Space Force Official Col. Krolikowski Examines the Cybersecurity Mindset
Ahead of CyberSatGov, Col. Jennifer Krolikowski, director of the Chief Information Office (CIO) for Space Systems Command, talks about the current geopolitical environment, cybersecurity challenges and how the U.S. Space Force aims to stay one step ahead of adversaries. September 27th, 2022Space assets play a vital role in modern warfare and keeping them secure is a priority. For the U.S. government and the Space Force, this is a key challenge as it looks to not only invest in capability, but make sure when it uses space assets are secure, whether they are government-owned or commercial.
Space Force Col. Jennifer Krolikowski, director of the Chief Information Office (CIO) for Space Systems Command, will be one of the speakers on the classified program at the CyberSatGov event in November. Ahead of CyberSatGov, Krolikowski talks about the current geopolitical environment, cybersecurity challenges and how the U.S. Space Force aims to stay one step ahead of adversaries.
VIA SATELLITE: Russia’s invasion of Ukraine has put space cybersecurity more in the spotlight, particularly in light of the hack of Viasat equipment. Do you expect an escalation in attacks on space-based assets? Are we entering a new era in terms of space and cyber?
Krolikowski: I’m not sure if it’s as much as we’re in a new era, but more being in a prolific era of cyber attacks and people trying to exploit vulnerabilities that we may have. I can see an increase in those trying to take advantage of the ultimate high ground space offers. It is something we have always been tracking as a possibility. We’ve seen it be a bit more prolific these days, so there’s a heightened focus when it comes to our security posturing and how we are working to counter those types of threats.
VIA SATELLITE: This year, we have seen incidents involving Viasat and Starlink. Does this raise any concerns when it comes to working with the commercial satellite industry?
Krolikowski: It gives a signal to the commercial community about the importance of security. We have been banging the drum about the importance and this just helps reinforce to the commercial satellite industry our cybersecurity concerns. Our mindset needs to shift to where we build it in right from the start so that security is a part of the design, not something bolted on later. Bottom line, we need to ensure we have a sufficient cyber posture, with a solution that can flex as the threat changes, so we can use the capability in whatever contingencies we might be looking at.
VIA SATELLITE: How do you see the balance between commercial space assets versus government-owned systems? Is the dynamic changing?
Krolikowski: I believe in ‘buy before build’ for as many cases as we possibly can. If commercial space is readily available, secure enough, and can meet our use cases and outcomes, then it doesn’t make a lot of sense why we wouldn’t use these products and technologies. Commercial can help us accelerate getting to those outcomes versus our taking years to build the same thing. In a lot of cases, commercial already has the capabilities in place, the infrastructure in place, and the maintenance and services there for us to digest and use. I do think there is still a place for government systems, but we can leverage commercial now and learn what to build on the government side to fill any gaps there may be.
VIA SATELLITE: How important will Low-Earth Orbit (LEO) satellites be for the U.S. Space Force going forward? The whole satellite world seems to be moving toward Non-Geostationary Orbit (NGSO). Is this the future?
Krolikowski: I think people are appreciating the resiliency you can get out of LEO, or maybe the self-healing that can occur when meshing the large numbers of satellites you have to provide coverage and capability. I think there is a lot of goodness there. I tend to focus a lot more on the outcomes and capabilities we are trying to provide, and let's go after the architecture that makes the most sense to achieve those outcomes. So, whether that is LEO or GEO, or a combination, I would go back to ‘What is the problem we are looking to solve?’ and ‘What is the best way to accomplish that solution?’
VIA SATELLITE: Do you have more security concerns with LEO satellites compared to traditional GEO satellites?
Krolikowski: I don’t think it is a case of more or less concern, but that it is a different type of concern. Each orbit has its own risk areas and threats. We need to be mindful of what can take them out given their orbit and account for that when designing and building the constellation.
VIA SATELLITE: How would you characterize the Space Force’s approach towards LEO and working with megaconstellations going forward?
Krolikowski: There is a two-fold to that. Part of it is understanding the domain from an awareness perspective, how it’s behaving, and making sure our assets are staying safe in their orbits. This is something we are very keenly into and working with a lot of those companies, like SpaceX, to maintain awareness in order to keep our satellites safe from conjunctions. The domain awareness piece is something we are very keyed in on. From a capability perspective, that is something we are very much looking at in terms of design. Capabilities need to be delivered in the most effective manner. We are gaining a lot of insight into these megaconstellations — their resiliency, how they communicate with each other, and their speed with launch. That has a lot of goodness. There is more to come as we are shaping what our future looks like through the force design. I see it as a very promising ground for learning and changing some of the old ways we have done things as we continue to use the domain.
VIA SATELLITE: At CyberLEO earlier this year, you talked about offering a non-attributable cybersecurity supply chain and vulnerability scanning services to commercial services and government agencies. What does that look like now? Are you looking to launch other initiatives?
Krolikowski: We still have that initiative out there. Some of it is just a matter of letting companies know that this is a service that is available for people to take advantage of. We have already had a few companies reach out as a result of discussions at CyberLEO. Those initial engagements have started, and we have provided them with recommendations for them to take. For me, it’s about raising our security postures writ large. It’s not meant to be a negative or poke at anything. We are always looking at supply chain as one of the key areas for how we eliminate potential weaknesses. We have to use that information to inform our acquisitions going forward. We encourage companies to eliminate vulnerabilities we might be seeing, or at least show how they are mitigating the risk. Ultimately, I believe in trying to level up the United States industrial base in securing their posture. Whatever we can do to help bring that awareness and ability to address and remediate those vulnerabilities is just goodness for the entirety of the country, even beyond just the military sector.
VIA SATELLITE: If there is one thing you would like from the commercial satellite industry that it does not currently offer, what would it be and why?
Krolikowski: I have been thinking about this a lot. I do appreciate how difficult it can be to work with the government and to ingest tech. I see a lot of really great technology out there and a lot of great ways to get after problems. I think the biggest thing I struggle with is pulling it together, in an integrated way, so that we can take advantage of these niche solutions and include it in the broader ecosystem we are growing. How do we all come together to take advantage of ever changing tech? We need to have flexibility in the architecture, with tech that is containerized, so we can pop these amazing solutions in and out of the ecosystem as tech evolves or the threat changes. I would love to see how we can help bring a lot of these innovative solutions together in a way that takes advantage of the ingenuity.
VIA SATELLITE: Last year at CyberSatGov, Nicolas Chaillan, the former chief software officer of the U.S. Air Force stated ‘We must embrace modern software design practices like agile and DevSecOps if America’s space efforts are to remain ahead of foreign competitors like China’ and that ‘Many of the traditional national security satellite providers are stuck in a Department of Defense (DoD) ecosystem that is burdened by enormous technical debt, and unable to move at the speed of relevance.’ Do you agree with this?
Krolikowski: I don’t know if it is just the industrial base to blame. I think there is an amount to be placed on the government side as well. We each have a share in that, and how we go forward, and how we frame our problems so we get the right solutions for our warfighters. I agree that in a lot of cases we do lack flexibility. We can be focused on one, single problem that produces a static solution versus accounting for how we maintain flexibility and a dynamic solution that can extend out to solve problems we don’t know about or the things changing around us. Flexibility allows you to better overcome tech debt. When I look for a solution to a problem or come up with a design, I like to assume I’m 100 percent wrong, not that I’m 100 percent right. If I have a tendency to assume I’m 100 percent right, I will be more likely resistant to making changes to that design, and will have subsequently accrued a ton of tech debt by the time I am willing to admit I was wrong. Having flexibility in a system allows me to work towards getting to be “more right” in light of the fact I was 100 percent wrong to start with.
Having more of those dialogues and partnerships where the government is proactive and more actively involved in an acquisition versus us just throwing things over the fence and watching is the only way we can also shift the culture on industry’s side as well. Then on the contractor side, they need to be incentivized to actually deliver something so we can do that iteration to get to more right. I am all about focusing on delivery and user acceptance, and I think in some cases we lose sight of that in how we have done business in the past.
VIA SATELLITE: Ahead of CyberSatGov, what would you say is your key message to the commercial satellite industry this year?
Krolikowski: One of things I’ve been thinking about is the culture around cybersecurity. Specifically, the balance we need to bring between functionality and security, and how we go forward with the conversation between the two so that we can actually deliver systems. Yes, these systems need to be secure, retain availability, and not get hacked or have an issue being taken down. Yes, these systems need to provide as much functionality as possible to meet warfighter needs. But, it can’t be one extreme or the other. We need to be able to bring about an approach that is more balanced, something that allows us to take an acceptable amount of risk and still delivers.
VIA SATELLITE: At CyberLEO, Frank Turner, the head of the SDA called on the industry to solve problems that the government is facing. What do you believe are the key challenges facing the commercial industry when wanting to develop a better relationship with the likes of SDA and Space Force?
Krolikowski: People have some great technology that might be solving a very niche problem or a piece of a problem. We don’t have our contracts set up to ingest that very well. So then, how do we work to get them into partnerships with people that are going after the entirety of a system that is being produced? If we see technology that is promising, how do we ingest that better into the overall architecture that we are trying to go after? From a certification perspective, there are challenges in terms of getting things accredited. There is a lot of work being done on the government side to try to help streamline that.
We want to make sure it’s not cost-prohibitive or a super lengthy process for smaller companies to obtain those certifications. But, without those certs, it makes it harder to ingest that tech at the ‘right now.’ I understand and recognize the challenge. I get companies have to maintain balance in their own investments when you have differing public and private sector risk tolerances. It’s about how much pain they want to take on to address the public sector risk (or the lack of appetite for risk sometimes), versus what the private sector is likely to accept because they are looking at it from a different business case. I don’t have awesome answers for all of those, but these are conversations I’m trying to bring forward so that we can get into a better posture both for the industry side and the government side.
VIA SATELLITE: How are you looking to protect the military’s supply chains from cyber compromise? How will you look to maintain a strong posture with supply chains?
Krolikowski: I am looking for us to be more proactive when it comes to supply chain. Traditionally, what tends to happen is that we hit a milestone and produce a big report in order to pass the acquisition milestone and then we may not look at it again until we hit the next milestone. In between that time, the world could have drastically changed causing a whole host of issues the PM now has to mitigate. One of the things I am looking at is how we get a more continuous monitoring of the supply chain so if anything changes, we can be identified instantaneously and take action if we need to. Keeping a healthy and robust industrial base also helps. So, if an issue does come up, we are able to move from one vendor to another. Hopefully if we’ve containerized the architecture (as much as we can), any switches in vendors are not overly impactful to the broader ecosystem.
VIA SATELLITE: What can we expect to hear from the Space Force over the next year in terms of initiatives and collaboration with the commercial satellite industry?
Krolikowski: It’s crucial to have connectivity and accessibility and enable our workforce to be able to do work, be it for an acquisition mission or operational mission. It’s something we have not always had huge investments or focus in but something we need to get after sooner rather than later. We will have issues as our adversaries become more on par with us. We need to have that connectivity anywhere, anytime, with anyone we need to work with to further our missions. I definitely see focus there. If I could predict the future, I would love to be able to say exactly what we need to build, but these things are very difficult to predict and we are usually pretty bad at making accurate predictions when we do. Ultimately, we need the ability to be flexible. Anything we put forward, I will always push modularity or containerization so we can be flexible in the architecture. Security will be very high on the list as an integral part of the design work, not as a bolt on. VS