My opinion is that ISR is the most likely type of malicious UAV operation and kinetic the least, probably by an order of magnitude.

Bear with me while I cover some familiar ground before talking about the most interesting threat – SIGINT.

To start, let us all acknowledge that there is insufficient data to develop any solid statement about the types of malicious UAV operations that are, or might be, occurring in the U.S. The open source reporting misses a lot of incidents that are not reported at all or are reported into a silo where it is hard to find even with authorization. A topic for another post.

That said, it is my opinion that malicious kinetic operations such as we see in Ukraine are highly unlikely to occur domestically. As recent attacks on electric substations demonstrate, a high powered rifle is easier to deploy and possibly more effective.

I believe the biggest threat to critical infrastructure operators, secure facilities, public safety, and executive protection teams is UAVs conducting ISR operations. Brenton Tarrant, the Christchurch shooter, used a drone when planning his 2020 mosque attacks. Using UAVs for surveilling potential targets shows up in domestic violent extremist literature such as “Hard Reset”. The UAVs operating on multiple occasions over U.S. nuclear sites were clearly gathering information about the sites, the security forces, and response patterns. ISIS, Mexican drug cartels, and both sides of the war in Ukraine use UAVs for ISR with great effect. ISR is the sweet spot for malicious UAVs.

The first publicly documented case of a UAV enabled cyber attack appeared in the Register last year and off the record conversations suggest that several similar attacks occurred that year as well. Someone invested over $20,000 worth of UAVs plus $10,000 worth of additional equipment to breach corporate and residential networks on multiple occasions. I’m certain we will see more of this in the future.

But I could argue that cyber attacks are a form of signal intelligence, SIGINT. We’ve not seen this yet. Or have we? The long endurance, heavy lift drones seen over the U.S. nuclear facilities could easily have carried SIGINT payloads as well as optical. And the SIGINT payloads would give the operators superb insights into the data and voice infrastructure and operations at these sites.

If a malicious UAV operator places a large CUAS resistant UAV over your facility and remains overhead for more than an hour they have an opportunity to not only map your communications infrastructure, but they can also analyze how it is used during your response.

As Tyler Rogoway wrote for The War Zone:

“Whereas 60 years ago, electronic warfare systems may have required an entire plane or a large pod on a plane, today totally expendable electronic warfare systems that can wreak havoc on radars and other air defense nodes can be dropped out of  of a chaff and flare dispenser or be housed in the tip of a small missile—or flown on a balloon or lower-end drone.”

He was talking about disrupting the defenders’ electronics but similar packages exist for gathering RF information. Either application creates significant risk for defenders.

The above is just one guy’s opinion. We, collectively, need to get a lot better at determining the intent behind malicious UAV operations in the national airspace and broadly sharing that information. If we do not understand the threat it is much harder to defend against those threats. And without supporting evidence, justifying investments in counter UAV programs is much more difficult.