CHIRP Security Lessons Pave the Way for Future Partnerships
SAN FRANCISCO — As government and commercial satellite communications networks become more tightly linked than ever before, the task of protecting information becomes increasingly complex. That fact became apparent to U.S. Air Force officials eager to feed information drawn from a sophisticated wide-field-of-view telescope flying as a hosted payload on a commercial communications satellite into secure military networks.
The telescope, known as the Commercially Hosted Infrared Payload (CHIRP), was carried into geosynchronous orbit in September on-2, a commercial satellite built by Orbital Sciences Corp. of Dulles, Va., and operated by Luxembourg-based SES.
“Since we were just on a ride, we did not influence how their information assurance was structured,” said Air Force Lt. Gen. Ellen Pawlikowski, commander of Air Force Space Command’s Space and Missile Systems Center in Los Angeles. “There was good cooperation there but it was a little more challenging than we thought it would be.”
Commercial satellite communications firms and government agencies take extensive precautions to ensure that information traveling throughout the space-based and terrestrial elements of their global communication networks is secure. In addition to warding off hackers, they carefully avoid sources of interference or jamming. However, the two groups have different rules and procedures for structuring their information flow and ensuring security.
Air Force and Defense Department officials are seeking to shed light on those differences and pave the way for even greater government-industry cooperation. “The Department of Homeland Security is leading an interagency effort to assess concerns about protecting information flowing through commercial satellite networks and to develop appropriate mechanisms to deal with these challenges,” a Pentagon official said.
The U.S. military relies on commercial satellites to carry 80 percent of its communications traffic, industry officials said. “I don’t see a future for Defense Department communication without a pretty significant role for commercial satellite communications,” Pawlikowski said.
Often, government agencies limit their most sensitive voice, video and data traffic to their own protected communications networks. In the case of CHIRP, however, Air Force officials wanted to draw wide-field-of-view sensor data off the commercial network and send it into a protected military network. “We want to be able to feed the information that we are getting into some very, very secure capabilities,” Pawlikowski said. “The rules that we have for being able to hook into that [type of network] are different than the way the commercial business has structured their information flow. We had to work through that.”
That experience has heightened interest among Air Force officials in working with commercial satellite companies to improve information security. “We have been engaged with industry in looking at what this [partnership] might look like in the future,” Pawlikowski said in a March 7 interview. “What type of business arrangements could we establish? How could we evolve the information assurance or cyber requirements in working with them?”
Commercial satellite industry executives said they have joined several government-industry forums focused on mission assurance and cybersecurity in recent years. Many of those forums emerged in the wake of the 2009 “Report to the President on Commercial Satellite Communications Mission Assurance” by the National Security Telecommunications Advisory Committee (NSTAC), a group that includes executives from communications, information technology, aerospace and finance companies. That report underscored the need for government agencies to work with satellite communications firms to “share cyber situational awareness” and “institutionalize the time-sensitive processes and procedures to detect, prevent, mitigate, and respond to cyber incidents of national and international consequence.”
The type of information sharing recommended by authors of the NSTAC report has been difficult to achieve, however, due to government security concerns. Government officials, not only in the United States but around the world, have been eager to obtain information from commercial satellite firms concerning information assurance and cyber threats, but have been reluctant to provide information, said Martyn Lewis, group information security leader for mobile satellite services provider Inmarsat of London. When government officials do provide commercial firms with information, it usually is “sanitized beyond levels of usefulness and out of date,” he added.
Nevertheless, Lewis and other industry executives said they still are eager to participate in further efforts to enhance information assurance. Inmarsat is “very interested in working with any current or prospective partner, particularly if both benefit from improved information assurance or increased understanding of mutual requirements and capabilities,” Lewis said in a March 19 email.
James Chambers, engineering vice president for Xtar LLC of Rockville, Md., said the Defense Information Systems Agency (DISA) has taken the lead in working with companies on information assurance. “They have held workshops to address information assurance compliance, but other resources would be helpful,” Chambers said in a March 19 email.
In 2010, DISA and the General Services Administration set up a one-stop shop for government customers seeking satellite services called Future Commercial Satellite Services Acquisition (FCSA). DISA has adopted far more stringent requirements for network reliability, security and availability for companies that participate in FCSA than the agency used for contracts negotiated under the previous program, Defense Satellite Transmission Services-Global, a DISA official said.
The Defense Department’s increasing emphasis on information assurance is necessary given the growing threat adversaries pose to information systems, industry officials said. “Commercial satellite communications are not immune to attacks,” said Tip Osterthaler, a retired Air Force general and president of SES Government Solutions. “SES continues to make investments in this area and is particularly interested in working closely with our government customers to improve mission and information assurance to ensure these critical communications capabilities are secure and less vulnerable.”
For the CHIRP program, the Defense Department set stringent information security requirements. Program officials had to meet Pentagon-approved risk management procedures as part of the Pentagon’s Information Assurance Certification Process. In addition, the Defense Security Service required SES to document rules and procedures to safeguard the CHIRP mission operations center and the CHIRP mission analysis center. The stringent security measures SES followed in the CHIRP program may serve as “an information assurance template” for future hosted payload programs, Osterthaler said in a March 19 email.