Policy Solutions for Cybersecurity in Space

For this new Space Law article on Space Legal Issues, let us have a look at Policy Solutions for Cybersecurity in Space. On the 4th of September, the President of the United States signed Space Policy Directive-5 (SPD-5) which establishes a set of principles designed “to protect the nation’s valuable space assets from a burgeoning variety of cyber threats”. The Deputy Assistant to the President was quoted as saying that Americans rely on capabilities provided by space systems daily, which highlights the need to preserve their functionality and designs. This new policy is a dedicated legal instrument which will protect space systems from cyber vulnerabilities and malicious attacks, providing a “whole-of-government framework to safeguard space assets and critical infrastructure”.

Modelling from this progressive step, it can be gleaned that an adequate space policy solution to address state security issues is one that would incorporate cybersecurity measures into all stages of space system development and operations. This would include provision for protective software, which is a significant feature of the U.S. directive. This is not the only concern, however, as other primary measures include ensuring a strict vetting process for anyone who comes into contact with the command lines of a spacecraft; monitoring the ground-based networks for any breaches, and also making sure that telemetry links between the satellite and the ground equipment are adequately encrypted. The central premise is that the policy should reflect a comprehensive end-to-end framework for maximum security, with appropriate adjustment depending on the nature and mission of the satellite (for example, a university CubeSat would not necessarily require the same levels of protection as a government-owned, military reconnaissance satellite).

A dedicated space and cybersecurity policy, as opposed to a general cybersecurity bill, will enhance a state’s ability to be more resilient to the particular risks posed to space services and capabilities, including space weather. It also enhances national security interests through space. Most importantly, however, it promotes a safe and secure space environment for all stakeholders. Where there is already a culture of regulatory intervention and compliance, the incidence of cybersecurity attacks is reduced. Hence, even as the space market becomes more commoditized, placing checks and balances to mitigate against evolving cyberattacks will not be difficult where the legal environment is already comprehensive. However, the situation is quite tenuous in the African context where, not only do the majority of African states (including some space-faring) do not have a national space policy, but related legal instruments are also devoid of the robustness and legal certainty needed to support cyber-secure measures.

One core market trend-savvy measure would be to incorporate a culture of cybersecurity even within the commercial satellite and space supply chain, in a way which is sympathetic to the quick-paced market environment. This would enable innovation which also has a normative function, such as quantum computing. This way, business interest and security would become the main driver of the cybersecurity reform within the space sector, which is reflective of the up and coming NewSpace industry.

The ideal cybersecurity regime is one that would encompass all of the respective interests of the various stakeholders, that is: corporate; military; scientists; end-users, and needs to address the myriad technical, economic, social and political interests, using a pragmatic combination of both bottom-up and top-down approach. It is essential to determine the priority aspect to be protected, whether that be broadband access or other, and form related policy interventions around this. And most importantly, the approach should be non-hierarchical but instead equitably address the concerns of all the stakeholders, ensuring each is individually knowledgeable and empowered as a valued contributor within the sector.

As with any aspect of space law and policy, space governance is an important consideration, which can be summarized in three points. Firstly, a cybersecurity regime requires enforcement of a system, backed by policy, which enables legitimate users, while increasing the costs for illegitimate ones. Secondly, governing the cyberspace is a collective action, and should be a multi-stakeholder initiative. Thirdly, to be sustainable, the regulatory regime should include a self-governing body and a lightly regulated effort from all stakeholders.

An international response is the best option to achieve a truly coordinated approach to protecting our shared cyberspace, which is in line with the fundamental principle of international cooperation and collaboration in space. The fact that there no international organizations or mechanisms which exist in this regard is even more justification for this kind of intervention. To this end, it is ideal that a global framework is established to standardize the space supply chain and regulate what has become an increasingly market-led domain.