New CSC report advocates designating space systems as critical infrastructure, as current approach ‘insufficient’

​​The U.S. Cyberspace Solarium Commission (CSC) 2.0 assessed that America’s adversaries recognize the importance of space systems to U.S. national security and economic prosperity and have tested capabilities to destroy them. The threat from Russia and China is growing, with both those authoritarian powers having placed American and partner space systems in their crosshairs, as demonstrated by their testing of anti-satellite (ASAT) capabilities. The U.S. needs a more concerted and coherent approach to risk management and public-private collaboration regarding space systems infrastructure.

In its latest report, titled ‘Time to Designate Space Systems as Critical Infrastructure,’ authored by Frank Cilluffo, Mark Montgomery, Kelsey Shields, and Sharon Cardash, the CSC said that designating space systems as a U.S. critical infrastructure sector would close current gaps and signal both at home and abroad that space security and resilience is a top priority. The move came after interviewing over 30 industry and government experts.

Against the backdrop of rising threats, the U.S. government’s current approach to safeguarding space and working with private industry to secure critical systems is insufficient, the CSC report identified. “While pieces of the industry fall under communications infrastructure or the defense industrial base (DIB), too much is left uncovered. Recent government efforts to rectify the problem are promising but remain in their infancy. While not without its challenges, designating space systems as a critical infrastructure sector would begin to rectify these problems.”

The CSC report said that components of some space systems are currently designated as critical infrastructure within the framework of other critical infrastructure sectors. Commercial communications satellites are considered part of the communications sector, while military reconnaissance satellites and GPS systems are part of the DIB. Meanwhile, the critical manufacturing sector includes aerospace parts and manufacturing, while the Federal Aviation Administration (FAA) governs launch and re-entry from space as part of the transportation sector. 

However, important components of space systems (particularly those operated by commercial remote sensing enterprises) are not represented in any critical infrastructure sector, the report said. “Some satellites — particularly those used for scientific and other research purposes, including weather tracking and forecasting systems — are not part of either the communication or the DIB sectors, which could also soon be true of other emerging space-based systems for transportation, remote sensing, manufacturing, mining, and cislunar operations.” 

For the executive branch, the CSC report recommended designating space systems as a critical infrastructure sector. It also suggests NASA as the SRMA for the space systems sector, creating two directed subgroups within the sector, not assigning the SRMA a regulatory role, articulating and offering industry a clear value proposition, strengthening international norms and standards, and integrating the National Space Council into the governance of the space systems sector.

For Congress, the report recommends giving NASA, the lead SRMA, the resources to effectively accomplish the mission. It also directed the Congressional Research Service (CRS) to undertake a legislative review.

For industry, the CSC report proposed marshaling and organizing the commercial space community to play an instrumental role in governance. It also suggests establishing a space systems sector coordinating council (SCC), tasking the SCC, through its charter, with working to reduce risks to the security and resilience of the commercial space sector, while leveraging and building upon the existing work of Information Sharing and Analysis Centers (ISACs), including the Space ISAC.

For industry and government together, CSC suggested creating a co-led risk management enterprise. It also recommends jointly elaborating and widely implementing cybersecurity best practices, pairing commercial and government capabilities to model a dynamic risk environment; and adding space assets positioned outside of traditional operational areas to enhance U.S. resilience.

The CSC report identified that the systems that launch and operate communications and other satellites, as well as ‘the companies that manufacture, launch, or operate space vehicles or the supply chains that sustain all these systems,’ are also not represented in the current framework governing critical infrastructure sectors, according to the industry-led group, the Space ISAC. “With space commerce set to expand, the argument that only marginal activities remain outside current critical infrastructure designations will become increasingly tenuous.” 

The report also addressed those who support retaining the status quo, and will be overtaken by events. “Some experts in favor of maintaining the current governance structure also argue that CISA and DoD are highly capable SRMAs for the communications and DIB sectors, respectively. These experts argue that creating a space systems sector could (or would) undermine something that works well. Even the respondents who favor designating space systems as a new critical infrastructure sector emphasized that any new construct must avoid damaging elements of the current configuration that work well. Some experts supported a ‘carveout’ within the space systems sector for communications and the DIB.”

It added that even without thoroughly assessing the track record of DHS (CISA) and DoD as SRMAs, it is clear that there is room for improvement. A 2021 Government Accountability Office (GAO) study, for example, warned that DHS has not updated the communications sector-specific plan since 2015. Thus, the ‘plan lacks information on new and emerging threats,’ including ‘disruptions to position, navigation, and timing services.’ DoD, meanwhile, has not updated the DIB-specific plan since 2010. Proponents of the existing structure worry that designating space systems as a standalone sector could heighten the burdens borne by industry. 

The creation of a new sector inadvertently (or inevitably) could result in overlap and duplication of extant efforts and new requirements — potentially regulatory — could be introduced.

The CSC report said that short of designating space systems as critical infrastructure, there is one other potential path forward, including leveraging CISA’s identification of national critical functions (NCFs). The NCF framework translates the functions of critical sectors into actions, such as ‘generate electricity’ or ‘supply water,’ to address risk in a holistic way by better incorporating ‘cross-cutting risks and associated dependencies.’ At least within certain quarters of government, there is a distinct appetite for taking a functional (NCF) approach rather than issuing a new sector designation, because of a focus on cross-sector risk in the form of critical interdependencies. 

While cross-sector risk is undeniably important, the NCF approach has a significant shortcoming in that there is not yet a natural way for government and industry to collaborate around functions. The NCF rubric focuses on ‘how entities come together to produce critical functions, and what assets, systems, networks, and technologies underpin those functions,’ and it is therefore company-agnostic. 

Critical infrastructure sector designations, by contrast, center on the companies that fall within a sector’s ambit. Those companies, in turn, have forums to collaborate with one another and with the government to manage risks. This structure provides the foundation for the public-private partnership that is essential to safeguard space systems. Whether for or against the designation of a new sector, interviewees broadly agreed that the federal government must better support the commercial space community by marshaling resources and sharing information related to threats, vulnerabilities, and incidents. 

The report said that protecting space systems will require an enhanced model of public-private partnership with genuinely shared risk management responsibilities. On the government side, the agency that serves as lead sector risk management agency (SRMA) for this sector will have a demanding task — but one that NASA is well suited to fulfill so long as it receives the extra resources necessary to develop its capacity to protect national security, civil, and commercial systems, the report said. 

Additionally, there will need to be subgroups within the sector that maintain relationships with other government agencies. One subgroup should deal with defense and intelligence systems, and another with communications systems already regulated by the Federal Communications Commission (FCC). But no alternative candidate for lead SRMA possesses the same range of requisite capabilities as NASA.

It added that fostering security and resilience in the space systems sector will require mitigating unique cybersecurity challenges that stem from the geographic and technological particularities of space, as well as new and emerging space-based missions. Substantial investment through congressional appropriation will be imperative because policy without resources is merely rhetoric.

In the National Cybersecurity Strategy, released last month, the administration also committed to ‘enhancing the security and resilience of U.S. space systems.’ A forward-leaning posture regarding space systems, which takes into account the coming of ubiquitous space operations and routine human and robotic spaceflight, will put the country firmly on the path to continued leadership in the 21st century. 

Additionally, within the Executive Office of the President, the National Space Council advises on ‘the formulation and implementation of space policy and strategy.’ The council’s work spans the civil, commercial, and national security space. The council is currently considering how to structure oversight of emerging on-orbit activities, such as servicing satellites, and hosted the Space Systems Cybersecurity Executive Forum in conjunction with the Office of the National Cyber Director at the end of March. 

To date, however, the council has not had the benefit of a partner in the form of a lead government agency or SRMA for space systems. The result is that policy and strategy have been promulgated at a certain level, removed from the operators that take the lead on implementation. Consequently, high-level guidance on sectoral priorities is not as deeply integrated as it could be, resource allocation is not optimized, and the government’s overall effort is not as coherent or effective as it should be. Revising the current sector structure to include a space systems sector would help to address these shortcomings.

Some lawmakers have also weighed in on how best to protect space infrastructure. Senators Gary Peters, a Democrat from Michigan, and John Cornyn, a Republican from Texas introduced the Satellite Cybersecurity Act during the previous Congress. If reintroduced and passed, this bipartisan bill would direct CISA to ‘develop voluntary satellite cybersecurity recommendations to help companies understand how to best secure their systems.’

Earlier, in June 2021, representatives Ted Lieu, a Democrat from California, and Ken Calvert, a Californian Republican,  introduced the Space Infrastructure Act, which would have designated ‘space systems, services, and technology as a critical infrastructure sector.’ 

Also notable is section 1613 of the FY2021 NDAA, which requires the government to produce a ‘strategy to strengthen civil and national security capabilities and operations in space.’ Section 1614 mandates a ‘report and strategy on space competition with China.’

Meanwhile, the private sector has initiated its efforts to remedy some shortcomings. The Space ISAC, which is industry-led and was created in 2019, is setting up a watch center whose initial operating capability is designed to foster not just a bilateral (public-private cross-sector) flow of information, but a multilateral flow that integrates partners worldwide. 

Last month, the Space ISAC launched its Operational Watch Center and its initial operational capability. Supported by a dedicated team of ten in-person analysts with additional virtual support enabled by a secure cloud architecture, Space ISAC’s Watch Center represents a monumental step forward for the space community.

The Space ISAC is also setting up a cyber vulnerability lab to test hardware and software, to put into place a ‘community expectation for cybersecurity for commercial space systems.’ These and other industry-led efforts are undoubtedly valuable, but membership in the Space ISAC is voluntary and government initiative is required, for example, to amplify and implement the results of research and development and vulnerability testing for the protection of space systems.

In March, the CSC published a report providing additional analysis of cyberattacks against the maritime transportation system (MTS) with recommendations to the U.S. Congress to resource the subsector’s cybersecurity more fully. It also highlights the need for better government-industry cybersecurity collaboration and better resourcing of government efforts to support the private sector.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.