A Chinese drone company founded by a college student in 2006 now controls more than 70 percent of the global commercial drone market and upward of 90 percent of consumer sales. That same company—Da-Jiang Innovations, known universally as DJI—is effectively banned from selling new products in the United States after a series of legislative and regulatory actions culminating in a December 2025 Federal Communications Commission ruling. The question of whether DJI products represent a genuine national security threat, or a trade-policy proxy war wrapped in cybersecurity language, remains genuinely contested despite nearly a decade of official scrutiny.

From a Dorm Room to Shenzhen's Supply Chain

Frank Wang—Wang Tao in Mandarin—started developing drone technology as an undergraduate at Hong Kong University of Science and Technology, working initially on flight control systems for RC helicopters. He co-founded DJI in 2006; the company name, Da-Jiang Innovations, translates loosely as "vast fields." Permanent headquarters went to Shenzhen, a deliberate choice. No other Chinese city concentrates electronics engineers, PCB fabricators, motor manufacturers, and logistics infrastructure at the density Shenzhen offers—an advantage DJI would exploit over the following two decades.

The company's first decade was a steady climb up the technical stack. Early products targeted hobbyists and research operators who needed stable flight platforms. The 2013 launch of the Phantom changed the calculus: DJI billed it as the first genuinely "plug and fly" consumer drone, with an integrated camera mount that stripped out the soldering-iron barrier to aerial photography. Three years later, the Mavic Pro folded to roughly the size of a water bottle and unlocked the high-end travel market.

Today DJI's portfolio spans four major lines. The Phantom and Mavic families handle consumer and prosumer aerial imaging, with the Mavic 3 Enterprise offering 56× optical zoom, a mechanical shutter, and an RTK module capable of centimeter-level positional accuracy—features that put it in direct competition with purpose-built survey instruments. The Matrice line targets industrial deployments: the Matrice 4T is marketed to public safety agencies for thermal imaging, while the Matrice 4E is aimed at precision mapping and infrastructure inspection. The Agras agricultural drones carry 30-to-40-liter tanks of pesticide or fertilizer and use radar terrain-following to spray at consistent height above crop canopy. The company's estimated valuation sits around $15 billion.

A Decade of Escalating Restrictions

US government concern about DJI did not arrive suddenly with the FCC's December 2025 action. The restriction timeline is long enough to read either as a methodical national-security response or as a slow-motion ban in search of an evidentiary foundation—depending on one's priors.

The Army banned all DJI drones in 2017 following internal cybersecurity concerns. Three years later, the Commerce Department placed DJI on its Entity List, requiring additional export licensing for US technology transfers to the company. In July 2021, the Pentagon issued a formal statement calling DJI systems "potential threats to national security." That December, the Treasury Department prohibited US investment in DJI. In October 2022, the Defense Department added DJI to its list of "Chinese military companies"—a designation with significant downstream contracting implications.

Congress formalized the ban logic in statute. Section 817 of the James M. Inhofe National Defense Authorization Act prohibits the Department of Defense and its contractors from using Chinese-made surveillance drones. Section 1709 of the FY2025 NDAA—the Countering CCP Drones Act—mandated a formal evaluation by five agencies (DHS, DoD, FBI, NSA, and ODNI) to determine whether specific foreign-manufactured drones posed an "unacceptable risk" to US national security. The statutory deadline was December 23, 2025.

The interagency review was never completed. On December 1, 2025, DJI took the unusual step of formally writing to all five agencies, urging them to "take up this audit immediately" before the deadline—and adding that "the American people, including those who use DJI drones for their jobs, for their livelihoods, or for ensuring the safety and security of our communities, deserve no less." The agencies did not act in time. On December 22, 2025, the FCC updated its Covered List to include all foreign-manufactured UAS and UAS critical components, citing a National Security Determination issued the previous day under Section 1709. The agency used the same enforcement infrastructure—the Secure and Trusted Communications Networks Act of 2019—it had deployed against Huawei and ZTE. New DJI and Autel models are barred from receiving FCC equipment authorization; previously issued authorizations were not revoked, and existing drones remain legal to own and operate.

The practical mechanics matter. Covered List designation means new DJI models cannot receive FCC equipment authorization and therefore cannot be legally imported or sold in the US. Even minor hardware or software changes would require fresh authorizations DJI cannot obtain—effectively blocking the product update cycle. Existing drones already in consumers' hands remain legal to own, operate under Part 107, and sell secondhand. The DoD's Blue UAS Cleared List functions as the officially sanctioned alternative ecosystem.

The Security Case: Allegations and Audits

The security allegations against DJI cluster around four concerns: that operational data could reach the Chinese government through state-funding mechanisms embedded in the company's corporate structure; that DJI systems have been used to surveil Uyghur populations in Xinjiang; that drone vulnerabilities could be exploited to bypass restricted airspace; and that fleet-scale mapping operations could generate detailed charts of US critical infrastructure. The FCC's December 2025 action cited a National Security Determination finding that foreign-manufactured UAS posed "unacceptable risks to the national security of the United States and to the safety and security of U.S. persons."

"Any technological product with origins in China or Chinese companies holds a real risk and potential of vulnerability that can be exploited both currently and during conflict." — Sen. Marco Rubio

DJI's counter-narrative rests heavily on independent technical audits. A Booz Allen Hamilton cybersecurity assessment—conducted for PrecisionHawk and the UAS Center of Excellence—examined the DJI Government Edition Mavic Pro, Government Edition Matrice 600 Pro, and Mavic 2 Enterprise. Auditors found "no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party." They identified several low-to-moderate severity threat vectors, most requiring physical proximity to the aircraft; DJI responded by implementing AES-256 encryption on new enterprise products. The company also cites independent security reviews conducted by NOAA, the US Department of the Interior, DHS, and Kivu Consulting.

The most comprehensive recent assessment came from security firm OnDefend in a five-month engagement running from October 2025 through March 2026. Testing the DJI Air 3S and Matrice 4E, the team deployed static and dynamic application security testing, full network traffic capture, man-in-the-middle attacks with certificate bypass, full-spectrum RF scanning from 1 MHz to 6 GHz, PCB-level teardowns, near-field antenna analysis, supply chain integrity verification, and RF exploitation attempts. The result:

"During the window of testing, OnDefend's assessment of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization."

Zero critical, high, or medium-risk vulnerabilities. Ten low-risk software issues. All data connections resolved to US-based IP addresses. Local Data Mode functioned as documented. DJI stated that "our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence."

Why It Matters

The DJI case crystallizes a tension that will define the US drone industry for the next decade: the gap between structural risk and demonstrated threat. The structural argument is real—Chinese company law creates obligations toward the state that no voluntary auditing process can contractually override. But five independent technical audits spanning eight years of heightened scrutiny have not produced a documented instance of covert data exfiltration or demonstrated exploit.

What the FCC action has done, practically, is foreclose the dominant commercial platform for US public safety agencies, agriculture operations, infrastructure inspection firms, and the hobbyist sector—without a domestic alternative at equivalent price points in every segment. The Blue UAS list exists, but 81 enterprise vendors cannot substitute for the breadth of the consumer and prosumer market that made aerial imaging routine across industries. First responders and survey teams operating DJI hardware now occupy a gray zone: legal to fly existing platforms today, yet facing growing restrictions as Congress and federal agencies continue to act.

The procedural dimension cuts even deeper. The interagency review mandated by Section 1709—the mechanism Congress specifically designed to answer the evidentiary question on the merits—was never completed before the FCC acted. DJI publicly demanded that review happen. The agencies missed their own statutory deadline, triggering automatic Covered List inclusion by default rather than by finding. The interagency body issued a broad National Security Determination on December 21, 2025 — but the manufacturer-specific Section 1709 product audit DJI formally requested was never conducted. For an industry watching the Blue UAS list grow and DJI's US market share dissolve, the absence of that product-level review is as consequential as the ban itself.

Sources