Add Space to Critical Infrastructure List, House Space Subcommittee Is Told
Outer space should be added to the Department of Homeland Security's list of the nation's 16 critical infrastructure sectors, space cybersecurity experts told House Space Subcommittee members Thursday during a hearing regarding space cybersecurity issues. It's "unquestionable" space qualifies to be on the list alongside communications, dams and financial services, as all 55 critical national functions have some space dependence, said Brandon Bailey, Aerospace Corp. senior project leader-cyber assessments and research. But such a designation without planning could just result in bureaucratic rules that stifle innovation, he said. Theresa Suloway, Mitre space cybersecurity engineer, said there are concerns in the commercial space universe that such a designation would represent a costly regulatory burden.
Pointing to approaches such as the Cybersecurity and Infrastructure Security Agency last year forming a space systems critical infrastructure working group of government and industry representatives to develop strategies for space systems, Subcommittee ranking member Brian Babin, R-Texas, said such a "bottoms-up approach" focused on information sharing rather than prescriptive rules "is the correct path." He said that as part of its oversight, Congress needs to reach out to space operators, launch providers, ground station operators and all their various providers to get input on how lawmakers should approach cybersecurity issues, including a possible critical infrastructure designation.
One of commercial space's most urgent risks is the possibility of a satellite being hijacked and piloted into another, destroying both and removing that orbit or region of space from use due to debris, said Suloway. She said encryption could help protect against the vulnerability to corrupted commands. She said a cyberattacker can be successful regardless of all the preventative steps taken, so ongoing monitoring of space assets is needed. She urged encryption of satellite tracking, telemetry and control links as well as formalizing the government's relationship with the Space Information Sharing and Analysis Center. That formalization would let companies know they are plugging into an appropriate part of the space ecosystem, since there's not one central location for space cyber information, she said.
DOD and civil agencies can fund the cost of security measures on their satellites, but commercial vendors might not have as much latitude, Suloway said. She said commercial entities are wary of pricing themselves out of competition with other operators that might not have such investments in cybersecurity. She said federally sponsored R&D and guides would help the commercial space community adopt cybersecurity tools without a lot of experimentation beforehand on their part.
Disjointed oversight and lack of binding space cyber policy or widely adopted technical policies are all creating space tech vulnerabilities, said Aerospace's Bailey. He said cyber information sharing is insufficient, particularly between DOD and commercial space operations. A lot of cybersecurity efforts "are siloed and fragmented," he said. "There needs to be some breaking down the barriers there." A possible solution would be temporary clearances for individuals, he said. The White House's 2020 cybersecurity space policy directive (see 2009040042) hints that generally accepted cyber principles could be made into binding policy, Bailey said. He said most commercial space operators are already doing what's listed in the directive, but it's not a requirement.
Among cyberthreats, nation-state actors are typically particularly well resourced and motivated to disrupt infrastructure, said Matthew Scholl, National Institute of Standards and Technology chief-computer security division.