Most of the world’s critical infrastructure is greatly dependent on Space, specifically assets based in Space, for its daily operations. Essential systems such as air transport, communications, maritime trade, financial services, weather monitoring, and defense — rely stiffly on space infrastructure, including satellites, ground stations, and data links at the national, regional, and international levels. This dependence poses a severe yet frequently underrecognized security dilemma — especially cyber threats — for critical infrastructure providers and policymakers alike.
Like any progressively digitized critical infrastructure, satellites and other space-based assets are prone to cyberattacks. These cyber vulnerabilities pose severe risks for space assets themselves and critical infrastructure based on earth. If not dealt with, these threats could intervene with global economic development and, by extension, security at the international level. In addition, these concerns are no longer merely hypothetical. More countries and private actors have gained and employed counter-space capabilities in novel applications within the past decade, posing a more significant threat to critical space assets at a metaphysical level. The innovations in various developing and developed countries have resulted in significant improvements in the capacity and capabilities of the supercomputers and hence the same pose a gigantic potential threat to the digital infrastructure. For example China has been in news in previous decade as they have tried to hack the main servers of the US govt both economical and defensive, and have been fairly successful in planting various viruses in the Pentagon and NORAD servers causing havoc in the nations cyber and national security.
Why are space systems so vulnerable?
Many space systems are dated, created before cybersecurity became a top policy concern. They have vulnerabilities such as hard coded credentials — used by ships, planes, and the military — making access by sophisticated actors reasonably easy. Today, modern technology is allowing international organizations, states corporations, and individuals alike to control space capabilities when, mere a decade ago, such a triumph was beyond possible. We are witnessing a transgression of spaceflight from a public venture to a commercial industry. As more commercial actors gain access to Space through retail vendors, they can provide a diversity of services in the Space sector, increasing the extent and scale of activity in this domain. The successful accomplishment of NASA’s SpaceX Demo-2 mission recently made history by proving that space exploration is no longer limited to the government agencies of affluent space-faring nations and their scholastic affiliates. Not only will NASA no longer need to rely solely on Russia’s Roscosmos to haul its astronauts to the (ISS) International Space Station — saving $30 million on each astronaut for every trip, but SpaceX’s Crew Dragon spacecraft will become the first certified commercial launch vehicle for active human space transport. But this change of spaceflight from a public venture to a retail industry raised questions about regulating the activities of private entities in Space. The attack surface is growing rampantly larger as more spacecraft connect with ground-based users and assets. But poor implementation of cybersecurity best practices by all companies operating in Space constitute risks. It is also critical to note that the first country to have put a man on moon was so cautious of being hacked in the future that for the longest time the whole code for the Lunar Mission was kept on hardbound paper and not on any storage device and even later the code was stored in bits and pieces and under heavily encrypted security systems, it is also interesting to note that the nuclear launch mechanism of USA has been still based on the analogue systems in order to prevent any hindrance from any digital sphere tool or ant supercomputer.
Vulnerabilities to infrastructure and space systems vary across potential attack surfaces. Spacecraft could be prone to command intrusions (giving wrong instructions to wreck or manipulate basic controls) and denial of service (sending way too much traffic to overwhelm systems). Malware could be utilized to infect ground-based systems like centers for satellite control and links. Users between the two and spacecraft could be feigned (disguising communication from an unreliable source as a reliable one) or suffer from replay (interrupting or delaying transmission by malicious actors). The four main segments of space infrastructure need to be hardened against cyber attacks. It might be easy to disregard the dangers posed by vulnerabilities to space assets located hundreds or even thousands of miles away on an individual level. Our inability to avoid such interference could be catastrophic. For instance, take GPS, a technology whose accuracy is often taken for granted. All it needs is the production of a relatively cheap spoofer, and an attacker can control and command the uplink signal to a satellite. Suppose the downlink from a satellite is spoofed. In that case, false data can be administered into a target’s communications systems, deceiving the receiver — GPS — into calculating a wrong position.
These kinds of attacks will plausibly remain posed by nation-state actors in the near term. Still, as more communications capabilities go online via Space, the actors could grow into well-resourced non-state actors, e.g., criminal groups seeking financial gain.
How should policymakers address them?
Policymakers need not look far to gauge the evolution of cyber threats against space assets. Finding the proper balance of mitigating risk with knowing what an acceptable risk is. Mitigating the current threat landscape, both in the cyber and Space sector, will require a better understanding of the challenges and difficulties that are paired with the rapid growth of commercial development and innovation, such as modern communications, broadband, and communications — which are separate and different from the challenges represented by human spaceflight. The rich history of ground-based critical infrastructure protection against cyber-attack will be helpful. The Space Information Sharing and Analysis Center, or ISAC, is part of that network created because of nation-state reconnaissance hacking sharing data and lessons learned in real-time. Empowering SAC will be critical. The Space Policy Directive 5 offer’s the US Government’s extensive principles of cybersecurity policy for Space. While it mandates nothing, establishing guidelines is a critical step forward, something adopted by ISRO. There are many space cybersecurity standards and a few regulations, including the National Security Systems’ committee on information assurance norms for commercial satellites that carry classified or otherwise sensitive data. Given what is there and observed with government regulation of present critical infrastructures, regulatory action will similarly be gradual to move to warrant effective responses to space-based cyberthreats. The National Oceanic and Atmospheric Administration manages to license commercial remote sensing satellite systems, including information assurance requirements. But there needs to be a framework expanded to all four sections identified by the Aerospace Corporation.
We need to look beyond historical deterrence strategies and develop creative and innovative threat solutions. This will require a regulatory approach that prioritizes industry-led and directed standards, especially in collaborating across sectors, sharing information, and assessing what is acceptable versus non-negotiable risk. Global essential systems depend on it. The Outer space sector is evolving rapidly, and with each new advancement, it is getting more vulnerable to potential hostilities, including cyber threats. It is high time for academic institutions, Civil society organizations, and the government to cooperate and formulate effective strategies to mitigate the upcoming issues. Further, international cooperation and partnership with both traditional and non-traditional allies — including states and international space supply chain stakeholders — to create sustainable norm frameworks will be crucial to mitigating risk in the long term.
Author – Shrey Madaan, Research Associate – CyberPeace Foundation