7. Conclusions and Recommendations
Although cybersecurity is a technical issue, technology alone cannot provide the basis for driving policy. Entirely or largely technological approaches will not have the necessary breadth or depth to allow comprehensive participation in addressing the full range of cybersecurity challenges. They would exclude many stakeholders who could otherwise contribute usefully to responses to the variety of threats propagated through the internet. An over-reliance on technical fixes is why cybersecurity controls failed to make an effective impact on cyberthreats in the late 1990s and early 2000s. It is only in recent years that cybersecurity is being recognized as central to an organization’s operations.
Yet if cybersecurity policies had inadvertently marginalized those with technological expertise, the pendulum would have swung too far the other way. Thus an effective regime requires a comprehensive technological response that is integrated into a wider circle of knowledge, understanding and collaboration.
The research for this project has led to a number of clear conclusions:
- Satellites and the commensurate space infrastructure, which also includes space vehicles and ground stations, are potentially vulnerable to a wide range of cyberattacks. They can be susceptible to the more common and well-understood cyberattacks such as data theft and data corruption, as well as to more sector-specific attacks including cyber-jamming, cyber-spoofing and hostile cyber-hijacking.
- Because so much of human activity is now dependent on space-based assets and infrastructure, most countries’ critical infrastructure is potentially vulnerable to cyberattacks in that domain. An insecure environment in space will hinder economic development and increase risks to societies, particularly in crucial sectors such as communications, transport (air, maritime and land), energy (conventional, renewable and nuclear), financial transactions, agriculture, food and other resources management, environmental and weather monitoring, and defence. Space-related cybersecurity gaps and weaknesses therefore need to be addressed as a matter of urgency.
- Highly regulated institutional responses such as government-led approaches are likely to lack the agility and flexibility required for these cybersecurity capabilities.
- Lightly regulated multi-stakeholder approaches to cybersecurity in space that develop industry-led standards, particularly with regard to collaboration, knowledge exchange and innovation are more likely to ensure the required agility, creativity and speed of response.
- An international multi-stakeholder space cybersecurity regime – based on an international community of the willing, and shared risk assessments and threat responses – is likely to provide the best opportunity for developing a sectoral response to match the range of threats.
Producing a set of options to mitigate the risks would bring foreseeable, tangible benefits for the space infrastructure by increasing the resilience of the global economic infrastructure to cyberthreats, and enhancing confidence in space-related goods and services, including those associated with new global markets in space cybersecurity.
By developing an international multi-stakeholder cybersecurity regime, the space industry would enhance its existing reputation as a forward-thinking, market-leading community. It could also play an increasingly influential role in developing international standards and establishing a strong sustainable knowledge base in the cybersecurity domain.
An international community of the willing should be formed to act as a focal point for good practice in the space–cyber intersection. This like-minded, multi-stakeholder group would be tasked with concentrating on risk management approaches to space cybersecurity, and the formulation of industry-led standards in order to develop pace and agility in response.
The group, which could grow over time to include any state concerned with space cyber risks, would identify actions that can develop the skills, knowledge and collaborative mechanisms needed to catalyse greater resilience in the international space infrastructure. This would include the development, manufacture, deployment and operational management of space vehicles along with associated data systems and communications links.
In parallel, other work, commissioned by national authorities, should seek to identify and mitigate risks in infrastructures, concentrating not only on ground stations but also on working with manufacturers and insurance providers to protect satellites more effectively from the potential for unauthorized interference.
Recommendations
To develop the required end-to-end competence in a space cybersecurity regime, a number of capability development needs can be identified under each of the following functions. The research project from which this paper has been developed did not set out to capture a full set of requirements, but many were identified during the roundtables. Examples are noted here as recommended attributes of the individual functions of the envisaged space cyber regime.
Raising awareness
- Ascertain the minimum levels of knowledge required to develop an instinct for cybersecurity throughout the supply chain.
- Identify communications platforms that can be used to develop a common collaborative environment.
- Decide on communications platforms and paths, languages, lexicon and right of access.
- Agree on whether the authority should be regional or international, and how the authority should function.
- Develop an educational infrastructure that can spread throughout the internationalized supply chain into the user communities and adjacent sectors.
- Delineate what governments can do to help, such as providing threat briefings on a trust basis.
- Establish ways to maintain concepts of trust and operational security in a very broad and potentially large community.
- Agree on the qualifications needed to join a community of interest, and how to ensure that all members of the community add value.
- Establish a virtual knowledge platform with agreed security levels and operational redundancy.
Encouraging vigilance
- Ascertain specific needs in terms of identifying symptoms of an attack, or preceding reconnaissance.
- Provide threat briefings to explain what vigilance is needed.
- Train experts in how to notice unusual activity, and how to verify suspicions and then alert the community.
Identifying and mapping dependencies
- Establish procedures for identifying dependencies within relevant timescales.
- Assess dependencies for criticality and for lack of redundancy.
- Identify ecosystem connections that are driven by commercial considerations and configured for agility.
- Develop a sustainable, near-real-time, cloud-based system for mapping space ICT configurations.
Recognizing vulnerabilities
- Develop and maintain a risk matrix by matching vulnerabilities to threats, paying attention to the alignment of commercial and national infrastructure vulnerabilities and regularly updating the matrix.
- Identify the vulnerabilities that will not be commercially compelling to resolve, and ensure that regulators are aware.
Building in resilience and measured responses
- Agree what levels of resilience are required and how to ensure these are regularly revisited and updated.
- Find the right mix of market and governmental risk and reward judgments.
- Develop a funding stream for increased resilience and new technologies to achieve critical infrastructure levels of protection at both national and international levels.
- Build in incentives for investment in cyber resilience in satellite vehicles for cases where the value of the satellite and payload is comparatively low.
- Develop regulatory controls and standards (including templates as needed) for critical national and international systems, including minimum acceptable availability levels.
- Ensure a reporting mechanism is established to report changes in critical network configurations with monitoring and regulatory facilities.
- Delegate cyber controls into the supply chain at agreed standards so as to facilitate investment.
- Develop well-understood penalties for non-compliance under established legal frameworks.
- Work with the insurance sector to increase incentives.
Hardware and software future-proofing
- Develop approaches to future-proofing of existing hardware and software, given the often long life cycle of satellites and the problems of obsolescence in some ground systems as well.
- Invest in new ‘hack-proof’ or ‘hack-resistant’ technologies, including ‘blue-sky’ approaches such as quantum technologies for communication.
Procurement strategies
- Develop cooperative mechanisms whereby cybersecurity in space is made equivalent to physical safety in space and is not part of the commercially competitive agenda.
- Identify the procurement processes and legislative frameworks that should be used for public procurement in an international supply chain.
- Draw up security-conscious procurement strategies that match the speed of the market.
- Develop industry standards so that cybersecurity rigour can be ensured and insured through the entire supply stack, from the highest boardroom level all the way down to microchip level, with penalties for default.
- Establish clarity with regard to implementing national and international controls such as on international trafficking in arms regulations vis-à-vis the development and sharing of cybersecurity technology.61
Regulatory requirements
- Develop an international discussion on how the regime might function as an international community of the willing, and its relationship with international bodies such as COPUOS.
- Develop the regime in the form of a ‘general obligation to cooperate’ mechanism, deciding whether it should be a regulated or non-regulated information management environment, or both; and whether industry, academia or government should lead, or whether a multi-stakeholder approach could be more effective.
- Balance regulated and non-regulated instruments within the regime.
- Incorporate mechanisms beyond the regulated environments so that organizations are not inhibited from sharing knowledge, and ensure that this is understood by the regulatory bodies.
- Install mechanisms that enable legislative and regulatory requirements to be passed back to national and international authorities as needed.
Sharing experience, including civilian–military knowledge exchange
- Establish mechanisms for communications processes to share experience and knowledge, including agreeing a common lexicon.
- Demonstrate that participation in the regime leads to significant advantage whereas non-participation is detrimental.
- Build confidence in the process so that traditional military reluctance to share technical data and threat information is overcome; this is particularly important given the considerable number of overlaps in civil and military capabilities.
- Develop understanding within the military authorities on the need for light-touch regulation in the commercial domain and increase the comfort level for the military authorities to work in, and contribute to, a low-regulation environment.
- Establish mechanisms for analysis and sharing of sensitive information.
- Implement established practices for international quality control.
- Develop collaborative mechanisms required for raising awareness and operational responses.
- Determine which communities should have access to the shared experience data.
- Identify an impartial player who can monitor inputs and outputs and share information safely and securely.
- Develop incentives for sharing information across the divides.
Establishment of good practice
- Determine what is good practice and good-enough practice.
- Aggregate good practice into a single system of guidance.
- Adapt working models for good practice and bring in mechanisms specific to the cyberspace community of interest.
- Agree on models for risk management.
- Set up mechanisms to determine the appropriate current and future requirements for cybersecurity in the various satellite missions.