Space hacking risks pose cyber policy test for Biden admin

The White House won’t be defining the space industry as critical infrastructure, despite mounting pressure from business and lawmakers. README explains why.

The Biden administration has no plans to designate space systems as a new critical national industrial sector, despite the economy’s increasing reliance on space-based capabilities like GPS and growing concerns about possible cyberattacks on satellites that could shut down U.S. businesses and cripple its military.

Speaking at a recent satellite industry event, White House National Cyber Director Chris Inglis poured cold water on the idea of adding space to the list of 16 vital industries the U.S. government has maintained since the 1990s.

“I don’t think so,” he said in response to a question on whether space would be designated as the 17th official critical infrastructure (CI) sector.

He said the administration would instead seek to address the protection of space assets through a new policy approach, adding that the decision on designating space was not his alone to make.

“Risk does not neatly align to sector boundaries,” Inglis told README later by email. “So we’re going to walk, not so much away from the critical sectors, but towards this idea that what we’re really interested in is the threats that cut across those.”

At stake is more than just semantics: Federal agencies have special mechanisms to pass on intelligence warnings about hackers and terrorist threats to industry leaders in the 16 CI sectors, and develop plans to coordinate with them during natural disasters and other emergencies.

For more than two years, space industry executives — through the Space Information Sharing and Analysis Center (Space-ISAC) and other industry forums — have been pressing to join that exclusive CI club.

“If we view space systems as critical to national and economic security, competitiveness and global commitments, we should protect the security and resilience of those systems and a critical infrastructure designation is one possible tool to meet that challenge,” Space-ISAC Executive Director Erin Miller told README by email.

“The protection of our space systems is vital to our national interests,” she said. “When President Biden or any future president communicates the list of infrastructures that should be protected, space systems ought to be on that list.”

But README’s reporting strongly suggests that Biden won’t update the Obama-era presidential directive that lays out the 16 sectors.

“The administration has not taken a position on designating space systems … as a critical infrastructure sector or subsector,” a spokesperson for the White House National Security Council told README. He noted that “portions of space systems are already encompassed in one or more of the currently designated critical infrastructure sectors,” like communications, which includes “terrestrial, satellite, and wireless transmission systems,” according to the Department of Homeland Security.

“Juicy targets”

In recent years, America’s military leaders have warned in increasingly strident tones about the threat to U.S. space assets from Russia and China. Gen. John Hyten, vice chairman of the Joint Chiefs of Staff, has referred to military satellite constellations as “big, fat, juicy targets.”

Last year, Lt. Gen. Stephen Whiting, now in charge of Space Operations Command, predicted those targets would most likely be attacked online, Breaking Defense reported. “We know that cyberattack is where we are most likely to face the enemy in space,” he said. Experts consider cyberattacks the most likely kind of military strike against satellites, because they are much lower cost and typically reversible in their effects, compared to kinetic weapons.

And as the U.S. military integrates commercial satellite providers into its communications and surveillance architectures, those private sector systems are also liable to be attacked, experts say.

The IT systems of the companies manufacturing, launching and operating those satellites remain, for the most part, woefully insecure, according to two space industry executives.

“Inadequate cybersecurity requirements and governance have led to a variety of major cybersecurity vulnerabilities throughout space system infrastructure,” warned Edward Swallow of the Civil Systems Group and Sam Visner of MITRE Corp., founding members of the Space-ISAC. Those vulnerabilities include “insider threats, supply chain vulnerabilities, communications cryptography, cyber best practices for ground systems, and diminished situational awareness,” the executives added in a recent op-ed.

On Capitol Hill, there’s even a House bill — H.R. 3713, the Space Infrastructure Act — that would direct the homeland security secretary to “designate space systems, services, and technology as a critical infrastructure sector.” The bill has been referred to the Science, Space and Technology Committee, and its fate is unclear.

A NASA suborbital rocket launches from the agency’s Wallops Flight Facility in Virginia. NASA Goddard Space Flight Center/Flickr

A new approach

The list of 16 critical sectors “served us well” as a way to engage with industry, Inglis told an audience of satellite industry security executives and specialists at CyberSatGov on Oct. 6. But a sector-based approach “leads us to a false conclusion,” he added — the idea that each sector could be defended separately from the others. It was an illusion to think “that we can get one of those right in the absence of [getting] the other 15 right,” he said.

He pointed out the most important threats — extreme weather events or mass-effect terror attacks, for example — almost always involve impacts across multiple sectors.

That’s why the administration is developing a new approach based on the idea of functions rather than infrastructure, Inglis explained — one that focuses on the inter-reliant nature of U.S. industries.

“You want to know what it takes to run an economy in the United States? It requires telecommunications; requires financial systems to support that; requires water systems because those underpin the energy system, so on and so forth,” he said. “So you have to actually think about what are the critical activities that cut across those sectors.”

Given that approach, designating space as the 17th CI sector doesn’t make sense, Inglis said. “We’re therefore less likely to define a new critical sector than we are to say, what are its implications for the critical functions that we’ve got?”

Visner, a founding board member of the Space-ISAC who clarified he was speaking only for himself, said “the question of whether you designate space as a CI sector is less important than the question of what you are doing to secure U.S. interests in space.

“That could include designation, but it could include other governmental leadership as well” like a risk-based critical functions approach, he added.

“What you need to avoid,” Visner said, “is trying to simply defer the issue to one of the existing sectors.” Space, he pointed out, has “too many unique missions” to make that workable.

“Space systems are critical for more than just communications,” he said. There is earth observation, weather forecasting, Internet-of-Things management for agriculture and industry. Moreover, any policy would need to account for “the associated services and supporting industries,” like launch companies, ground station management and satellite manufacturing, according to Visner.

Miller said the Space-ISAC would continue to push for designation, even while working with the administration on practical ways to secure space assets.

“We will press forward,” she said. “This designation is useful for a formal organized response to incidents of compromise … but it is not required for Space-ISAC to continue to make progress organizing US government agencies and the private sector to conduct information sharing using our threat intel platform and Watch Center, opening in 2022.”

She added that risk management and functions-based approaches would work better alongside a CI designation.

National Critical Functions

The Cybersecurity and Infrastructure Security Agency, the DHS element responsible for protecting critical infrastructure, defines 55 National Critical Functions, in four groups:

  • Connect, which includes nine functions like “Operate Core Network,” “Provide Internet Routing, Access, and Connection Services” and “Provide Satellite Access Network Services.”
  • Distribute, which encompasses another nine, from “Distribute Electricity” to “Transport Cargo and Passengers” by rail, air, road and vessel.
  • Manage, which features 24 functions ranging from the governmental, such as “Conduct Elections,” “Educate and Train,” and “Enforce law;” to “Provide Medical Care” and “Provide Insurance Services.”
  • Supply, which covers the final 13 functions, including “Generate Electricity,” “Supply Water,” and “Produce and Provide Agricultural Products and Services.”

A functions-based approach helps prioritize protection, Inglis said.

“Whether it’s 25, or 155 [National Critical Functions]… We’re not going to be able to defend everything and every critical sector, acting as if they’re all of equal value,” he said.

CISA Director Jen Easterly said at a think tank event in Washington last week that authorities should zero in on what she called PSIEs — primary systemically important entities.

She said PSIEs — pronounced PIE-sees — would be identified by CISA’s National Risk Management Center “based on economic centrality, network centrality, and logical dominance in the National Critical Functions.

“All the sectors are connected, so we have to look at these from a cross-sectoral critical functions perspective,” she added.

From that point of view, space becomes more critical than ever, according to Ron Keen, a senior advisor at CISA. Last year, he was part of a review process looking at how many National Critical Functions (NCFs) depend on space, he said at another CyberSatGov panel.

“In the end, when we got done, all 55 National Critical Functions have direct dependency in one way or another on space based assets, though the level of that dependency can range depending on the NCF itself,” said Keen. “In that brief examination, we noted only two other sectors, energy and communications, seem to have the same criticality to [all of] the NCFs.”

Worse still, Keen said, a “napkin analysis” — where officials looked at the dependencies of space-based assets — found a “spider web” of inter-dependencies. Taking out a single space asset “in one very easy scenario” could impact up to 25 other functions, Keen said. “It gets very complex very quickly,” he said of the spiraling effects of attacks on space infrastructure.

The DHS press office did not respond to requests for an interview with Keen.

Continuity in space policy

The Biden administration is following the lead of its predecessor in deciding not to designate space systems as critical.

“One of the best things about my job was that space policy has strong bipartisan or rather non-partisan elements,” said Scott Pace, who worked in the Trump White House as executive secretary of the National Space Council — revived by the last administration after a two-dozen year hiatus and continued by Biden.

Pace told README that much of the policy architecture for space he helped to build in the Trump White House has survived the change of administrations.

“We involved multiple stakeholders [in policy development] and I’m confident that policies we produced are relatively stable,” he said.

Pace, who now directs the Space Policy Institute at George Washington University, said calls for space systems to be labeled as a new CI sector came up “periodically” during his tenure.

“Some people argued for the whole [space systems] sector to be designated,” he said, noting that many key space assets were already included in the communications CI sector. “We didn’t go in that direction and that was the right decision,” he said.

“There are components of space [infrastructure] that are CI, but not everything, by virtue of being in space, is critical,” Pace said. The emergent space tourism market, or even the International Space Station, couldn’t be properly described as critical, he said.

“Space-based capabilities are essential for multiple CI sectors, and we decided that designation wouldn’t really change anything and might actually confuse matters,” he said.

The functions-based approach originated under the Trump administration, he recalled. “We were more comfortable with that DHS approach,” Pace said.

A new policy is all very well, one space industry executive told README, requesting anonymity to speak candidly on government policy — but the real task is rewriting federal emergency response plans to reflect the new approach.

“When you have a bad day in space, who do you call? That’s the question,” the executive said.