Op-ed | SOS Space: Why cybersecurity and supply chain risk management must go hand in hand
There is little doubt that the domains of space and cyber are currently being contested through antagonistic behavior across the globe.
Near-peer adversaries have already strategically prioritized these as preferred domains of action, both in competition and conflict. Cyber-enabled supply chain attacks are increasingly and globally being used as a hybrid warfare tactic to provide advantages. Predictably, they afford adversaries a relatively cost-effective means of engagement, plausible deniability, and avoid the political backlash that inevitably results from lethal action and physical incursion. Considering the emphasis placed on these domains, the U.S. space, defense, and intelligence communities must concentrate efforts to safeguard space assets, preserve strategic and military advantages, and solidify national security and global stability. Cybersecurity and supply chain integrity must become integral and elevated concerns for the space community, as well as space consumers and strategic stakeholders.
In 2007, China shocked the world when it shot down one of its own aging weather satellites in an anti-satellite missile test, bringing the planet’s space community to a stark realization. As of that moment, the space domain could no longer be considered benign, but rather a contested arena. In the time since, the space community witnessed other aggressive behaviors, such as the Russian “inspector” satellites performing maneuvers around U.S.-owned classified assets in 2020. By publicly acknowledging this bad behavior, U.S. Space Force Gen. John Raymond, chief of space operations, broke from the traditional practice of the space community to remain silent in the interest of protecting U.S. capabilities. This transparency is valuable to the broader public, so that the seriousness of the threats is appreciated and adversarial capabilities and interests in this domain are understood.
China puts heavy strategic emphasis on offensive space and counterspace advancements. In 2015, China established a new force within the People’s Liberation Army (PLA) known as the Strategic Support Force, consolidating the PLA’s information operations of space and counterspace, cyber, electromagnetic warfare, and psychological operations to provide military advantage in informationalized conflicts. Similarly, information confrontation is called out in a host of Russian strategic documents, to include the 2015 National Security Policy and the 2016 Conceptual Views on the Activity of the Armed Forces in the Information Space. Russia’s strategy not only includes cyber activity, but also electronic warfare and psychological operations. While space plays a less overt role in Russian information confrontation strategy, the degradation of precision, navigation, and timing capabilities is seen as a critical information weapon. This reflects the view of Russian leadership that space is very much a warfighting domain. In contrast to China, Russia lacks the resources to dedicate to space, requiring focused attention on offensive capabilities against space assets and ground-based space infrastructures. This is where cyber-enabled supply chain attacks emanate.
The space domain is highly susceptible to cyber-enabled supply chain attacks due to uniqueness, longevity, and commercialization of the space supply chain. The U.S. relies on both allied and competitive nations for critical rare earth materials, presenting vulnerability in supply chain tracing and continuity. Similarly, many space assets orbiting today were designed and built years — if not decades — ago; not all the legacy components were designed to account for today’s technologies and threats. Lastly, the rapid commercialization of space has expanded the threat attack surface. Private industry and commercial-off-the-shelf products are increasingly employed to satisfy requirements because they make fiscal and strategic sense. Industry innovates and produces more quickly and at lower cost than government. Given current resource constraints, the leanness of the new U.S. Space Force, and the push for agility and rapid acquisition, commercial reliance is likely to increase. The proliferation of vendors providing data, software, hardware, and services in this environment presents an array of opportunities to adversaries with cascading effects, which punctuates the importance of immediately elevating cyber hygiene and supply chain risk management (SCRM).
To protect U.S. interests in space, a paradigm shift must occur that not only embraces cybersecurity and supply chain risk management, but also highlights them as critical to mission.
First, cybersecurity and supply chain risk management must be fully integrated — not only in design, building, and operation of space assets and programs, but also with each other. This can be accomplished through a combination of means:
- Deliberate consideration of cybersecurity and supply chain threats in strategy development and implementation;
- Evaluation and reconsideration of organizational structures;
- Incorporation of cyber and supply chain integrity priorities in measures of effectiveness and performance; maturation of enterprise risk management functions and processes;
- Accelerated development of information-sharing mechanisms.
Exercising some combination of these actions will reframe the role of cybersecurity and supply chain risk management as integral parts of the mission.
Second, the U.S. must pursue resiliency like the future depends upon it. Resiliency can take several forms: technical, mission-oriented, or organizational. Diversification of raw materials and vendors, redundancy of space components and assets (e.g., microsatellites), and rapid acquisition and advancement of Class B, C, and D satellites with shorter life spans, all support a stronger resiliency posture. But it is also about organizational culture. The space community must eschew the risk-averse and protective insulation of the past for an approach that embraces the value of failure, meaningfully engages partners, and critically leans into risk. In that regard, the fact that the space community is currently undergoing a significant period of transition presents an opportunity. As new organizations, business processes, and international norms are established, it is an ideal time to drive meaningful change management, pushing the community to embrace both resiliency and risk. Moreover, it presents the chance to try new things, for example identifying a resiliency officer for major programs or even possibly creating a position for a chief resiliency officer within the top echelon of the organization.
Third, the space community must build and grow enterprise-wide supply chain risk management programs. Traditional focus on major acquisitions must shift to all mission-critical acquisitions, including software and data. Examination of first-tier vendors no longer suffices; illumination of the entire supply chain must be contractually required and verified. Similarly, supply chain integrity must be a priority throughout the life cycle of any mission-critical acquisition, not just pre-award. (It should be noted AI and machine learning have much to offer in the way of continuous monitoring). Although significant strides have been made in the past few years to stand up and resource several enterprise-wide programs, there is external pressure to mature rapidly from the Consolidated Intelligence Guidelines and Federal Information Security Modernization Act. Moreover, as the workforce becomes familiar with these programs, the operational demand will increase. Accordingly, budgetary prioritization and right-sizing programs for the future should be key goals for senior leadership.
Lastly, collaboration is paramount. Organizational boundaries and narrow programmatic channels cause fragmentation across the space community. Although likely developed from a desire to protect sensitive governmental information, these organizational boundaries have calcified detrimentally, providing modern adversaries with exploitable seams. To break free of that mold and share timely threat intelligence and best practices to advance our collective defense, the space community must emphasize purposeful collaboration. Investing in intragovernmental and public-private technologies, offering cross-agency joint duty assignments dedicated to cybersecurity and supply chain integrity, standardizing taxonomies, and clarifying roles and responsibilities, would greatly improve visibility into and understanding of vulnerabilities and threats, reduce the national security cost of messy information handoffs, and build meaningful stakeholder engagement. One example of this could be a National Supply Chain Intelligence Center, as called for by the Homeland Security Advisory Council, the Cyberspace Solarium Commission, and the MITRE Corporation. Regardless of the mechanism, meaningful and organized collaboration is urgently required to close exploitable seams and drive much-needed information-sharing.
Integrated cybersecurity and supply chain integrity are essential to maintain U.S. dominance in space. Our adversaries are keenly aware of and will continue to exploit existing weaknesses. Cyber-enabled supply chain attacks on space assets are part of their strategy to gain economic, military, and strategic advantage in the future. To meet the breadth and speed of that threat, government and commercial space entities must act quickly to integrate and elevate cybersecurity and supply chain risk management into space strategy, design, construction, and operation; prioritize resiliency; mature supply chain risk management programs; and collaborate with intention.
Dan Lewis, Megan Moloney and Nicole Ussery are national security experts with Guidehouse a leading global consultancy. Leveraging deep and diverse experience in the public and private sectors, their teams address hard problem sets across the DoD and intelligence community with a focus on tranformational change, cybersecurity, business resiliency, and technology-driven innovation.
This article originally appeared in the November 2021 issue of SpaceNews magazine.