2. Challenges
Governments and global economic institutions are seeking to align the need to provide internet-based platforms for financial and business growth with the requirement for stronger protection against a growing number of sophisticated and well-resourced cyber-related threats from nation states, terrorist groups, organized criminal groups and individuals aiming to steal intellectual property, cash or sensitive personal data, or simply to cause damage.
Satellite services are potential targets for a range of cyberthreats, as space supports a growing and increasingly critical level of functionality within national infrastructure across the world, stimulating economic growth. One attack on a key node in the space sector could have the leveraged potential to affect critical national and international capabilities. This dependency on space is not unique to developed states; most countries will have similar vulnerabilities.
A recent Chatham House paper on space and cybersecurity points to the increasingly blurred line between ‘offensive’ and ‘defensive’ activities in cyber and space, given that, technologically, offence is easier and more cost-effective than defence.[12] More advanced countries are increasingly vulnerable to attack from less developed states, and from terrorist groups and other actors such as organized criminals. In addition, the technologies for the space sector are developed and sourced from all over the world; the space supply chain can therefore be considered a truly internationalized business environment that is not yet well regulated with cybersecurity in mind. While the overall approach of many governments to cybersecurity is becoming more effective, the paper warns that the conjunction of cyber and space remains vulnerable to exploitation in the context of complex and internationalized supply chains and space-related infrastructure.
Current responses
There is currently no coherent global organization with regard to cybersecurity in space. For example, the UK’s policy response appears to be confined to high-level and classified information-exchange groups comprising select, by-invitation-only entities that coordinate between civil and military agencies but which have only limited reach into the supply chain. This structure is generally replicated in other countries that are ‘space-enabled’, with few if any mechanisms for implementing cybersecurity controls down to the deepest levels.
This systemic challenge at the intersection of cyber and space security therefore requires a radical, innovative approach to build and maintain confidence in the use of the space domain. This in turn will catalyse growth in trade and the wider global economy, help reduce the costs of government, and support safe provision of cultural and recreational activity. The experience gained in resilient satellite communications (SATCOM) and navigation systems, and the development of smaller satellite technologies, mean that the international challenge at the intersection of space and cybersecurity could now be regarded as a strategic opportunity to enhance mission assurance for space assets. Although the value of the space cyber market-in-waiting still needs to be defined, it can be assumed to be large, with rewards accruing to early (and quick) market adopters on both the customer and the supply sides.
New responses
Work is needed to systematically define and analyse each segment of a typical space mission and its supporting functions, and to develop mitigating strategies. Two cyber-related vulnerabilities of space missions are investigated in a later section of this paper: jamming and spoofing of satellite signals and associated data; and the remote takeover of satellite control through a cyberattack.
Development of a flexible international space and cybersecurity regime is urgently required; this arrangement should be managed initially by an international ‘community of the willing’ – a limited number of able states and other critical stakeholders within the international space supply chain and insurance industry. Such a regime would avoid the inevitable delays in agreement and implementation associated with any regulated, centralized and directive approach developed by an international body – the International Telecommunication Union (ITU) for example – that would give the advantage to attackers, as the latter are unencumbered by compliance with relatively time-consuming legislative controls. The new, agile regime would provide focus to rapid, active response mechanisms, and as a side benefit the body that coordinates and oversees it could also be tasked by the coalition to achieve market traction nationally and internationally for products and services related to cybersecurity in space. The regime could be implemented rapidly and cost-effectively, shifting risk-management activity to the less expensive and vital activities of education, training, exercises and providing situational awareness (understanding the status of people and systems) in the global space supply chain. Over time, the regime could be extended to a wider group of like-minded states.
The proposed regime would thus provide a vehicle for practical leadership in delivering enhanced security within the whole of the global space sector, upstream and downstream and at all levels of the supply chain. It would also act, inter alia, as an independent convener, providing oversight and guidance, and could undertake gap analyses for security processes, review concepts of operations and procedures, determine the roles of associate organizations, assist in insurance risk assessments, and secure funding for capability development projects. It would develop established and trusted connections with the space cyber community, including government agencies, academia and industrial concerns, as well as exploiting existing channels to provide access to commercial markets worldwide.
Initial work would include building on the structures already developed for national infrastructure, in particular the National CERTs (Computer Emergency Response Teams) – for example, in the UK, CERT-UK,[13] the Cyber Essentials Scheme[14] and the Cybersecurity Information Sharing Partnership (CiSP); in Japan, JP-CERT and JP-CERTCC (Coordination Centre);[15] in India, CERT-In;[16] in Ghana, CERT-GH;[17] and in the United States, US-CERT[18] and the Comprehensive National Cybersecurity Initiative.[19] Where possible, it would help, through ‘designing for security’, to resolve problems affecting satellites under construction. The regime would add further value by mitigating sector-specific concerns. This is particularly relevant within the current period of dramatic market-led change in the delivery of space-related goods and services and insurance.