White House issues cybersecurity space policy
WASHINGTON — The White House released a new space policy directive Sept. 4 intended to improve cybersecurity of space systems.
Space Policy Directive (SPD) 5 is billed as the first comprehensive government policy related to cybersecurity for satellites and related systems, and outlines a set of best practices, but not firm requirements, that agencies and companies should follow to protect space systems from hacking and other cyber threats.
“What this SPD does is establish key cybersecurity principles to guide and serve as a foundation for the U.S. approach for cyber protection of space systems,” a senior administration official, speaking on background, said of the new policy.
The principles outlined in the policy are intended to be best practices that, in many cases, are already widely adopted. They include the use of authentication and encryption in command and control links to and from satellites, protection against jamming and spoofing of communications, and protection of ground systems and information processing systems.
The principles include use of “appropriate cybersecurity hygiene practices” and intrusion detection systems for all aspects of space system architectures. It also calls for managing supply chain risks in the form of hardware incorporated into a space system that could be compromised.
“Implementation of these principles, through rules, regulations, and guidance, should enhance space system cybersecurity, including through the consideration and adoption, where appropriate, of cybersecurity best practices and norms of behavior,” the policy states.
However, the official said there were no plans to direct agencies to codify these principles into regulations, such as in licensing requirements for commercial launches and satellites. “We’re very much trying not to be prescriptive,” the official said, citing evolving practices by both agencies and companies. “There’s a lot of motivation for companies to try to be cybersecure on their own.” The official added, though, that companies that don’t appear to be following the principles should expect to be asked why they are not doing so.
SPD-5 is part of a broader national cybersecurity initiative that includes a National Cyber Strategy published in September 2018 as well as the National Security Strategy of 2017. Space systems received special attention through this new directive because, although not itself considered a critical infrastructure, space does support many other terrestrial critical infrastructures.
“This directive builds upon those other actions,” said another senior administration official on background of SPD-5. “It’s another brick in the wall as we’re trying to build up our defenses to secure our nation in cybersecurity.”
One example of that space cybersecurity effort is the creation last year of the Space Information Sharing and Analysis Center (ISAC), an organization to exchange information on space-related cybersecurity threats. The Space ISAC is part of a broader group of similar organizations that focus on cybersecurity within a range of industries.
SPD-5 specifically endorses the Space ISAC. “They should also share threat, warning, and incident information within the space industry, using venues such as Information Sharing and Analysis Centers to the greatest extent possible, consistent with applicable law,” it says of satellite owners and operators.
Officials said other agencies will have roles in a space cybersecurity effort, including the Department of Homeland Security (DHS) and the National Institute of Standards and Technology. The Cybersecurity and Infrastructure Security Agency within DHS is establishing a cross-sector working group to enhance coordination among various industry sectors that use space. The officials said they see SPD-5 as a means of formally establishing and accelerating such coordination.
SPD-5 follows four other space policy directives issued by the Trump administration. SPD-1 in December 2017 directed NASA to return humans to the moon sustainably with commercial and international partners. SPD-2, in May 2018, outlined a range of regulatory reforms for commercial space activities. SPD-3, in June 2018, addressed space traffic management. SPD-4, in February 2019, called for the establishment of a Space Force.