The lines between government and the commercial space industry continue to blur. There have been concerning signals across the international community that adversarial nations may consider civilian infrastructure a legitimate target during military conflicts. As governments increasingly rely on commercial space capability, companies big and small are rethinking their cybersecurity posture to withstand nation-state attacks.
The Feb. 22 attack on VIASAT’s commercial satellite network was eye-opening evidence of this new reality. Moreover, the increasing commercialization of space is only broadening the attack surface and increasing the attractiveness of cyberattacks. Significant and immediate steps can be taken to protect commercial space assets and the essential functions they perform impacting critical infrastructure.
The 2022 National Defense Strategy released on Oct. 27 recognizes that the evolution of both the cyber and space domains is changing the security environment, specifically noting that “[c]ompetitors now commonly seek adverse changes in the status quo using gray zone methods– coercive approaches that may fall below perceived thresholds for U.S. military action and across areas of responsibility of different parts of the U.S. Government.”
Moving Beyond Best Practices
At present, there is no overarching policy governing cybersecurity of the U.S. commercial space ecosystem. Space Policy Directive 5 (September 2020) (SPD5) advocates for terrestrial cybersecurity principles and practices to extend to space and directs U.S. federal agencies to work with the commercial space industry to establish cybersecurity-informed norms for space. It calls for risk-based, cybersecurity-informed engineering and cybersecurity plans that will help space systems anticipate, monitor, and adapt to mitigate malicious cyber activities and maintain an effective cyber survivability posture throughout the lifecycle of space systems.
But while the U.S. government and its partners rely upon the Committee on National Security Systems Policy 12 (February 2018) to integrate cybersecurity into space systems, the commercial industry is left to stitch together a number of best practices and balance those recommendations against pressures of cost and schedule (the latter of which is being pressed heavily by Space Development Agency and venture capital firms alike).
The National Institute of Standards and Technology (NIST) has stepped into the void with its Cybersecurity Framework (translated into 9 languages!), Risk Management Framework, and a host of terrestrial cyber standards. Additionally, NIST has put forth a draft internal report, NISTIR 8270, that presents a method for applying the Cybersecurity Framework to commercial space systems.
As noted in the 2022 National Defense Strategy, unclear norms of behavior and escalation thresholds increase the risk of inadvertent escalation. Moreover new applications of technology in cyber and space “have the potential not just to change kinetic conflict, but also to disrupt day-to-day U.S. supply chain and logistics operations.” In order to guard against this burgeoning threat, the space community can build upon this “normentum” – a term coined by Therese Jones of the Satellite Industry Association at the Space ISAC’s Value of Space Summit in October 2022 – to identify overlap and create a higher standard for baseline cybersecurity policy.
Proactive Risk Management
There are tangible steps that can be taken now to help guard against cyberattacks, state-sponsored or otherwise. Critical infrastructure communities are increasingly aware that the supply chain ecosystem expands well beyond logistics and must examine more than major acquisitions. Shifting to an enterprise-wide strategy that covers all materials, products, and services throughout their lifecycle is a key step toward readiness. Additionally, forward-leaning entities understand that cybersecurity is inherently a part of supply chain risk management of the future.
While the consistent application of fundamental cybersecurity practices (namely boundary protection, asset management, and access control) across all the segments and lifecycles of space systems is critical, there are five focal areas that could drastically improve the defensibility of commercial space systems.
- Shift securitization efforts left. The space system lifecycle begins with research. Software development and material selection occurring during this phase impact everything thereafter. Concentrating supply chain risk management efforts during the research, design, and development phases promote greater visibility when knitting space components together later in the lifecycle.
- Intensify testing efforts to validate the intended functionality and performance of space vehicles. Robust testing prior to launch can reveal a host of issues, from malicious code to unintended consequences of patching on interconnected space systems.
- Understand that people are part of the security equation; given the competitive and contested nature of the space environment today, nobody can assume benign intent of operators. That is a luxury of the past. Enforcing access controls like least privilege principles will reduce vulnerability and increase traceability in the event of a breach.
- Plan for the post-quantum world. The inevitable advent of quantum computing poses a threat to any data currently protected by asymmetrical cryptography – meaning that encrypted data stolen today can be decrypted in the future when quantum becomes available. To be quantum resistant, entities must identify their most sensitive intellectual property and data and create a roadmap for transitioning those assets to post-quantum cryptography. The Department of Homeland Security and NIST are already supporting such efforts and NIST has projected it will publish standards for post-quantum algorithms in 2024.
- Invest in cybersecurity. As important as technological innovation is, it is equally critical that such innovation is protected and resilient. Companies must adequately fund cybersecurity mechanisms and practices with the expectation that their investment will be recognized as a differentiator when securing government contracts.
If the steps above are taken, commercial space providers will be better positioned to defend against the onslaught of government, government-sponsored, and independent cyberattacks. Moreover, as communal awareness about and expectations for cybersecurity increase, the space ecosystem as a whole will be less vulnerable.
About the authors
Megan Moloney is an Associate Director with the Defense and Security Segment at Guidehouse, a leading global provider of consulting services to the public sector and commercial markets. She has two decades of legal, investigative, intelligence and risk management experience.
Patricia Lukanich is an Army Space Operations Officer and Senior Consultant with Guidehouse who brings more than 15 years of experience and a Master’s Degree in Space Studies.