Cyberspace Solarium Commission says space systems should be considered critical infrastructure
The Cyberspace Solarium Commission wants space systems to be considered critical infrastructure sector number 17, a move the influential group says will compel a growing industry of satellite operators to take action to better protect their networks from malicious hackers.
In a new report released Friday, the commission said that the official critical infrastructure designation would close cybersecurity gaps in the industry such as “uneven” defenses and an approach to safeguarding hardware that is often more focused on harsh weather conditions than cyberattacks.
“Major portions of American space systems are still not designated as critical infrastructure and do not receive the attention or resources such a designation would entail,” according to the commission, which Congress established in 2019 to the develop a strategic approach to defending U.S. cyberspace. “The majority of today’s space systems were developed under the premise that space was a sanctuary from conflict, but this is no longer the case.”
Over the past several years, at least 18 of the commission’s 82 recommendations are set to be implemented, according to its 2021 annual report.
Space technology is far from immune from cybersecurity threats. For instance, at the start of the Ukraine war Russian hackers targeted U.S.-based satellite company Viasat in an attempt to disrupt communications in one of the more significant cyberattacks so-far during the way. Additionally last year, the Cybersecurity and Infrastructure Security Agency found the notorious Russian hackers Fancy Bear snooping inside U.S. satellite networks.
Other critical infrastructure, such as energy and water, rely heavily on space technology for services like controlling remote facilities, timing for grid monitoring, and other uses for industrial control system.
The report also attempts to avoid “conceptual debates” around whether space should be considered infrastructure or simply a domain by using “space systems” — a term taken from the Trump administration’s memorandum on space cybersecurity policy — which includes “ground systems, sensor networks, and space vehicles.”
“Quite simply, space is an indispensable critical infrastructure, and it’s time it should be treated as such. Labels are important to show it’s a priority,” said Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security, who was one of the more than 30 experts consulted on the report.
“It’s infrastructure on which the United States depends and relies on. The disruption or destruction of space assets and access would have a debilitating effect on national and economic security that would ripple across the globe,” Harrell said in a statement. “The technologies and capabilities in the space sector are unique and not replicated in other sectors of the economy, so they should be better protected.”
The commission recommends that the National Aeronautics and Space Administration should be the sector risk management agency for space systems. However, the report also notes that even though NASA undoubtedly has the industry expertise and private partnerships needed, the agency “has yet to demonstrate interest in becoming an SRMA” and would have to “scale up” to better protect those systems.
Additionally, the commission does not recommend giving the space agency a regulatory role as “space systems are already regulated through other rule sets.”
The report calls for two subgroups within the new designation, similar to the energy sector which includes both electricity and oil and natural gas. The Defense Department would continue it’s role as the SRMA of defense and intelligence systems and the Federal Communications Commission for the space-based communications systems.
The commission recommends that Congress should give NASA an initial investment of $15 million per year with 25 full-time employees to take on any added SRMA responsibilities. The Congressional Research Service should also undergo a legislative review to identify gaps in existing laws, the report notes.
Industry, meanwhile, should organize the commercial space sectors to “play an instrumental role in governance” and establish a Space Systems Sector Coordinating Council similar to the influential Electric Sector Coordinating Council that is made up of CEO’s and executives.
Additionally, the sector should begin working to reduce risks and increase resilience of commercial space technology, the report notes. The industry is maturing in cyberspace. The Space Information and Sharing Analysis Center announced in March the launch of a 10-person analysis team, a first for the relatively young ISAC which started in 2019.
This isn’t the first call for space as critical infrastructure, or even the second. There have been plenty of op-eds over the years calling for the designation. Additionally, lawmakers have also introduced legislation to make space critical infrastructure.
CISA also suggested that space should be considered critical infrastructure in a report to President Biden that assessed the framework for protecting critical infrastructure.
Marking space systems as critical would “stimulate policy and stakeholder attention and resources needed to secure the space systems that support the (national critical functions) which is a current gap for the United States,” Brandon Bailey, a senior project leader for the Cyber Assessments and Research Department at Aerospace Corporation, told Congress last July.
“Without this designation, space technology will be diluted and subordinate to the other sector specific protection,” Bailey said at the time. “Without a critical mass of focus on space technology, there is not likely sufficient focus to protect the critical space-based capabilities.”
However, there have also been roadblocks. Chris Inglis, then-National Cyber Director, said last year that “we’re going to walk, not so much away from the critical sectors, but towards this idea that what we’re really interested in is the threats that cut across those.”