Counter Threat Solutions White Paper

VULNERABILITY, THREATS, and RISK - How Do They Relate to UAS?

By Dan Delgado, Program Technical Lead, Counter Threat Solutions

Unfortunately, bad things are happening more and more often, and it is apparent that today’s mass gatherings are being purposely targeted. Adding to modern-day concerns, a person with malicious intent, utilizing current technologies, could easily distance themselves from the scene and complicate a “normal” public safety response. For example, Unmanned Aircraft Systems (UAS or “drones”) have become ubiquitous in the consumer technology market, and their misuse could readily add to the confusion and hinder a coordinated effort to react to any criminal (or terror-inspired) event.

Once reserved for specialized government and military use, today’s drone is inexpensive to produce, highly intuitive, and simple enough that the average consumer can efficiently operate most variants with precision. This new dynamic creates innovative solutions to existing problems and drives a new commercial industry, empowering users to deliver supplies or collect data in remote areas.

While these capabilities have proven to be a positive catalyst for commercial growth and innovation, drone technology can also serve as an agent of chaos, disrupting conventional security methods. Corporate espionage, smuggling contraband, invasion of personal privacy, and many terrorist activities become easier using drones.

These easy-to-fly aircraft can carry heavy payloads, be flown long distances, and (sometimes) last for well over an hour. Conventional security methods simply can’t account for such new risks associated with UAS.

Given today’s environment where our public safety agencies must prepare for an increasing number of unanticipated events, we can still strive to address such unexpected risks with a “tried and true” mindset which begins with a solid risk assessment.

Before starting any review, I suggest a shared understanding of “risk.” Specifically, let’s focus on human-caused public safety events and the risks associated with an intentional incident.

Although there are slightly different definitions of risk, one model is most recognized in my experience working within the Federal Bureau of Investigation and collaborating with the Department of Homeland Security. This model classifies risk through understanding its three measurable sub-components:

  1. Consequence
  2. Vulnerability
  3. Threat

Risk is not synonymous with threat or vulnerability

The first component, consequence, is readily assessed through the accumulation of reportable data (e.g., illness, death, and economic impact). In other words, “How bad can it get?"

Most large corporations and governments have mechanisms to monitor adverse events. These organizations can aggregate information regularly to produce a clear picture of a specific consequence for each type of disaster.

We can define vulnerability as a physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.

The standard measure of vulnerability is the likelihood an attempted attack is successful. Across our Nation, some agencies have relied upon vulnerability assessments to identify, quantify, and classify vulnerabilities to prioritize actions to mitigate those identified vulnerabilities. In trying to figure out “how easy is it to hurt us?” vulnerability assessments should also consider systems and networks instead of solely focusing on any particular asset.

Threat, in general, is a natural or manufactured occurrence, individual, entity, or action that has (or indicates) the potential to harm life, information, operations, the environment, and property.

For this discussion, the best indication of a credible threat is a timely calculation related to a person who can demonstrate operational practicality and skills with the requisite technical or logical capability and malicious intent. In other words, this describes a person with three factors:

  1. Skills
  2. Capacity
  3. Demonstrated desire to cause harm

Following these concepts, imagine a loaded pistol left unsecured on a table. What is the associated risk? The consequence of misuse, such as potential harm to others, can be readily imagined.

There are measurable vulnerabilities to people and operations should this firearm be abused. However, because an unattended gun will not discharge by itself, it does not present a threat until a person handles it and operates it correctly with intent to harm.

This example has a describable risk; even so, the danger of the gun only becomes a consideration when a human is involved.

Risks associated with UAS

Emerging technologies can initially challenge the risk paradigm for our first responder communities. With the advent of artificial intelligence, autonomous technologies, and unmanned systems (including “drones,” aka UAS), there is one vital factor to be considered: the absence of a recognizable human.

Let’s delve into this deeper using the scenario of a package brought to your front door by your usual delivery person.

  • Is there any risk associated with this delivery?
  • If the package was expected and delivered in the usual manner, there is likely less vulnerability that it will bring something unwanted or hazardous.
  • If you expected the delivery, there is less of a consequence it will contain something harmful.
  • Should this be your usual delivery person or recognized company, this would likely diminish any associated threat which would cause you to infer some unknown danger.

Nevertheless, should any part of this delivery occur with circumstances outside the norm, where something was different (an unexpected package, left in an unusual location, or an unknown delivery person), it would be logical to begin evaluating the potential of elevated risk.

How does a person’s risk equation change when packages are delivered using a UAS?

With all other details remaining unchanged - except the delivery system is now UAS-based - is there an enhanced “threat” or a more significant risk? How would things change if delivered by a driverless vehicle?

To take this example a few steps further, utilizing UAS to provide anything now has associated considerations:

  • Do you recognize the person or company?
  • Although expected, would things change if dropped at your back door?
  • Could you stop its delivery because it’s not convenient?
  • Are you ok if the package is beyond your usual security measures when delivered?

When referring to risk, the point of this example is that the determination of threat remains the one variable we cannot readily distinguish. Because we cannot interact with the delivery person, the package recipient cannot determine who is delivering, what is in the package, or why this package’s delivery is different.

Specifically, if a human is involved who may have the skills, capacity, and desire to cause harm, we would likely never know until it’s too late.

The drone does not go to jail

These challenges highlight today’s need to initiate risk-based assessments and a substantial communications plan to mitigate societal fears.

Given our inability to slow down technological advancements, a general consideration of all risk factors becomes especially important as society evolves alongside continuously advanced capabilities. In this modern world, vulnerabilities vary based on each device and the public’s fear of the unknown.

Likewise, a perceived threat can differ significantly from an actual consequence. Especially for our public safety agencies trying to mitigate risks, when a crime or potentially unsafe situation occurs involving a UAS, we must develop new response protocols that emphasize finding the human operator.

For those new to this discussion, UAS are aircraft. Regardless of how small they may be, these UAS enjoy the same rights to use airspace as any other airplane in the sky and remain subject to FAA rules and regulations.

These rights mean if a US public safety agency is considering the purchase of equipment or technologies which somehow affect the flight of a UAS (which effectively removes or replaces the pilot/operator), that agency is most likely in violation of several federal laws and statutes. When the aircraft has no pilot, beyond being illegal, using such countermeasure technologies may not mitigate the threat or eliminate the hazard and could have other unintended consequences.

Law enforcement’s use of force against any aircraft (including UAS) is strictly limited and reserved for specialized US government and DOD applications. Finally, it is not always advisable to destroy or lose the evidence contained within the UAS. This advice is most important as the pilot is liable for the aircraft’s actions, and that person may be arrested and charged with a crime.

Vulnerabilities associated with UAS flights have changed

Taking account of the capabilities of UAS, there are new considerations to the risk factors.

Because the aircraft typically operates farther away than the human eye can make out details, it’s practically impossible for the casual observer to tell if the drone is carrying a camera or another device. If it is a camera, the observer cannot determine which way it is pointing or if it’s actively recording. UAS can readily challenge classic security protocols that control unwanted human behavior with “gates, guards, and guns.” In other words, neither existing fences, on-site security personnel, nor firearms can prevent the flight of any aircraft, including UAS.

The current war in Ukraine and past terror groups’ use have demonstrated the consequences of a weaponized drone. Exacerbating the threat of UAS misuse by a nefarious actor is the difficulty in identifying the motive of any person controlling such aircraft. Most people cannot distinguish a UAS flight of a realtor taking pictures from an armed drone carrying a dangerous payload.

This scenario highlights the major challenge for our public safety personnel: their inability to differentiate between intentional nefarious behavior and careless behavior in UAS operations.

In the end, public safety officials’ interaction with the operator of the UAS is critical. Officials responding to reports concerning the operation of a UAS must first recognize the flight of this aircraft is merely the extension of the pilot’s commands. To the observer, such aircraft may appear to be flying in a manner that is suspicious or unsafe. Interaction with the UAS pilot is the only definitive method to determine the intent of their operation.

A potential threat is not analogous to fear

As humans, we tend to prefer predictability in our lives.

According to Merriam-Webster, fear is a “strong emotion caused by anticipation or awareness of danger.” Based on our own experiences and those relayed to us through external trusted sources, humans can become programmed to recognize a set of circumstances as something that could be potentially dangerous.

Some people even have a natural fear response to anticipate potential danger when something is unknown or unexpected. To counter a situation where any person with the skills, capability, and malicious intent could cause harm, many personnel from public safety agencies have dedicated their lives to preparing for and preventing such a threat from becoming a reality. Think how some subconsciously feel “safer” at a mass gathering when there is a visible presence of first responders.

Referring to the example of a loaded pistol sitting unsecured on the table, we can readily formulate the risk related to this scene.

How do things change when a person walks into that room?

  • The presence of a human might begin a calculus of the changing threat condition, but absent other details about the person, some people might naturally become alarmed - or even afraid.
  • On the other hand, if the person is recognized or at least wearing something like a police uniform, the potential threat may be less of an issue.
  • Succinctly restated, even if the “risk” equation remains unchanged, the predictable behavior of the person is proportional to the observer’s comfort.

When an unexpected UAS is merely an extension of a human, neither the pilot nor the purpose of the flight is readily apparent. It is logical how the absence of further information could induce some apprehension in the public about the presence of a nearby drone.

The biggest challenge to our first responders is that it’s almost impossible to prevent an unsafe or dangerous event until it happens.

The most unpredictable element in considering threats (and risk) associated with UAS is the inability to make a judgment about the intent of its human pilot. However, the fear of the unknown or unexpected UAS flight can lessen with a better understanding of risk.

Uncertainty is part of the human experience; learning to predict what is coming next can be daunting. Planning a public safety-inspired, risk-based approach before responding to reports of a suspicious UAS at public events will prevent fear from driving reactionary policies, poor protocol, or an ineffective reaction.

Fortunately, the threat associated with unknown UAS flights isn’t as bad as it looks to the casual observer. When we take the time to understand the nature of these pilots, the overwhelming majority of flights in our national airspace are of minimal risk.

From anecdotal experience and interaction over many years with U.S.-based and international law enforcement agencies, we can visualize the intentions of UAS pilots in this graphic:

  • Most UAS pilots who come to the attention of law enforcement are either inexperienced or unaware of the rules.
  • There is also a proportionally smaller group of careless pilots.
  • Even fewer pilots intentionally break laws or flight rules, specifically acting with criminal intent or potentially terrorist designs.

Knowing the minuscule odds of a malicious UAS pilot helps law enforcement focus efforts on the threat actors identified in their risk assessments. This simple assessment is essential for the public to understand and digest.

Public safety professionals understand this and want the public to feel safe. Fears associated with UAS operations can be mitigated with education about these technologies, an understanding of the concept of risk, and recognition of the necessity of determining the pilot’s intent.

How to prepare

Free DHS FEMA training is available for public safety individuals related to UAS investigations and response. Learning about a similar risk-based process is highly recommended for those unable to attend such classes.

At a minimum, this protocol should include practice in detection, identification, tracking, assessment, response, and reporting interaction with all entities potentially involved in the incident.

If your agency has or is planning to incorporate UAS technologies into detection protocols:

  • Check with appropriate legal staff for compliance with federal laws.
  • Practice integration of this technology between responding agencies, including proper command and control entities.
  • Initiate liaison with neighboring agencies to discuss UAS-related issues.
  • Look at the potential for mutual-aid opportunities.
  • Identify best practices to incorporate into your agency protocol, and interact with your prosecutors to pre-plan what state or local law violations could apply to specific circumstances.
  • Reach out to your federal partners (e.g., DHS, FAA, FBI, JTTF) to learn what support options are available to your agencies.

For scheduled mass-gathering events, think about initiating an in-depth risk assessment. You can do these assessments in-house, or vendors are available to work through the steps and produce printed output suitable for dissemination to command staff, emergency management planners, and others, as needed.

This risk assessment should include a meeting with local leaders and public safety agencies to “brainstorm” potential vulnerabilities, identify worst-case scenarios and consequences, and discuss threat vectors and information sharing. A great product to produce is a “Consequence vs. Likelihood” chart, which ties to critical infrastructure and government stakeholders (including the possibility of international concerns).

Additionally, identify others in your community who may know about UAS technologies, such as your regional colleges or universities, technological industries, local businesses, and federal agencies. Finally, include a training plan to exercise against your risk assessment.

The way forward

Because public safety is the primary concern, it is imperative to recognize the distinct difference between consequence, vulnerability, threat, risk, and fear.

These terms are not synonymous.

Consider a risk assessment before shopping for a technological solution – there is no “easy button” out there. Ultimately, an honest and complete risk assessment will focus on how people will address others. Machines and technology are tools but not the answer to managing risks.

As in the case of potential malicious misuse of unmanned systems, there will always be a necessity to identify the person behind the machine.


About Dan Delgado

Dan Delgado is Program Technical Lead for AVIAN's Counter Threat Solutions capability. Dan has over 20 years of FBI experience with a demonstrated history of working in Crisis Management, Risk Management, Weapons of Mass Destruction, Counterterrorism, Human Intelligence, and Emergency Management. Dan holds a Master's Degree in Criminology, Weapons of Mass Destruction from the Indiana University of Pennsylvania and a Bachelor's Degree in Civil Engineering from the US Coast Guard Academy.