5. Promoting International Cooperation and Other Policy Measures
Principles of a space cybersecurity response
The response to a complex and specifically internationalized cybersecurity problem needs to be based on an internationally coherent approach, which can be defined as a regime – that is, a set of:
… implicit or explicit principles, norms, rules and decision-making procedures around which actors’ expectations converge in a given area of international relations. Principles are beliefs of fact, causation and rectitude. Norms are standards of behaviour defined in terms of rights and obligations. Rules are specific prescriptions or proscriptions for action, decision-making procedures are prevailing practices for making and implementing collective choice.49
There is an urgent requirement to develop a space cybersecurity regime that will inform and organize policy efforts and subordinate strategies, while remaining federally networked rather than controlled from a centre or hierarchically driven.
Too centralized an approach would give the illicit actors, who are generally unencumbered by process or legislative frameworks, an unassailable advantage simply because their response and decision-making time is more flexible and faster than that of their legitimate opponents. To be successful and durable, the space cybersecurity regime should be one that functions intelligently and responsively, and possesses enough flexibility to be able to react in a coordinated way as the environment and circumstances alter.
As noted above, over-zealous central direction by regulators in a market-driven sector tends to lead to the supply chain finding ‘workarounds’, leading to the risk of developing a general culture of cyber insecurity in which the default condition is simply to identify the best way to dodge the rules. This hands another advantage to the adversaries of legitimate users of the space domain.
However, the international space community has not yet acted as a coherent system in the area of cybersecurity. This problem is compounded by the fact that the nature of space and its relationship to society are entering a period of fundamental change. The stakeholders required for the space cybersecurity discourse remain essentially segregated (apart from occasional meetings at events such as conferences), and are only concerned with managing risks within their narrow fields of interest. Left unaddressed, this dynamic will in all likelihood continue unless there is an external stimulus. As a result, there will be little recognition that each stakeholder can be affected by another’s security, or lack of it, unless there is a change in perceptions. A significant element of self-help is required to make up for the shortcomings of the regulatory cadre.
A space cyber regime, based on a lightly regulated initiative from the supply chain, seems to offer the most suitable and sustainable basis for channelling multinational contributions to an internationalized space cybersecurity capability which has to include an ever greater number of different stakeholders.
Such a regime must be agile enough to meet the rapidly evolving security challenge facing the space domain, and to continue to develop as the market is transformed over the next decades.
Policy requirements
Ideally, the policy needed to establish a space cybersecurity regime would align the needs of all the various concerns: on an already complex international stage this would include the millions of end users, individual scientists, the corporate sector and the military; address technical, political, economic and social interests; and combine the tactical with the strategic and the bottom-up with the top-down approach.
To align across and within all sectors, one approach is to adopt a single focus – such as the provision of assured broadband via space – and make that the driving force, organizing all other initiatives around it. But the space domain is now becoming so intrinsic to every human activity, whether government, private-sector or individual, that the foundation of a more robust and coherent space cybersecurity regime requires a common understanding of what is essential to determine both the nature of the problem and threat mitigation responses. The approach must be non-hierarchical, where each stakeholder is empowered by knowledge provided by the regime and feels valued as a contributor.
Ensuring security in space must correspondingly be a common ambition for all concerned players. Thus a common approach to cybersecurity can be developed and encouraged by applying the principles of governance, management and inclusiveness as outlined below.
Governance
There are three paramount dimensions in the governance of a space cybersecurity regime. First, whatever is done to combat space cyber insecurity, policy should be adopted and applied in order to enable legitimate users of space-related capability, while increasing the costs (of entry, for example, or discovery and being subject to law enforcement action) for illegitimate users.
Second, the governance of space cybersecurity needs a collective approach, involving as many legitimate stakeholders as possible and practical. This will also create a progressive and dynamic environment where knowledge is a key ingredient; if participants can share experiences and lessons learned, cybersecurity will become increasingly instinctive, from the boardroom down to the shop floor, and its sum will increase.
Third, the regime needs to be based on a self-governing and lightly regulated effort by a wide range of legitimate users of space capability. This is because space infrastructure, with its multiple uses, is a complex and constantly adapting area that defies control, centralized management and oversight by any single stakeholder (except for some very specific processes such as orbit or communications frequency allocation). Experience suggests that there is no other option but to deliver this effort within a business environment of transparency and accountability involving collaboration designed to share knowledge. Effective and durable governance of cyberspace requires a shared awareness that implies a dynamic, common approach to raising cyber capability. A culture of space cybersecurity must lead to the development of an innate instinct for what is safe and what is risky throughout the supply chain.
Management
To achieve absolute, perfect cybersecurity in space and its associated infrastructure and uncountable plethora of applications would require all threats and vulnerable components in an ever-expanding and unmappable ecosystem to be identified and isolated, and certain actions performed to counteract attacks before they develop into harmful events. But to do so – even if it were possible – would be to contradict the concept of ‘new space’ as a business-led, technology-supported global commons; and it would constrain the functioning and development of a worldwide ‘republic’ of communications and data gathering and exchange, and a platform for global economic development.
The requirement is to manage, rather than try to eliminate, threats and risks that reside in cyberspace, or those that use cyberspace as an attack pathway. Furthermore, rather than hoping to be able to prevent every imaginable cybersecurity threat and attack, a more practical approach must be to create a cybersecurity regime that is centred on security-by-design and pre-emptive risk mitigation controls with the flexibility and resilience to handle emergencies as they develop.
Much as in any other environment, risk management in this context of space-related infrastructure is a process of identifying critical vulnerabilities and potential threats or harms, and working out what the likely outcomes would be if an attack were to occur, couched in terms of likelihood relative to impact. The art of risk management is to reduce risk intelligently to an acceptable level by mitigating, excluding, transferring or accepting it, and by doing so to improve the prospects for continued functioning of the capability concerned. Risk management is necessarily an iterative process, and not a ‘tick-box’ exercise.
Risks and countermeasures need to be continually re-evaluated as new factors emerge, priorities and vulnerabilities change and threats proliferate. Additionally, a balance between the cost-effectiveness of a given countermeasure and the value of the capability being protected must be taken into consideration. Furthermore, in complex networks and complex adaptive systems, the risk-versus-reward evaluations by one actor could be very different to those imagined by others – particularly in conflicts of interest between government regulators and commercial organizations which focus on more immediate financial targets.
Bringing these strands together, cybersecurity in the space sector is a matter of risk management on a very large scale, in which monitoring all stakeholders for their approach to cyber risk would be impossible, but there would be confidence that at the very least the whole community was well informed on the implementation of good practices.
Inclusiveness
It may be tempting to shy away from addressing cybersecurity in the current space infrastructure as too complex, too technically sophisticated and too rapidly changing a problem for the diverse set of analysts, users and policymakers. The complexity of corresponding countermeasures could also promote a narrow technical approach, thereby excluding the many system users who could otherwise have made useful intellectual contributions to the cybersecurity discourse.
This tendency to default to a simply technical standpoint has not served cybersecurity well in the past, and should be avoided in any future regime in which technical safeguards and countermeasures will only be part of the overall response. The Chatham House expert roundtables observed that as the space sector evolves, so the threats and challenges that emanate from it will evolve correspondingly.
It is vital to include technical experts in the development and implementation of any regime so that the shifts in space and cyberspace, new technologies and the nature of threats and challenges to society are fully understood and anticipated. The technical community is most likely to envisage potential developments in space-based capabilities. If it can be integrated into space cybersecurity policy development, then everyone involved should achieve a deeper comprehension of the range of likely future technologies and uses of space and of the likely threats and challenges. Furthermore, if for their part technical specialists can develop a better feeling for the requirements and constraints of cybersecurity, space technology might be steered in more benign directions, starting with the component design stage. Simply put, technical experts are best placed to undertake horizon-scanning, to be able to provide the longest possible warnings of new threats, along with the relevant technical solutions. But the organizational aspects of how new controls are to be applied will remain a matter for the non-technical stakeholders in the regime.
Types of regime behaviour
The first step towards a common conception of cybersecurity in space requires agreement on a set of principles – discussed above – by which strategy can be guided and risk assessed. Policy coherence at the strategic level may nevertheless be undermined by inconsistencies in implementation. Furthermore, there must be acknowledgment that a regime will be both driven and accessed by a large and diverse range of stakeholders including individual users, ad hoc communities, the private sector, the public sector, the insurance industry, the national security community and technical experts. And illicit actors will also make their presence felt.
Three key additional principles and types of behaviour for operations and implementation can be identified: agility and initiative, actor neutrality and risk management.
Agility and initiative
Cyberthreats are broad and mutate quickly, so a static, defensive stance by a space cybersecurity regime will result in two things. First, agile, intelligent and well-resourced cyber adversaries are likely to win. They will have the initiative in the contest, and will not have had to invest significantly to gain that initiative – an unaware and ill-prepared user will have surrendered that initiative by default. Second, the defences to cyberthreats are generally more reactive than anticipatory and they are rarely pre-emptive, so the majority of legitimate non-aggressive users of the space domain will only begin to address cyberthreats at the point at which they are fully formed and causing real impacts. Cybersecurity policy must therefore build in agility and focus on gaining and maintaining the initiative. This can only be done by matching or bettering the ‘battle rhythm’ of the adversary.
Actor neutrality
An ‘actor-neutral’ approach to cybersecurity in the space sector can help to ensure that energy and resources are applied promptly and efficiently, and where they can be of most benefit in responses to the threats. That is to say, with a diverse and evolving set of adversaries, not only are there difficulties in attribution, but knowing the identities and ambitions of adversaries is less important than knowing their capabilities and the potential for damage. It follows that it is necessary to have the policies, procedures and equipment in place to meet or anticipate the challenges and attacks, whatever their source and whenever they proceed. Definitions of cybersecurity that correspond to the roles and interests of individual departments of government or private-sector concerns are not as useful as developing a coherent and collective approach to the management of the problem – that is, through the regime approach that seems so far to provide the most appropriate response. A more inclusive response to cybersecurity challenges could be developed by focusing more on those elements of the risk equation – vulnerability and impact within a culture of risk management – that society can do most to mitigate within its own means, and less on the identity of the adversary.
Risk management
As noted above, it is unrealistic to expect to be able to eliminate all cyberthreats in the space sector in the foreseeable future. They are wide-ranging and rapidly changing, and it is impractical to imagine that all criminal or hostile use of the global information and communications technology (ICT) infrastructure, of which space is a major part, can be filtered out, given the widespread and absolute dependence on ICT in the modern world and the increasing role that space plays in delivering ICT-type services. Space technology has created a global common good: the barriers to entry are low, and inexpensive access to space capability has begun to take hold on global markets. Dependence cannot be eliminated in the near term; and neither, consequently, can exposure and vulnerability to cyberthreats. If threats, dependency and vulnerability cannot be excluded, they have to be managed. A risk-management approach to cybersecurity in space would:
- Ensure that participants understand that legitimate uses of space-based systems cannot be assumed to be free of threats and adverse consequences;
- Assess cybersecurity on the basis of cost-effectiveness and proportionality: potential benefits can be weighed against appropriate costs and penalties, including insurance premiums, and benefits can be prioritized and procurement systems put in place;
- Build in adaptability and agility so that as cybersecurity threats change, priorities can be recast;
- Frame space cybersecurity policies at a system level, offsetting the dangers and risks in one sector by advantages and benefits in another.
Emerging policy approaches
Clearly, numerous issues need to be addressed as the space supply chain sets out for the first time to reduce vulnerabilities in the domain. As it does so, some compelling themes emerge.
The first point that must be accepted is that space cybersecurity policy can and should be extended beyond its traditional position, which focused on the protection of critical national infrastructure and a ‘bottom-up’, reactive sectoral concern with computer and network security, information security and assurance. Those policies, which have been implemented in the past two decades as unitary solutions to cybersecurity more generally, have been shown to fail, one after another. But a bottom-up approach does retain value as it includes the activities that contribute to compliance with various ISO standards. It is also the best place to elicit a response when national or international law enforcement agencies are brought into action; there are generally robust links between the two that can be exploited, either from national levels upwards or conversely down into the national agencies from an international coordinating function.
But a space cyber regime has to reach beyond a tick-box mentality that provides comfort yet still allows well-informed adversaries to take up threatening positions against users who remain rooted in a static regulated environment, believing they have done the right thing and risks have been satisfactorily mitigated. In such a fast-evolving domain as space, and reflecting a regime approach that encourages actions to counteract developing threats, it is essential for people, processes and technological issues to be amplified through better organization, better management of business change (i.e. agility) and also, because space vehicles are not generally recoverable for upgrading, constant obsolescence management.
Thus the space cyber regime doctrine needs to incorporate:
- People and organization;
- Processes and business change;
- Technology and obsolescence management.
Second, cybersecurity policy should be based on an agreed set of operational and strategic principles, with the following objectives: to turn the intersection of space and cyberspace from a permissive, ungoverned environment into a self-governing network; to raise the costs of use by illicit actors; to encourage a comprehensive and inclusive understanding of cybersecurity across the user community; and to facilitate and assure legitimate use of the ICT infrastructure supported by space technologies.
Moving from theory to practice, an active strategy for space cybersecurity should incorporate agile organization, coherent planning and deconfliction, creativity and responsiveness.
Reduction of supply chain risk: the task ahead
In a 2006 paper setting out proposals for best practices for the protection of commercial satellite communications infrastructure,50 Richard Buenneke et al. suggested a series of principles aimed at guiding commercial satellite service providers that wished to develop increased resilience and that also had responsibilities in the US strategy of network-centric warfare. The authors recognized that commercial satellite systems were playing an ‘increasingly important role in supporting US and coalition concepts for network-centric warfare’ and similar military strategies. They noted that this dependency also ‘increases the possibility of a hostile attack on privately owned and operated SATCOM networks’ working within that military ecosystem to provide additional and spare capacity.
To address these potential threats, in 2006 the then US National Security, Space Management and Organization conducted a comprehensive survey of approaches used by commercial operators and integrators to protect SATCOM networks against electronic, physical and cyberattacks. The survey identified a set of seven ‘best practices’ for information sharing and analysis, as well as responses to intentional jamming, physical attacks, cyber/network threats and other hazards.51 These best practices, Buenneke et al. suggest, should ‘form the basis for new incentives in US Department of Defense contracts for commercial SATCOM services’. As a starting position, these practices can also serve as the ‘basis for improved public-private and coalition collaborations for preparing and responding to a full spectrum of hazards’, not necessarily just from cyber adversaries, but also from natural events such as coronal mass ejections and other phenomena found in ‘space weather’.
Further development by the UK Space Agency52 and others has increased the number of best-practice strands to 10. These functions could form the basis of the proposed space cyber regime, as follows:
- Raising awareness;
- Encouraging vigilance;
- Identifying dependencies;
- Recognizing vulnerabilities;
- Building in resilience and measured responses;
- Future-proofing hardware and software;
- Drawing up procurement strategies;
- Identifying regulatory requirements;
- Sharing experience, including military and civilian knowledge exchange;
- Establishing best and good practices.