Cyber is perhaps the most challenging part about space interaction

Prof. Gregory Falco has been at the forefront of space system security in both industry and academia for the past decade. His research entitled Cybersecurity Principles for Space Systems was highly influential in the recent Space Policy Directive-5, which shared the same title.

He has worked closely with NASA’s Jet Propulsion Laboratory to help secure mission systems and advance the cyber security of space assets for other governmental and military organizations. Dr. Falco leads a research team selected as the inaugural university cohort tasked with improving automatic hazard detection and avoidance for Space Force’s Hyperspace Challenge.

He has been listed in Forbes 30 Under 30 for his inventions and contributions to critical infrastructure cyber security. Falco has been published in Science for his work on cyber risk.

He is currently an Assistant Research Professor at Johns Hopkins University’s Institute for Assured Autonomy and the Civil and Systems Engineering Department. Falco will begin his appointment as an Assistant Professor at the same in 2021. He is also a Cyber Research Fellow at Harvard University’s Belfer Center, Research Affiliate at MIT’s Computer Science and Artificial Intelligence Laboratory and Postdoctoral Scholar at Stanford University. Falco completed his PhD at MIT’s Computer Science and Artificial Intelligence Laboratory, master’s degree at Columbia University and bachelor’s degree at Cornell University.

Interview by Alfonso Delgado-Bonal.

Space is well known for being an extremely regulated environment. Besides national regulations, there are international agreements and guidelines that have to be respected, for example the registration for launching or the allocation of spectrum by the ITU. Is space equally controlled and regulated in the US from a cybersecurity perspective?

The regulatory landscape of space cybersecurity is equivalent to the wild west. In 2018 I published the report “Job One for Space Force: Space Asset Cybersecurity” while I was at Harvard University’s Belfer Center for Science and International Affairs, which contained several technically focused policy recommendations that could bring some order to the space security landscape. This work and my subsequent paper called Cybersecurity Principles for Space Systems caught the attention of several highly motivated members of the U.S. National Security Council and other federal agencies who did the hard work of adapting this research and that of my colleagues into national policy – materializing as Space Policy Directive – 5: Cybersecurity Principles for Space Systems, which was issued by the White House in September 2020.

The materialization of this policy was acknowledgement from federal authorities that space cybersecurity is a real problem, especially given the increased militarization of space. Despite the progress of officially acknowledging the issue, there are still major challenges ahead. Perhaps the main problem is that while we have high-level strategic guidance on what is needed for space assets, there is no roadmap to actually implement any of this.

The good news is that space component vendors no longer do a double-take when asked about security. However, the actionable guidance and steps that they need to take to prove that their systems are secure are ambiguous at best. There is this disconnect between the national policy and what software developers, manufacturers and systems engineers actually need to spec out when it comes to building these systems.

We have all these exciting new features that are appearing as part of the “new space” startup ecosystem, and ultimately from future infrastructure as a service providers for space systems, and it is still unclear what, if any, fundamental requirements should be baked into these technologies from a security standpoint. There is quite a lot to figure out still.

Are those questions being considered at all?

I appreciate how the Trump Administration really brought some of these space cybersecurity topics front and center. I think much of this happened as a necessity because of the formalization of the Space Force. It is unfortunate that we do not have a clear understanding yet of the Biden Administration’s priorities in terms of space cybersecurity. We will have to wait to see how they can help move the industry forward through policy or if we are going to stay status quo for the next four years.

The fact that the Biden Administration is very focused on climate and using space to forward that mission is wonderful, but just because the focus may shift from “boots on the moon” to a better understanding of our own planet does not mean cybersecurity can be temporarily bumped to the back of the line from a funding and focus standpoint. It would not be the first time that scientific satellites are hacked, like Landsat-7 and Terra AM01 in 2007 and 2008, when the hackers were suspected to be Chinese military. You can use hacked satellite systems for things you didn’t intend to use them for; hackers are creative by nature.

There is momentum in terms of driving more space exploration and that momentum is going to carry forth into this Administration. You can see that in multi-year contracts that have already been awarded or to be awarded shortly for lunar base work. People are thinking about space but if no one is actively thinking of having security as the priority, then much of our efforts will be for naught because China is going to steal our capabilities through their successful IP theft campaigns or Russia is going to overtly demonstrate their cyber capabilities by hacking our space infrastructure – just as they did for the DHS and other gov agency attacks in 2020; that’s kind of the status quo that we are seeing these days in security.

I guess many people are focused on landing on the moon; so how are we going to sustain that and be safe in the security regard?

That’s a really interesting point. I’m working now on how smart cities here on Earth can help us inform how we build smart space lunar habitats for resilient human existence. If we are going to stay on the Moon, we have to make sure that these systems are not something that can be compromised over time. If we have enough trouble securing our Smart City infrastructure on Earth, how do we expect to do this on the moon? That is a much harder landscape and it is not like we can do a copy/paste for how we do things here. Yes, we will be using similar kinds of control systems, but they will need to be considerably more resilient to the elements (including intentional cyber attacks). These are problems that should be front and center as we scope some of this out and, luckily, we are in the early days of designing these habitats so there is still time to bake in security from the ground up.

We are now in the middle of the privatization and commercialization of space. What is the private sector doing with respect to cyber security?

One of the frustrations I have is that the private sector who is landing these major contracts for future space exploration hasn’t been clear on their security posture either. It’s not like they have done any better job than the government has in facilitating this conversation. Space companies may claim they can’t disclose anything about their security due to strategic or competitive importance – but there are still ways to engage on the topic. For example, tech companies had historically been quiet about security issues but over the past decade they realized the benefits of figuring out how to work with security researchers through programs like bug bounty programs. The security research community, made up of both independent researchers and academic scholars, could help with space system stress testing in controlled environments. If the space companies are not doing this, our adversaries will and our private sector will be caught by surprise.

Companies with deep pockets need to openly engage on these topics and help facilitate these conversations. They can’t assume that because they own Tesla or Amazon that they have everything covered from a security standpoint. It doesn’t work like that. Space is different than IT, or even OT infrastructure security.

What about smaller private companies?

The startup ecosystem and small satellites environment are becoming more important to other space infrastructure. We are increasingly relying on small satellites as ancillary components to important complex missions, and many of these satellites are just IoT devices in space. We have a disastrous security landscape already for IoT systems here on Earth and that is translating into orbit. That’s a problem, especially in the context of how we have these dual-use space systems that are both used for defense and for commercial purposes. Just like multi-million dollar space assets, small satellites also need security stress testing, which is definitely not common practice yet. There are hundreds of these systems being sent up to space as we speak given the affordability and value they provide, but there is no conversation about their security and it is problematic.

How do you see the future with respect to cybersecurity in space?

I think the government is trying to help kick-start this conversation. I know the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) are working towards establishing a concerted effort around this. But assembling government infrastructure and support systems takes time. On the other hand, the private sector is now making progress in spades and they can act more quickly when it comes to organizing around these issues. For example, we are all looking forward to the progress that can be made by organizations like the Space ISAC which is driven largely by private-sector engagement.

Progress is happening – it’s just a bit slow. The reality is, thanks to the formalization of the Space Force, there is at least a broader acknowledgement that cyber is perhaps the most challenging part about space interaction. There have been some quotes by senior officials in the Space Force describing how they are less concerned about traditional kinetic attacks in space and more worried about cyberattacks. DoD is taking notice, and they are training experts in this multidisciplinary area of space cyber. Hopefully, this acknowledgement that cyber is a major issue will trickle down to the commercial and scientific sectors as well.

Gregory Falco Author
Assistant Research Professor

Prof. Falco is currently an Assistant Research Professor at Johns Hopkins University Institute for Assured Autonomy and the Civil and Systems Engineering Department; a Cyber Research Fellow at Harvard University Belfer Center; and Research Affiliate at MIT Computer Science and Artificial Intelligence Laboratory.
