In early January, the Bureau of Industry and Security published an Advanced Notice of Proposed Rulemaking (ANPRM*) on how to think about regulating drones and drone-parts from China (link to the text of the ANPRM here). We got input from manufacturers, wholesalers, and operators and submitted our comment, which is available to read below.

*An Advance Notice of Proposed Rulemaking is a preliminary notice, published in the Federal Register, announcing that an agency is considering a regulatory action. The agency issues an ANPRM before it develops a detailed proposed rule. The ANPRM describes the general area that may be subject to regulation and usually asks for public comment on the issues and options being discussed. An ANPRM is issued only when an agency believes it needs to gather more information before proceeding to a notice of proposed rulemaking.

I. Introduction

The Agricultural Drone Initiative ("ADI") appreciates the opportunity to comment on the Bureau of Industry and Security's (BIS) advanced notice of proposed rulemaking (ANPRM) regarding the Information and Communications Technology and Services (ICTS) vulnerabilities in Unmanned Aircraft Systems (UAS), particularly as they relate to agricultural applications. We recognize the critical national security concerns associated with UAS technology, and we are generally supportive of BIS's efforts to address these risks.

ADI represents agricultural UAS manufacturers, wholesalers, and the majority of licensed agricultural UAS pilots across America. ADI recognizes the critical national security threats presented by Chinese UAS and, in particular, Chinese agricultural UAS, as well as the associated ICTS supply chain vulnerabilities. BIS must ensure that, in the course of regulating these legitimate threats to U.S. national security, non-threatening but associated parts are not unreasonably restricted and that bans are implemented on a timeline that allows American businesses to respond and adjust without undue disruption. 

This response focuses on the specific ICTS components identified by BIS, offering a prioritized risk assessment framework based on the potential for exploitation and impact on national security, particularly within the agricultural sector. ADI proposes a tiered approach to regulation, distinguishing between high-risk components (e.g., ground control stations and mission planning software) and lower-risk components (e.g., sensors and motors) where possible, allowing a more gradual transition to maintain cost competitiveness. We also highlight the unique vulnerabilities associated with third-party mission planning software, the need to pay particular attention to regulating battery technology, which is far more challenging to shift out of China compared to other goods, and the emergent threat of Chinese drone companies re-badging as American through shell-companies.

II. Agriculture and Agricultural UASs in particular, are integral to national security

As Napoleon once said “a nation marches on its stomach.” Food security, and the security of the technologies that produce that food, are an oft-overlooked but critical aspect of national security overall. Agricultural UAS represent the largest innovation in agricultural equipment technology since the tractor. They have the potential to reduce input costs by 25-70%[1] and increase per-acre yields by 7-25%.[2] However, as UAS technology becomes more integrated into the nation’s agricultural practice, the national security risk grows in parallel and must be addressed.

It is crucial for agencies like BIS to mitigate vulnerabilities in domestically used agricultural UAS. While supporting American UAS companies is the most logical solution, a balance must be struck: farmers and wholesalers who have already invested in existing (often Chinese-made) UAS must be provided with reasonable time and accommodations to transition to safer, American-made models in a manner that avoids undue financial hardship on American businesses and farmers. BIS needs to be mindful of the significant financial difficulties encountered by companies who have, and will continue to be, harmed by rushed import policies which result in the loss of millions of dollars in investments by American companies trying to advance American agriculture. 

III. Chinese Communist Party’s Prior Attempts to Circumvent Import Controls. 

China has already demonstrated a capacity and willingness to preemptively circumvent pending import controls for UAS. As efforts to ban DJI gained traction in Congress in 2024, Anzu Robotics entered the UAS market in April of 2024. Anzu asserts that they are a wholly American-owned company, producing UAS from their unique intellectual property.[3] They offer two variants of their Raptor UAS, with either an RGB (the Raptor) or thermal camera (the Raptor T) mounted on the same body.[4] While ADI takes no position on the veracity of Anzu’s statements, just four months after Anzu entered the market, the House Select Committee on the Chinese Communist Party sent Anzu Robotics a letter stating that “security researchers have confirmed that Anzu’s Raptor T is essentially a DJI Mavic 3 painted green, with its remote control and application all running on DJI technology [and that]... it appears that DJI is using Anzu as a passthrough company in an attempt to avoid current and anticipated U.S. restrictions on DJI products.”[5] 

Further the letter stated that “Anzu did not disclose its relationship with DJI in its filings with the FCC, even while the Anzu drone was found to include DJI parts… [Anzu] only revealed its partnership with DJI after security researchers publicized the fact that Anzu’s Raptor T was in fact a repainted DJI Mavic 3.”[6]

The letter observes that “[t]he nature of the DJI-Anzu relationship appears to defy common business conventions…” The letter then explains that the licensing agreement permitted ‘industry-leading drone technology’ in exchange for no cognizable benefit (no royalties, ownership interest, or data-reporting agreement).[7] The Committee found it “hard to understand the business rationale for DJI to enter into this relationship aside from using it as a passthrough to circumvent legal restrictions (current and prospective) placed on its products.”[8] This was compounded, in the Committee’s mind, by the fact that Anzu’s founder had “no technical expertise or pre-existing drone customer base” and he “admitted…that the purpose of the Anzu/DJI relationship [was] to overcome legislative bans on DJI products.”[9]

Despite claims by Anzu Robotics that they have developed custom firmware, an in-depth examination revealed that the firmware was signed and encrypted using DJI's keys, with DJI Mavic 3 Enterprise keys successfully decrypting the Anzu device. This would potentially leave all Anzu drones vulnerable to a PRC-based supply chain attack. Anzu… claims that it has eliminated the underlying security risks of the DJI software… That does not appear to be the case. The remote controller (RC) provided with the Anzu Raptor drone also mirrors DJI's technology…it is essentially a relabeled DJI RC Pro. The firmware within the controller is identical to the DJI RC Pro's firmware, apart from the inclusion of a different app. This app, Aloft ai, appears to be built using the DJI Software Development Kit (SDK) and retains many of the functionalities and services typical of DJI’s control systems. Even though Aloft ai is presented as a unique application, it heavily relies on DJI’s technology… which undermines Anzu Robotics' claims of proprietary development and data security.[10]

It is critical that BIS be extremely wary of DJI and other Chinese UAS platforms making similarly aggressive efforts to engage in similar partnerships, with witting or unwitting, American citizens and businesses, in the future. It is unlikely that this is the last time DJI, or other Chinese UAS companies, will attempt similar partnerships - and may pursue them in the agricultural UAS space specifically. In addition to monitoring imports for similar efforts, BIS and other government agencies would be well advised to publish advisory letters for American companies, explaining how to identify and respond if approached by Chinese companies (e.g., production facilities similar to those in Manilla, recruitment and transaction structures similar to those described in the Anzu Letter) and the features of a partnership which may generate legal liability. 

IV. Proposed Risk Assessment Framework: A Layered Approach

ADI proposes that BIS adopt a layered approach to classifying and mitigating ICTS risks in UAS, drawing inspiration from the OSI model in network communications.[11] This framework categorizes components based on their function and potential for malicious exploitation:

• Layer 1: Physical Layer (Hardware): Basic hardware components (e.g., simple sensors outputting raw data). Lower immediate risk, but potential long-term supply chain vulnerabilities if imports are restricted by source countries[12] or if the supply chain is otherwise exogenously disrupted.

• Layer 2: Data Link Layer (Data Transfer): Components facilitating data transmission with low-level software integration (e.g., basic transceivers). Moderate risk, requiring secure communication protocols, but downstream from significant threats of malicious code injected through the Network or Application Layers.

• Layer 3: Network Layer (Routing & Addressing): Components handling network connectivity. This represents a significant risk if compromised and is the layer directly exposed to the wider digital world, requiring robust security measures.

• Layer 4: Transport Layer (End-to-End Communication): Components managing data flow and integrity. High risk, requiring encryption and authentication.

• Layer 5: Session Layer (Interhost Communication): Components managing communication sessions. High risk, requiring secure session management.

• Layer 6: Presentation Layer (Data Representation & Encryption): Components handling data formatting and encryption. High risk, requiring strong encryption standards.

• Layer 7: Application Layer (User Interface & Software): Software and user interfaces (e.g., mission planning software, Ground Control Software (GCS)). This category represents the highest risk, due to complexity, potential for embedded malware, and direct control over UAS operation. 

For agricultural UAS, there is an outsized risk of malicious alteration at the Application Layer as the information on outputs and application paths may be intentionally maliciously altered to make an operator unaware of actual amounts of materials output or the fidelity of automated routes. As discussed elsewhere in this comment, that can have significant negative effects on American agriculture in the long run.

This layered approach would allow BIS to assess ICTS components’ risks against their utility to American companies, especially while allied countries’ manufacturing capacity develops in response. Subsequent to that adjustment, it will remain a useful framework when evaluating potential requests for exemptions. 

While hardware can theoretically be manipulated as a vector for subsequent malicious code injection, as shown in Bloomberg’s highly controversial 2018 Supermicro article,[13] there have been no credibly demonstrated instances of such attacks being executed in the real world. Further, parasitizing Layer 1 hardware faces a number of physical and technical challenges prior to being theoretically feasible,[14] much less used in reality in such a diffused application necessary to impact the components used in these UAS. 

V. Import Restrictions’ Adverse Impact on American Agricultural UAS Manufacturers and Wholesalers

One significant consideration is the unique challenges faced by agricultural UAS manufacturers and wholesalers. Agricultural UAS have two distinct features which set them apart when considering import restrictions on UAS and associated ICTS. 

First: As discussed in more detail in subsequent sections, agricultural UAS operate in an environment with little exogenous data traffic, and therefore represent a low immediate threat to national security, as compared to other UAS categories. Agricultural UAS, in the medium-to-long term, represent a disproportionately high risk to national security as they become more fully integrated into American farms. However, agricultural UAS currently represent a very small market, and well-intentioned, but ill-considered, regulations run the risk of inadvertently punishing or deterring the early adopters of this technology who, instead, need to be encouraged to continue to grow this sector. 

Second: Agricultural UAS are 8-10 times the cost of other UAS categories. As a result, sudden and unexpected import bans on Chinese UAS have already cost American agricultural UAS wholesalers millions of dollars in UAS which they purchased, paid bonds on while contesting the issue with customs, and ultimately could not receive in addition to the hundreds of thousands or millions spent switching to other platforms.[15] While ADI supports a transition to American UAS platforms, it needs to be done in a manner that provides American companies who have invested in the next generation of farming a manageable off-ramp from UAS legally purchased with the good-faith assumption they would be as saleable as any other commercial good purchased legally on the international market. 

American agricultural UAS manufacturing is a nascent, but growing, industry. There are a number of American agricultural UAS companies selling agricultural UAS or coming to market in the next year. Some, such as Hylio and Guardian Agriculture, construct their drones in the U.S. from globally sourced parts. Hylio GCS runs on software that they designed in-house, and Guardian uses a fork of a European open-source project.[16] Hylio offers an array of agricultural platforms for a variety of spray and spreading applications, while Guardian has focused on a single, large-scale spray application platform. Two newer market entrants, DMR and Talos, are part of a group of American agricultural drone companies that are coming online in 2025-26, though ADI is less familiar with their manufacturing, sourcing, and software development processes. Along with Pyka and RotorAI, two agricultural UAS companies using plane-sized vehicles, these companies represent the vanguard of an emergent and critical industry. As such, it is critical that BIS’s import restrictions balance national security while permitting imports of the necessary materials to allow them to survive and help American agriculture advance.

As a result of the low short-term risk to national security, and disproportionately high degree of potential harm to American small businesses who are already assuming a great deal of risk to try to advance American agriculture, BIS and other federal agencies should be careful not to disproportionately harm American small businesses. 

VI. Responses to BIS’ Request for Comments on ICTS Most Integral to UAS

1. Onboard Computers:

Risk Level: Moderate (All layers)

Reasoning: Onboard computers, the "brains" of the UAS, run complex software, vulnerable to a range of potential attacks. Embedded malware could allow for complete control of the aircraft, data exfiltration, and manipulation of material outputs, harming crop production by misapplying fertilizers or pesticides. The volume and complexity of code transiting these systems makes thorough security audits extremely difficult.

In the agricultural sector, the risk of direct attacks on onboard computers is significantly lower than other types of UAS, as, by definition, they are generally used in environments with reduced cellular and wireless traffic compared to more densely populated areas. Onboard computers in agricultural UAS are likely exposed to external networks primarily through the GCS to which the UAS is tethered. As a result, the GCS presents a disproportionate threat vector in the agricultural sector, with onboard computers representing a critical step in the risk-chain, but largely subordinated to the risk profile of the GCS. 

For the same reasons, undeclared sniffers[17] and other covert data-collection and monitoring operations carried out by foreign-made agricultural UAS are far less likely to represent a serious threat than in other similar UAS which may be operated in more signal-rich areas. Because pesticide and fertilizing operations are definitionally carried out exclusively over unoccupied spaces, issues such as time bombs[18] which could force randomized failures or outright crashes would be, at worst, an inconvenience compared to the same behavior in more populated operational settings. 

Recommendation: ADI recommends that imports of physical layer equipment (the literal computers) without pre-loaded flight control software be restricted significantly more gradually than flight computers with active software on them. Sourcing onboard computers from foreign adversary nations with pre-loaded flight control systems and other software should be addressed at the same pace as import restrictions on complete foreign-adversary agricultural UAS (e.g., DJI drones) overall. ADI advocates for a tiered approach to import restrictions on UASs and related hardware, ensuring that American farmers and wholesalers are not disproportionately harmed by having parts needed to keep UASs they purchased legally operating for long enough to recoup their investments, and transition to American alternatives as they become available.

2. Communications Systems:

Risk Level: Variable (Layers 2-4)

Reasoning: For communication systems, ADI supports an approach that differentiates each communication sub-component’s risk profile as follows:

• Basic Antennae and GPS Receivers (Lower Risk - Layer 2): A simple antenna, GPS receiver, or other equipment that transmits raw data to US-made and programmed equipment presents a low immediate risk. However, long-term reliance on components produced by a foreign adversary should remain a concern (if not a crisis) for self-evident reasons.

• Fully Functioning GPS Systems with Commercial Off-the-Shelf APIs (Higher Risk - Layer 3-4): More advanced ‘plug and play’ communications systems, requiring software updates and offering external interfaces and / or Application Programming Interfaces (APIs), pose a significantly greater risk than ‘pure’ hardware components. They can be compromised to provide false location data, disrupt navigation, or even inject malicious code into systems.

• Flight Controllers, Transceivers, Flight Termination Equipment (High Risk - Layer 3-4): These components are critical for secure communication and control. Compromise could lead to loss of control, unauthorized access, or denial of service. While these are critical to secure, as with onboard computers discussed above, in an agricultural use case, the risk of these systems being compromised is largely downstream from GCS systems because of the unreliability or total lack of cellular or internet connections. 

Recommendation: Implement a tiered approach. Allow a longer transition period for low-risk components (e.g., basic GPS receivers) while prioritizing security requirements for high-risk components (e.g., flight controllers with network connectivity). Requires strong encryption and authentication for all communication links.

3. Flight Control Systems (Sensors):

Risk Level: Variable (Primarily Layer 1, some Layer 2)

Reasoning: ADI supports a phased approach to regulating flight control systems with a two-tiered classification.

• Low-Complexity Sensors (Lower Risk - Layer 1): Sensors outputting simple, binary, or linear data (e.g., basic altitude sensors) pose a minimal risk of becoming a direct vector for malicious software interference. The primary concern is quality and reliability, which can largely be determined through batch-testing upon receipt. For sensors without embedded processing power or software, permitting their continued import from China allows American companies the time to identify other sourcing options and should largely be privileged over the marginal security gains from expedited restrictions.

• High-Complexity Sensors with Embedded Processing (Higher Risk - Layer 2): Sensors with significant onboard processing or communication capabilities (e.g. APIs)pose a greater risk and as such should be prioritized for restrictions. Some allowance of time to shift sourcing is critical, to ensure that American companies are not disproportionately burdened by these restrictions, but should be fast-tracked compared to lower-risk simple sensors.

Recommendation: BIS should develop a process to classify exteroceptive and proprioceptive sensors based on each sub-categories’ complexity and risk profile. A longer transition period should be allowed for low-risk sensors to avoid disruption to the agricultural sector, which relies on affordable, specialized sensors to resolve the complex navigation challenges of autonomously operating just-above crops and terrain. This phased approach will allow time for the market to respond and for new domestic or allied manufacturers to emerge. 

A tiered approach to restricting sensors is critical, as newly sourced sensors have to be tested, engineered to fit into the UAS’s physical body and around other components (requiring the reengineering of supports, cowlings, etc. to accommodate changes in the physical geometry of the new sensors), and integrated into the UAS’s software as well. While this is not an insurmountable hurdle by any means, forcing companies to functionally redesign their UASs to make numerous changes at once would present a far larger challenge than permitting incremental changes that can be addressed in smaller intervals. 

4. Ground Control Stations (GCS):

Risk Level: Highest (Layer 7)

Reasoning: ADI strongly supports stringent mitigation measures for Ground Control Stations (GCS), particularly the handheld units common in agricultural applications, as they represent the most critical vulnerability in the overall UAS system. GCS are the primary interface between the user and the UAS, possessing complex software, network connectivity, and the ability to receive over-the-air updates which may either contain undeclared, malicious changes, or occur surreptitiously. Further, because of the geographically remote nature of many agricultural applications, the only exposure to exogenous signals is through a GCS’s connection to the internet. This makes them the disproportionately likely target for cyberattacks and unauthorized control.

Recommendation: Prioritize security requirements for GCS, including mandatory security audits, secure update mechanisms, and restrictions on network connectivity for GCS sourced from foreign adversaries.

5. Operating Software (Network Management):

Risk Level: High (Layer 7)

Reasoning: ADI recommends BIS pay a great deal of attention to operating software with UAS, as that is, definitionally the greatest threat-vector for devices that can connect to, and be controlled over networks. That said, of the various types of UAS and related ICTS which BIS will be evaluating, agricultural UAS likely represent the lowest cross sectional risk of network attacks both from broader networks into UAS and from UAS into external networks. ADI acknowledges and praises BIS for focusing on the very real general risk of network-based attacks from UAS, due to their ability to encounter a range of networks and signals while operating. In fact, the relatively noisy signal profile, and propensity to roam over a range of networks during flight, make UAS a disproportionately attractive vector to surreptitiously run sniffers and other network mapping systems for malicious purposes. This is especially true for nation-state actors who could use Advanced Persistent Threat groups (APTs)[19] partnered with companies coerced to comply, to develop, distribute, and capitalize on such malware to gain extraordinarily valuable information about entire American cities through apparently safe UAS used for commercial and recreational purposes.

ADI’s focus, however, is solely agricultural UAS, which as discussed, operate in rural settings and therefore generally represent the lowest threat of network infiltration and exfiltration. As such, ADI defers to other commenters such as the Association for Unmanned Vehicle Systems International (AUVSI), whose work is focused on broader categories of UAS which more frequently transit public, private, and or government owned wifi signals, areas of persistent cellular coverage, and elsewhere that have more signals-information available for collection. ADI does unequivocally emphasize and support the importance of secure operating systems and robust network security protocols for all UASand ICTS.

Recommendation: Focus on secure coding practices, regular security updates, and network segmentation to isolate UAS from external networks.

6. Mission Planning Software:

Risk Level: Highest (Layer 7)

Reasoning: ADI is a strong advocate of mission planning software (MPS). MPS from a UAS manufacturer and from a third-party should be regulated differently, as the risks are quite different (though the function is the same). 

Manufacturer-Provided Software: Manufacturers’ MPS will generally be as trustworthy and secure as the rest of the company’s software. However, significant vulnerabilities may exist company to company, especially if it is made available on public websites or available (or required) to be downloaded to users’ cellular devices.

Third-Party Software (Greatest Risk): Third-party MPS can be anticipated to be interoperable across platforms, which creates a major threat vector but, equally, a major potential benefit to the industry. These platforms have the potential to achieve a wider reach than any single UAS manufacturer's software, making them attractive targets for nation-state actors seeking to maximize disruption. The impending ban on DJI (§ 1709 of the 2025 NDAA) has already increased the number of Chinese agricultural UAS companies in the U.S. market, decreasing the value of injecting malicious code into a single company’s platform. BIS should work to ensure that third-party MPS is available from trustworthy companies. This type of software offers improved mission planning features across UAS platforms. Third-party companies can allocate more resources to crop and pest identification, refinement of algorithms, and improvements to user interfaces, and other aspects of MPS, which individual UAS companies may not have the budget, or bandwidth, to develop and refine to the same degree. However, it is undeniable that, for the same reasons that third-party MPS can be so advantageous to the industry, that same interoperability makes it susceptible to watering-hole attacks.[20] 

• Example Threat Scenario: A malicious actor could subtly alter pesticide application rates in MPS. Even small variations, if applied at scale, could lead to pesticide resistance in pests, rendering treatments ineffective and causing widespread crop damage. Similar manipulations of fertilizer application could lead to nitrogen poisoning or reduced yields. These apparent bugs could be kept at a relatively low incidence rate which, coupled with the cost savings and increased yields from agricultural UASs, still netted a positive for most farmers most of the time, and so be considered worth the trouble, however over time, the issues could compound and cause significant harm at a national-scale. 

MPS for agricultural UAS present a significant threat, especially as the overall agriculture UAS market decentralizes. To functionally integrate into agricultural mission planning, the software must control critical parameters like application rates for pesticides and fertilizers. As a result, it would be very difficult for an American company to wall-off critical systems from malware injected into MPS software. Malicious code which altered outputs could have devastating consequences for crop yields, food security, and environmental safety through subtle changes, which compound over time.

Recommendation: Implement strict security requirements for MPS identified as being controlled by foreign adversaries. Conversely, given the disproportionate value of these systems, BIS should be cautious about overregulation of third-party MPS from companies without ties to foreign adversaries, given the high potential benefit those platforms can offer.

7. Intelligent Battery Power Systems:

Risk Level: Moderate (Hardware - Layer 1, Software - Layer 7)

Reasoning: China dominates the high-performance battery market, particularly the large batteries required by agricultural UAS (which often lift 150-225 pounds on net). A sudden ban on Chinese batteries would severely disrupt agricultural UAS operations, as their batteries only last one to two seasons, and it would take some time for comparable batteries to become available from alternate sources. 

While there are emergent efforts to produce heavy-load batteries domestically, most of those efforts are focused on electric vehicles and other areas with larger potential markets. While U.S.domestic lithium mining and battery manufacturing are developing, they are not yet at scale to meet the demand in the heavy-lift UAS market. Aside from the technological capacity and manufacturing, sourcing the raw materials is especially challenging in the United States, as the environmental concerns around mining the raw materials, particularly cobalt, nickel, and lithium make it far more costly to source in the U.S.[21]

Battery Cells (Lower Risk - Layer 1): The core battery cells themselves pose a lower immediate risk, however, long-term reliance on components produced by a foreign adversary should remain a concern (if not a crisis) for self-evident reasons.

Smart Charging Terminals and Battery Management Software (Higher Risk - Layer 7): The software controlling charging and power management presents a greater vulnerability, potentially allowing for overcharging (fire risk) or remote disabling of the battery.

As this comment must be submitted by March 4th, 2025, it will not address the potential agreement between the United States and Ukraine regarding access to Ukrainian mineral deposits. Ukraine possesses 5% of the world’s mineral resources, but only 15% of Ukraine’s mineral deposits were being actively extracted when Russia first invaded Ukraine.[22] As such, whether or not America secures a preferential rate, it will require a great deal of time and capital to repair Ukrainian infrastructure, construct the mines and processing plants, and induce a sufficiently large workforce to extract meaningful quantities of any materials from undeveloped Ukrainian mineral deposits. As a result, BIS should certainly monitor this potential vector for the predicate natural resources to make advanced batteries, but still functionally project a reliance on current supply chains in the near-term.

Recommendation: Implement a gradual phase-out of Chinese-sourced batteries, providing sufficient time for domestic or allied production to ramp up. Focus immediate security efforts on the battery management software and charging terminals, which can likely be developed and manufactured domestically. Permit the importation of raw or post-processed physical batteries without integrated software systems for as long as feasible, focusing exemption options on this sector. BIS should work with other agencies (e.g., Department of Energy) to incentivize domestic battery production generally to accelerate our national production capacity.

8. Local and External Data Storage:

Risk Level: High (Variable Layers)

Reasoning: ADI lacks specific expertise in data storage security. However, we strongly recommend that data storage be either local to the device or on cloud servers owned and operated by U.S.corporations, subject to U.S.data privacy and security regulations.

The crop-health data ingested by agricultural UAS is already available at high resolution via satellite imagery which foreign adversaries have access to through public markets and, likely, through their own government’s satellites as well.[23] Therefore, there is no increase in data-storage concerns for agricultural UAS when compared to other types, as the information they specifically collect is already publicly available. 

Recommendation: BIS should consult with data security experts to develop appropriate regulations for data storage and transmission.

9. Artificial Intelligence (AI) Software:

Risk Level: Currently Low, Potential for Future Higher Risk (Layer 7)

Reasoning: First, it is important to address the issue that ‘Artificial Intelligence ‘(AI) is an inexact term, used as a catchall for a number of processes which can be significantly different in nature, use, and risk profile. It is important to differentiate between Machine Learning (ML) software, often referred to as “AI” and Large Language Models (LLMs) such as OpenAI, Google Gemini, and other popularized technologies, also described as AI. 

ML algorithms are relatively simple, and can generally be thought of as ‘classifiers,’ such as image-identifiers, natural language processors, or dictation software, generally relying on Recurrent Neural Networks (RNNs) or similar structures. While the gradient between these different categories can be fuzzy, ML can be differentiated from LLMs, for the purpose of this comment, with MLs having exponentially fewer tensors than LLMs,[24] and only being intended to have the capacity to receive one type of input to render one output (e.g. be given only pictures of diseased corn-plants and identify the pest) and offering binary outputs (a given input is or is not a match)[25] but breaking in the face of related tasks (e.g. failing at wheat disease identification) - whereas LLMs, especially LLMs leveraging reinforcement learning through human feedback (RLHF), are largely designed intentionally to service the broadest array of requests as competently as possible. 

Currently, ‘AI’ applications in agricultural UAS are limited to ML classifiers, used for image analysis (e.g., plant, pest, and tree identification as well as route optimization).[26] These applications do not pose the same level of risk as advanced, general-purpose LLMs, because the ML use-cases, having been given a binary task, fail in more self-evident ways and have more avenues for direct intervention were they to go awry.

Recommendation: BIS should monitor the development and integration of AI in UAS but practically few serious use cases and threats are on the immediate horizon. Current regulations should focus on the security of existing machine learning applications, ensuring data integrity and preventing unauthorized modification.

VII. Responses to § III(a-e)

ADI’s singular focus is agricultural UAS manufacturers, wholesalers, and operators. As such, there are many questions that we have no comment on and will defer to others better positioned to provide responses, such as AUVSI. For company-specific questions, we have asked our members to submit separate comments regarding their data-storage practices and other subjects that would invoke business confidential information (BCI).

For the sake of clarity, we have only included responses to questions below which we have substantive comments on. 

§III(a)(4) - The appropriate focus of any BIS regulations should be vulnerable software and anticompetitive hardware. As discussed elsewhere, software self-evidently, represents the most significant and dynamic threat vector because of the potential for malware and hacking. Further, software is the hardest to inspect and ensure its safety. Anticompetitively priced hardware is a significant threat because it undermines the ability of American companies to enter the market, driving reliance on China.

§ III(b)(7) - While not traditionally considered critical infrastructure, the agricultural sector’s UAS are at disproportionate risk of compromise. This is due to the potential for slight changes in output rates, which would appear to be software bugs, to result in large issues when compounded (e.g., minor, intermittently reductions in pesticide output can exponentially increase the stochastic potential for pesticide resistant diseases and animals to emerge). As such, encouraging domestic agricultural UAS development is key - including facilitating the importation of predicate materials, especially related to batteries, and other hardware not competitively available in the U.S., until American sources become available. 

§ III(c)(8) & (10)(a) - One issue not directly addressed by BIS’s ANPRM, is the emergent threat of Chinese drone manufacturers such as DJI, standing up shell-companies to manufacture DJI platforms in countries such as Malaysia, to circumvent import restrictions on DJI products. As covered in more detail in Section IV of this comment. BIS should work closely with the U.S. House of Representatives’ Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, and other government entities with a national security valence who may have more specific insights into examples of this type of behavior, and work to implement significant restrictions on companies associated with that type of behavior, regardless of their geographical location. 

§ III(d)(15) & (23) - Agricultural UAS collect two types of data generally not collected by traditional drones: multispectral crop data and fine-grained topographical data for mapping (not just for real-time navigation). Both types are already available at comparable resolution through commercial satellites and, presumably, higher-resolution equivalents from Chinese Communist Party research satellites as well. As such, that data is not particularly sensitive. 

§ III(d)(27) - While each UAS system varies, most in the agricultural space have an integrated app that can be downloaded on a user’s phone, as well as a cloud-based record of flight logs which can be accessed. These services are likely to be used more frequently by agricultural operators, due to reporting requirements from state and federal agencies related to the application of pesticides and the operation of heavy UAS (55 lbs+), which are greatly facilitated by these automatically generated flight logs. 

§ III(e)(41) - Definitionally, agricultural UAS will operate in geographic areas with lower connectivity to cellular and other wireless networks. As a result, the potential for direct attacks over live networks, such as denial of service, are lower than for most other UAS categories. However, as discussed elsewhere in this comment, the potential of OEMs to subtly modify outputs, as described in detail of § VI(6) of this comment, could have significant detrimental effects. 

§ III(f)(42) - While ADI cannot offer specific hypotheticals regarding regulations which have yet to be put in place, ADI certainly supports the creation of a process by which temporary authorizations can be expeditiously applied for and, when meritorious, secured. These applications should, self-evidently, be adjudicated on a case by case basis, weighing the risks against the harms of the specific disruption. 

§ III(g)(47), (49), (50) - The potential impacts of regulations associated with this ANPRM, not directly addressed elsewhere, which would disproportionately impact the agricultural UAS sector focus on two primary areas: (1) overly aggressive regulations on the batteries required for heavy-lift drones (as differentiated from the charging systems and software associated with said batteries, which are more of a threat) (see § VI(7) of this comment for a more detailed analysis), and; (2) the importation of drones mirroring the transaction described in the Anzu Letter above.

As discussed throughout this letter, American agricultural UAS manufacturers buying hardware from overseas, and even from foreign adversaries, is safe and reasonable in a range of instances. However, in situations such as that described in the Anzu Letter in § III of this comment, there is a clear pattern of Chinese companies surreptitiously presenting complete Chinese agricultural UAS as American UAS, which represents a profound threat to American national security and the health of the American UAS market; and the agricultural sector is particularly vulnerable to this. 

Were DJI or another Chinese UAS company to surreptitiously introduce an agricultural platform under the guise of an American company, as described in the Anzu Letter, it would present four primary threats to American companies and farmers:

1. Anti-competitive Pricing - There is a great deal of research and development which goes into UAS platforms, especially for agricultural UAS, which have unique challenges related to operating in agricultural environments, where signal-loss, operating in hot, cold, wet, and dry conditions at a high interval rate, day-after-day, is more common than in other UAS use-cases. By re-badging a Chinese product as an American company, they can offer far lower prices than other ‘true’ American companies, artificially undercutting their competitors and exacerbating the other knock-on harms, detailed below. 

2. Data and Security - This comment addresses, and is in response to, BIS’s legitimate concerns about the national security risk of Chinese UAS and ICTS components. It has been well-established that continued operation of Chinese UAS in American airspace in perpetuity is, at best, a legitimate theoretical national security risk for America. Whatever risks to American data and security are presented by Chinese and other foreign adversaries’ UAS operating in American airspace, that risk, and the efficacy of attempts to respond through import and operation regulations, are self-evidently compounded, if those platforms are operating under the guise of an American company.

3. Detrimental Impact on American Farmers - America’s farmers are intelligent and patriotic people - definitionally dedicated to helping to feed our country. That said, farming is more than a full time job. Farmers will likely try to diligently research agricultural UAS before purchase and may strongly wish to buy American. However, they simply do not have the time (nor would it likely occur to them, or any other reasonable customer) to check to see if, as described in the Anzu letter, an American company that is presenting their UAS as 100% American, but are, instead, offering re-badged Chinese products funneled through a complex web of shell-companies. As such, it is critical to address these companies, to ensure that money meant to go to American manufacturers goes to the companies who have taken the time, and effort, to develop independently American platforms. 

4. Congressional Dollars - Agricultural UAS, in particular, represent the potential to revolutionize farming across the country. Rightfully so, Congress has included agricultural UAS in a number of proposed grant programs.[27] These programs are meant to support American agriculture and likely may, once in the hands of the implementing agency, contain provisions favoring American manufacturers who the grant recipients would be purchasing from. It would be a gross violation of Congressional intent for federal monies intended for American manufacturers, to be directed to a foreign adversary nation. 

VIII. Conclusion

ADI urges the BIS to adopt a tiered, risk-based approach to regulating ICTS in UAS, prioritizing the most critical vulnerabilities while allowing for a phased transition for lower-risk components. We believe this approach will effectively address national security concerns without unduly hindering the development and use of UAS technology in vital sectors such as agriculture. 

We are particularly concerned about the vulnerabilities associated with ground control stations, the potential for subtle, malicious manipulation of agricultural inputs, and Chinese UAS being sold by American passthrough companies in an attempt to bypass import controls. 

Thank you for the opportunity to submit our perspectives on these challenging issues.

Endnotes

[1] Currently, input costs can be reduced by approximately 25% through the application of soil monitoring. Future projections are that inputs may be reduced by up to 70% with sufficiently advanced plant health analysis and targeted application technologies.

[2] The increase in yield is a result of optimized fertilizer and water inputs combined with the capacity to remove drive rows from crops. For row crops such as corn, the per-acre increase is estimated to be 7%, while cucurbits and other plants which ‘wander’ may realize gains of up to 25%.

[3] See, Anzu Robotics FAQ Page (https://www.anzurobotics.com/faq/).

[4] See, Anzu Robotics Raptor & Raptor T(https://www.anzurobotics.com).

[5] U.S. House of Representatives, Select Committee on the Chinese Communist Party, Letter to Anzu Robotics CEO Randall Warnas, page 1 (August 20, 2024) (hereafter “Anzu Letter”); House Select Committee on the CCP Letter to Commerce Department and Anzu Robotics Exposing PRC Drone Company Masquerading as U.S. Firm August 27, 2024.

[6] Anzu Letter, pg. 2.

[7] Anzu Letter, pg. 4.

[8] Id.

[9] Id.

[10] Id.

[11] https://en.wikipedia.org/wiki/OSI_model.

[12] China Responds to U.S.Restrictions with Export Ban on Select Critical Minerals, S&P Global (January 30, 2025).

[13] Erik Wemple Audit Heightens Pressure On Bloomberg Over China Hack Story, Washington Post (December 11, 2018); Scott Ferguson Bloomberg Hardware Hacking Story Faces Fierce Backlash From Apple & DHS, DarkReading.com (2018).

[14] Patrick Kennedy Investigating Implausible Bloomberg Supermicro Stories, ServeTheHome.com (2018).

[15] Miriam McNabb, What We Know About the DJI Customs Issue Drone Life (October 20, 2024).

[16] See https://qgroundcontrol.com/; https://en.wikipedia.org/wiki/Fork_(software_development).

[17] https://www.solarwinds.com/network-performance-monitor/use-cases/network-sniffer-tool.

[18] https://www.twingate.com/blog/glossary/time-bomb.

[19] Bart Lenaerts-Bergmans What is an Advanced Persistent Threat? CrowdStrike (2025).

[20]“Watering hole [Attack]: [When] Malicious actors are able to infect legitimate websites commonly visited by the victim or people associated with the target with malware for the explicit purpose of compromising the user.” Kurt Baker Cyber Espionage Explained CrowdStrike (2025).

[21] Connor Brown, et al., Occupational, environmental, and toxicological health risks of mining metals for lithium-ion batteries: a narrative review of the Pubmed database, Journal of Occupational Medicine and Toxicology 19-35 (2024); see also, https://greenly.earth/en-us/blog/industries/the-harmful-effects-of-our-lithium-batteries; https://en.wikipedia.org/wiki/Environmental_impacts_of_lithium-ion_batteries.

[22] Nataliya Katser-Buchkovska The future of critical raw materials: How Ukraine plays a strategic role in global supply chains World Economic Forum (July 9, 2024).

[23] See e.g., https://www.earthdata.nasa.gov/topics/biosphere/vegetation/near-real-time-data; https://blog.onesoil.ai/en/how-satellite-images-are-turned-into-ndvi; https://eos.com/products/crop-monitoring/.

[24] A simple ML algorithm can be put together in a matter of days or less, run on a high-end, but recreational, laptop and will rely on tens or hundreds of tensor arrays, largely relying on the quality of training data directly to inform the quality of output. LLMs are characterized by taking months to fundamentally structure and trained on, and requiring not-insignificant amounts of human intervention.

[25] Note: Pedantically, yes, multiple ML’s can be nested, resulting in the user experiencing the categorization of an input from a range of items, but that is the result of weighing the probability of each in post processing - but that is also the matryoshka doll of ML vs LLM - for the purposes of this discussion, the ML would still be sorting from with, say, a range of plant diseases.

[26] See, e.g. Shoaib M, et al., An advanced deep learning models-based plant disease detection: A review of recent research. Frontiers in Plant Science 14:1158933. doi: 10.3389/fpls.2023.1158933 (2023); Javidan, Seyed Feature engineering to identify plant diseases using image processing and artificial intelligence: A comprehensive review Smart Agricultural Technology 8 (2024); Jafar A, et al., Revolutionizing agriculture with artificial intelligence: plant disease detection methods, applications, and their limitations Frontiers in Plant Science 15:1356260. doi: 10.3389/fpls.2024.1356260 (2024).

[27] H.R. 118-149 (The Precision Agriculture Loan Program Act) and H.R. 118-5062 (Specialty Crop Mechanization Assistance Act).