The U.S. Cyberspace Solarium Commission (CSC) wants to create a sense of urgency around the cybersecurity issues plaguing space-based systems by designating these systems as an official U.S. critical infrastructure sector.
Space systems - which consist of components from the ground up to satellites in orbit, including sensors, signals, data and more - underpin critical military operations, have surveillance and intelligence applications and permeate many important sectors. Concerns about the cybersecurity of these systems have been discussed for years, with researchers in 2014 raising the alarm on the ability to reverse engineer firmware for a number of satellite terminals, for instance. These concerns came to a head last year after the cyberattack by Russian hackers on the Viasat satellite network before the invasion of Ukraine.
The CSC, created by Congress to make recommendations for how the U.S. should approach its cybersecurity strategy, in a report released Friday said space systems need the attention and resources that come with the critical infrastructure label, which has been applied so far to 16 other sectors. These include the energy, water and transportation sectors, which have been designated as “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
“We need to strengthen the space system, name it a U.S. national critical infrastructure, and in doing so we would close the current gaps and signal to both home and abroad that the United States is committed to the security and resilience of its space systems,” said Mark Montgomery, with the Foundation for Defense of Democracies (FDD), during a Friday event by the McCrary Institute that occurred in conjunction with the release of the report.
“The cybersecurity threat isn’t just disruption... What happens if the information coming down has been corrupted in some way?"
Space systems face a multitude of security challenges. Satellites have been built for longevity rather than security, leveraging old software that may be difficult or impossible to update and relying on on legacy systems and protocols. Communication between satellites and stations often occurs over unencrypted networks. The fact that space systems include technologies in orbit adds further complication, as they are more difficult to repair or replace. And much of the infrastructure for space systems owned by the U.S. is actually abroad, muddling risk management.
“The cybersecurity threat isn’t just disruption,” said Mike Rogers, former congressman and chair of the U.S. House Permanent Select Committee on Intelligence. “What happens if the information coming down has been corrupted in some way? So your positioning system has you in one place, and the folks who are making the battlefield decisions or sea-born decisions are getting information that’s getting that battlefield, or that ship, in a very different place, because [attackers] have been able to disrupt the information flow and insert packets that lead to bad decisions on both sea and land? It’s a real possibility unfortunately.”
The public sector has made some efforts to improve the security of space systems, including the introduction of the Satellite Cybersecurity Act in 2022 that would direct CISA to create voluntary recommendations for securing these systems and the Space Infrastructure Act in 2021 that aims at designating space systems as critical infrastructure. In 2021, CISA also developed a working group that brought together government and industry experts to create recommendations for best managing space system risks.
“This challenge should not be underestimated, but it is not insurmountable if the case is made strongly, the imperative is clear, and a workable action plan is offered."
CSC says a critical infrastructure designation would fast-track these efforts by giving space systems a tangible sector risk management agency (with NASA being the recommendation) to lead the charge on cybersecurity matters. The CSC also suggested Congress dole out $15 million annually in funding for the agency.
However, similar to other critical infrastructure sectors, significant private investment and public-private partnership is also needed, the report said. Sue Gordon, former principal deputy director of National Intelligence, said that because the space system threat surface now does extend across the private sector, it’s important to find a balance between cybersecurity measures that don’t slow down industry innovation efforts.
“What’s interesting about this moment is that it’s a very busy space, its benefit has been recognized, technology advantage has really been diminished… the control of it extends beyond government control and so the security of it, which is disproportionately important to free and open societies, has to be shared between the private sector and the U.S.,” said Gordon.
Challenges remain in actually securing a critical infrastructure designation for space systems, and upon interviewing more than 30 industry and government officials the CSC found that opinions also varied on how to best support critical space systems.
“This challenge should not be underestimated, but it is not insurmountable if the case is made strongly, the imperative is clear, and a workable action plan is offered,” according to the report. “No other option holds greater potential for enhancing U.S. resilience and cybersecurity and kick-starting a whole-of-nation effort to support and advance continued U.S. leadership in the space domain — and the multitude of endeavors dependent upon it.”