerce Clause. But it at one point in US history, it was interpreted pretty narrowly, this idea that sort of commerce within a state was not interstate commerce, that has consistently eroded since roughly the 30s. To where now, the famous case is a wheat farmer who grew wheat for his own consumption. And they decided that since he wasn't selling that into the interstate market, it affected interstate commerce. So, it's very, it's very broad, it's easier to it's much easier to fall into interstate commerce than to avoid it. With respect to five a, that's the other one that could potentially catch you up here. You're transmitting any kind of code information, etc, and causing damage to that protected computer. So, if you damage a drone that is in that interstate commerce world, you've got a potential problem there. One thing that's really helpful for research and development on this one is that it's all without authorization or exceeding authorized access. And that means that if you're doing it on your own drone, you effectively don't have to worry about the CFAA. You may still have problems with the DMCA if you're breaking those technical measures. But it is helpful on this front. I'm not going to dig through the penalties because I'm running a little bit short on time. The last legal problem I'll talk about here is what I'll call aircraft crimes. So, this table shows the sabotage Act, the aircraft sabotage Act, which applies to the conditions that are sort of listed here. The special aircraft jurisdiction of the United States is pretty much any aircraft. So, don't let that sort of look like a get out of jail free card. And as you can see, you've got even something as simple as damaging or disabling as potential triggers here. So, it's, it's quite easy to run afoul of this. The other one here, that would really be applicable to a lot of them is this one. Because if you're messing with the ground station, the controller, it's incredibly easy to trip up on this one, because you've got if you have any intent to damage or disable or destroy the aircraft, and you sort of do anything to the controller in the process, you can have the same problem. That said this, there have been multiple shutdowns of drones directly with like shotguns. And to my knowledge, the federal government still has not prosecuted anybody who's actually done that. So, when I take those calls, I have to tell them, what you're doing is unambiguously a felony, because that thing is an aircraft. However, it's never been enforced against any of the people that have done it. And so, you really have to, it's a tricky one to try to do a risk analysis on because it's so clear. The there's a similar provision with respect to hijacking called the aircraft Piracy Act. I'm not going to go through that. But it's basically the same problem because the drone is an aircraft. It's just as illegal to hijack it as it is to hijack a Cessna under the same legal regime. This table just shows the statutes that we've been talking about, it's really for your reference later. This table does the same thing, but maybe in a little bit more accessible format.

With respect to research and development, one thing that's kind of helpful, you know, to visualize here is that if you can be working on your own dream and such that you have authorization. And you can be outside the National Airspace like you're inside a warehouse, a test facility, whatever. The picture goes down to this. So, there are you can get out of a lot of the of these x's just by controlling the environment. But you can't get out of all of them. And you particularly can't get out of these ones, which as we said, if you buy my thesis that RF solutions are maybe the most viable for sort of widespread use. That's, that's problematic. So, what do we do about it? There are basically two ways to do R&D right now. aboveboard, one of them is to develop the technology exclusively under the federal government under the watch of the federal government. The 2018, FARA gave the DOJ and DHS authority to use CRA s effectively, then go get them. The it also gave the FAA the responsibility to test out those systems to make sure they wouldn't break the National Airspace System effectively. There are solicitations out there right now on this that you can go look up my reference one of them here. And there is this process is underway. So, if you're a vendor in the US, and you want to get in on this action, the time is right now, there are federal agencies looking for these solutions, and the FAA is looking to test them. So, I would point out that these carve out basically the legal issues that the federal government itself might have, they don't cover out, they don't carve out the other ones that would be potentially applicable to civilians. What that means is, you still can't use this, to develop a solution that you intend to sell the federal government leader, you've actually got to get that authority passed down from the federal government in order to do even the research and development if you're trying to get out of something like the Communications Act, the DMCA, etc. This has a number of disadvantages. The big one is that it's difficult to iterate. As one CBS provider told me, imagine how terrible my code would be on my software, if I could only debug it while I was on a federal range. And that's the case for a lot of these folks. If they're trying to do it, aboveboard. It's difficult. And it's suboptimal. The, if you talk to folks who have actually used this technology in theatre I, which I have, that's the number one problem they have is just effectiveness, particularly against if you're talking about those sorts of micro jamming or hacking type exploits. In many cases, all the bad guy has to do is buy a new drone from some new manufacturer that the particular CUAS vendor hasn't had time to iterate against. And they don't have an exploit to pull out of the library to use against that particular system. So, it really, it's not a good environment, even for the folks that we all agree we want to use the UAS like the military, Homeland Security, those types of folks. You also have potential export control issues here, which you're going to have anyway. But if you've got technology you developed in the US trying to get it out of the US can be tricky, depending on what it does. And let's be honest, you've got noncompliant competition. So, because of how frustrating this environment is, if you're one of the actors, he's trying to do it aboveboard, you're going to be competing with folks who aren't. And that can be challenging. There are some tools you can try to use to do this. If you have existing relationships, that's the best way to start. If you don't have existing relationships, you can try to go through the federal acquisitions process. There is sort of traditional FA our acquisitions, there are OTAs other agreements, there are CRADA, which are these sort of research agreements where you can't get funding from the federal government that they can give you access to their facilities and things like that.

If you happen to qualify for Small Business, Innovation Research or small business technology, transfer programs, encourage folks to use those, because there are typically you know, percentages of budgets that have to be allocated over there. So that can be a helpful way to get those inroads started. While you're still growing, but long and short is you've got to figure out some way to make that connection. There are plenty of you know, consultants, law firms, other folks who can help you do that, including ours. But there are getting over that relationship hurdle is sort of the first step if you want to try to do it this way. The other option is to go abroad. And there's a reason why this particular market is I would argue more globally distributed than sort of comparable defence technologies or security technologies. And it's that the US is just not a friendly place to do this. The way that the US is a friendly place to do other things. And this is costly and complex. Especially if you're a US entity. But if you are already one of the folks that's watching this from abroad, you've actually enjoyed the benefit of this to some degree for some folks, and it's I suspect, it's going to continue to be that way, unless you're until the US really make some of the changes that that it would need to make to solve these problems. Okay, what would those solutions look like? And, David, I'm almost done. I think we'll get to you on time here. The statutory change is differing a little bit depending on if we're talking about R&D, or if we're talking about opening up the market, or opening up the use cases. But in both cases, it really has to be statutory. If I'm going to focus on jamming with these two solutions, but the same framework applies if we're talking about things like the aircraft sabotage act, right. If you want to let people out of, you know, committing a felony, you have to provide an exception to that felony, there's not another great way around it. So, if we're talking about this is just as an example, for the way it would work for jamming. If you had a statutory clause or section here that you stuck into something like the National Defence Authorization Act as we did in 2016, or the FAA reauthorization act as we did in 2018. You could direct the FCC to issue experimental licenses for counter UAS that use jammers. This would solve all three of those problems, because it would Trump the service rules, it would allow, it would remove the statutory problems, sort of the direct statutory problems, because it would be later in time, and it would solve the authority issue for the FCC, if he did this, you could do it in two or three sentences. The FCC already has an experimental license structure you could leverage. And that's the one you actually would use if you're testing, in some cases, if you're testing other technology to see whether it emits harmful interference. So, it's already geared up to sort of look at these questions of how you do it safely, you can limit that down, you could start with only micro jamming. Or only jammers that have a very narrow field of regard on the antenna itself. You could do plenty of things to control the potential for harmful interference here. And as I said, the process could look very similar to things we've already had success doing. So, I don't think this is crazy. I've had people tell me, I'm crazy for thinking I could get this through. But we it just wouldn't be that hard to stick this in, if we could convince the stakeholders that it was necessary. And I'm just really hopeful we can do that, before we have a tragedy because I think after a tragedy, it's going to be easy to do this and next to impossible to get some of the really positive uses of UAS that we're waiting for. If we're talking about using the UAS more broadly, in terms of enabling basically somebody other than the federal government to use them, whether you're talking about state and local police, or you're talking about, you know, property owners have sensitive sessions, there are a few things you could do, I think one of them would be to have a broad license that basically was I shouldn't say probably a narrow license that enabled actors to use a particular system, within pre negotiated rules of engagement with the federal actor or actors here would agree to, that'd be a way to minimize the risk for harmful interference, minimize the risk of collateral damage, etc. And I would envision this sort of as a one stop shop license, like the one we use for space launches. And we have templates out there for the ways that this could be done. But it would be quite a bit harder than the first statutory change, in part because there are legitimate policy reasons why the government might not want to give jammers to too many people.

The government might legitimately say, look, we're not comfortable letting anybody use a jammer to stop corporate espionage, even though we are comfortable with it for true public safety in terms of dangerous payloads or other things like that. And so, I think in the near term, if this happens, it's likely to happen with state and local police rather than with private property owners. But we'll see you never know where this is going to go. That's the end. If you have any further questions, please get a hold of me. I've got my contact information up here. I think these slides are going to be available to you afterward. And I'd be particularly interested in talking to any of you that are interested in joining the effort to try to get one of these solutions through. I know there are several companies that are already working on this. There are trade groups that are already working on this that I've spoken to. And I would love to try to include you in that dialogue.

Back to Blog top

Ready to take your drone security to the next level?

Let's Talk