Threats of Cyberattack Loom as Space Assets Not ‘Critical Infrastructure’

WASHINGTON — Despite our reliance on space technology for things like communication, transportation, food, and health care — not to mention national security — our national space assets aren’t officially designated as critical infrastructure.

Humanity is already dependent on space, but neglecting to protect space technology is putting us in a precarious position, as the increasingly digitized infrastructure we use daily is vulnerable to nefarious actors that could strike with kinetic or cyberattacks.

“Our national security and economy… are dependent on space to a degree that most people just don’t fully appreciate,” Jamie Morin, executive director of the Center for Space Policy and Strategy at the Aerospace Corporation recently told the non-profit Wilson Center.

“Space is really fully integrated into society, and it’s becoming more so every day. If you’ve even moderately been following the news… it’s clear that cyberattacks are using increasing sophistication and having a wider impact than ever before.”

Cyberattacks are a threat to space systems especially due to the low costs and low barriers to entry as we move toward a more commercialized space frontier. And these types of attacks are harder to rapidly attribute, are open to a greater number of bad actors, and have the potential to strike multiple targets simultaneously.

But despite the unique threats that could result from a cyberattack on space assets, which range from ordinary day-to-day life disruptions to complete mission failure in our space programs, America’s space technology is not deemed critical, and there is no legal definition of a cyberattack for American military purposes.

“We’ve got a lot riding on our space system and it would really behoove us to take that seriously,” said Erin Miller, executive director of Space ISAC, the only all-threats security information source for the public and private space sector.

There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on America. While space systems play a part in the larger picture of almost every sector, they do not automatically trigger any type of regulation or have a dedicated risk management agency, as these other critical sectors do.

“Space ISAC has a watch center that will open next year for near real-time sharing,” Miller said, but lower barriers to entry to get into the space market — like commercial space tourism flights — and the increasing dependency of commercial companies on space technologies, has her beseeching the government and private industry to come together to collaborate on standards.

“What the government can do is designate space systems as critical infrastructure,” Miller said. But while that designation awaits, she is pushing for solid guidance for the protection of space systems.

“We need to empower them, those spaces and critical infrastructure owners and operators, and give them the information they need. The information needs to start flowing, and that is one of the byproducts of the designation as critical infrastructure… designing security into space assets and starting to anticipate space attacks.”

“So, just think about a commercial company who spends, you know $100 million, launching a satellite for whatever, and then they lose the ability to command it because some adversary hacked into the ground system and sold the encryption keys,” Brandon Bailey, Cybersecurity senior project leader at The Aerospace Corporation said.

“SolarWinds opens your eyes to [the] likelihood that this could affect me,” Prashant Doshi, associate principal director of the Cyber Security Subdivision at The Aerospace Corporation said. “The government [also] has to adapt to be security-minded when it comes to purchasing and designing their assets.”

While the simple solution might seem to be adopting those terrestrial applications, or the safety measures we take for earth-bound technology and applying them to spacecraft. But unfortunately, it’s just not that easy. Satellites, for example, come in all shapes and sizes. They have a limited amount of hardware, memory, and storage capacity on board. And then there’s the problem of the legacy systems that were launched decades ago, yet are still essential to modern operations and can’t be updated.

“We need to ensure we have different defenses at multiple layers,” Bailey insisted, suggesting that redundancy in defenses could help at the obvious entry points, though “no defense is impenetrable, especially when you have potential for insider threat.”

In the end, the best defense is going to be a strong offense, taking a proactive instead of a reactive posture toward threats.

Said Doshi, “If we don’t really come together as a community and really start thinking about that and get ahead of this problem, we’re going to run into a problem because we’re so dependent on space systems.”