Time to Get Serious About Cybersecurity in Space

This column has previously discussed the hacking threat to U.S. satellites (see, “A New Threat: Satellite Hacking and China’s Role,” Via Satellite, December 2011). At that time we assessed the U.S.-China Economic and Security Review Commission’s draft annual report, which concluded that computer hackers, possibly affiliated with China’s military, had interfered with two U.S. government earth terrain and climate surveillance satellites, Landsat-7 and Terra AM-1, several times in 2007 and 2008. In one 2008 case, according to the draft report, the hackers achieved command and control of the Terra AM-1 spacecraft, although they did not exercise that control.

In March, The New York Times reported that NASA had shut down a large public database and decided to limit access to agency facilities by foreign citizens to hinder efforts by China and others to obtain sensitive space technology information. NASA administrator Charles Bolden announced the moves following the arrest of a Chinese citizen, Bo Jiang, at Dulles airport after he boarded a Beijing-bound flight. Jiang had been working as a contractor at NASA’s Langley Research Center in Virginia, and was arrested on board his flight in possession of an allegedly undeclared laptop computer, hard drive and SIM card.

The database in question is the NASA Technical Reports Server, a giant repository of public-access scientific and technical information compiled in the form of technical and scientific journal articles, videos, presentations and other materials. While several prominent members of the scientific community asserted that the database shutdown was an overreaction to the Jiang arrest, Major General Bolden stated that the Agency review was necessary to evaluate whether materials controlled under U.S. technology export laws and regulations had accidentally been put on the server. At issue, as usual in the United States, is the balancing of the critical free and fair exchange of information in an open society with the need to prevent intellectual property theft and industrial, military and government espionage that threatens critical national security and other interests.

Plainly, Landsat-7 and Terra AM-1, which were not “hardened” against cyber attacks to the extent that more sensitive military and government satellites are, were unnecessarily vulnerable. However, it is not clear how safe even the best-protected assets are, and the necessary level of cyber security is an always moving, always receding, target. Satellite networks are wireless networks, and wireless networks are intrinsically more vulnerable to attack than closed landline networks. While public-key cryptography using asymmetric algorithms has been highly successful, the use of a public key by the sender of a transmission renders the encryption susceptible to “brute force” attacks by use of extreme computational power that is available to state players if the potential gain in information is justified by a cost-benefit analysis. A lot of satellite software does not come up to this standard. In February 2012, Network World and other publications reported that researchers had cracked the GMR-1 and GMR-2 satcom encryption algorithms of the European Telecommunications Standards Institute (ETSI), used to secure civilian satellite telephone communications.

The fact that NASA operates Landsat-7, Terra AM-1 and the Technical Reports Server may highlight an issue of security consciousness at NASA itself. NASA is a civilian agency not part of the intelligence community, and has an express research and dissemination of knowledge and information mission that arguably is unlikely to coincide with a culture of best security practices. Indeed, the mission of an agency like NASA may be intrinsically incompatible with best security practices. However, NASA may be the canary in the coal mine in this situation, for if its land-based and in-orbit security protocols are lacking, it is unlikely that the commercial fleet is more secure. And the commercial fleet transmits untold amounts of sensitive civil information from the worlds of finance, science, navigation, media and otherwise.

The increasing reliance of the military and other government agencies on “hosted payloads” and other capacity of the commercial fleet means that hacking and other cyber attacks on in-orbit satellites, ground stations and associated networks have more than civil implications, as serious as those might be. It is clearly time to get serious about cyber security in space.

Owen D. Kurtin is the founding member of New York City-based law firm Kurtin PLLC and a founder and principal of private investment firm The Vinland Group LLC. He may be reached at [email protected].