The Authority Gap: Why Most Organisations Can Detect Drones But Cannot Stop Them

The disconnect between detection capability and legal mitigation authority. What the authority gap means for procurement decisions and why detection-only may be your only legal option.

Executive Summary

The counter-drone market has fractured into two incompatible economies: detection and mitigation. Detection systems—optical, RF, radar—are widely available, broadly legal to operate, and increasingly deployed across critical infrastructure. Mitigation systems—jamming, kinetic intercept, directed energy—are heavily regulated, operationally complex, and available only to government and military operators.

The authority gap is the legal and regulatory chasm between these two economies. An organization can legally purchase, install, and operate a system that detects drones with high confidence. The same organization cannot legally operate most systems designed to stop detected threats. This gap creates a risk asymmetry: detection capability generates alerts without actionable response, potentially increasing liability rather than reducing it.

This briefing addresses the legal constraints that create the authority gap, explains procurement implications, and provides practical guidance for organizations evaluating C-UAS investments.


Part 1: The Market Structure—Two Economies, No Bridge

The Detection Economy

Detection systems are widely available, offered by numerous vendors, and operate in a relatively permissive regulatory environment. Dedrone, Eaton, SRC, DJI (via Enterprise Shield), and dozens of smaller vendors offer optical, RF, and radar-based detection platforms. These systems are designed to identify unmanned aircraft, estimate threat profiles, and alert operators.

Detection systems enjoy relatively broad legal permission because:

  • Detection is passive observation. Unlike jamming or intercept, detection does not interfere with aircraft operation or RF spectrum.
  • Detection supports law enforcement. Providing evidence of airspace violations to law enforcement is a protected activity in most jurisdictions.
  • Detection has dual-use civilian applications. Airspace awareness benefits civil aviation and wildlife management, not just security operations.

As a result, detection systems are sold commercially, with few regulatory barriers to purchase or operation. Organizations can deploy detection systems across multiple sites, integrate them into security operations, and use generated data to coordinate with law enforcement—all within clear legal frameworks.

The Mitigation Economy

Mitigation systems—jamming, RF spoofing, kinetic intercept, directed energy—operate in a heavily constrained regulatory environment. These systems are available primarily to government and military operators, with explicit statutory prohibitions preventing private sector deployment.

Mitigation systems are constrained because:

  • They interfere with RF spectrum. Jamming or spoofing transmissions require explicit Federal Communications Commission (FCC) authorization.
  • They are weapons. Kinetic intercept systems are explicitly classified as weapons under international law and U.S. federal statute.
  • They create uncontrollable effects. Jamming affects all RF-dependent systems in the area, not just target drones.
  • They create liability exposure. Misidentified aircraft could be engaged, creating catastrophic consequences.

The mitigation economy is therefore restricted to government agencies with explicit statutory authority: the U.S. military, the Federal Bureau of Investigation, the Secret Service, and select Department of Homeland Security components. Private sector operators, critical infrastructure owners, and state/local governments do not have clear statutory authority to operate mitigation systems.

The Authority Gap

The authority gap is the space between detection capability and mitigation authority. An organization can legally detect a threat but not legally stop it. This gap creates operational friction:

  • Alerts without actionable response. Detection systems generate alerts, but private operators cannot take direct action. Response depends on law enforcement availability and response time.
  • Coordination complexity. Detection-only systems require integration with law enforcement command structures, creating dependencies outside the detecting organization's control.
  • Liability exposure. Detecting and reporting a threat creates evidence of awareness. If that threat materializes into an incident, the detecting organization may face liability for inadequate response.

For many organizations, this gap is tolerable. Airports have FAA air defense procedures and police liaison. Critical infrastructure operators can coordinate with federal law enforcement. But for smaller private operators, the gap becomes a fundamental constraint: they can purchase detection capability but cannot purchase the ability to respond to detected threats.


The Aircraft Sabotage Act (49 U.S.C. § 46506)

The Aircraft Sabotage Act prohibits intentionally destroying, disabling, or damaging any aircraft in flight. The statute does not distinguish between manned and unmanned aircraft. Kinetic C-UAS systems—directed impact, directed energy, or other systems designed to disable or destroy aircraft—fall squarely within this prohibition when applied to any aircraft, including drones.

Exception: The statute includes explicit carve-outs for military operations and law enforcement acting under federal authority. The U.S. military and federal law enforcement agencies can operate under these exceptions. Private operators, state and local governments, and critical infrastructure operators do not qualify for these exceptions.

Practical implication: Kinetic C-UAS is off-limits for non-federal operators without explicit congressional authorization or formal delegation of federal authority.

The Communications Act (47 U.S.C. § 333)

The Communications Act prohibits intentional or reckless operation of RF transmission equipment outside authorized frequency allocations or without FCC authorization. Jamming—intentional RF interference designed to deny or degrade signals to UAVs—is explicitly prohibited.

The statute includes narrow exceptions for:

  • Government agencies operating under explicit FCC authorization. The Department of Defense, FBI, Secret Service, and select DHS components have FCC-authorized frequency bands for EW operations.
  • Aviation safety operations under FAA authority. The FAA can authorize temporary RF interference in narrow circumstances (typically military operations or air defense exercises in restricted airspace).

Exception: Private operators and critical infrastructure owners do not qualify for these exceptions. Jamming by a private operator, even in response to an imminent threat, violates the Communications Act.

FCC Enforcement History: The FCC has prosecuted private parties and small companies for unauthorized jamming. Penalties include fines up to $112,500 per violation and equipment seizure. The FCC does not grant exceptions for "defensive" jamming by private operators.

Practical implication: RF-based C-UAS (jamming, spoofing, RF shaping) is legally unavailable to non-federal operators.

The Computer Fraud and Abuse Act (18 U.S.C. § 1030)

The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems and intentional interference with system operation. GPS spoofing, which involves transmitting false GPS signals to confuse UAV navigation, can be construed as interference with navigation systems.

Additionally, some C-UAS systems operate by injecting false commands into UAV control channels (typically 2.4 GHz Wi-Fi or proprietary frequency bands). This injection constitutes unauthorized access to the UAV's computer system.

Exception: Federal law enforcement and military operations have explicit authority under federal statute. Private operators do not.

Practical implication: Sophisticated C-UAS techniques like GPS spoofing or control-channel injection are legally restricted to government operators.

The Wiretap Act (18 U.S.C. § 2511)

The Wiretap Act prohibits intentional interception of electronic communications. Some C-UAS systems operate by intercepting and decoding UAV control signals, GPS telemetry, or video transmission to understand threat intent or capabilities.

Intercepting and decoding these signals—even for defensive purposes—can violate the Wiretap Act if the signals constitute "electronic communications" under the statute's definition.

Exception: Law enforcement operating under wiretap authorization or during emergency circumstances has limited authority. Private operators do not.

Practical implication: Sophisticated C-UAS approaches involving signal interception or decoding are legally constrained.


Part 3: SAFER SKIES and the Limits of Federal Infrastructure

The SAFER SKIES program—the FCC and Department of Homeland Security collaborative initiative to establish integrated airspace monitoring networks at critical infrastructure—was explicitly designed to operate within legal constraints while advancing detection capability.

SAFER SKIES participants operate detection systems only. The program creates shared airspace intelligence without implying mitigation authority. Participating organizations coordinate with law enforcement but do not independently engage detected threats.

The program explicitly addresses the authority gap by clarifying what is NOT authorized. SAFER SKIES guidance states:

  • Participants have no authority to jam, spoof, or otherwise interfere with RF signals.
  • Participants have no authority to engage aircraft with kinetic force.
  • Participants' role is detection and threat reporting, not response.
  • Law enforcement response depends on law enforcement availability and assessed threat severity.

Practical implication: SAFER SKIES is a workaround to the authority gap, not a solution. It formalizes detection-only operations while explicitly preserving law enforcement's role as the mitigation agent.

For organizations in SAFER SKIES, this means:

  • Detection capability is institutionalized through integrated networks.
  • Response is systematic but law enforcement-dependent.
  • Authority constraints remain unresolved for private operators.

Part 4: Procurement Implications

For private operators, critical infrastructure owners, and state/local governments, detection-only systems are likely the only legally defensible C-UAS investment. This is not ideal from an operational perspective, but it is the legal reality.

Organizations should evaluate detection systems with this constraint in mind:

Assume law enforcement response times. Detection systems should integrate with law enforcement notification workflows. Evaluate systems based on how quickly alerts reach law enforcement and how actionable the alert data is for police responders.

Prioritize forensic value. If direct mitigation is unavailable, detection systems should provide high-quality forensic data (video, signal patterns, flight paths) that supports law enforcement investigation and evidence preservation.

Evaluate integration costs. Detection systems must integrate with existing command-and-control, dispatch, and evidence management systems. The true cost of detection is installation plus ongoing integration overhead with law enforcement.

Plan for sustained operations. Detection systems will operate continuously, generating alerts that require routing to law enforcement and documentation for incident records. Budget for 24/7 monitoring capability and personnel training.

Mitigation Systems Require Explicit Authority

Organizations seeking mitigation capability—jamming, RF shaping, kinetic intercept—must first obtain explicit legal authority. This is not a procurement decision; it is a regulatory decision.

Organizations considering mitigation should:

Consult legal counsel with federal law expertise. The authority gap is defined by complex federal statutes and FCC precedent. Local counsel may not be familiar with C-UAS-specific legal constraints.

Engage with relevant federal agencies. For federal operators, the Department of Defense, FBI, and Secret Service can clarify authority and procurement constraints. For non-federal operators, engagement with the FCC and DHS is necessary to understand whether statutory authority exists.

Anticipate regulatory timelines. If authority does not currently exist, obtaining it through congressional statute or executive action requires multi-year timelines. Organizations should not assume that pending legislation (such as proposed SAFER SKIES expansion) will clarify authority in near-term procurement cycles.

Multi-Layer Detection May Be More Cost-Effective Than Single-Modality Systems

Given the constraint to detection-only operations, organizations should consider multi-modal detection (optical, RF, radar) rather than single-modality systems. Each modality has performance constraints in different environmental conditions (weather, time of day, RF noise). Layering detection modalities improves reliability and reduces false-positive rates.

Multi-layer detection is also more resilient to countermeasures. If an adversary defeats RF detection (through jamming or spoofing), optical and radar detection may remain functional. This resilience justifies the higher cost of multi-modal systems.


Part 5: Practical Guidance for Organizations

If You Operate Critical Infrastructure

Participate in SAFER SKIES if eligible. The program formalizes detection-only operations and creates integrated airspace monitoring while preserving law enforcement response authority.

Establish liaison relationships with federal law enforcement. FBI field offices and local Secret Service details should know your facility and understand your threat profile. Establish communication channels that enable rapid law enforcement response to detected threats.

Develop detection-to-law-enforcement workflows. Detection alerts should route automatically to law enforcement dispatch. Test these workflows quarterly to ensure they function under stress.

Budget for sustained monitoring. Detection systems require continuous operation and 24/7 personnel availability. Plan for staffing, training, and system maintenance as part of detection lifecycle costs.

If You Operate an Airport or Aviation Facility

Coordinate detection systems with FAA and airport security. Airports have established air defense procedures and law enforcement liaison. New detection systems should integrate into existing protocols rather than replacing them.

Prioritize alert quality over alert volume. Airport operators benefit from low false-positive detection systems that provide high-confidence alerts to airport operations and law enforcement. Consider vendor track records in your operational environment.

Plan for regulatory evolution. Federal authorities are developing C-UAS policy for aviation environments. Detection systems should be flexible enough to integrate with future federal guidance as policy matures.

If You Operate a Private Facility Without Law Enforcement Presence

Understand that detection may not be sufficient. If your facility is remote or has limited law enforcement response capacity, detection without mitigation authority creates unresolved risk.

Explore hybrid approaches. Consider combining detection with physical security (perimeter barriers, screening), business process changes (temporary flight restrictions for sensitive operations), or coordination with nearby law enforcement.

Monitor regulatory developments. Federal and state regulations around private operator C-UAS authority are still evolving. Subscribe to FCC and DHS guidance to understand when private mitigation authority may become available.

Consult legal counsel on facility-specific authorities. Some facilities (nuclear power plants, federal research institutions) may have delegated federal authority or specific statutory authorities. Facility-specific legal review is necessary to understand your actual authorities.

If You Are Evaluating Mitigation Systems

Do not assume purchase equates to legal authority. A vendor can sell you a system that is illegal to operate. Purchasing a mitigation system does not grant legal authority to use it.

Obtain explicit legal authorization before procurement. Work with your legal counsel and relevant federal agencies to confirm that your organization has statutory authority to operate the system you are considering. This authorization should be in writing.

Plan for regulatory timelines. Obtaining new statutory authority can take years. Organizations should not depend on future regulatory changes to justify current procurement decisions.

Consider that federal policy may change. Even if you obtain current authorization, future administrations and congresses may change C-UAS policy. Build procurement strategies around durable legal frameworks, not aspirational regulatory futures.


Conclusion

The authority gap is not a procurement problem; it is a legal constraint embedded in federal statute. Detection systems are widely available and legally defensible. Mitigation systems are restricted to government operators with explicit federal authority.

Organizations evaluating C-UAS investments should assume detection-only as the baseline and plan operational responses accordingly. This means integrating with law enforcement, budgeting for sustained monitoring, and accepting that organizational response to detected threats will be law-enforcement-dependent rather than independently controlled.

For federal operators and those with explicit statutory authority, mitigation systems offer asymmetric capability advantages. For all other organizations, detection-only systems represent the legal and operationally defensible approach to counter-drone risk management.

The future may hold expanded private operator mitigation authority. Current law does not. Organizations should make procurement decisions based on current legal frameworks, not anticipated regulatory evolution.