To compel satellite operators to better protect their networks from malicious hackers, a new report from CSC 2.0 – the successor to the Cyberspace Solarium Commission – is arguing that space systems should be officially designated as critical infrastructure by the Department of Homeland Security (DHS).
In the new report released on April 14, CSC 2.0 said that designating space systems as critical infrastructure would help close cybersecurity gaps in the growing satellite industry.
In 2013, Presidential Policy Directive-21 designated 16 critical infrastructure sectors “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Yet, while space systems meet this threshold, major portions are not designated by the Federal government as critical infrastructure and do not receive the attention or resources that such a designation would entail, the report says.
Most of today’s space systems were developed under the premise that space was a sanctuary from conflict, but according to the commission, this is no longer the case.
For example, at the start of the Russian invasion of Ukraine, Russian hackers targeted U.S.-based satellite company Viasat to disrupt communications. And just last year, the Cybersecurity and Infrastructure Security Agency found the notorious Russian hacker group Fancy Bear snooping inside U.S. satellite networks.
“The threat from Russia and China is growing. Both those authoritarian powers have placed American and partner space systems in their crosshairs … The United States needs a more concerted and coherent approach to risk management and public-private collaboration regarding space systems infrastructure,” the report states.
In addition, the report points out that other designated critical infrastructure sectors – such as energy and water – rely heavily on space technology for services like controlling remote facilities, timing tech for grid monitoring, and other uses for industrial control systems. That dependence, the report says, makes the need to protect space systems that much more critical.
“Quite simply, space is an indispensable critical infrastructure, and it’s time it should be treated as such. Labels are important to show it’s a priority,” said Brian Harrell, former assistant secretary for infrastructure protection at the DHS. Harrell was one of the more than 30 experts consulted on the report.
“It’s infrastructure on which the United States depends and relies upon. The disruption or destruction of space assets and access would have a debilitating effect on national and economic security that would ripple across the globe … The technologies and capabilities in the space sector are unique and not replicated in other sectors of the economy, so they should be better protected,” he said.
In addition to designating space systems as critical infrastructure, the report recommends that NASA be the sector risk management agency for space systems. For NASA to take on that responsibility, the agency would have to “scale up” to better protect those systems, the report says.
Notably, CSC 2.0 does not recommend giving the space agency a regulatory role, saying that “space systems are already regulated through other rule sets.”
The commission is recommending that Congress provide NASA with an initial investment of $15 million per year with 25 full-time employees to take on any added responsibilities of being a sector risk management agency. The Congressional Research Service should also undergo a legislative review to identify gaps in existing laws, the report notes.
The commission also recommends that there be two subgroups within the new designation, much like the energy sector which includes both electricity and oil and natural gas.
“The Department of Defense would continue its role as the [sector risk management agency] of defense and intelligence systems and the Federal Communications Commission for the space-based communications systems,” the report suggests.
But protecting space systems will require an enhanced model of a public-private partnership with genuinely shared risk management responsibilities, the report says. It recommends that industry should organize the commercial space sectors to “play an instrumental role in governance” and establish a Space Systems Sector Coordinating Council similar to the Electric Sector Coordinating Council, which is made up of industry executives.