Brian Scott, Deputy Assistant National Cyber Director for Critical Infrastructure Cybersecurity Policy in the Office of the National Cyber Director speaks at CyberSat on Nov. 18, 2024. Photo: Via Satellite

RESTON, VIRGINIA — The cybersecurity of space systems in terms of on orbit assets, ground systems, and data links is a critical issue for U.S. national security, and the federal government is working to provide operational requirements for the space industry to secure these systems. 

“The cyber threat to our satellites, space systems, and the data and functions they provide is clear, and it demands the full attention of the government and the space community,” Brian Scott, deputy assistant National Cyber Director for Critical Infrastructure Cybersecurity Policy within the Office of the National Cyber Director said while opening the CyberSat conference in Reston, Virginia, on Nov. 18. 

The Trump administration provided high-level guidance for cybersecurity principles for space systems in Space Policy Directive-5 in 2020. The Biden administration has worked to operationalize the directive. Scott said the principles of SPD-5 are sound, but there is a need for additional direction to implement and operationalize these principles.

“SPD-5 for all of its merits as a positive step forward, lacks the specificity and implementation guidance that’s needed,” Scott said. “It included no specific accountability for who’s responsible for doing what. Great principles. But how do we now operationalize them?”

With the presidential transition underway, Scott believes the second Trump administration will continue the Biden administration’s work to operationalize this directive. 

“Cybersecurity work is pretty much a bipartisan, non-partisan issue. I think folks recognize the threat environment and recognize the importance of cybersecurity specifically relative to space assets,” Scott said. “We need to keep moving forward and be ready when the next administration comes in to provide them with the best transition possible so that they can pick it up and run with it.”

Over the past 20 months, the White House convened a series of discussions with space industry leadership and technical experts, engaging more than 300 stakeholders, 125 companies, including international industry and governments.

These discussions were focused on space systems that are cyber secure by design, and threat-informed operational practices to mitigate cyber risks, with the goal of identifying gaps that require White House and federal government agency action. Feedback from these sessions is being leveraged to develop actions to implement SPD-5. 

Scott said feedback from the industry included dealing with a highly fragmented landscape of cybersecurity requirements for government and commercial contracts. Each individual government customer has its own cyber requirements that are not necessarily outlined in contracting language. 

Industry also said that threats are over-classified, and voluntary guidelines like in SPD-5 are not enough to motivate companies to invest in cybersecurity. 

At the December 2023 National Space Council meeting, Vice President Kamala Harris tasked the interagency team with developing minimum cybersecurity standards for space systems.

Scott said the new minimum standards are intended to articulate a common baseline that all U.S. government systems must meet, bringing together disparate and fragmented guidance and addressing the gaps. 

He recognizes that not all space systems are the same and certain systems perform more critical functions than others, and that brings a challenge. 

“Cybersecurity requirements for various types of tiers of systems is a challenge, but it is a challenge that can be met,” he said. “Tiers could be defined by level of risk — the highest risk for national security systems and the most critical systems, moderate risk for general service lifetimes and the lowest risk for systems with lower liability needs and short surface lifetime.” 

He made a bold statement that cybersecurity for space systems on orbit, on the ground, and data links is a critical issue for national security. 

“Space Systems, although not formally designated as a standalone critical infrastructure sector, are in and of themselves critical infrastructure and they are a key enabler to critical infrastructure and virtually every sector. Our modern day transportation, energy, farming and agriculture, financial services, communications and other critical infrastructure sectors are and will continue to be increasingly reliant on satellites and space systems.”

The U.S. government will not be able to close the capability gap in space cyber without the innovation of the private sector and government working together. 

“Our goal is to narrow and operationalize the principles outlined in SPD-5,” Scott said. “As we work to develop cybersecurity requirements and systems, we need to work with allies and like-minded countries to craft an approach that will advance needed cybersecurity measures, but do so in a way that will not unduly inhibit innovation and rapid development of space systems.”