Successful Cyber Policy for Space: What Does That Look Like?

As a managing partner at Renaissance Strategic Advisors, Joshua Hartman frequently makes public appearances to speak on the intersection of space, defense and cybersecurity. Here, Hartman shares his thoughts on how U.S. policymakers are adapting to new cybersecurity threats in the space domain. At the 2017 CyberSat Summit today, Hartman also delivered a presentation titled: “A Cybersecurity Framework for Space: What Needs to be Done.”

VIA SATELLITE: Do policymakers have a good understanding of cybersecurity as it relates to the space domain?

Hartman: Truthfully, no, they don’t. Updating the Foreign Intelligence Surveillance Act (FISA) and similar laws have dominated a lot of the discussion over the last couple of years with respect to technologies in the world that we have to deal with on a regular basis. They’re really struggling to come up with the answers — something that protects privacy, ensures security and still gives us the conveniences and comforts we’re looking for in our every day life.

VIA SATELLITE: So what are some of the biggest priorities when it comes to rules and regulations in space cybersecurity?

Hartman: There’s a void in the space world when it comes to cybersecurity policies. Most of the space community, from my perspective, frankly has their heads in the sand … Most of the policies and strategies have focused on abating and dealing with kinetic weapons in space. They really fail to think about and take proper precautions against the cyber threats that exist.

And what’s interesting is I think that reflects a traditional warfighter perspective, meaning most people who used to wear the uniform are used to thinking about battle space (and action in that battle space) as being a kinetic activity: we blow things up and we break things. That’s how we’ve thought about the threat to our space systems largely. We’re still coming to grips with what it means to have a cyber intruder on our space systems. So there are very few number of voices relative to where it needs to be talking about the importance of dealing with cyber threats.

VIA SATELLITE: Could you talk a little about disaggregation and its role in space resiliency?

Hartman: For years, we’ve flown our space systems as one-size-fits-all: the more we could tack onto a space system the better off we were. That was driven by the fact that space at the time was not full of the threats or congestion that it might be today. The only limiting factor for our space architecture was the life of a satellite. That caused us to integrate multiple missions onto the same satellite because if we could minimize the amount of launches then we could minimize the cost to put things into space. But we realized that breaking that down into smaller systems and disaggregating those missions onto multiple satellites would be a much better way.

One, from a military perspective you’d probably get better satisfaction of warfighter requirements — meaning, for example, revisit of communications systems in Low Earth Orbit (LEO) or remote sensing systems. The more satellites we have, the better, more flexible and responsive infrastructure we have to serve their needs.

If we start to disaggregate, we may not have a higher fidelity system but we’ll certainly have better coverage and more timely and accurate information to provide to the warfighters.

The second piece of that, and this relates directly to cybersecurity concerns, is that if I disaggregate a mission around a multi-satellite architecture … I make it harder for my adversary to take away my capability, whether it’s a kinetic or non-kinetic threat. If I have 200 satellites and they manage to take out two satellites, I still have 198 satellites available — and so the impact is minimized on a per satellite basis, which correlates to overall mission capability. And for many of the missions, even if I lost two satellites I wouldn’t notice much degradation in performance across a constellation because I could redirect those mission requirements through the rest of the network. So my network becomes much more flexible and in some respects self-healing.

VIA SATELLITE: How does the United States compare to other countries in space when it comes to cybersecurity? Would you say we’re ahead of the pack?

Hartman: The truth is we are probably the best among the worst. I think everyone’s shifting as quickly as they can toward the protection of their space assets. They’ve realized that they were vulnerable — it’s not dissimilar to what’s happening in the automobile industry, where for years no one would have ever dreamed of someone hacking into an automobile, but now we realize that it’s not only possible but people are doing it. Similarly, I think there’s a rush to try to put protections in place [on orbit]. Because the U.S. has a strong cyber capability on the ground, it’s going to help us take the lead in the space domain. But there are other countries like Israel, Russia and China who also have strong ground segment capabilities and are just as capable of reflecting that in their space systems in a fairly quick way.

VIA SATELLITE: What role will private companies play in improving the government’s cybersecurity capabilities?

Hartman: There’s two groups of companies I’d focus on: one is the actual cyber companies themselves who will be providing the solutions, knowledge and technologies that we’ll need to protect space assets form cyber threats. There aren’t a lot of space companies that are capable of doing that and that’s quite alright because there doesn’t need to be. Space systems are an extension of our existing networks, so we should be able to take the mindset that we use on terrestrial cyber and project that into space for the most part. There will be some specific engineering for space systems and infrastructure that needs to be designed and implemented but a lot of the same technical approaches will be applicable.

The second and probably more interesting [group] is the space companies building their own satellite architectures — who, in order to gain government customers, need to be able to prove cybersecurity throughout their systems. Many of those companies, whether it’s the remote sensing companies who have been working with the intelligence companies for years or the global Geosynchronous Earth Orbit (GEO) operators … are focused on providing the right level of data integrity and, as a result, cybersecurity. When they can prove they’ve got those solutions in place then there will be more government customers adopting their infrastructure as a core piece of the warfighter capability.