Cybersecurity Threats in Space: A Roadmap for Future Policy

The MUOS 2 satellite launches from Cape Canaveral

Much of the world’s critical infrastructure is heavily dependent on space, specifically space-based assets, for its daily functioning. Essential systems -- such as communications, air transport, maritime trade, financial services, weather monitoring and defense -- all rely heavily on space infrastructure, including satellites, ground stations and data links at the national, regional and international level. This dependence poses a serious, and yet frequently underrecognized, security dilemma -- especially cyber threats -- for critical infrastructure providers and policymakers alike.

Like any other increasingly digitized critical infrastructure, satellites and other space-based assets are vulnerable to cyberattacks. These cyber vulnerabilities pose serious risks not just for space-based assets themselves but also for ground-based critical infrastructure. If not contained, these threats could interfere with global economic development and, by extension, international security. What's more, these concerns are no longer merely hypothetical. Within the past decade, more countries and private actors have acquired and employed counter-space capabilities in novel applications, which now pose a greater existential threat to critical space assets. 

This week, the Wilson Center’s Science and Technology Innovation Program hosted an event, Seeking Strategic Advantage: How Geopolitical Competition and Cooperation are Playing Out in Space, with the Aerospace Corporation to assess geopolitical competition and cooperation in space. Preventing and managing cybersecurity threats was obviously part of the conversation, and a timely one as October is National Cybersecurity Month. Here’s a snapshot of cyber threats in space as well as the reasons why certain systems are vulnerable, stemming from a larger research project probing cybersecurity concerns in space.

Why are space systems vulnerable?

Many space systems are old, created before cybersecurity became a top policy priority. They have vulnerabilities like hardcoded credentials — used by ships, planes and the military — making access by sophisticated actors fairly easy.

We are witnessing a transformation of spaceflight from a public endeavor to a commercial industry. As more commercial actors can access space through commercial providers, they can provide a variety of services in space increasing the scope and scale of activity in this domain. The successful completion of NASA’s SpaceX Demo-2 mission on August 2, 2020 made history by proving that space exploration is no longer a domain confined to the government agencies of wealthy space-faring nations and their academic affiliates. Not only will NASA no longer have to rely exclusively on Russia’s Roscosmos to transport its astronauts to the International Space Station (ISS) — saving more than $30 million per astronaut per trip — but SpaceX’s Crew Dragon spacecraft will become the first certified commercial launch vehicle for operational human space transport. Today, modern technology is enabling states, international organizations, corporations and individuals alike to harness space capabilities when, just a decade ago, such a triumph was unthinkable. But this transformation of spaceflight from a public endeavor to a commercial industry raises questions about how to regulate the activities of private entities in space. 

And more means more: the attack surface is becoming exponentially larger as more spacecraft connect with ground-based assets and users. But absent implementation of cybersecurity best practices by all companies operating in space, this poses a risk.

What are the vulnerabilities?

Vulnerabilities to space systems and infrastructure vary across a range of potential attack surfaces. As the Aerospace Corporation explains in a recent paper, there are four main segments of space infrastructure that need to be hardened against cyber attack. Spacecraft could be vulnerable to command intrusions (giving bad instructions to destroy or manipulate basic controls), payload control and denial of service (sending too much traffic to overload systems). Malware could be used to infect systems on the ground (like satellite control centers) and for users, and links between the two and spacecraft could be spoofed (disguising communication from an untrusted source as a trusted one) or suffer from replay (interrupting or delaying communication by malicious actors). 

On an individual level, it might be easy to dismiss the dangers posed by vulnerabilities to space assets located hundreds or even thousands of miles away. But as Brian Weeden, Director of Program Planning at the Secure World Foundation, reminded us at the recent event, our inability to deter such interference could have large-scale and catastrophic effects. For instance, take GPS, a technology whose precision is often taken for granted. All it takes is the production of a relatively inexpensive spoofer, and an attacker is able to command and control the uplink signal to a satellite. If the downlink from a satellite is spoofed, false data can be injected into a target’s communications systems, fooling the receiver — GPS — into calculating an incorrect position.

In the near-term, these kinds of attacks will likely remain posed by nation state actors but as more communications capabilities come online via space, the group of actors could expand to well-resourced non-state actors (e.g. criminal groups) seeking financial gain.

How should policymakers address them?

Rep. Kendra Horn (OK-5) said in this week’s event that "...it's finding that proper balance of mitigating risk with knowing what is acceptable risk. I think that's where we are in an unknown territory because we both have a great deal of experience and also we're doing things or approaching things for the first time."  Policymakers need not look far to estimate the evolution of cyber threats against space assets. 

The multi-decade history of ground-based critical infrastructure protection against cyber attack will be useful and the Space ISAC — or Information Sharing and Analysis Center — is part of that network (created because of nation state reconnaissance hacking) sharing data and lessons learned. Empowering this ISAC will be critical; so will standard-setting. Mitigating today’s threat landscape, both in space and cyberspace, will require understanding the challenges and difficulties that are coupled with the rapid pace of commercial innovation and advancement, such as modern communications infrastructure and broadband — which are separate and different from the challenges represented by human spaceflight, as Congresswoman Horn said.

There are a number of space cybersecurity standards and a few regulations that already exist, including the Committee on National Security Systems' information assurance standards for commercial satellites that carry classified or otherwise sensitive data and the National Oceanic and Atmospheric Administration manages licensing for commercial remote sensing satellite systems, which includes information assurance requirements. Just last month, the Trump Administration released Space Policy Directive 5 to offer the US Government's comprehensive cybersecurity policy principles for space. While it mandates nothing, establishing guidelines is an important step forward. But there needs to be a framework extended to all four segments identified by the Aerospace Corporation.

Given what we have already observed with government regulation of existing critical infrastructures, regulatory action will similarly be slow to move to enable effective responses to space-based cyberthreats. We must look beyond historic strategies of deterrence and come up with creative and innovative threat solutions. This will require a regulatory approach which prioritizes industry led and directed standards — especially in terms of collaborating across sectors, sharing information, and assessing what is acceptable versus non negotiable risk. Further, international cooperation and partnership with both traditional and non-traditional allies — including states and international space supply chain stakeholders — to create sustainable norm frameworks will be crucial to mitigating risk in the long-term. American, and global, essential systems depend on it.

 

Science and Technology Innovation Program

The Science and Technology Innovation Program (STIP) serves as the bridge between technologists, policymakers, industry, and global stakeholders.   Read more

Science and Technology Innovation Program

Digital Futures Project

Less and less of life, war and business takes place offline. More and more, policy is transacted in a space poorly understood by traditional legal and political authorities. The Digital Futures Project is a map to constraints and opportunities generated by the innovations around the corner - a resource for policymakers navigating a world they didn’t build.   Read more

Digital Futures Project