Strathclyde Business School

Cyber Policy: the need for executive education

By Sharon Lemac-Vincere - Posted on 2 October 2024

With World Space Week (October 4-10) approaching, Dr Sharon Lemac-Vincere looks at how satellites are at risk of cybersecurity threats which would impact our modern way of living and argues that cybersecurity education is essential for those in business. 

Many citizens and decision-makers continue to underestimate how reliant their daily lives and the economy at large have become on space infrastructure. Often, this is because the services powered or enabled by space are invisible or unknown to many. Yet satellite services have become thoroughly enmeshed with the global economy. They are the driving force behind countless applications – from rideshare and delivery services to precision agriculture – as well as our ubiquitous connectivity.

Severely impaired satellites would cease to emit positioning signals, causing all flights to be grounded and transport via rail or water to cease. Financial transactions would grind to a halt due to the absence of highly accurate time coordination. Money could no longer be withdrawn from ATMs. Stock trading would come to a standstill, leaving financial markets on the brink of collapse. Energy networks and power grids would also be hit by the lack of time synchronisation, leading to blackouts and impacting critical infrastructures such as hospitals. Many of the defence capabilities that armed services normally rely upon would be rendered inoperable.

Our extreme reliance on the space sector means it must be protected from threats, natural as well as man-made. In particular, cybersecurity threats must be anticipated and mitigated to avoid the nightmare scenario that would result from “a day without space.” In a not-too-distant future, space missions will be jeopardised not by mechanical failures or space weather, but by cyberattacks. This threat has already manifested itself, as illustrated by the Viasat incident. On February 24th, 2022, the day of Russia’s invasion of Ukraine, a cyberattack disrupted broadband satellite internet access. This attack disabled modems that communicate with Viasat Inc’s KA-SAT satellite network, which supplies internet access to tens of thousands of people in Ukraine and Europe. The aim was clearly to disrupt Ukrainian Command units during the invasion.

The Viasat incident is one of the most visible cases of cyberattacks against space activities, but many others exist, often going unreported or even undetected. With the rapid expansion of the commercial space sector, cybersecurity has become a pivotal concern, but one which has avoided public discussion, perhaps out of fear of alarming the general public. However, not talking about the issue will not make the threat go away. Protecting sensitive data, ensuring mission integrity, and mitigating potential threats are essential for both commercial success and national security. However, many senior executives and decision-makers lack the necessary experience and awareness of cybersecurity’s critical importance for their organisation and activities.

Why does space cybersecurity matter?

Effective cybersecurity in the commercial space sector hinges on informed and proactive leadership. Senior executives are responsible for setting the strategic direction, making critical decisions, and allocating resources. However, there is a significant gap in awareness and expertise among many decision-makers. Without a deep understanding of cybersecurity threats and best practices, leaders may inadvertently expose their organisations to vulnerabilities. Thus, equipping senior leaders with the necessary knowledge and skills is essential for the sector’s resilience and growth because of their management role in any space organisation.

The US military’s Commercial Augmentation Space Reserve (CASR) initiative highlights the necessity of integrating commercial equipment into military space operations to enhance cybersecurity for military satellites. However, this initiative also underscores the critical need for leaders to comprehend the complexities and risks of such integrations, which can introduce new vulnerabilities into military systems. The reliance on commercial technology necessitates a rigorous evaluation of its security implications, something that is often overlooked due to the rapid pace of technological advancement.

Nearly 20 years ago, significant gaps in US space policy were identified, particularly concerning the integration of third-party space assets and the complexities of space globalisation. These issues remain unresolved, necessitating a re-evaluation of strategic doctrines to address evolving threats. The current fragmentation in cybersecurity standards across jurisdictions allows adversaries to exploit regulatory gaps, posing significant risks.

Understanding the regulatory and legal frameworks governing space activities is crucial for leaders in the commercial space sector given the interconnectedness of international peace and security, national security, human security, and the security of the space environment. However, the current legal frameworks are often reactive rather than proactive, addressing cybersecurity threats after they have materialised.

There is a pressing need for legal reforms that anticipate future challenges and incorporate proactive measures to enhance cybersecurity resilience. France’s Law on Space Operations (2008, amended 2023) is a pioneering regulation that includes specific cybersecurity provisions: Article 27 mandates cybersecurity measures to prevent unauthorised commands to spacecraft while Article 39-3 requires space operators to implement a comprehensive cybersecurity plan.

These amendments underscore France’s commitment to securing its space activities against emerging cyber threats. However, some commentators have argued that the broad and somewhat vague requirements of these articles could lead to inconsistent implementation and compliance issues among operators. Enforcement of these provisions may also be challenging due to the complexity and rapid evolution of cybersecurity threats.

The UK’s Space Industry Regulations 2021 also include cybersecurity measures, such as the development of a spaceflight cybersecurity strategy, and mandate the reporting of notifiable cybersecurity incidents to the regulator. These regulations aim to protect spaceflight activities and critical national infrastructure.

Several cybersecurity policy announcements relevant to outer space have underscored the growing recognition of these challenges. The European Space Agency (ESA) published “ESA Security for Space: Shaping the Future, Protecting the Present” in November 2023 to protect critical space infrastructure. In December 2023, NASA released the “Space Security: Best Practices Guide” to bolster mission cybersecurity efforts for both public and private sector space activities. These documents highlight the evolving threat landscape, with U.S. intelligence agencies warning of foreign infiltration through cyberattacks and strategic investments aimed at the space industry.

The Cyberspace Solarium Commission (CSC) report (2023) further emphasises the need for enhanced cybersecurity measures, recommending that outer space be recognised as the 17th critical infrastructure sector. This recommendation underscores the interconnectedness between space and cybersecurity, advocating for the development of norms and standards in collaboration with international partners. The report’s stakeholder-specific recommendations aim to prioritise cybersecurity across all space activities, highlighting the urgent need for comprehensive and coordinated efforts to secure space infrastructure.

The need for bespoke interdisciplinary cybersecurity training

Generic cybersecurity training programmes often fail to address the unique challenges of the commercial space sector. However, the space sector needs to be aware that private companies can be the target of cybersecurity attacks against the assets on Earth or in space, as well as the data gathered, transferred, or stored. Bespoke training tailored to the specific needs of space industry leaders is therefore crucial.

Leaders must comprehend the gravity of these threats and the importance of robust cybersecurity measures. Informed and proactive leadership can enhance national security by protecting space assets from cyber threats, contributing to the nation’s overall security posture. Ensuring the cybersecurity of commercial space operations attracts investment and fosters economic growth within the space sector. Staying ahead in cybersecurity helps maintain a country or organisation’s position as a leader in space technology and innovation.

Executive Space Cyber Education at ISU and the University of Strathclyde

The International Space University (ISU), the only university dedicated exclusively to the study of space, provides an executive space education programme designed to offer an overview of space and space-related subjects. In May 2024, with the collaboration of the University of Strathclyde, it launched a three-day executive course held at Strathclyde Business School, one of the first to provide postgraduate-level micro-credentials in space cybersecurity, focusing on:

  • An overview of the Space Sector and Cyber Security in Space
  • Satellite building and programming overview
  • Understanding threats, vulnerabilities, detection, and response
  • Emerging space technology, policy, law/regulation, and compliance with a cybersecurity focus
  • International cooperation, space diplomacy, and geopolitical context
  • Entrepreneurship in space and opportunities in space cyber
  • Simulation and decision-making exercises

This programme underscores the necessity of bespoke cybersecurity training as it provides leaders with comprehensive knowledge and practical skills essential for safeguarding space operations. Leaders must be educated about the current and emerging cyber threats specific to the space sector, including satellite jamming, spoofing, and cyber-physical attacks. They need to be informed about the latest advancements in cybersecurity technologies and the importance of investing in research and development to stay ahead of evolving threats. Emphasis should be placed on the importance of securing the entire supply chain, from component manufacturing to satellite. Understanding the regulatory frameworks and compliance requirements is essential for ensuring that organisations meet national and international cybersecurity standards. Training covered the development and implementation of incident response plans, crisis management strategies, and recovery protocols to minimise disruptions and restore operations swiftly. The course was attended by representatives of the space sector from many disciplines (legal, data, cyber, government, manufacturing), showing the need to bring together people with different backgrounds and expertise in the sector who look at the same issue from different vantage points.

This course was just the first and will be repeated in the future to reach the necessary audiences while keeping up with technological evolutions and the new threats that will undoubtedly exploit their weaknesses.

This amended blog was co-written with Nicholas Peter, acting President of the International Space University (ISU)


