1. Introduction
The vulnerability of satellites and other space assets to cyberattack is often overlooked in wider discussions of cyberthreats to critical national infrastructure. This is a significant failing, given society’s substantial and ever increasing reliance on satellite technologies for navigation, communications, remote sensing, monitoring and the myriad associated applications. Vulnerabilities at the junction of space-based or space-derived capability with cybersecurity cause major national, regional and international security concerns,1 yet are going unaddressed, apart from in some ‘high end’ space-based systems. Analysing the intersection between cyber and space security is essential to understanding this non-traditional, evolving security threat.
Cybersecurity and space security are inextricably linked. Technologies in satellites and other space assets are sourced from a broad international supply base and therefore require regular security upgrades. And the upgrades via remote connections could serve to make space assets vulnerable to cyberattacks.2 In everyday life, satellites are regularly used to provide internet services and global navigation satellite system (GNSS) technologies which are increasingly embedded in almost all critical infrastructure.
Vulnerabilities at the junction of space-based or space-derived capability with cybersecurity cause major national, regional and international security concerns, yet are going unaddressed, apart from in some ‘high end’ space-based systems.
Because cyber-related technology is relatively new and is often multi-purpose and dual-use in nature, legislation lags behind. For example, two global utilities – the internet and GNSS – are driven by dual-use technology and are thus potentially deployable for military and civilian use. The United States, in particular, recognizes this and strives to cope with this challenge through its International Trafficking in Arms Regulations (ITAR).3 These utilities have a plethora of military and security applications, and are integral parts of critical national infrastructure. However, in the military context it is also hard to establish when they are used for defence or for offensive actions.
The United States has recently described the space environment as ‘congested, contested and competed’,4 and has developed a corresponding policy to ‘deter, defend and defeat’. Russian defence policy states that the information domain is one of war,5 pointing to an urgent need for rules of engagement and rules of prevention and prohibition, which do not yet exist. Moreover, international cooperation can generate dependency risks, which could have a negative impact on national security interests; consequently, sound policy concepts do not readily translate into political will, and international rule-based solutions may be hard to develop.
For the insurance sector, the systemic risks are at once evident and potentially unquantifiable, as noted by one industry expert in 2014:
The challenge is that insurers have to contend with a new and potentially catastrophic class of risk, with limited historical loss data on the nature and severity of the threat. To some extent therefore it is a jump into an unknown world where criminal, business and political/strategic interests could be at play.6
Hackers, who represent the front end of the threat, currently constitute a major problem; their culture is entirely different from that of government or the military. Therefore, analysis of cyberattacks needs to take into account the fact that at a national level future attacks will be mostly generated by complex interests, from sources that are not immediately apparent to legitimate actors. To compound the problem, GNSS systems, which are now used by many stakeholders worldwide, are relatively insecure because until recently civil applications have not been designed with security in mind (although more modern systems such as the European ‘Galileo’ have secure technology).
In addition, the huge amount of data disseminated through satellites makes it possible for criminals to corrupt accuracy and reliability with a low probability of discovery. In particular, preventing spoofing (see section on technical aspects of cyberthreats to satellites, below) requires integrity checks in which large amounts of data are transferred between interested parties. In the maritime arena, space-based monitoring systems are regularly being jammed or spoofed by vessel operators entering false information in order to disguise their illicit activities. The need for integrity checks applies to many other aspects of the maritime domain such as distress calls, data and information. In principle, lack of integrity and availability can cause a great deal of damage to confidence in systems. However, proposed solutions are seen as expensive and are therefore unlikely to be adopted universally – unless there is a compelling reason such as legislation or a major incident, or new competition; in this context, perhaps the August 2016 launch of China’s ‘quantum satellite’, said to be ‘designed to establish ultra-secure quantum communications by transmitting uncrackable [i.e. hack-proof] keys from space to the ground’, will change the game.7
Project background
The International Security Department at Chatham House has undertaken a multi-year, multidisciplinary study of the intersection between cybersecurity and space security. In 2013–14, in partnership with Finmeccanica UK, it held a number of expert discussions and published a paper on the challenges.8 From 2015 Chatham House has partnered with the Sasakawa Peace Foundation to study the specific ways in which cyberattacks can be used to disable satellites and their functions, and the impact of such attacks on the military uses of satellites and international security.9 The project, on ‘Satellite Security – Vulnerability to Cyber Attack’, addresses:
- How cyberattacks can be used to destroy or impede the functions of satellites and other space assets, either by taking remote control of a satellite itself or by jamming its signals; and
- The way forward and potential solutions, including increased international cooperation requiring a blend of policy and technical inputs.
As part of the project, Chatham House held two expert roundtables in London, under the Chatham House Rule, in which over 30 participants from government, academia and the private sector participated, with the aim of fostering discussion on awareness of the mutual vulnerabilities of cyber and space assets, and potential policy solutions. In addition, in collaboration with the Synergia Foundation, Chatham House ran an expert high-level roundtable in Bangalore. The meeting was co-hosted with Tobby Simons of Synergia Foundation,10 Bangalore, and co-chaired with Raji Rajagopalan of the Observer Research Foundation,11 Delhi.
This paper identifies the key issues associated with the management of cybersecurity in the space supply chain across the world, and recommends appropriate actions to mitigate wide-ranging vulnerabilities in the space infrastructure.