by Hugh Taylor and Marc Feldman

In April of this year, the United States Space Force (USSF) released its Commercial Space Strategy. The strategy, announced with the intention of “accelerating the purposeful pursuit of hybrid space architectures,” seeks to create partnerships between the USSF and commercial entities. This strategy is probably wise, given the innovativeness of the US private sector in space and the inherent limitations of the USSF in this regard. It should be pointed out, however, that the kinds of partnerships envisioned in the strategy have the potential to expose the USSF, and by association, US national security and the US economy, to increased levels of risk.

The goal is to integrate commercial space solutions with the USSF’s systems in mission areas that include Space Domain Awareness (SDA), Positioning, Navigation, and Timing (PNT), Cyberspace Operations, and more. The strategy also encompasses ground operations and launch support. In practical terms, this translates into private corporations playing an integral role in USSF operations affecting SDA, PNT, and so forth.

The industrial base that supports the US military, now inclusive of the USSF, comprises a broad network of partnerships between corporations and government entities. This is necessary and inevitable. Such arrangements create risk exposure, however. Adding partners adds attack surface area. For example, the recent breach of nearly all AT&T customer data, one of the worst incidents of its kind in history, occurred because attackers were able to compromise Snowflake, a third-party platform storing AT&T data. Comparable attack chains have occurred in defense industry settings.

The more expansive the partner network, the greater the risk. As a cybersecurity expert explained to me regarding the F35, which has 350,000 parts supplied by 1,500 vendors around the world, such a setup is insecure by definition. Indeed, as we saw, China stole the digital plans for the F35 and F22 by breaching Lockheed Martin’s networks. In another example that should serve as a cautionary tale for the USSF’s commercial strategy, Chinese hackers breached a US Navy defense subcontractor and stole hundreds of gigabytes of top-secret data related to undersea warfare programs, including codes used by submarines.

By partnering with commercial space companies, the USSF is exposing itself to comparable risks. These risks likely fall into two broad categories: conventional and unconventional. In terms of conventional risk, the USSF and its commercial partners face threats of attack and infiltration from traditional nation-state adversaries like Russia, China, and Iran. These countries’ intelligence services will be probing USSF commercial partners for weaknesses they can exploit to steal information or compromise operations.

Unconventional risks might include attacks by non-state actors like ISIS or Hezbollah, which want to disrupt American surveillance. Criminal organizations might also attack USSF commercial partners for financial gain, for example with ransomware. It’s essential to note, however, that non-state and criminal actors could be working in the service of nation states. This is already happening in the cyber domain, e.g., Russian cyber gangs attack American corporate assets at the (deniable) suggestion of the Russian government. The Colonial Pipeline hack, for example, suspected to be the work of DarkSide, a Russian or Eastern European hacking gang, cut off fuel supplies to US Air Force bases.

The USSF Commercial Space Strategy does address security issues in a serious way. By default, any defense contractor working with the US government must meet certain security standards. They must be certified for the National Institute of Standards and Technology (NIST) cybersecurity frameworks for the defense industry. They must be certified for the DoD’s Cybersecurity Maturity Model Certification (CMMC) 2.0.

This is all fine, but the question is, will it be enough? It may be unfair, but our position is that existing countermeasures and DoD standards will not be adequate to mitigate conventional and unconventional risks affecting USSF space assets and commercial partners. Experience shows that attackers have an advantage and that sprawling networks of corporate partners are inherently vulnerable.

What can be done to enable the USSF to benefit from its proposed commercial partnerships while preserving security? A number of possible ideas emerge. One is to leverage secure engineering principles in the totality of the design and construction phases of any project that comes out of the USSF’s Commercial Space Strategy. It would be a wise policy to insist on sourcing commercial components only from American suppliers, as well.

Another idea is to move beyond the largely perimeter-based security models embodied by NIST and CMMC. Instead, working from the Israeli cyber model, as exemplified by firms like XM Cyber and Radiflow, simply assume breach: work from the assumption that the attacker has already entered the network and proceed from there. Finally, more comprehensive monitoring and AI-driven threat analytics can watch for signs of breach that may elude standard cybersecurity tools like firewalls and intrusion detection systems (IDSs).

The USSF Commercial Space Strategy is a smart move for the Force, but it is one that brings about additional risks. To succeed in their strategic goals, the USSF would be wise to make security the foundation of the strategy, not a component. With unconventional threats compounding an already serious risk landscape, the need for comprehensive security is all the more urgent.

Photo by SpaceX: https://www.pexels.com/photo/grass-nasa-people-rocket-60126/

Space Piracy Blog © 2024 by Hugh Taylor and Marc Feldman is licensed under CC BY-NC-ND 4.0