The views expressed by contributors are their own and not the view of The Hill

Space race needs better cybersecurity 

Things are heating up in space in more ways than one. Recently, Russia conducted an anti-satellite (ASAT) test and launched a missile at one of its old spy satellites. The explosion hurtled debris through space, forcing the crew of the International Space Station to take shelter in a spacecraft for protection. ASAT tests are a growing threat to satellites, but they’re not the only threat. Gen. David Thompson of U.S. Space Force told The Washington Post that Russia and China are launching attacks on U.S. satellites every day — using digital attacks, lasers, and radio frequency jamming.

The rise in satellites, rockets and shuttles is creating an expanded attack surface. Just like transportation, energy, and other vital industries, space systems need protection. And while we probably won’t see civilians launching into space anytime soon, Blue Origin and Virgin Galactic are making such travel more feasible by the day. A proposed bill in the U.S. House of Representatives — the Space Infrastructure Act — would designate space as a critical infrastructure sector. It would be a good first step.

Given how much equipment is in space and how dependent we are on it, it makes sense to classify it as critical infrastructure. There are more than 6,500 satellites in orbit; a record 1,283 launched in 2020 alone. They are integral to cellular communications, Global Positioning System (GPS) navigation, monitoring weather and climate, managing Internet of Things systems for agriculture, and keeping energy and other critical infrastructure running. And this infrastructure is disconcertingly fragile.

Outages have widespread, cascading, and potentially catastrophic consequences. One disabled satellite can affect vast networks on earth, leaving regions without cellular and other services. This makes them attractive targets for malicious attackers. The risk is so great that the director of the Defense Department’s Space Development Agency has cited cyber attacks against satellites as a greater threat than missiles.

The threat is not theoretical

Attacks have been going on for many years and have recently ramped up. In 2018, hackers infected U.S. computers that control satellites. Iranian hacking groups tried to trick satellite companies into installing malware in 2019. And one report concluded that Russia has been hacking the global navigation satellite system (GNSS) and sending spoofed navigation data to thousands of ships, throwing them off course. While there haven’t been any public reports of direct hacks on satellites, vulnerabilities in ground stations have been exploited to try to alter satellite flight paths, among other aims.

There are a number of ways satellites can be attacked. Hackers could compromise ground control systems to take control of space equipment remotely or inject malware into communications between terrestrial computers and satellites. They can spoof, or snoop on communications for espionage purposes, or disrupt signals. Imagine a weather data outage during a hurricane or data glitches that lead to power blackouts or supply chain delays. The economic costs would be vast. A cyber attack on the Global Positioning System alone could cost the U.S. $1 billion a day, according to Brian Scott, director of critical infrastructure cybersecurity for the National Security Council.

Federal initiatives are a good starting point

Lawmakers in Washington, D.C., are taking notice of this fast-growing threat. The 2020 National Defense Authorization Act established a new military branch — Space Force. Meanwhile, President Biden is reviewing the first comprehensive cybersecurity policy for space systems, dubbed Space Policy Directive 5. It requires capabilities to prevent jamming and spoofing of communications and unauthorized access of equipment in orbit.

The Space Infrastructure Act, proposed by U.S. Reps. Ted Lieu (D-Calif.) and Ken Calvert (R-Calif.) this summer, is another key measure that would put space on par with other industries by classifying it as a critical infrastructure domain. This move would enable more private and public collaboration on cybersecurity for space assets.

One critical infrastructure sector that has dealt with similar cybersecurity concerns is transportation. Transportation operators that have invested in IT security measures have taken first steps, but efforts are on the rise to bolster proactive risk management that demonstrate a more complete understanding of infrastructure security. Under DHS Secretary Alejandro Mayorkas, the TSA has introduced regulations that urge operators to appoint a cybersecurity coordinator, report incidents to CISA within 24 hours, complete vulnerability assessments within information technology (IT) and operational technology (OT) systems, and develop an incident response plan based on security issues discovered.

Another critical infrastructure that has work to do is the U.S. military. The Government Accountability Office released reports in 2018 and 2021 chiding the DOD for the poor to non-existent cybersecurity protection on its most critical fleet assets, ranging from fighter jets to tanks to aircraft carriers. These systems were never designed with cybersecurity requirements. As these systems have become more networked and interconnected, the DOD has an enormous, latent problem on its hands that it’s only beginning to grapple with.

Other steps to take 

These initiatives addressing cybersecurity in space are important, but more is needed to get ahead of the cybersecurity problems while the market is still relatively nascent.

With SpaceX, Amazon, and others launching new satellites weekly and commercial space travel on the horizon, the stakes will only get higher if we don’t work to secure these systems.

Satellites aren’t just communication equipment; they are infrastructure we rely on to keep our hospitals open, streets lit, internet on, food delivered and emergency systems working. It’s time to make security for these systems a national priority before a disaster strikes.

Josh Lospinoso is an ex-Army sergeant and Oxford-educated cybersecurity expert who is CEO and co-founder of Shift5, which protects planes, trains and tanks from cyber threats.