It’s Unanimous: Space Already Functions as Critical Infrastructure

Space may not officially be the United States’ 17th critical infrastructure sector. But in practice, experts across government, academia, and industry say it already functions as one — deeply embedded in the systems that power modern life.

From GPS-enabled financial transactions to airline navigation, precision agriculture, emergency response, electric grid synchronization, and military operations, space-based services quietly underpin nearly every other sector formally recognized as critical infrastructure.

“Most people don’t really think about space,” says Bruce McClintock, senior researcher at the RAND Corporation and lead of its Space Enterprise Initiative. “It’s kind of in the background.”

That invisibility is part of the challenge. Space is so seamlessly integrated into daily life that its criticality can be overlooked — until something goes wrong.

Yet as commercial constellations proliferate, cyber threats intensify, and orbital debris mounts, the debate over whether space should be formally designated as critical infrastructure is gaining urgency. Many experts argue the real question is no longer whether space qualifies, but whether policymakers can afford to delay recognition any longer.

A ‘Horizontal Enabler’ Across Every Sector

Unlike energy or transportation, space does not fit neatly into a single vertical category. Instead, it operates as what McClintock calls a “horizontal enabler” — infrastructure that supports all others.

Positioning, navigation, and timing (PNT) signals timestamp financial trades to the millisecond. Satellite communications link rural hospitals, maritime vessels, and disaster response teams. Remote sensing informs crop management, weather forecasting, and supply chain logistics.

Even routine transactions rely on assets in orbit. Swiping a credit card at a gas pump depends on satellite timing synchronization.

Aviation offers one of the clearest examples of systemic reliance. “In the United States, we put a million people in the air safely every day. Those airlines and the OEMs and all the support that goes along with that rely heavily on space technology,” says Clay Mowry, CEO of the American Institute of Aeronautics and Astronautics (AIAA).

Satellites also serve as a resilient backup when hurricanes, wildfires, or cyberattacks disable terrestrial networks. They support national defense, global banking, maritime shipping, precision agriculture, power systems, and climate monitoring.

For Sam Visner, chairman of the Space Information Sharing and Analysis Center (ISAC), that cross-sector dependence is precisely why the designation debate matters.

Visner argues that space capabilities now underpin almost every other critical infrastructure sector—aviation, maritime shipping, precision agriculture, power systems, climate monitoring, and national security—yet space systems have still not been formally designated as a U.S. critical infrastructure sector. He stresses that the traditional, informal “norms” that once kept many space systems relatively safe no longer apply as space and cyber become tightly interdependent and commercial constellations dramatically expand the attack surface.

The United States formally recognizes 16 critical infrastructure sectors. The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency under the Department of Homeland Security (DHS), designates the critical infrastructure sectors, which include communications, defense industrial base, and food and agriculture.

While space is not officially designated as CI, “space-based assets are part of the nation’s

critical infrastructure and are increasingly integrated into daily life, from national security to finance, education, and communications,” explains Steve Casapulla, executive assistant director for Infrastructure Security and interim assistant director for the National Risk Management Center at CISA.

For Visner, formally designating space as critical infrastructure would be both symbolic and operational.

“We have drawn a line,” Visner says of what formal recognition would represent. “We have said space systems are a critical infrastructure sector, and we intend to defend those systems — because they’re critical to our national security, our economic security, our homeland security.”

Without that clarity, he suggests, adversaries may miscalculate U.S. resolve.

A Growing Attack Surface

As space becomes more commercial and more connected, vulnerabilities multiply. RAND estimates that by 2031, nearly 25,000 satellites are expected to be on orbit, roughly 70 percent of them commercial. At the same time, counterspace threats and orbital debris are growing, while governance mechanisms lag behind.

Mowry stresses that the real vulnerability often lies on the ground, in the terrestrial nodes of satellite networks. “The ability to disrupt on the ground is far simpler and easier than disrupting satellites in space,” he notes.

That vulnerability became clear in February 2022, when Russia attacked satellite ground infrastructure as it invaded Ukraine. The cyberattack against Viasat’s KA-SAT satellite network disabled network modems, disrupting internet access for tens of thousands of people in Ukraine and Europe.

Not surprisingly, constellation providers “spend an awful lot of money on the ground, making sure their networks are robust and secure,” Mowry says.

Researchers at the University of Maryland and the University of California, San Diego, further demonstrated the risk by intercepting satellite communications using roughly $800 in commercial equipment.

In a paper published in October 2025, the researchers detailed how their consumer-grade satellite dish was able to intercept highly sensitive, unencrypted IP traffic from 39 Geostationary Orbit (GEO) satellites.

By passively scanning as many GEO transmissions from a single vantage point on Earth as possible, they were able to capture voice calls and text messages, emails and login credentials, data from critical infrastructure systems, including SCADA traffic, ATMs, and corporate machine-to-machine communications, and communications from both the U.S. military and Mexican military.

Dave Levin, associate professor of computer science at the University of Maryland and a core faculty member of the Maryland Cybersecurity Center (MC2), told Via Satellite that his team contacted all parties whose traffic was affected and they have since fixed the security issues. He notes that the biggest finding was that “nobody was really monitoring or auditing whether encryption controls like IPSec were running.”

For Visner, the lesson is clear: the traditional norms that once provided a degree of safety no longer hold in a tightly interconnected cyber-space environment.

“Industry cannot and should not handle major threats alone,” he says. In the event of a significant attack, only the federal government has the authority and capability to marshal a coordinated national response.

Regulation Fears

According to Jake Braun, former White House Principal Deputy National Cyber director, both the Trump and Biden administrations seriously debated designating space as a U.S. critical infrastructure sector (including initiatives like the 2023 Space Infrastructure Act and National Security Memorandum-22), but the move ultimately stalled due largely to industry fears of heavy-handed regulation.

Many in the space sector, he says, wrongly assumed that designation would automatically trigger banking-style rules and oversight. In reality, most banking regulations stem from separate legislation, not from the critical infrastructure label itself.

“Designating something as critical infrastructure does not necessarily come with all these regulations, but it does enable information sharing to be formalized,” he explains.

Formal designation of space as critical infrastructure, in Mowry’s view, is a double-edged sword: it could bring heavier regulation, but it could also unlock needed support and protection for an infrastructure that is now woven into the fabric of the global economy.

“As an industry, we would love it if we got more support from the government for extending telecommunications services in areas that are too expensive to reach and to provide backbone services for disaster recovery,” Mowry says of ways a critical infrastructure designation might benefit the industry.

Karen Schwindt, a RAND research analyst specializing in cyber, space and emerging technologies, contends that space “easily could become the 17th critical infrastructure sector,” and many believe it should, but the more urgent task is implementing effective resilience, debris mitigation, and risk management across the community — whether or not a new sector is created.

She says one of the main reasons it hasn’t been designated as critical infrastructure is structural: space cuts across existing sectors rather than fitting within one. “It isn’t easy to designate space as its own critical infrastructure given the interdependencies between space and all other sectors,” she explains.

Schwindt says the bigger issue at hand concerns “how we significantly improve and implement effective resilience measures across the community sooner rather than later.”

Collaboration Already Underway

Even without a formal designation, the space ecosystem is increasingly acting as though it is critical infrastructure.

The Space ISAC, established in 2019 following a White House push for industry collaboration, now includes roughly 120 corporate and academic members. It operates a 24/7 watch center in Colorado Springs and maintains global hubs in Australia and the UK, with a planned hub in Japan to enable continuous “follow‑the‑sun” monitoring.

ISACs were originally created to encourage industry-led collaboration on the security and resilience of critical infrastructure sectors. Space ISAC extends that model to orbital systems and their terrestrial connections.

Formal designation, Visner argues, would strengthen these efforts by clarifying roles, streamlining information sharing and reinforcing deterrence.

“It would say to adversaries that we regard these systems as essential,” he says, “and that we will defend them accordingly.”

Braun also contends that the space ecosystem already acts as though space were critical infrastructure: agencies like CISA and key industry players are treating it as such, even without the formal designation. In his view, the failure to act so far is a policy “miss,” especially given the well-documented cyber vulnerabilities of commercial space systems and their growing centrality to the global economy and security.

Governance Gaps and Escalating Risks

Daniel Gerstein, former acting undersecretary for Science and Technology at DHS and author of a RAND report on the space domain, contends that space is already critical infrastructure in practice.

Future resilience, he argues, will depend on multi-orbit architectures that distribute assets across Low-Earth Orbit (LEO), Medium Earth Orbit (MEO), and Geostationary Orbit (GEO) — combined with hybrid terrestrial-orbital systems to reduce single points of failure.

At the same time, risks are mounting: Orbital debris continues to accumulate. Counterspace capabilities are advancing. Debris-generating anti-satellite tests have shown how quickly the orbital environment can be contaminated.

“Very few things would be more catastrophic than a war fight in space,” Gerstein warns, given the long-term damage debris could inflict on satellites, human spaceflight and commercial operations alike.

He also notes that governance remains fragmented across DHS, Commerce, Defense, NASA, and other agencies — complicating coherent risk management.

In addition, Gerstein says federal disinvestment in science and technology, including at NASA and key labs, is eroding U.S. capacity to lead in space and advanced technologies over the long term. Formal CI designation for space, he suggests, may matter less than ensuring robust regulatory frameworks, resilient architectures, and structured information‑sharing across government, industry, and academia to manage the mounting risks in an increasingly congested and contested orbital environment.

McClintock agrees that governance fragmentation is the core problem. He advocates a three-pillar approach focused on technical resilience through diversified and proliferated architectures, stronger international norms of behavior, and market-based mechanisms such as insurance and liability frameworks.

According to Casapulla, CISA already collaborates with critical infrastructure and government partners, including the Information Sharing and Analysis Center (ISAC) and many of the companies that build and operate space-based assets are integrated into U.S. information-sharing programs.

“CISA encourages the space community to develop sound strategies and well-informed risk management processes. We also encourage implementation of robust cyber hygiene and the application of basic cybersecurity principles at all levels, including the ground, link, and space-based aspects of the enterprise,” Casapulla says.

CISA has published Recommendations to Space System Operators for Improving Cybersecurity, which urges space system stakeholders to consider common cyber risks outlined in the report to inform their profile and carefully analyze the risks for each segment of their space system. Another CISA paper, Space System Security and Resilience Landscape: Zero Trust in the Space Environment, provides analysis and opportunities for applying zero-trust tenets across space infrastructure, including emerging technology such as homomorphic encryption, distributed ledger, and quantum communication.

The rapid rollout of Artificial Intelligence (AI) systems across industries has created a new layer of systemic risk that is difficult to manage or control.

RANDS’s Schwindt says the growing use of AI-agentic systems for autonomous operations for activities like in-space manufacturing, active debris removal and cislunar operations is one example of this heightened risk.

“As AI becomes more deeply embedded into how these systems operate — particularly when informing or autonomously directing operational decisions — the consequences of manipulation, malfunction, or misuse become even more critical and systemic. And governance is lagging behind both commercial innovation of AI systems and the integration of AI into critical infrastructure,” she stresses.

Because of this, the industry needs coordinated governance, shared norms of behavior and clear roles for governments and industry in managing threats.

“If space were formally recognized as a critical infrastructure sector, then the AI systems embedded within space architectures would necessarily become part of national critical infrastructure risk management frameworks,” observes Schwindt, and that “could help shape standards for algorithmic transparency, data provenance, model validation and verification, cybersecurity and AI-specific security requirements, redundancy mandates, and structured information sharing between government and industry.”

Inevitable Recognition?

Braun believes formal designation is ultimately unavoidable. “It’s a foregone conclusion that it will be designated eventually,” he says. “It just depends on when.”

In the meantime, agencies such as CISA and organizations like Space ISAC are already coordinating cybersecurity defenses, sharing threat intelligence, and strengthening resilience — effectively treating space as critical infrastructure without the official label.

For Visner, designation would simply align policy with reality.

“Space systems are critical to our national security, our economic security, our homeland security,” he says. “They’re critical to all of our other critical infrastructures.”

That step, he says, would clarify red lines for adversaries, improve government–industry information sharing, and give allies confidence that the U.S. is serious about defending the space systems everyone increasingly depends on.

Felipe Fernandez, federal CTO of cybersecurity firm Fortinet Federal, says the current sector-based treatment of space is sufficient for now, but an official designation for space as critical infrastructure could yield important benefits if it is done with clear authority and structure.

"A formal critical infrastructure designation for space really does matter,” concludes Fernandez. “It would push us to look for blind spots in how we address space-based capabilities and the threats to them and force a more holistic view of all the assets that depend on space. Most importantly, it creates an official structure with clearly assigned roles and authorities, so the right organizations can actually act and get the results we need when something goes wrong.” VS