The Ungoverned Space of US Space-Cyber Governance

January 29, 2023
12

The Ungoverned Space of US Space-Cyber Governance

Gregory Falco

This essay is part of Cybersecurity and Outer Space, an essay series that explores space governance through three themes: space security and risk, international governance challenges, and global perspectives and the pursuit of inclusivity.

Infrastructure in the United States is in dire need of a refresh. President Joe Biden’s 2021 Bipartisan Infrastructure Law aims to address some of the mounting infrastructure concerns (The White House, n.d.). Infrastructure improvements proposed by this bill include digitization of aged assets and capitalization on new digitally enabled technologies such as electric vehicles. More recently, the 2022 Inflation Reduction Act,1 which many have called a “climate bill,” aims to similarly improve the outlook of American infrastructure by offering incentives to a variety of stakeholders to invest in sustainable alternatives to the infrastructural status quo.

Both bills fail to explicitly account for the cybersecurity of space systems.

This may sound like a non sequitur; however, sustainable infrastructural improvements rely on space assets for everything from communications to positioning, navigation and timing. In fact, the US Department of Homeland Security has 16 designated critical infrastructure sectors. Each one of these is in some capacity reliant on space systems.

Over recent decades, the growth in prominence of satellite infrastructure has increased the likelihood of and vulnerability to cyberattacks. Despite this, there are no explicit US policies that devote resources to support the cybersecurity posture of space systems.

A History of Cyberattacks on US Aerospace Systems

US cybersecurity of space systems is not a new problem, as Gregory Falco, Arun Viswanathan and Andrew Santangelo (2021) have discussed. With the growth of the space sector and attention to the criticality of satellites for societal function, cyberattacks against space systems have also increased. Attackers target assets across the various operations of space systems, including ground control stations, communications signals and satellites themselves. Some cyberattacks go unnoticed or are miscategorized as software bugs or mechanical failures because space system operators historically were not explicitly monitoring for such attacks. Similarly, faults in space systems could be attributed to cyberattacks when they were instead caused by other means. A case that illustrates the ambiguity of failure attribution for space vehicles is an event that affected the Röntgensatellit (ROSAT) X-ray satellite in 1998 (Wess 2021). After a documented cyberattack at the National Aeronautical and Space Administration (NASA) Goddard Space Flight Center, the US-German satellite directed its solar panels toward the sun, in an apparent malfunction, which destroyed the sensors and caused the power system to fail, incapacitating the satellite. While ROSAT was controlled by the German Space Operations Center, the source code had been stored at NASA Goddard, which makes the timing and nature of the failure highly suspicious. This case epitomizes how attacks against space systems could easily be mistaken for naturally occurring failures, or vice versa — an appealing ambiguity for would-be attackers. While the nature of ROSAT’s demise remains contested, more recent publicly discussed cases confirm the cyber challenge space systems face.

Ground Station Attacks

Ground stations are highly accessible to attackers given that many of their operations are connected to the internet. In addition to the attack against NASA’s Goddard Space Flight Center, there have been several more recent intrusions to other NASA centres, which act as ground stations. A notable intrusion was in April 2018 at NASA’s Jet Propulsion Laboratory (JPL). The attacker accessed JPL’s network via an unauthorized and unsecured Raspberry Pi, an inexpensive compact personal computer (NASA Office of Inspector General 2019). The JPL network was not segmented, which allowed the attacker to move laterally across the JPL network and access and retrieve sensitive mission system data. The direct impacts an adversary may have had beyond stealing data is not clear, but as a precautionary measure, NASA’s Johnson Space Center disconnected their mission systems from JPL’s network gateway from May 2018 until November 2018.

Communication Signal Attacks

Communication channels between ground stations and space vehicles regularly experience disruption due to jamming and spoofing attacks. Most commonly, communication segment attacks are described in relation to global navigation satellite systems (GNSS). GNSS signals are easily interfered with due to their low-power operations, which enable a range of actors to use commercially available devices to disrupt signals. Radio frequency interference (RFI) can result in the inability to receive a signal (jamming) and is a functional denial of service (DoS) attack. For example, RFI could be caused by an amateur radio enthusiast broadcasting content over the wrong channel, or a malicious operator turning on a jamming device purchased online.

Military operators dependent on satellite communications have expressed concern about the ease and accessibility of both jamming and spoofing attacks.

Spoofing attacks are among the more problematic disruptions to communication channels. Spoofing will cause operators to see a sensor value, which is not representative of the actual state. An attacker can manipulate the signal, causing users to see fake data where they would have no means for knowing that the integrity of the signal was compromised. In 2011, the RQ-170 Sentinel US surveillance drone was landed and captured in Iranian territory using a spoofing attack (Keller 2016). The GPS signal engaged for drone navigation was tricked into landing unharmed by Iranian operatives. Commercially available software-defined radios such as the HackRF One have made spoofing attacks simple enough for script kiddies to execute. (Script kiddies are individuals who use malware they find online or buy and deploy it against their intended target. Usually script kiddies are not skilled in malware development.) Military operators dependent on satellite communications have expressed concern about the ease and accessibility of both jamming and spoofing attacks. While communication channel attacks have been widely discussed in academic literature since 2000, anti-jamming GPS technology, named M-Code, only became operational in late 2020.

Space Vehicle Attacks

Cyberattacks can also target space vehicles. Public disclosure of satellite cyberattacks is rare, and when disclosed, attack reports are often shrouded in ambiguity (such as with ROSAT) or lack sufficient detail for further analysis. For example, the 2011 Report to Congress of the U.S.-China Economic and Security Review Commission (U.S.-China Economic and Security Review Commission 2011) offered a glimpse into a cyberattack on a space vehicle in 2008. The report describes attacks against the Terra Earth observation satellite on June 20 and again on October 22, where the attacker achieved all steps to command and control (C2) the satellite for at least two and nine minutes, respectively. China was identified as the threat actor, given that the attack techniques were consistent with explicit Chinese military writings on the topic. As opportunities grow for threat actors to engage with space vehicles through direct communications or the supply chain, it is conceivable that space vehicle attacks will become increasingly common.

Recent Space System Attacks in the Russia-Ukraine Conflict

Most recently, a Russian hack on satellite communications provider Viasat on February 24, 2022, with the aim of compromising Ukrainian communications engaged for tactical military command, left its KA-SAT network inoperable. The attack had significant consequences on Viasat’s terminals — compromising internet users — but also had broader implications on civilian infrastructure. The attack left 5,800 wind turbines in Germany without remote C2 (Boschetti, Gordon and Falco 2022). Hacks to commercial and civilian satellite infrastructure have emerged as a new domain for geopolitical gain.

The Current State of the US Space-Cyber Effort

Despite the body of attacks described, little has been done to introduce cybersecurity protections in policy for US space assets. The only such guidance includes the executive order that launched Space Policy Directive-5,2 also referred to as Cybersecurity Principles for Space Systems, which draws on research such as “Cybersecurity Principles for Space Systems” (Falco 2019) and “Defending Spacecraft in the Cyber Domain” (The Aerospace Corporation 2019), acknowledges concerns for space system cybersecurity, and proposes generic guidance to those developing space infrastructure. Additionally, several US-based government working groups have been established to advise policy makers and industry about space infrastructure cybersecurity. For example, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (2021) has a Space Systems Critical Infrastructure Working Group. This group consists of government and industry members who help to identify and develop strategies to minimize risks to space systems supporting critical infrastructure. Most discussions by this group concern space cybersecurity. Despite the emergence of such government-led working groups, no further policy outside of Space Policy Directive-5 has been crafted on the critical matter of space cybersecurity.

In addition to government initiatives, the Space Information Sharing and Analysis Center (Space ISAC) has been established to advance industry dialogue and information sharing related to space security. A relatively young organization (founded in 2019), the Space ISAC is already making strides setting up a threat “watch centre” in Colorado Springs, Colorado, and facilitating conversations between industry and government agencies. While there is great potential, the Space ISAC is limited by its membership base, which is entirely represented by Western companies. Further, the Space ISAC explicitly cannot engage with certain countries due to its relationship with the US government, which presents significant barriers to necessary global collaboration.

Beyond policy, the United States has also made a point to heighten its protection of space assets through the designation of the US Space Force (USSF). While cyber capabilities are pervasive across USSF mission operations, the USSF’s cyber centre-of-mass is Space Delta 6, also called Cyber Delta, a functional component of the USSF (Prince 2020). Established July 24, 2020, Cyber Delta has two primary mission objectives: “provide continuous space access and availability through the Satellite Control Network” (ibid.) and “protect the integrity and security of all space-based mission systems and assets” (ibid.). Cyber Delta does not generally engage with the commercial space sector unless a commercial entity is engaging as a defence contractor.

While USSF cybersecurity efforts rarely intersect with national space policy, the increasingly dual-use nature of space systems for commercial and defence customers has compelled the US space industry to consider the cybersecurity implications of their designs and operations. Defence sector market demand for space assets with requisite security parameters may ultimately improve the general cyber posture of commercial space assets; however, such cybersecurity requirements are not widely known or universally requested across defence customers, leading to meagre impact.

Complicating current governance issues, space infrastructure and technologies that were once state monopolies are now increasingly being developed by private companies.

Global Space Security Governance Challenges

The inaction of the United States to issue explicit policy relating to space cybersecurity is not unique on the global stage and is likely rooted in a broader issue relating to global space governance.

Global regulation of space activities is ambiguous and rudimentary. Although space law and UN space treaties have limited the deployment of weapons of mass destruction in orbit, major powers have continued to develop weapon systems for space since the first Vostok and Mercury spacecrafts.

Complicating current governance issues, space infrastructure and technologies that were once state monopolies are now increasingly being developed by private companies. Services including military remote sensing, the management of space domain awareness systems and the launch of crewed spacecraft are progressively being outsourced to commercial entities. This is problematic because commercial agents may have distinct cybersecurity, intellectual property (IP) and economic market challenges that are not addressed by outdated space governance treaties. Cyber risks for commercial assets could be exacerbated because commercial space entities may have less experience developing robust cybersecurity programs than defence or intelligence agencies. The USSF’s acquisition strategy for Orbital Prime, which has engaged more than 90 early-stage companies to develop on-orbit servicing, assembly and manufacturing capabilities (Erwin 2022), is an example of how less-experienced commercial organizations are engaging in space activity, potentially presenting significant surface area for cyberattack. These organizations are not protected in any way from attacks under existing norms or statutes.

Challenges to Developing Global Space Governance

There are strong regulatory and political headwinds to developing cooperative space efforts with allies and key economic partners in the space industry. Space is considered a strategic sector and is therefore subject to high levels of security. International cooperation and trade are often hampered by very restrictive regulations. For example, in the United States, International Traffic in Arms Regulations sometimes pose insurmountable obstacles to trade and scientific exchange globally, including between allied countries. Similar regulations are currently in place in almost all spacefaring countries, leading to fragmentation in the space community and a lack of international information exchange.

Corporate engagement in the space sector and corporations’ international operations further muddy the water. International laws are poorly defined, and IP theft, both by companies and nation-states, is anecdotally rampant, yielding a free-for-all environment.

Further complicating governance, private companies are not represented in space regulation discussions. Current international space law is state-centric. The private sector is young, and there is no uniform set of rules for commercial activity in space. These issues are further exacerbated in the cyber context where laws, international regulations and norms are still emerging. This leads to risks for both individual companies and for states that purchase their services.

Given the exponential increase in launches and resulting objects in low-Earth orbit and the growth of the commercial space sector, there is a need for international commercial alignment and governance. Since space laws are outdated, they leave many interpretative loopholes that facilitate the justification of military activities and wrongful commercial practices. Moreover, besides the UN Committee on the Peaceful Uses of Outer Space,3 which was founded immediately after the launch of the Soviet satellite Sputnik, there is no international forum for the settlement of space disputes.

The Way Forward for US Space-Cyber

It would be advisable that the United States, rather than issue its own policy on space cybersecurity in a silo, undertake concerted engagement in international dialogue to inform future domestic policy so that constituent guidance aligns with what becomes the “new space” era’s international norms.

US interest in international cooperation relating to space cybersecurity has been expressed in several recent reports from government agencies, for example, the Defense Intelligence Agency’s (2022) Challenges to Security in Space: Space Reliance in an Era of Competition and Expansion and the White House’s Office of Science and Technology Policy’s “In-Space Servicing, Assembly, and Manufacturing National Strategy” (National Science & Technology Council 2022) (both published April 2022).

A recommended action for the United States to commence space cybersecurity international cooperation includes encouraging government agencies to engage in processes to develop a technical cybersecurity standard for space systems as referenced in “An International Technical Standard for Commercial Space System Cybersecurity – A Call to Action” (Falco et al. 2022). Establishing objective technical guidance for space cybersecurity will help to disseminate concerns about political bias and foster a community to begin broader space cybersecurity governance discussions. Further, focusing first on internationally agreed technical cybersecurity guidance specific to commercial systems can reduce concerns by nation-states that others are attempting to limit their defence capabilities through international norms and political pressure.

The uncertain geopolitical climate and increasing reliance on space systems for both commercial and national security purposes necessitate a dialogue with both allies and competitors to establish engagement expectations for cyberspace in space. An international cooperative effort to align on space-cyber governance is critical to maintain a state of space stability that allows for the continued exploration and use of space to advance civil society.

  1. US, Bill HR 5376, Inflation Reduction Act of 2022, 117th Cong, 2022 (enacted), online: <www.congress.gov/bill/117th-congress/house-bill/5376/text>.
  2. Cybersecurity Principles for Space Systems, 85 Fed Reg 176 (2020), online: <www.govinfo.gov/content/pkg/FR-2020-09-10/pdf/2020-20150.pdf>.
  3. See www.unoosa.org/oosa/en/ourwork/copuos/index.html.

Works Cited

Boschetti, Nicolò, Nathaniel G. Gordon and Gregory Falco. 2022. “Space Cybersecurity Lessons Learned from the ViaSat Cyberattack.” ASCEND 2022, October 24–26, Las Vegas, Nevada, and online. https://arc.aiaa.org/doi/10.2514/6.2022-4380.

Cybersecurity & Infrastructure Security Agency. 2021. “CISA Launches a Space Systems Critical Infrastructure Working Group.” Press release, May 13. www.cisa.gov/news/2021/05/13/cisa-launches-space-systems-critical-infrastructure-working-group.

Defense Intelligence Agency. 2022. Challenges to Security in Space: Space Reliance in an Era of Competition and Expansion. Washington, DC: Defense Intelligence Agency. www.dia.mil/Portals/110/Documents/News/Military_Power_Publications/Challenges_Security_Space_2022.pdf.

Erwin, Sandra. 2022. “Space Force selects 125 industry proposals for on-orbit servicing technologies.” SpaceNews, May 2. https://spacenews.com/space-force-selects-125-industry-proposals-for-on-orbit-servicing-technologies/.

Falco, Gregory. 2019. “Cybersecurity Principles for Space Systems.” Journal of Aerospace Information Systems 16 (2): 61–70. https://arc.aiaa.org/doi/10.2514/1.I010693.

Falco, Gregory, Wayne Henry, Marco Aliberti, Brandon Bailey, Mathieu Bailly, Sebastien Bonnart, Nicolò Boschetti, Mirko Bottarelli, Adam Byerly, Joseph Brule, Antonio Carlo, Giulia De Rossi, Gregory Epiphaniou, Matt Fetrow, Daniel Floreani, Nathaniel Gordon, Duncan Greaves, Bruce Jackson, Garfield Jones, Ronald Keen, Steven Larson, David Logsdon, Thomas Maillart, Kevin Pasay, Nebile Pelin Manti, Carsten Maple, Damiano Marsili, Erin M. Miller, Johan Sigholm, Jill Slay, Chelsea Smethurst, Joseph D. Trujillo, Nick Tsamis, Arun Viswanathan, Christopher White, Ernest Wong, Matt Young and Mattias Wallen. 2022. “An International Technical Standard for Commercial Space System Cybersecurity – A Call to Action.” ASCEND 2022, October 24–26, Las Vegas, Nevada, and online. https://arc.aiaa.org/doi/abs/10.2514/6.2022-4302.

Falco, Gregory, Arun Viswanathan and Andrew Santangelo. 2021. “CubeSat Security Attack Tree Analysis.” 2021
IEEE 8th International Conference on Space Mission Challenges for Information Technology, July 26–30, Pasadena, CA. https://ieeexplore.ieee.org/document/9697673/authors#authors.

Keller, John. 2016. “Iran-U.S. RQ-170 incident has defense industry saying ‘never again’ to unmanned vehicle hacking.” Military+Aerospace Electronics, May 3. www.militaryaerospace.com/computers/article/16715072/iranus-rq170-incident-has-defense-industry-saying-never-again-to-unmanned-vehicle-hacking.

NASA Office of Inspector General. 2019. Cybersecurity Management and Oversight at the Jet Propulsion Laboratory. Report
No. IG-19-022. https://oig.nasa.gov/docs/IG-19-022.pdf.

National Science & Technology Council. 2022. “In-Space Servicing, Assembly, and Manufacturing National Strategy.” Washington, DC: National Science & Technology Council. April. www.whitehouse.gov/wp-content/uploads/2022/04/04-2022-ISAM-National-Strategy-Final.pdf.

Prince, Ryan. 2020. “Space Delta 6 protects space and cyberspace.” Schriever Space Force Base, December 14. www.schriever.spaceforce.mil/News/Article-Display/Article/2445974/space-delta-6-protects-space-and-cyberspace/.

The Aerospace Corporation. 2019. “Defending Spacecraft in the Cyber Domain.” El Segundo, CA: The Aerospace Corporation. https://aerospace.org/sites/default/files/2019-11/Defending%20Spacecraft%20in%20the%20Cyber%20Domain.pdf.

The White House. n.d. “President Biden’s Bipartisan Infrastructure Law.” www.whitehouse.gov/bipartisan-infrastructure-law/.

U.S.-China Economic and Security Review Commission. 2011. 2011 Report to Congress of the U.S.-China Economic and Security Review Commission. Washington, DC: US Government Printing Office. www.uscc.gov/sites/default/files/annual_reports/annual_report_full_11.pdf.

Wess, Mark. 2021. “ASAT Goes Cyber.” Proceedings 147 (2): 1416. www.usni.org/magazines/proceedings/2021/february/asat-goes-cyber.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.