Crews at US Space Command’s National Space Defense Center provide threat-focused space domain awareness. (US Space Force photo by Kathryn Damon)
WASHINGTON — As information sharing between allies and partners becomes increasingly important in the space domain, the US needs to create a uniform set of cybersecurity standards for its space systems, government officials said Tuesday.
Right now there are several entities and agencies who have or are working on their own set of cybersecurity standards for space systems. These include the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency, OASIS and commercial providers. Additionally, a Biden-era executive order mandated practices that would protect commercial satellite systems against cyber attacks.
But if all of these standards are siloed, it will be more difficult to share them with international allies and they won’t be useful in protecting space systems against adversarial threats, Lauryn Williams, former chief of staff in the Office of the Assistant Secretary of Defense for Industrial Base Policy, said during a Washington Business Space Roundtable discussion Tuesday.
Williams said that a meeting with Japanese officials during her stint in the Office of the National Cyber Director prior to her most recent post was her catalyst for wanting to develop a clear set of cyber standards for space systems.
“The Japanese government turned to me as the kind of cyber person sitting at the table, and they said, very straightforwardly, ‘What is your cybersecurity policy? What is your cybersecurity standard?’ We could not answer that question. I cannot answer that question,” she said.
“We need to be able to answer that question, so that we can lead because that was the indication that I got, was that the Japanese were looking to us to be able to say, ‘Here it is.’ So that they and many of our other international partners could take and build on it,” she added. “I hope that we’ve got a piece of that answer now, not the entirety of it, but the world really is looking to us on this.”
Erin Miller, executive director of the Space Information Sharing and Analysis Center (Space ISAC), echoed Williams’ need for a cohesive set of cyber standards. She noted that ideally one agency would be in charge of setting these standards; for example, the Department of Homeland Security. This, however, could be tricky since the federal government tends to fall behind commercial industry in terms of understanding cyber threats to space systems.
“There’s a lot of [standards] that are available that we can look at. We actually formed a task force in Space ISAC to look at all of these different standards and see if we can get a comprehensive view of how to address risks for space systems,” Miller told Breaking Defense on the sidelines of the event. “But the challenge is that the commercial sector can do that, and organically we can come to a conclusion on how we’re all going to manage sector risk, but it’s still a commercial sector that’s driving it. We need a complement from the federal government side to drive overall sector risk.”
Both Williams and Miller made clear that such a set of uniformed cybersecurity standards would benefit international cooperation. Miller also used the opportunity to make her argument that space systems should be considered critical infrastructure.
With this, she explained that another benefit to having the DHS in particular take on the responsibility of creating space cyber standards would be allowing space systems to be considered critical infrastructure, something the space community has been advocating for for several years. But the federal government maintains these systems do not qualify as critical infrastructure.
“Human lives depend on the security of space systems, and it’s not just humans in the US. That’s another challenge, is that DHS has primarily been responsible for critical infrastructure that humans in the US rely on, and so risk management is based on US lives, but this is a global conversation,” Miller told Breaking Defense. “People across the whole world are dependent upon the space systems, and we have a lot of international sales and trade and commerce that’s associated with our space systems and the use of them in countries around the world. So it’s dynamic.”
Though Miller said the DHS could be responsible for making the uniformed set of standards, she acknowledged that there is more than one agency capable of tracking critical infrastructure, so the DHS wouldn’t necessarily have to be the agency responsible for creating the standards.
“Space ISAC has heavily advocated that we have a designation of space systems as a critical infrastructure sector, and that’s where DHS’s role is that they have a responsibility for critical infrastructure sectors, and they also share that responsibility with other agencies. So that’s why this conversation of which agency is responsible is so challenging,” she said.
