The report, which is titled Outer Space Cyberattacks, is from California Polytechnic State University's Ethics + Emerging Sciences Group think tank, and it highlights different manners and motivations for cyber attacks in space. It also includes a tool that can help cybersecurity teams create hypothetical threat scenarios. Technologies and threats are constantly evolving, and as such, it's important to consider a wide variety of hypothetical near- and far-future concerns. Doing so can help in developing resiliency and response measures that stand up to adversary surprises. It can also help shape space cybersecurity policies that remain relevant long term.
“Outer space is the next frontier for cybersecurity,” the report authors write. “To guard against space cyber attacks, we need to understand and anticipate them, and imagination is at the very heart of both cybersecurity and frontiers.”
Securing satellites, the ground stations that control them and other aspects of the space ecosystem is important for protecting technologies woven through much of modern life. Satellites are used to forecast weather, provide navigation services for vehicles, support credit card processing and more.
Attackers may seek to spy on communications, disrupt systems or force them to provide falsified data. Perpetrators may be driven by motives like political or ideological agendas, economic competition for space-based resources, curiosity or desire to wreak havoc, the authors note.
International law currently falls short of providing clarity or enforceability around space cyber norms, the report also says.
Some international agreements may address parts of the landscape. For example, the United Nations' International Telecommunication Union constitution seems to prohibit jamming and spoofing, but the union lacks enforcement capabilities. Meanwhile, several international treaties regarding expected behavior in space — like the Outer Space Treaty — were crafted years before space cybersecurity became a concern and so they do not specifically discuss it.
Laws also haven’t traditionally considered that private companies might enter outer space, so they offer little guidance on how to govern commercial activities. Companies might become targets of ideologically motivated attacks if their actions are perceived as controversial. Some companies may be targeted for plans to build religious iconography or place advertisements on the moon.
Part of holding hackers accountable — in space or on the planet — requires determining whether a problem was caused by a cyber attack or a different kind of system failure. Investigating issues impacting space-based objects is challenging, because it’s difficult to collect information about the event.
To help technology and policy teams brainstorm threat scenarios, report authors also created a table listing possible elements of an attack. This includes different types of threat actors, motivations, victims, impacted services, or capabilities and attack methods. Different elements can be combined to help generate hypothetical threat situations.
And to prompt more ideas, the authors also describe possible scenarios ranging from current threats like signal jamming that disrupts satellite-ground communications to theoretical future threats like attempts to damage a hypothetical space elevator.
Some examples deal with disinformation campaigns. For example, malicious actors might spoof signals from satellites that monitor asteroids, using them to spark false fears of a collision. This could cause panic and unnecessary evacuations. Hackers who cause satellites to transmit false positives could also destroy public trust in the satellites’ monitoring capabilities, prompting people to later ignore its accurate warnings.
Another concern: Keeping satellites’ cybersecurity up to date is especially difficult. Satellites can remain in orbit for a decade or more, and efforts to remotely update their software are constrained by what the legacy hardware they were launched with will allow. Additionally, it’s common to avoid attempting major system updates to avoid the risk of a failure disabling the device. All this can leave older satellites underdefended against modern threats. Newer satellites bring risks too: CubeSats, for example, are a kind of small, low-budget satellite that’s often designed without cybersecurity components at all, to reduce costs and size.
Supply chain and third-party risks remain important, too. Government space projects must consider the cybersecurity measures of their vendors and the risk of losing support for an already-deployed component should the technology provider fold.
Human-made threats aren’t the only ones to consider. The report warns that space radiation could cause “bit flips — turning 1s into 0s, and vice versa — that corrupt the storage of cryptographic keys onboard, which could cause a valid credential to cease working and deny access.”