6. Implementation of a Space Cybersecurity Regime
An international response is required to the cybersecurity challenges of space, but there are no relevant international organizations or agreed mechanisms that could conceivably constitute the basis for that response. A framework needs to be developed quickly to harmonize the space supply chain and its offerings, which are now being market-led. However, government-to-government dialogue in international security matters works slowly, particularly through UN and ITU structures, as does the academic discourse. In the international structures, there are a number of frameworks and international agreements for addressing international peace and security in space, including the Committee on the Peaceful Uses of Outer Space (COPUOS); the UN Office for Outer Space Affairs; the Disarmament Commission; the Conference on Disarmament and the UN Office of Disarmament Affairs; the Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies (the Outer Space Treaty); the Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space; the Convention on International Liability for Damage Caused by Space Objects; the Convention on Registration of Objects Launched into Outer Space; the Constitution and the Convention of the International Telecommunication Union and its Radio Regulations (amended).
Recent progress has been made in the Wassenaar Arrangement53 and two UN processes: the Group of Governmental Experts on Transparency and Confidence-building Measures in Outer Space Activities (GGE-Space);54 and the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE-Cyber). In addition, space and cyber guidelines are currently being discussed within COPUOS,55 including, for example, Guideline 9 (formerly guideline 43) to ‘implement policy aimed at precluding interference with the operation of foreign space objects through unauthorized access to their on-board hardware and software’ and Guideline 18 (formerly guideline 35) to ‘ensure the safety and security of terrestrial infrastructure that supports the operation of orbital systems and respect the security of foreign space-related terrestrial and information infrastructures’.
Box 1: UN Group of Governmental Experts on Transparency and Confidence-building Measures in Outer Space Activities (GGE-Space)
The 2013 report from GGE-Space56 agreed on a set of substantive transparency and confidence-building measures (TCBMs) for outer space, conclusions and recommendations. The main points were as follows:
1. Categories of transparency and confidence-building measures for outer space activities:
(a) General transparency and confidence-building measures aimed at enhancing the availability of information on the space policy of States involved in outer space activities;
(b) Information exchange about development programmes for new space systems, as well as information about operational space-based systems providing widely used services such as meteorological observations or global positioning, navigation and timing;
(c) The articulation of a State’s principles and goals relating to their exploration and use of outer space for peaceful purposes;
(d) Specific information-exchange measures aimed at expanding the availability of information on objects in outer space and their general function, particularly those objects in Earth orbits;
(e) Measures related to establishing norms of behaviour for promoting spaceflight safety such as launch notifications and consultations that aim at avoiding potentially harmful interference, limiting orbital debris and minimizing the risk of collisions with other space objects;
(f) International cooperation measures in outer space activities, including measures aimed at promoting capacity-building and disseminating data for sustainable economic and social development, that are consistent with existing international commitments and obligations.
2. Specific TCBMs, including the following, that could be used to enhance the cybersecurity of space:
- Exchanges of information on the principles and goals of a State’s outer space policy;
- Exchanges of information on major military outer space expenditure and other national security space activities;
- Exchanges of information on orbital parameters of outer space objects and potential orbital conjunctions;
- Notifications in the case of emergency situations;
- Demonstrations of rocket and space technologies;
- International cooperation and coordination;
- Consultative mechanisms, including for preventing or minimizing potential risks of physical damage or harmful interference.
3. Conclusions and recommendations:
- Universal participation in, implementation of and full adherence to the existing legal framework relating to outer space activities including the:
  - Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies;
  - Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space;
  - Convention on International Liability for Damage Caused by Space Objects;
  - Convention on Registration of Objects Launched into Outer Space;
  - Constitution and the Convention of the International Telecommunication Union and its Radio Regulations, as amended;
  - Convention of the World Meteorological Organization, as amended;
  - Treaty Banning Nuclear Weapon Tests in the Atmosphere, in Outer Space and Under Water;
  - Comprehensive Nuclear-Test-Ban Treaty.
- Endorsing efforts to pursue political commitments such as unilateral declarations, bilateral commitments or a multilateral code of conduct, to encourage responsible actions in, and the peaceful use of, outer space.
- Proposing that voluntary political measures be a basis for concepts and proposals for legally binding obligations.
- Implementing transparency and confidence-building measures to the greatest extent practicable and in a manner that is consistent with states’ national interests. As specific unilateral, bilateral, regional and multilateral transparency and confidence-building measures are agreed to, states should regularly review the implementation of the measures and discuss potential additional ones that may be necessary, including those necessitated owing to advances in the development of space technologies and in their application.
- Adhering fully to the existing legal framework relating to outer space activities and the principles and guidelines endorsed on the basis of consensus by the Committee on the Peaceful Uses of Outer Space and the General Assembly and other internationally recognized space-related principles.
Box 2: UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE-Cyber)
The 2014–15 GGE-Cyber57 noted that common understandings on how international law applies to state use of ICTs are important for promoting an open, secure, stable, accessible and peaceful ICT environment, and put forward a set of views on how international law applies to the use of ICTs that include:
- State jurisdiction over the ICT infrastructure located within their territory;
- Existing obligations and principles of international law to respect and protect human rights and fundamental freedoms, the principles of humanity, necessity, proportionality and distinction, state sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other states and the inherent right of states to take measures consistent with international law and as recognized in the UN Charter;
- The requirement that states must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-state actors to commit such acts, noting that the accusations should be substantiated.
The GGE-Cyber addressed critical infrastructure, of which satellite networks form a vital part. This included taking appropriate measures to protect critical infrastructure from ICT threats; the creation of a global culture of cybersecurity and the protection of critical information infrastructures; responses by states to requests for assistance when critical infrastructure is subject to malicious ICT acts; responses by states to requests to mitigate malicious ICT activity aimed at the critical infrastructure of another state if emanating from their territory; the integrity of the supply chain so that end users can have confidence in the security of ICT products; and the prevention of the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions. The GGE-Cyber also agreed a set of conclusions and recommendations for future work that included recognizing that ICTs are a driving force in development and calling for:
- Concept development and research on ICTs in international peace and security;
- Increased cooperation at regional and multilateral levels to foster common understandings on risks posed by the malicious use of ICTs and on the security of ICT-enabled critical infrastructure;
- Identification of mechanisms for the participation of the private sector, academia and civil society organizations;
- Dialogue on security and common understandings on the application of international law and norms, rules and principles for responsible behaviour.
The new dialogue on cybersecurity at senior official levels between the United States and China could be the start of a process that will operationalize the GGE-Cyber’s call to establish ‘dialogue on security and common understandings on the application of international law and norms, rules and principles for responsible behaviour’. The 2015 US–China cyber agreement was part of a wider group of measures to strengthen bilateral relations and build trust and confidence between the two countries. The agreement includes: i) timely responses to requests for information and assistance concerning malicious cyber activities; ii) cooperation in the investigation of cybercrimes, including the collection of electronic evidence, and mitigation of malicious cyber activity emanating from the territories of either party; iii) agreement not to conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information; iv) identifying and promoting appropriate norms of state behaviour in cyberspace within the international community; v) a high-level joint dialogue mechanism on cybercrime and related issues; and vi) a hotline for the escalation of issues that may arise in the course of responding to such requests.58
Any proposed organization to address cybersecurity in space needs to reflect the multi-stakeholder character of the cyber and space communities.59 Its structure would need to be fundamentally non-regulatory and sensitive to national perspectives in cybersecurity policies, accepting the need for regulation where necessary, and yet being nimble and responsive – in other words, everything that most governmental organizations are not. To begin with, and to ensure sensibilities are protected, the regime should set out simply to instil a culture of ‘getting the basics right’ – which, according to experts in the field, constitutes 80 per cent of the strategic response.60
All participants and stakeholders in this regime need to understand this objective. The essence of the regime is that it works from all perspectives – organizational, business change and obsolescence management – to give it competitive advantage over its adversaries. The regime must be agile and act with initiative; actor-neutral; risk-based; and able to understand that a system level of response (i.e. based on technology alone) is not the answer. Not only that, but its core deliverable is to increase collaboration and cooperation in this highly dynamic environment in order to enhance knowledge. The outputs it generates will be hard to measure, as its success depends on a reduction in the number of attacks, in a domain where these have not been reported widely, making it hard to ascertain their absence.
The response to space cyber insecurity should be based on soft power, rather than controls underpinned by an international diplomatic community moving at glacial pace with a series of ‘sticks’ wielded by national regulators. The approach required must be from an international community of the willing responding to ‘carrots’, who have a shared awareness of the problem and a shared goal. Such an approach offers the most appropriate basis for an international space cybersecurity strategy that includes – rather than mandates – a wide variety of stakeholders with the necessary agility and flexibility. The regime would develop the essential ‘top-down’ approach needed to complement the ‘bottom-up’ security measures being developed by technological experts and state organizations assisting with intelligence and threat information and with highly complex forensics work.
The regime needs to be a platform for communication and collaboration rather than taking any operational steps, or even overseeing tactical procedures, to increase security. From the outset, those functions would be left to national regulation and law enforcement authorities that may already be able to work with other states via existing bilateral and multilateral instruments designed to tackle other risks to society. However, research in other cybersecurity domains suggests that there is little history of successful institutional sharing, and this is perhaps the most critical failure of all. The regime’s philosophy should therefore be based on a sharing economy. This may not suit some national authorities, however, given their traditional concern with security, which is principally directed at threats to the state and terrorist attacks.
Nevertheless, some states that already work in multilateral risk-reduction and multi-stakeholder enterprises may be more relaxed about participating in an international community of the willing. Such a regime would focus on cooperation and information-sharing in its early phases, if only to explore and set up systems for joint working and collaboration that can be expanded incrementally over time, and include more stakeholders as confidence increases. The regime would, however, have to recognize that any analysis it undertakes of cyberspace and related security threats is a problem that concerns all of society; not the exclusive concern of governments, commercial enterprises or international organizations. As noted above, in cyberspace security, different interests and constituencies are challenged by a variety of interconnected actors and actions. And if society – for all its diversity – cannot respond in a similarly interconnected way, then the sum of security diminishes overall and becomes dangerous.
This prospective multi-stakeholder alliance should initially be made up of those states and non-state entities that already have a relatively high national-level awareness of cyber risks and commensurately mature countervailing strategies, and that also accept the need for a decentralized approach. Such a group will be able to swiftly and collectively identify sets of core capabilities, particularly in best practices within each of their national strategies, and to produce those as industry-led standards for the benefit of an expectant community of interest. This will constitute the beginnings of a space cybersecurity regime.