There are 16 critical infrastructure sectors, and experts are deeply divided on whether space systems should be the 17th.

Four main components on the Roscosmos segment of the International Space Station are pictured as the orbital outpost soared 261 miles above the north Atlantic Ocean. (NASA)

Every day on Earth, systems in space make the ordinary possible. The constellation of satellites that make up the global positioning system enable precise navigation. Farmers use space systems to manage crops. The global financial system relies on space systems for exact timing of transactions. 

In recognition of their importance — and the devastating consequences if they were to break — these types of systems are typically designated as “critical infrastructure” by the U.S. government. Space systems, however, are not. 

The increasing importance of space systems to everyday economic activity and a rapidly expanding space economy has many experts arguing that these systems ought to be designated as critical infrastructure in order to better protect them. This debate is coming to a head amid the Biden administration’s ongoing rewrite of Presidential Policy Directive 21, which is the key federal policy document governing the security of critical infrastructure, but experts are deeply divided about whether the policies in place are enough to handle threats posed to space systems. 

Designating the space sector as critical infrastructure would task a federal agency to oversee the sector’s risks — choosing what the federal government calls a “sector risk management agency.” It would also create an industry-led council that acts as a go-between for private firms and the federal government, a move that could improve information sharing between government and industry — particularly regarding the threat of satellites being hacked. In short, the designation as “critical infrastructure” is a policy decision to create a structure for the government to work with a sector deemed essential to U.S. interests.

Designating space assets as critical infrastructure would also draw a line in the sand that hostile actors are not supposed to cross at a time when cyberattacks against space systems and GPS jamming are only growing more common. At the outset of Russia’s invasion of Ukraine, Russian forces attacked a Viasat satellite internet system, disrupting communications for the Ukrainian military. SpaceX’s Starlink technology — which provides critical connectivity for the Ukrainian military — has seen its terminals repeatedly jammed. Amid ongoing fighting between Israel and Hamas, Israeli armed forces have engaged in widespread GPS jamming.

As launch costs continue to decrease, the space industry is only expected to grow in importance and take on ever more exotic applications, such as the mining of asteroids and other celestial objects. By the 2040s, the industry is predicted to be worth more than $1 trillion.

For advocates of designating the industry as critical infrastructure, doing so would bring a welcome measure of coherence and create responsibility within the federal bureaucracy for how to best manage a rapidly growing and increasingly important sector. “There is no single agency in charge,” said Sam Visner, who chairs the board of directors at the Space Information Sharing and Analysis Center and is a fellow at the nonprofit Aerospace Corporation. “There’s no agency at this point which is pressing for a national space system cybersecurity and resilience R&D strategy, which I think is something we very much need.”

Advocates for the designation also argue that existing policies are woefully out of touch with the industry. At a time when space systems are at risk of being hacked, the designation could help to streamline information sharing, such as with the Justice Department’s fusion centers, which are spread throughout the United States. It might also aid in the diffusion of cyber best practices for systems deployed to space. 

Above all, advocates argue, because so many other critical infrastructure sectors are increasingly reliant upon space systems — a trend that will only intensify — not granting critical infrastructure protections to space represents a glaring weakness in how the U.S. protects its most important systems. 

The last time the critical infrastructure sectors were updated was in 2017, when election infrastructure was added as a subsector of government facilities. The Biden administration is currently conducting a review and rewrite of Presidential Policy Directive 21, which sets the current structure for the 16 existing critical infrastructure sectors. The revised document might designate the space industry as critical infrastructure even though officials have indicated that a change is unlikely. However, the outcome of that revision process is uncertain.

“For rewriting PPD-21 to be worth the effort, it needs to have substantive changes and it needs to address contemporary issues. Not designating the space sector as critical infrastructure in this rewrite will just set the stage for an insufficient document that needs more work in the future,” said Mark Montgomery, former executive director of the Cyberspace Solarium Commission and senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.

It’s uncertain when the PPD-21 rewrite will be released, but administration officials have hinted that it’s forthcoming. In remarks at a Washington event on Feb. 26, Camille Stewart Gloster, deputy national cyber director of technology and ecosystem security, said that the rewrite will be coming “soonish.”

A long list of op-eds, articles and reports would seem to agree with Montgomery, but experts are in fact divided on whether the move makes sense. The interagency Federal Senior Leadership Council — a cross-sector council of agencies in charge of critical infrastructure — recently recommended against the move, Politico reported. The 16 critical infrastructure sectors are defined as those whose “destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” and some experts question whether adding the space sector to the list would make a major difference.

“I would argue that’s going to have way less impact than people think, other than you get your critical infrastructure merit badge that you can put on your sash,” said Nick Reese, co-founder of the cybersecurity firm Frontier Foundry and the former director for emerging technology policy at the Department of Homeland Security.

Reese said one major reason the impact would be minimal is that being declared critical infrastructure does not mean that the sector would be subject to binding cybersecurity regulations. Most critical infrastructure assets do not have mandated cybersecurity regulations and instead rely on voluntary measures and guidelines from agencies like CISA. While the Biden administration has said it is moving to roll out binding cybersecurity rules for critical infrastructure, that process has been fairly slow moving. Industry experts are endeavoring to create voluntary technical standards for space systems in an effort to address the cybersecurity gaps in commercial space systems.

Some industry trade groups, meanwhile, say that the designation doesn’t make sense and that while telecommunications satellites orbiting the Earth might seem exotic, they in fact have more in common with terrestrial infrastructure. “We think of space telecom as closer to telecom. We don’t think space telecom is closer to exploring the moon. It’s closer to my cell phone,” said Mike French, the vice president of space systems at the Aerospace Industries Association. In a letter to Jake Sullivan, White House national security advisor, the AIA warned against declaring space as critical infrastructure.

French said he is concerned that any new designation would bring along new regulations while not adding the resources to match. “All resources that are needed have to come out in normal appropriations to the agency that’s in charge,” French said. 

In this debate, one of the key questions is which agency would be designated as the sector risk management agency for space, taking on the responsibility for helping the sector understand and mitigate threats through training, funding and other federal assistance.

The Cyberspace Solarium Commission argued in a report last year that NASA should be designated the space industry’s SRMA. While the commission also considered the Department of Commerce and the Department of Transportation as potential candidates, ultimately, the commission landed on NASA as it, somewhat obviously, focuses on the space domain and has existing relationships with the industry.

But tasking a science-focused agency with proactive risk management against state hackers and malicious cybercriminals is not as simple a task as it sounds.

“You would be bringing in an agency that is not designed to do this at all and has never done it,” Reese said. “You would have to stand up an entire new division within NASA.”

Whichever agency would be picked if space is declared critical infrastructure, it would be an added advantage for basic coordination, Visner said. “In an emergency, it would, I think, be useful and more efficient and faster if a SRMA was managing the coordination of information,” he argued. “We’d like to be able to share what we’re learning — best practices, new developments — and have that diffused within the public sector. I think, again, having a SRMA would do that.”

Visner agrees that the designation is not a silver bullet but a starting point for making the sector more resilient. “A sector risk management agency needs to be designated. Its responsibilities and authorities have to be defined. Resources have to be made available. Capabilities will have to come into play. Nothing happens with just the flip of the switch,” he said.

Another open question is which space system assets should be considered critical infrastructure, since many assets in the sector already have that designation. Launch facilities, for example, are covered under government facilities, and commercial satellites fall under both the telecommunications sector as well as the defense industrial base. Creating a new space systems sector could pull out those assets, along with the existing communication and coordination structures. Other systems, such as commercial remote sensing operations and scientific satellites like weather tracking and forecasting systems, are not a part of critical infrastructure, according to a report by CSC 2.0, which advocates for the critical infrastructure designation.

Even if the policy rewrite does not declare a 17th critical infrastructure sector, the Biden administration has launched other space-related initiatives. 

In late December, Vice President Kamala Harris announced a new policy proposal that would provide oversight of novel commercial space activities and said that the U.S. will pursue cybersecurity standards for space systems.

NASA recently released a space security practices document that serves as a “translation guide” for space lingo amid ongoing work at the National Institute of Standards and Technology.

CISA Executive Director Brandon Wales said in a statement that the agency “continues to work with our interagency and industry partners to better understand risk to space infrastructure and ensure the space enterprise is taking the necessary steps to improve security and resilience.”

“Many of the most effective measures are the same basic cyber hygiene practices that apply across all sectors — such as employing encryption and ensuring software and firmware are updated,” Wales added.

The Space Systems Critical Infrastructure Working Group, co-chaired by CISA, is studying how existing critical infrastructure is becoming reliant on space systems and expects to assess how cybersecurity performance goals and secure-by-design practices are applied to space assets this year.

The Office of the National Cyber Director has been working with the National Space Council on cyber issues. A series of meetings with industry representatives led the White House to conclude that “the biggest gap to be filled is the need for more consistent cybersecurity requirements from government space operators,” an ONCD spokesperson said in a statement.

A forthcoming “announcement will ensure that work happens on behalf of the industry and all who rely on the communications, connectivity and exploration of our space systems,” the spokesperson said. “We look forward to working with the National Space Council and our colleagues across the interagency, from CISA to NASA to NIST, to improve the cybersecurity of our critical space systems.”

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com
