In 2011 a draft report to the US Congress stated that at least two US environment-monitoring satellites had suffered interference four or more times in 2007 and 2008. A Landsat-7 Earth observation satellite built by NASA and managed by the US Geological Survey experienced 12 or more minutes of interference in October 2007 and July 2008. A NASA-managed Terra AM-1 Earth-observation satellite suffered similar interference for two minutes or more on a single day in June 2008, and at least nine minutes on one day in October 2008. And the US National Oceanographic and Atmospheric Administration reported that its Satellite Data Information System was taken offline in September 2014 after a serious hacking incident, denying high volumes of data to weather forecasting agencies around the world for 48 hours.
This is not futuristic science fiction—it is real and it is happening right now.
Satellites that orbit the Earth form the exoskeleton of the world’s critical infrastructure. Global communications, air transport, maritime trade, financial services, weather and environmental monitoring, and defense systems all depend on an expansive network of satellites in space. As the September 2014 cyber attack on the US weather system starkly demonstrated, the strategic space-based assets of America and other nations have serious cyber vulnerabilities. In the maritime arena too, space-based monitoring systems are regularly being jammed or spoofed by vessel operators entering false information in order to disguise their illicit activities.
The vulnerability of satellites, their ground stations, and other space assets to cyber attack is often overlooked in wider discussions of cyber threats to critical national infrastructure. Yet just as with other digital networked systems, satellites are vulnerable to cyber attacks that include data theft, jamming, spoofing, and satellite hijacking. All of these present serious risks for societies and critical infrastructures, and analyzing the intersection between cyber security and space security is essential to understanding this evolving problem. So too is the need for an ogranized global effort to confront these threats. Despite some progress at the United Nations and elsewhere, there is currently no international body dedicated to the issue of cyber security in space. Establishing such a multi-stakeholder regime, with the aim of assessing risks and promoting best practices, would begin to close this critical gap.
The nature of the threat. Cyber risks for space-based systems take many forms. While one attack might involve the jamming, spoofing, or hacking of communications or navigational networks, another might target or hijack control systems or specific electronics for missions, shutting down satellites, altering their orbits, or “grilling” their solar cells through deliberate exposure to damaging radiation. Still another might strike at satellite control centers on the ground.
As in other areas of cyber conflict, players and motivations abound. States or non-state armed groups could use such attacks to create military advantages in space prior to or during a war. Government agencies or corporations with sufficient computing power to crack encryption codes could use cyber attacks on satellite systems to steal strategic quantities of intellectual property. Well-resourced criminal organizations could steal significant amounts of cash. Groups or even governments could initiate catastrophic levels of satellite run-ins with space debris, perhaps even causing a cascade of collisions—called the Kessler Effect—that could deny everyone the use of space for the foreseeable future. Even individual hackers who simply want to show off their skills could create inadvertent mayhem.
Perhaps the most worrying vulnerabilities involve satellite-enabled navigational systems. Many such systems have been developed, from Europe (notably the new Galileo system) to Asia, but the most ubiquitous is the US global-positioning system commonly known as GPS. Much of the world’s infrastructure relies on this system, yet it was not originally intended for civilian use, and therefore not designed with security in mind. A successful spoofing cyber attack could introduce erroneous timing signals, which are used for determining precise locations. Aimed at a power grid, this type of manipulation could potentially trigger catastrophic overloads, leading to cascading equipment failures and even major blackouts. Spoofers could also target banks and stock exchanges by manipulating automated time-stamps on transactions. Earlier this year, when 15 satellites accidentally broadcast signals that were inaccurate by 13 microseconds, telecom companies using Chronos GPS services were hit with 12 hours of thousands of system errors.
The threat to military technology looms large as well. Not enough attention has been paid, at least not in the open literature, to the increasing vulnerability of space-based assets, ground stations, and associated command-and-control systems. Cyber attacks on satellites have the potential to undermine the integrity of strategic-weapons systems and destabilize deterrence relationships. And in the event of a military crisis, the potential for cyber attacks could cast doubt on intelligence and increase the risk of misperception, not to mention threaten missile systems, both strategic and tactical, which rely on satellites and the space infrastructure for navigation and targeting, command and control, operational monitoring, and other functions. Because cyber technologies are within the grasp of most states and non-state actors, they level the strategic field and create hitherto unparalleled opportunities for small belligerent governments or terrorist groups to instigate high-impact attacks.
Your smart fridge isn’t helping. As satellites and satellite constellations continue to grow in number—a very good thing in terms of human connectedness, scientific research, and space exploration—so do entry points and communications pathways for cyber attacks, the so-called Internet of Things (or, as we now like to think of it, Gadgnet) that has sprung up due to our love of digital devices. Yet cyber defenses have failed to keep up with this growth, mostly due to the high cost of (optional) built-in security in a world of smaller and cheaper satellites, even though this is ultimately the most cost-effective and sustainable approach to cyber safety in space.
The international supply chain of satellite components, with the associated uncertainties about provenance and standards of production, along with back-door holes in encryption, is increasingly hard to regulate. The costs associated with cyber security, in both software and hardware, are rising, and in low-cost space missions where the commercial price of implementing security measures rivals the value of the mission, the temptation to neglect them and hope for the best is high. In the rush to get products to market, designers and manufacturers often skip or pay only passing attention to important security controls. This is already causing immense concern for machine designers, manufacturers, and insurance companies. Indeed, the October 2016 Dyn attack that resulted in denial-of-service strikes on major websites such as Twitter, Spotify, and Reddit appears to have harnessed botnets on personal computers through poorly secured home devices connected to each other and the outside world through wireless routers.
Reducing risks, building resilience. The 2011 US International Strategy for Cyberspace stressed that international approaches and cooperation are needed in order to address and mitigate the full range of cyber threats to military systems, and indeed international cooperation will be crucial in any response to space-based cyber threats, both military and civilian.
Currently there are a number of frameworks and agreements for addressing issues of peace and security in space, yet there’s no global organization designed to focus to cyber security there. Recent progress has been made in the Wassenaar Arrangement, in the 2015 cyber agreement between the United States and China, and in two UN processes, the Group of Governmental Experts on Transparency and Confidence-building Measures in Outer Space Activities and the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. In addition, space and cyber guidelines are currently being discussed within the UN’s Committee on Peaceful Uses of Outer Space to protect “foreign space objects” from “unauthorized access to their on-board hardware and software” and to “ensure the safety and security of terrestrial infrastructure that supports the operation of orbital systems and respect the security of foreign space-related terrestrial and information infrastructures.”
The best opportunity for developing a comprehensive response to the threat across the entire space sector would be the development of an international, multi-stakeholder regime that would include industry, governmental, international, and nongovernmental organizations focused on cyber security in space. Government-led approaches are likely to be too slow in developing security capabilities for the private sector, whereas an approach based on industry-led standards, particularly on collaboration, risk assessments, knowledge exchange, and innovation, will be more likely to ensure agility and effective responses.
An international “coalition of the willing” should be formed to act as a focal point for good practice on this critical issue. This like-minded, multi-stakeholder group would be tasked with concentrating on risk-management approaches to cyber security in space, and the formulation of industry-led standards for appropriate responses to the threat. The group, which could grow over time to become more inclusive, would identify actions that can develop the skills, knowledge, and collaborative mechanisms needed to catalyze greater resilience in the international space infrastructure.
The international challenge of cyber security in outer space requires a radical, innovative approach and should be regarded as a strategic opportunity to enhance the performance of space assets, increase cyber security for critical infrastructure, provide safer networked communities, and improve life for millions of people.
Editor’s note: This article was adapted by the authors from their recent paper for the London-based think tank Chatham House, “Space, the Final Frontier for Cybersecurity?”
The Bulletin elevates expert voices above the noise. But as an independent nonprofit organization, our operations depend on the support of readers like you. Help us continue to deliver quality journalism that holds leaders accountable. Your support of our work at any level is important. In return, we promise our coverage will be understandable, influential, vigilant, solution-oriented, and fair-minded. Together we can make a difference.