Focus on Cyber Insecurity of Space Systems

Through my career I have had the opportunity to be a part of or review many U.S. national security space and cyber acquisition programs. In particular, over the past 20 months, I have been lucky enough to participate as part of the Independent Program Assessment team used by the Department of Defense (DoD) as programs approach milestone decisions.

Given the troubles space acquisition has had and the new emphasis by DoD on cyber security, two questions I frequently get asked are: 1) What is the biggest problem with our space acquisition programs, and 2) What is the most important overlap between space and cyber?

The answer to both questions is the same.

Countless programs — I am unable to recall any exceptions over the past 20 months — have inadequately addressed cyber protection of our space systems to the levels necessary for the future. The problem is more cultural than technical and can be fixed with recognition of the threats and acceptance of a suitable approach. The Space and Missile Systems Center, the National Reconnaissance Office and the National Security Agency must immediately come together to develop such an approach.

Protection of our space systems must become a key focus of the cyber defense efforts. At its core, cyber defense is about protection of critical infrastructure. In the cyber community, we focus on the power grids and plants, financial systems, agricultural development, health systems and transportation systems of the country. Our space systems also should be considered and treated as part of the critical infrastructure.

I am not suggesting that space systems are any more or less important, but space systems affect every facet of our daily lives. Those who design, develop and operate space systems must raise the priority level and take their protection seriously.

Cyber vulnerabilities pose the No. 1 counter-space threat to our national capabilities. Many in the space control community are focused on adversaries who would use kinetic kill vehicles as the main tool against U.S. space systems. But why would potential adversaries use a visible, noisy, messy, expensive, politically unacceptable and attributable kinetic option when they could merely enter the links of a satellite electronically without being detected until it was too late? Worldwide reaction to past actions suggests that cyber attacks during operations are acceptable, while blowing up a satellite and creating debris during a test of a kinetic kill vehicle is not. The reality is that unless the U.S. is engaged with a near-peer enemy in full-scale operations, the probability of a kinetic kill vehicle being used is minimal. More likely and of more concern, during the early phases of the campaign, the U.S. would see cyber probing of its space systems, injection of false and anomalous data to decrease confidence in system function, and cyber attacks to reduce or totally eliminate satellite capability.

Skilled acquisition professionals and program engineers should be properly resourced to address cyber vulnerabilities starting at the initial design of space systems. Information systems security engineers should be integrated within and dedicated to each program office to consider national security implications and to design for information assurance at the onset. This practice would tremendously increase protection and avoid costs in the long run.

Unfortunately, rather than starting on day one, program managers often wait until year five to fully and properly consider cyber protection. Even then, the answers they generate are only a half-step because the focus is limited to cryptographic solutions without addressing broader cyber threats.

In this context, expanding the scope of the Program Protection Plan, a critical component of every DoD acquisition program, along with oversight reviews that apply strong scrutiny to cyber, would be an effective step in the right direction. Additionally, programs should put greater emphasis and consideration on development of a secure ground segment. In space acquisition, all too often, interest in the ground segment falls prey to a higher priority placed on the space segment.

Space systems are a part of the nation’s critical infrastructure and should be protected as such. Their capability is most likely to be affected by nefarious cyber activity, but changes to our acquisition programs can be made to address the threat. The key stakeholders in this effort must be the Space and Missile Systems Center, the National Reconnaissance Office and the National Security Agency. Individually, these organizations will not solve the problem. To achieve any lasting success, each of them must accept the reality of the threat, make a significant cultural shift and commit the necessary resources.

Josh Hartman is a principal at the Center for Strategic Space Studies and former director of the Pentagon’s Space and Intelligence Capabilities Office.