Cyberspace in Outer Space: New Challenges, New Responses

The central and vital role of satellite systems in human societies, together with the growth of attacks against satellites, has shown that the security aspects of satellite systems cannot be overlooked. Indeed, an attack against a satellite (as well as to its ground stations and communication links) can have profound negative impacts on a set of diverse sectors and activities that rely on satellites.

Such security aspects are all the more important not only due to the increasing reliance, cross-sector and cross-borders, on satellite systems, but also in light of the dual-use nature of satellite technology, the use of IP-based technologies in the space sector, as well as the recourse to the private sector for procurement of sensitive technology and management of critical infrastructures.

Alas, there is no comprehensive and coordinated approach to cybersecurity in outer space. What is more, the cybersecurity and outer space communities seem only now to have started to realize the interdependence between these two areas and the need to avoid compartmentalized approaches with relation to cyber in space. At the United Nations level, for instance, the Committee on the Peaceful Uses of Outer Space’s (COPUOS) guidelines for the long-term sustainability of outer space activities (A/AC.105/C.1/L.354) recognize the importance of security measures for achieving this purpose (see Part B, especially guidelines 9, 18 and 19 under discussion). In addition, the measures approved for the security of Information and Communication Technology (ICT) by the UN Working Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, as well as on Transparency And Confidence Building Measures (TCBMs) by the UN GGE on TCBMs in Outer Space Activities, should also be taken into account when dealing with cybersecurity in outer space.

However, a streamlined approach to this issue is still missing. This is true at the international level, state/regulatory levels, as well as at the market level. On the one hand, despite the fact that the international community is fast realizing the importance of cybersecurity in outer space, there is no international body that is focused on this issue (unlike the situation in cybersecurity in general, with, e.g., ITU-IMPACT). In addition, despite the fact that states —including developing countries — are increasingly approving cybersecurity policies and strategies, these policies do not address the security of satellite systems. Even in the European Union, the Network and Information System Directive (Directive 2016/1148 of July 6) does not mention satellite systems. At the market level, there is no international network or initiative that brings together all actors in the satellite supply chain for the discussion and adoption of a shared approach to these challenges.

Bringing together the cybersecurity and outer space communities, as well as bringing together all actors involved in outer space activities, would be essential steps for achieving a structured, effective and responsive framework to cyber-threats to outer space systems. In fact, the outer space community would benefit from learning from the challenges and the measures adopted by the cybersecurity community, as many of the risks and challenges in outer space and cyberspace are common. Additionally, it is essential that all actors in the space community (from market agents to governments and regulators) come together and cooperate in this area, also because outer space activities face specific risks of their own.

This cooperation at different levels could hopefully lead to the creation of a framework or guidelines on cybersecurity in outer space that could strike a proper balance between the need for security and the need, on the one hand, to keep promoting research, development and innovation and, on the other hand, not prevent developing countries from accessing space. This framework or guidelines could cover best practices and strategies for risk assessment and mitigation, management of incident responses and recovery, sharing of information, early warnings, capacity building and promotion of awareness.

This approach could, in addition, also increase the use of reliable private systems including for public tasks, thus mitigating the issues arising from dual-use technologies and guaranteeing that cybersecurity could be an effective business enabler.

It is a long held objective of the outer space community, including of the United Nations, that the use of outer space is done in a sustainable and transparent manner, which is all the more important in light of the fact that Earth orbits are increasingly contested, congested and competitive. Cybersecurity is an essential tool for achieving these objectives, as it will help to protect satellites against cyber threats that can disrupt their operation and, in the most extreme cases, turn a satellite non-operational — and thus debris. Complying with the international rules and provisions applicable to outer space (the UN Space Treaties and Principles, as well as the ITU rules and the provisions applicable to freedom of information) requires that satellites remain secure. The adoption of a framework that helps ensure that cybersecurity measures, threats and responses are discussed, shared and, to the extent possible, jointly defined and implemented, will definitely be an important step for the security, the safety and the long-term sustainability of outer space. VS