DOD Moves on Satellite Cyber Guidance After Russian Threats

Upcoming cybersecurity guidance aims to safeguard U.S. commercial satellites against emerging cyber threats amid concerns foreign adversaries will target commercial satellites and cripple U.S. military operations and allies.

The Space Systems Command (SSC) told GovCIO Media & Research that its Commercial Services Office (CSCO) will issue a 30-day request for information (RFI) by December outlining goals and requirements for potential industry candidates to participate in an upcoming pilot for the new satellite cybersecurity guidance.

The cybersecurity guidance, known as the Infrastructure Assurance Pre-Approval initiative (IA-Pre), falls in line with the 2022 National Defense Strategy released last week. The U.S. military and critical infrastructure sectors increasingly rely on commercial satellites for mission-critical communications, such as the Defense Department’s Joint All-Domain Command-and-Control (JADC2) initiative.

The SSC CSCO news also comes one week after a Russian senior foreign policy official threatened to target U.S. commercial satellites if they aid Ukraine, per Reuters.

“What [the war in] Ukraine has shown is that commercial companies and satellites are going to be targets of electronic warfare, jamming, active disruption of the service itself,” Ultisat President and CEO David Myers said during a CyberSatGov 2022 panel in Reston, Virginia, this week. “Then the extreme of it is an increased investment from Russia and China in kinetic anti-satellite technology. The real scary part about that is the ability to pollute an entire orbital plane that creates a debris field that destroys every other satellite in the adjacent plane.”

Richard Buenneke, senior advisor for national security space policy at the State Department’s Bureau of Arms control, Verification and Compliance, described the space supply chain as a major national security priority and part of a “wider resilience approach” in response to recent geopolitical cyber developments.

“Working with the U.S. commercial sector, the U.S. government will strengthen the cyber posture of the space sector and supply chains,” Buenneke said during a keynote at the event.

The 2022 National Defense Strategy highlighted concerns around near-peer adversaries such as China and Russia “using the cyber and space domains to gain operational, logistical and informational advantages.”

“Because the cyber and space domains empower the entire Joint Force, we will prioritize building resilience in these areas,” the strategy reads. “Cyber resilience will be enhanced by, for example, modern encryption and a zero trust architecture. In the space domain, [DOD] will reduce adversary incentives for early attack by fielding diverse, resilient and redundant satellite constellations.”

Jared Reece, branch chief for SSC CSCO, said his office aims to develop strong relationships with industry to provide cybersecure space and satellites technologies to DOD’s Commercial Satellite Communication Services (COMSATCOM) via IA-Pre.

“Anything that’s available that the warfighter is interested in, we want to be able to get access to that,” he said during a keynote at the event. “COMSATCOM and commercial capabilities have been essential and an expanding role in the DOD SATCOM community. We want to provide the DOD with the ability to extrapolate and expand capabilities. We want to take the customers we have and use that collective power to generate a more effective approach to the community.”

IA-Pre, initially launched in May 2022, intends to streamline risk assessments for COMSATCOM vendors while strengthening COMSATCOM’s overall cyber posture with a cybersecurity-first approach.

“We can’t buy the capability and worry about cybersecurity later, we have to worry about it from the beginning as well,” Reece said. “This strengthens COMSATCOM services by giving industry a [cybersecurity] baseline, a goal saying this is what we would like to see. That way we can depend on the services.”

SSC CSCO designed IA-Pre as an approved products list to eliminate the need for vendor self assessments. According to Reece, the goal is to “enable faster capability acquisition” by swapping on-site assessments for self-assessments and developing a program “that does not generate a lot of other steps.”

“What can we do to not reinvent the wheel and get this done as fast as possible?” Reece said. “We know industry invests a lot of time and money in protecting their capabilities, we just want to be able to work with you to understand the level you’re putting into that and flag systems with lower risk that we want to be able to utilize.”

IA-Pre is, in a way, the other side of the coin to DOD’s Cybersecurity Maturity Model Certification (CMMC) program. CMMC evaluates an organization’s cybersecurity posture, while IA-Pre evaluates the cybersecurity posture of the products an organization uses, like a software bill of materials (SBOM).

Satellite industry representatives at the event stressed SBOM-like software tracking, basic cybersecurity hygiene and consistent information-sharing.

“We’ve been playing very close to attention to what software is installed and where so if something comes up we can quickly identify where something sits,” said Alex Kaczmarek, executive director of network infrastructure at Iridium Communications.

Kaczmarek and Quintessence Labs Chief Revenue Officer Silvio Pappalardo also encouraged industry and the DOD community to invest resources in quantum cryptography research because of its potential to break data encryption.

Pappalardo advocated for a “hybrid encryption approach” that balances legacy encryption practices with “post-quantum” security, especially as Russian adversaries try to steal U.S. encrypted data in hopes of breaking encryption with quantum computing.

“Crypto-agility is going to be essential,” Pappalardo said. “If you think about security controls, they’re failsafe encryption — most have a lifespan of 10 years. Controls fail, data is intercepted, last failsafe is encryption. The fact that they’re going after anything they can tells me that breaking encryption is 10 to 15 years down the line, and most encrypted data has a lifespan of 10 years. Quantum computing, sensing — it’s still very, very in the early stage. Encryption is like putting a suit of armor around your king. It deflects everything, then someone invents the crossbow.”

Pappalardo said industry DOD components should consistently bring in and rotate third parties to test security controls on satellites.

“It doesn’t make sense to bring in the same team every time,” since they all have different ways of looking at and testing security controls, Pappalardo said. “It’s great policy to keep rotating and also budget to that as opposed to just buying more gear, buying more security controls.”

Todd Gossett, vice president of corporate development at SES Government Solutions, said the entire satellite industry and DOD should be “tracking” cyber hygiene policy and key cyber guidance from government because of the war in Ukraine.

“We have to be 100% effective every day [because] adversaries just have to have one good day,” he said during a panel on cyber lessons learned from the war in Ukraine. “The cybersecurity posture in many ways is the same, that said, there’s been an increase in technical measures as well as information to get earlier and higher awareness. NIST 800-171, CMMC … all those things continue to help us defend the network, but we have to be vigilant every day and effective every day so that spurs us to action.”