A presidential directive aimed at implementing cybersecurity in space systems is under review but will likely remain in effect as the Biden administration looks to sustain commercial enterprise in the domain.
“The government needs the private sector and the private sector needs the government,” said Brian Scott, director of critical infrastructure cybersecurity for the National Security Council. “Space Policy Directive 5, SPD 5, cybersecurity for space systems issued last September, outlines key cybersecurity principles to guide and continues to serve as the foundation for the U.S. approach to the cyber protection of space systems.”
Scott spoke Wednesday along with officials from the departments of Commerce and Homeland Security as well as the intelligence community at a symposium on cybersecurity in space that was attended by participants from around the world. The officials promoted the Trump-era directive that instructs the government to work with commercial companies to define best practices, establish cybersecurity-informed norms, and promote better cybersecurity behaviors throughout the country’s industrial base for space systems.
“We depend on the nation’s space-based systems across almost every critical infrastructure sector and industry. Our financial services, energy, communications, transportation, emergency services sector, and other industries all rely on the services that our space systems provide,” Scott said, asserting that a cyber-enabled attack on the Global Positioning System alone would result in a $1 billion a day impact on the United States. He added that recent major cybersecurity incidents have reinforced the need to apply important lessons learned, including in space.
On May 1 the administration also announced plans to retain the National Space Council—which President Donald Trump reinstated—under the chairmanship of Vice President Kamala Harris, who has said her foreign policy work will include cybersecurity and technology.
“The vice president intends for the council to have a particular focus on enhancing cybersecurity and space systems, and the council will work closely with the National Security Council to address issues related to cybersecurity in space,” Scott said.
The administration has not yet identified the members of the council. And within the government, there is uncertainty about which agency should be specifically designated to oversee cybersecurity in space, something Rep. Jim Langevin, D-R.I., has suggested needs to be addressed.
Asked which agency would be most appropriate to serve in the role, James Platt, chief of strategic defense initiatives at DHS, referenced an interim public-private working group at the department and said that’s still an open question given the range of entities involved.
“One of the things that we are continuing to work on is what is the ultimate end state for how we manage risk to space systems and space systems infrastructure. So that question is still out there,” Platt said. “We will continue to work that through the space systems cross-sector working group, but it’s really about working with the private sector and making sure that we fully understand the mission space so that we organize properly because this really does touch many, many sectors, and we have to make sure that we address all of the concerns there.”
Jaisha Wray, associate administrator for international affairs at the National Telecommunications Information Administration, worked on the development of Space Policy Directive 5 as director of international cyber policy on Trump’s National Security Council.
She said while the policy is under review but, that is “just in case there’s any additional updates needed.”
Wray and other officials said cybersecurity in space requires all of the practices that are generally applicable but noted some unique factors for space systems.
“Because space systems are difficult to physically access when they are in orbit, these [general] cyber principles can become more difficult to implement and since they cannot be easily accessed, cybersecurity activities, including updates and incident response must be performed using remote capabilities, which must be integrated into the design of the system prior to launch,” Wray said. “As a result, satellite developers should be thinking about integrating cybersecurity into the full lifecycle of the spacecraft, right from the start.”
David Luber, deputy director of the National Security Agency’s Cybersecurity Directorate, noted that all space systems supporting national security systems are required to use NSA-approved cryptography under Committee for National Security Systems Policy Number 12.
He directed participants to the NSA’s cybersecurity advisories on Russian and Chinese threat actors in addition to one focused on the importance of encrypting very small aperture terminal, or VSAT, networks.
“Companies should encrypt all links from their spacecraft, regardless of data classification,” Luber said referring to the networks for ground station satellites outfitted with antennae to communicate with those in space. “Encryption can impede a successful exploitation of a satellite by cyber actors and, when implemented properly, can also prevent an adversary from denial of service or insertion of bad commands.”
Luber also pointed to the National Institute of Standards and Technology’s Federal Information Processing Standard 140-3 as appropriate guidance on encryption and the Defense Department’s Instruction 8420-2 for help with configuration of terminals and mobile communications devices for secure communications.
“What we need to focus on collectively together really, as satcom network owners and users of satcom networks, is implementing those best practices and following the applicable policies,” he said, adding, “we also have to make sure that we have great IT hygiene.”