WASHINGTON: A new Trump Administration policy on space cybersecurity does not mandate any regulatory changes but does put pressure on commercial operators eyeing 5G communications to beef up their satellite networks against jamming and spoofing.
“It should be a wakeup call for those who haven’t really considered space cyber matters in detail,” said one industry expert heavily involved in government-industry consultations in crafting Space Policy Directive-5 (SPD-5), released by the White House on Friday.
DoD is rushing to integrate 5G communications at bases and to figure out how to exploit the coming space-based Internet for future all-domain operations. And while the Pentagon already requires that all contracted satellite operators encrypt their data links to ground stations using NSA-approved methods, it is eyeing how to expand its access to bandwidth by relying on commercial providers.
For example, SpaceX’s Starlink satellites is playing a big role the Air Force’s “on-ramp” demonstrations of its evolving Advanced Battle Management System (ABMS), the second of which was held last week.
“There are occasionally discussions of things that you can do relative to the Internet — direct connection from the Internet to a spacecraft is one of those practices and probably seems unwise. Because something is technically possible doesn’t mean that we should do it,” one senior administration official told reporters in a late Friday background briefing on SPD-5.
He added that “space is not separate from” the Internet, and that growing cybersecurity threats and the growing importance of space to critical infrastructure — with GPS in particular ever more integrated into many economic sectors — mean more prudence is necessary.
“We can do a better job of what things we do going on into the future. And we can try to be careful with the things that are out there now,” he said.
As Breaking D readers know, many in the traditional space community have been worried about the scramble by newer space operators — including SpaceX, as well as others such as OneWeb and Amazon — to catch the 5G wave and integrate their satellite operations into the Internet of Things (IoT). But not only the newbies are pursing 5G networking, since IoT connectivity is expected to explode over the next few years and satcom providers want to stay competitive vice their terrestrial wireless competition.
SPD-5 shines a focus on what is known as “positive control” of spacecraft and systems — meaning that they have ways to ensure that hackers do not take over their satellites. This is particularly important for those operators who are relying heavily on autonomous operational capabilities, where a person may not be monitoring satellite functions and movements 24/7.
“Space system owners and operators should develop and implement cybersecurity plans for their space systems that incorporate capabilities to ensure operators or automated control center systems can retain or recover positive control of space vehicles. These plans should also ensure the ability to verify the integrity, confidentiality, and availability of critical functions and the missions, services, and data they enable and provide,” the policy says.
It recommends that operators, at a minimum, should adopt “appropriate cybersecurity hygiene practices, physical security for automated information systems, and intrusion detection methodologies for system elements such as information systems, antennas, terminals, receivers, routers, associated local and wide area networks, and power supplies.”
SPD-5’s does not fill regulatory gaps left by Department of Commerce and the Federal Communications Commission in recent rule revisions on remote sensing and communications satellites that worry many in industry. Nonetheless, it has been welcomed as top-level support for public-private efforts to ensure better satellite cybersecurity.
“I applaud the Presidential-level focus and leadership recognizing the importance of establishing and promulgating risk- based space cybersecurity principles aligned to address the expected threats to the unique operational environment of space,” Andrew D’Uva, president of Providence Access Company and US industry chair of the Space Force/National Security Agency’s Commercial Space INFOSEC Working Group (CSIWG), told me in an email today.
“Rather than imposing specific requirements, SPD-5 affords all government stakeholders a policy framework to implement prudent practices to enhance resilience, including specific efforts to work with the commercial space sector overall and promote information sharing. That’s an improvement from the status quo,” he said.
Neither does it weaken current national security rules for cybersecurity, D’Uva stressed.
“For critical environments, e.g., commercial satellite communications support of national security space missions, well-established, more stringent requirements and collaboration mechanisms will continue to apply – SPD-5 doesn’t relax those essential protections one bit,” he said.
Another senior administration official on Friday said that one of the key tools for expanding public-private space cybersecurity efforts is the Critical infrastructure Partnership Advisory Council (CIPAC). This, he explained, is “a mechanism to facilitate interaction between government entities and representatives from the critical infrastructure communities.”
There are 16 sectors deemed “critical infrastructure” by the USG, and a number include space-related industries. Various government agencies interact via the partnership with those sectors on cybersecurity, including DoD, Commerce, NASA, the Department of Homeland Security and NASA, the official said.
The officials said that the Space Information and Analysis Sharing Center (Space-ISAC), an industry-led group that works with government agencies, is another important vector for implementation of SPD-5. As I reported in December, the National Security Council has made supporting the Space-ISAC a key priority.
“The release of SPD 5 is clearly aligned, apparently deliberately so, with the Space ISAC mission of collaboration and engagement among industry and government to avoid onerous regulations yet achieve cyber security for critical space systems. Space ISAC is ideally situated to be the convening entity that will help the space industry execute on the vision set forth in the SPD for industry wide collaboration to avoid directive regulations, and to enable the industry to continue to innovate,” Edward Swallow, senior vice president Civil Systems Group at The Aerospace Corporation and member of the Space ISAC Board, said in an email today.