October 5, 2019
When the U.S. Federal Aviation Administration issued its first commercial drone license in late September, it made the risks and rules of commercial drone flights no longer an interesting hypothetical. CISOs need to have concrete plans for dealing with privacy, security and compliance right away.
Drones are IoT devices that can fly almost anywhere, deliver and grab almost anything, and are equipped with cameras and microphones that enable them to see and hear almost everything. Let's start with privacy. What happens when a retailer's drone delivers to a customer's backyard and unintentionally beams back live video of a woman sunbathing in little to no apparel? Or when a pharmaceutical company's drone delivers critically needed medicine to a hospital's emergency room and accidentally sees sensitive patient records as it's dropping off its injections? Or when a drone for a hotel chain swoops alongside a highway close enough to capture license plates that happen to show someone being somewhere they shouldn't be?
Then there are the security implications. What if a thief is able to remotely take over control of the drone and engage in illegal activity (casing houses for potential burglaries, watching an intended rape/kidnap victim, using its mechanism to steal packages left on doorsteps, etc.) with a drone that bears the markings of your employer? Let's set aside for the moment the thief controlling the drone itself. What if instead the thief merely piggybacks on the video transmissions? In the privacy examples above, employees and contractors might be trusted to adhere to your company's privacy practices, but how secure are those transmissions? For that matter, wireless interception might not even be needed. What if the thief physically steals the drone when it flies low to deliver something, hacks into the mechanism to access all video and flight controls, and then releases it back into the air?
As has happened with just about every major technology advancement in the last couple of decades, compliance rules often lag far behind technology deployments. Bottom line: enterprise CISOs are going to have to make their own rules, until industry groups and government agencies around the world catch up.