A swarm of small commercial drones laden with explosives descended on the attendees departing the local university hockey game in the town of “Minor Spoon” – leaving multiple dead and more wounded. Another swarm attacked the electric grid, leaving the entire city and surrounding area without power. The nearby Air Base suffered considerable damage from a third wave of attack …

This was the hypothetical scenario laid out by Venable’s Center for Cybersecurity Policy and Law during a three-hour exercise in Grand Forks, North Dakota, to explore the threat posed by the malicious use of drones to the homeland. Over the course of an afternoon, participants from local, state, federal government, private industry, the state university, and representatives from the key energy providers responded to hypothetical attacks on the air base, electricity grid, and a local hockey game in the fictitious town of “Minor Spoon.”

Sound far-fetched? Drones have crashed into the seating areas at the U.S. Open and a Major League Baseball game, luckily with no injuries. The drone attack on strategic air bases deep inside Russia as part of Operation Spiderweb is a reminder of the vulnerabilities of places otherwise deemed secure. In just the last few weeks, drone sightings in Europe have led to multiple airport shutdowns. Meanwhile, the low cost of drones makes them a potentially powerful and inexpensive weapon.

To illustrate the threat and practice the response, exercise participants were broken into four teams: the Minor Spoon Air Base, the Minor Spoon Electricity Provider, the Minor Spoon University, and local Minor Spoon government. Over three rounds, the teams were tasked with:

  • Responding to warnings about a potential, impending attack.
  • Reacting to the attack.
  • Engaging in recovery actions the day after the attack, while still facing the possibility of follow-on attacks.

The teams worked collectively to identify actions that would best ensure the safety and well-being of the local population, minimize damage to property, and gather information to better understand the source of and potential for future attacks.

Each team was forced to struggle with the limited authorities, technical tools, and operational challenges in responding to an active Unmanned Aircraft System (UAS) threat. The group also discussed the challenges posed by new and emerging technologies, including swarm drones and fiber optic drones, the importance of and significant challenges in effective detection, and the limited authorities to mitigate the threat for the non-Air Base Teams.

Among the key findings:

  • Effective detection is key. Without effective detection, there is no way to assess whether reported drones are actual drones, and if so, whether they are likely hobbyist drones or drones associated with sophisticated malicious actors.
  • Effective detection is hindered by several limitations, including limited resources for entities to invest in detection technologies, a lack of baseline mapping of what is “ordinarily” in the airspace to detect anomalies, and operational coordination challenges.
  • Only a handful of federal government actors (the Departments of Defense, Energy, Justice and Homeland Security) are authorized to engage in drone mitigation and active drone detection measures (i.e., detection systems that emit radio frequency signals and can detect communication between a drone operator and the drone) and even these authorities are limited to protecting certain assets and facilities.
  • Of particular concern, key portions of the DOJ and DHS authorities expired on September 30 — meaning these agencies lack authority to engage in active detection and mitigation over sporting events and other mass gatherings that otherwise would be eligible for federal Counter-Unmanned Aircraft Systems (C-UAS) protections.

Moreover, state and local officials and critical infrastructure owners do not have any authority to engage in more sophisticated, active detection measures, let alone any mitigation measures.

A key goal of the exercise was to “normalize” C-UAS as an essential part of good security planning. Regardless of the source of an attack, there is a need for rapid deployment of emergency services, crowd control, engagement across local, state, and federal authorities, smart and effective communications, and strong organizational structures. The discussion focused on each of these elements – which are part of a key response to any crisis. (For those who missed it, Venable recently did an event on the legal and operational requirements related to effective Crisis Management and Crisis Prevention).

In the coming weeks, the Center for Cybersecurity Policy and Law will publish a report describing the exercise and findings in more detail. This will launch a broader workstream of homeland resiliency, to include a focus on protecting the homeland from the C-UAS threat.

The Center for Cybersecurity Policy and Law is grateful to its co-sponsor GrandSKY, who helped plan and support the event, provided space for the exercise, and invited all participants to an evening reception. We also thank our additional supporters and sponsors: Drone Shield and P3 Tech Consulting.

Jennifer Daskal, Davis Hake & Tim McGiff
