Op-ed | Space system cybersecurity: Challenges ahead translating policy to practice

A recent White House memo on Space Policy Directive-5 is a step right direction, but we have a long road ahead.
SpaceNews/Adobe Spark

While in residence at Harvard University’s Belfer Center, I published a policy white paper  in 2018 called “Job One for Space Force: Space Asset Cybersecurity.” After receiving some positive feedback inside the Beltway, I followed up with an academic version of the paper that provides succinct principles that should be followed by organizations launching assets into space. This paper was called “Cybersecurity Principles for Space Systems” and was published in the Journal of Aerospace Information Systems in December 2018. In case I still did not reach the right audience, I published an OpEd with The Washington Post in May 2019 while I was at Stanford in response to the first Starlink satellite launch called “Our satellites are prime targets for a cyberattack. And things could get worse.” 

Thankfully, our government took action.

On Sept. 4, the White House released their Cybersecurity Principles for Space Systems (curiously, the same title as my paper) as part of Space Policy Directive 5. Each of the suggested principles seems to draw from my previous work and that of a collection of colleagues. The principles of SPD-5 are grounded in science and evidence, which is reassuring especially given the rapid pace of expansion of the U.S. space program. I wanted to mark this as an important milestone in our country’s evolving efforts for space dominance, but also caveat this achievement with how we are not quite done yet.

Issuing a policy with space system security guidance is absolutely critical, but stops short of requiring anything of the private sector. This poses a considerable risk to our nation’s national security interests. Having advised smallsat and “NewSpace” companies about cybersecurity, I see firsthand some of the challenges the emergent space economy is going to have protecting their intellectual property and business interests. I know that there are increasingly robust efforts to secure space systems on behalf of military and government-sponsored organizations. I have seen the important work being done in mission system security by organizations such as NASA’s Jet Propulsion Laboratory and the U.S. Army Space and Missile Defense Command. However, the private sector needs help. Badly.

Given the reduced launch costs for small satellites enabled by improved technology and the privatization of the sector, many companies are implementing a range of use cases for space systems ranging from typical positioning, navigation and timing (PNT) to local surveillance solutions or even art projects. There are hundreds of such projects in the works, not to mention the armies of Starlink satellites that SpaceX is launching. Some of these satellites will have vast arrays of sensors that allow for data collection and retrieval while others will have features such as propulsion. While some efforts to accelerate the space industry such as Maine’s SpacePort Complex have security front-of-mind, others are not so forward thinking. 

Satellites, even small ones, are not toys.  

They often contain sophisticated technology or collect data that our adversaries will be highly interested in. There will ultimately be so many satellites launched in space that we will have an even worse collision-avoidance issue than is currently presented. A Starlink satellite had a close call with a European Space Agency (ESA) spacecraft last year. My lab at Johns Hopkins University along with collaborators at the Applied Physics Laboratory and UT-Austin were recently selected to participate in the Space Force and Air Force Research Lab’s Hyperspace Challenge, where startups and universities were called upon to help figure out how to help avoid collisions and hazards in space. Now, let’s not only consider the day when we have thousands of satellites hurtling through low Earth orbit that could hit critical infrastructure-reliant assets in space, but imagine a cyber-compromised satellite that cannot be controlled on a trajectory to hit a military system. Cyberattacks on satellites are not science fiction and we are not far from a future where adversaries are launching cyberattacks from satellites and causing debilitating damage, as I discuss in my paper, “When Satellites Attack: Satellite-to-Satellite Cyber Attack, Defense and Resilience.”

There needs to be some basic considerations in place for cybersecurity, just as there are for safety and reliability for space systems. The U.S. government should establish cyber readiness requirements for launch of private assets. Toward this, the National Institute of Standards and Technology (NIST) has a draft out for comment for their Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services. The profile applies the gold standard NIST Cybersecurity Framework to PNT — and does a nice job of it. Such guidance needs to be made into regulation — the same way that the National Energy Regulatory Commission (NERC) took the NIST framework and developed NERC’s Critical Infrastructure Protection (CIP) requirements. NERC CIP is needed for space systems.

How can we move forward? As I argued early on in “Job One for Space Force: Space Asset Cybersecurity,” space systems should be deemed critical infrastructure. While this designation does not magically solve anything, certain protections and requirements could more easily be applied to critical infrastructure assets. This idea has been picked up by the current administration and the decision seems to be in Acting Homeland Security Secretary Chad Wolf’s hands. 

Regardless whether space systems are designated critical infrastructure (although I do hope they are), there are low- or no-cost requirements the government can begin to place on space systems. Perhaps it is as simple as requiring cyber insurance for these assets. Other requirements may be to refine or repurpose existing monitoring systems to not only check for functional health of satellites, but their cyber health by monitoring communications or CPU cycles that could be indicative of an attack.  

Ultimately, SPD-5 is the start of something big. However, the hard work has just begun. We cannot afford to have hundreds of private sector satellites floating around that cannot be easily updated for security without the risk of bricking or losing the system. Further, we cannot risk these small satellites hurting space systems that enable terrestrial critical infrastructure. I commend the White House for taking an important first step. Now comes the hard work for industry to follow through with this guidance. 

Gregory Falco is an assistant research Professor at Johns Hopkins University’s Civil & Systems Engineering Department where his research is on space system cybersecurity and critical infrastructure. He is also a postdoctoral scholar at Stanford University’s Cyber Policy Center, a Cyber Research Fellow at Harvard’s Belfer Center and a Research Affiliate at MIT CSAIL.