U.S.-French Commitment to Secure Space Assets Shines a Light on Cyber Vulnerability

In a joint statement with French President Emmanuel Macron, President Joe Biden committed on Thursday to strengthening the cybersecurity of commercial space systems. The vulnerability of these systems stems from their physical and technical characteristics as well as the U.S. government’s fragmented approach to risk management.

Recognizing the “growing use of commercial space capabilities to support” functions critical to national security, economic stability, and public safety, the United States and France pledged to enhance bilateral collaboration to increase the cyber resilience of space systems. The statement echoes the Biden administration’s October National Security Strategy which committed the U.S. government to “enhanc[ing] the resilience of U.S. space systems that we rely on for critical national and homeland security functions.”

Space systems are critical to national security, economic prosperity, and the daily activity of American citizens. For example, Global Positioning Systems (GPS) services enable not only car navigation systems but also the function of U.S. military assets and the time-stamping of ATM transactions. Thus, the commercial space industry is one of the fastest-growing industries today, generating more than $440 billion of economic activity in 2020 and projected to surpass $1 trillion in the next 10–15 years.

America’s adversaries recognize the importance of commercial space systems and have begun launching cyberattacks — sometimes via proxies — to degrade or destroy them. In October 2022, Konstantin Vorontsov, a senior Russian foreign ministry official warned that commercial satellites could become a retaliatory target if America continues supporting Ukraine. In fact, Russian hackers have already targeted these systems. Just one hour before its armed forces invaded Ukraine in February, the Russian government hacked U.S.-based satellite company Viasat, disrupting Ukraine’s military communications as well as internet service across Europe. Earlier, in 2018, Russian hackers targeted the global navigation satellite system (GNSS), sending faulty coordinates and navigational data to disrupt thousands of airplanes and ships’ movements via jamming and spoofing techniques. Meanwhile, China is testing capabilities to strike adversarial satellites through cyber and electronic warfare.

While the cybersecurity of all U.S. infrastructure is critical for national resilience, hardening cyber components of space systems is particularly challenging. These systems are difficult to monitor due to physical distance and mission length. Many space-based assets have dated technologies that are difficult to update and have not been recalled due to expense and lack of policy standards. Meanwhile, because space systems are not a distinct critical infrastructure sector, the industry does not have dedicated risk management support within the U.S. government.

This structural problem within the U.S. government, however, may soon change. Last month, the White House endorsed the findings of a statutorily-required Department of Homeland Security report assessing public-private collaboration to secure U.S. critical infrastructure. Among the findings was a recommendation to consider designating the space sector as a critical infrastructure sector and an agency within the U.S. government to serve as its sector risk management agency (SRMA). For each critical infrastructure sector, an SRMA is responsible for creating programs to help owners and operators identify and mitigate risk, facilitating information sharing between the government and the sector, and contributing to emergency response planning, among other tasks.

As the Biden administration considers this designation, it should leverage existing institutions — like the industry’s Space Information Sharing and Analysis Center — to better share information and resources and existing methodologies (like the Department of Energy’s Cyber-Informed Engineering) to build equipment and technology that is secure by design. As part of a larger national, bilateral, and multilateral effort to secure commercial space systems, these two steps will likely facilitate a better understanding within the industry of the cyber threats and create systems that are more resilient against these threats. Until that time, Russia, China, and other adversaries will continue to take advantage of the fragmented U.S. approach to cyber risk management of space systems.

Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD research fellow. Kelsey Shields is a Research Analyst at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security and contributes to research on the cybersecurity of space systems at CSC 2.0, an initiative to continue the work of the congressionally mandated Cyberspace Solarium Commission. For more analysis from the Annie and CCTI, please subscribe HERE. Follow her on Twitter @afixler. Follow FDD on Twitter @FDD and @FDD_CCTI and the McCrary Institute @McCraryCyber. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.