Space Cybersecurity in the Age of Defending Forward

Rachael Hanna, Natassia Velez
Tuesday, November 24, 2020, 12:42 PM

A recent policy directive detailing the United States’s cybersecurity principles for “space systems” raises important questions concerning U.S. legal obligations in space under international law.

Picture from a plane window (Kevin Lau, https://flic.kr/p/47MAqv; CC BY-NC-ND 2.0, https://creativecommons.org/licenses/by-nc-nd/2.0/).

Published by The Lawfare Institute in Cooperation With Brookings

On Sept. 4, the Trump administration released a policy directive detailing the United States’s cybersecurity principles for “space systems.” Emphasizing the importance of space systems for communication, science, economic prosperity, and national security, the directive highlights the importance of integrating cybersecurity throughout the development and life cycle of space systems. Specifically, the directive calls for agencies to “foster practices within Government space operations and across the commercial space industry that protect space assets and their supporting infrastructure” and defend against cyber threats.

As a policy document, the directive does not create any new legal rights or obligations in the context of cybersecurity practices in space. But the directive’s language, in combination with the U.S. cybersecurity policy often referred to as “defending forward,” raises important questions concerning the United States’s existing legal obligations in space under international law. More specifically, the directive’s centering of cybersecurity in space creates tension with the international obligation to use space to advance international peace and security for the benefit of all countries. The assertive posture of defending forward may conflict with international space law in the policy’s current iteration.

Defending Forward

In response to the growing array of cybersecurity threats, the United States has developed a policy known as “defending forward,” initially articulated in the 2018 Department of Defense Cyber Strategy. Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, explained how defending forward relies on the doctrine of persistent engagement—actively “compet[ing] with adversaries on a recurring basis” by disrupting and degrading their capabilities to conduct cyberattacks. Defending forward also focuses on halting malicious cyber activity and having the ability to fight digital wars—in short, building “more lethal” cyber abilities. Critics of the policy have argued that defending forward in cyberspace could increase “the risks of escalation” of conflict with adversaries. However, Cyber Command and the U.S. government have decided that a “more proactive approach” will more effectively impose costs on adversaries, while managing the risk of escalation in cyberspace.

Notwithstanding this more assertive posture, the United States accepts that its cyber forces and activities, including in space, are subject to applicable international law. Indeed, a stated goal of the United States is to “promote respect for widely held international norms in cyberspace.” But in space, additional international law obligations and norms may complicate the United States’s ability to defend forward.

International Law Obligations and Norms

Both cyber and space are subject to international law and norms. U.N. Charter principles of state sovereignty, nonintervention, and state responsibility, along with the laws governing the use of force and international humanitarian law (IHL), all potentially apply to transnational cyber incidents. Many, if not most, cyberattacks fall below the traditional threshold for armed conflict that triggers the application of IHL. The other bodies of law are less clearly defined in their application to cyberspace, frequently failing to capture the realities of modern technology or anticipate the consequences of technological developments. While academics and states, including the United States, maintain that international law applies to cyber operations, the reality consists of murky parameters.

The Outer Space Treaty of 1967, the primary international space treaty to which the United States is a party, governs state activities in the exploration and use of outer space. The treaty provides a framework that is crucial for understanding the policy directive in light of the defending forward cybersecurity posture. Article I dictates that the exploration and use of space must be “carried out for the benefit and in the interests of all countries” and that space must “be free for exploration and use by all States ... in accordance with international law.” Article III explains that applicable international law includes the U.N. Charter. State activities in the exploration and use of outer space must be carried out “in the interest of maintaining international peace and security and promoting international co-operation and understanding.”

The Outer Space Treaty also aims to prevent the militarization of space. Article IV prohibits states from placing in orbit around Earth, or stationing in space, nuclear weapons or any other weapons of mass destruction. The treaty also mandates that the moon and other celestial bodies be used “exclusively for peaceful purposes” and prohibits “the testing of any type of weapons and the conduct of military manoeuvres on celestial bodies.” Article VI provides in relevant part that states “bear international responsibility for national activities in outer space” by both governmental and nongovernmental entities. Finally, Article IX requires states to engage in international consultation in relation to any planned activity by another state that could “cause potentially harmful interference” with peaceful activities in outer space.

New Cybersecurity Principles for Space Systems

The Trump administration’s space systems directive interacts with the dynamics around both defending forward and international law. The directive addresses protocols for preventing, monitoring and responding to potential cyber threats against the backdrop of the international legal obligation to take actions in space only for the collective benefit of states. The intersection of defending forward and applicable international law in space, and their possible conflict, calls for a clearer understanding of how the United States’s cybersecurity policy comports with space law.

The directive outlines cybersecurity principles for “space systems,” defined as systems that “provide[] a space-based service.” A space system will generally include “a ground control network, a space vehicle, and a user or mission network.” Importantly, the directive purports to set policy guidance for both government and private space systems; the relationship the policy directive sets out for the federal government and the commercial space industry is discussed in greater detail below.

First, the directive recommends that space systems and supporting infrastructure be developed to “continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities” that could threaten the systems’ operations. Second, space system developers and operators should have cybersecurity plans that will ensure operators or “automated control center systems” are able to “retain or recover positive control of space vehicles.” In particular, cybersecurity plans should protect from unauthorized or malicious access by implementing authentication or encryption measures and aligning best practices with the National Institute of Standards and Technology’s Cybersecurity Framework. Plans should account for supply chain risks by “tracking manufactured products, requiring sourcing from trusted suppliers,” and “identifying counterfeit, fraudulent, and malicious equipment.” Furthermore, plans should adopt appropriate intrusion detection and reduce physical vulnerabilities of space vehicle systems.

Third, the directive encourages the space industry to “share threat, warning, and incident information” as much as possible among relevant government and private actors. And finally, while the directive itself creates no binding legal obligations, it directs several government stakeholders—including the secretaries of defense, commerce and transportation, along with intelligence community directors, the NASA administrator, the director of the Office of Science and Technology Policy, the chairman of the Joint Chiefs of Staff, and the chairman of the Federal Communications Commission—to implement the above principles “through rules, regulations, and guidance” to enhance space systems’ cybersecurity.

Regarding private companies, the policy directive states that federal agencies “will foster practices within government space operations and across the commercial space industry that protect space assets and their supporting infrastructure from cyber threats.” Moreover, it directs federal agencies to work with commercial and other nongovernmental space operators to “define best practices, establish cybersecurity-informed norms, and promote improved cybersecurity behaviors” consistent with the above recommendations. The directive builds on previous efforts to coordinate cybersecurity endeavors with the private sector. Such public-private cybersecurity coordination is becoming increasingly important as private space enterprises are growing. Beyond SpaceX and Blue Origin, there are myriad private companies in the space weather forecasting and risk mitigation field, highlighted in the recently enacted Promoting Research and Observations of Space Weather to Improve the Forecasting of Tomorrow (PROSWIFT) Act, which directs agencies to coordinate with the private sector on assessing the impact of space weather and identifying improvements for forecasting and damage mitigation.

The policy directive responds to previous calls to further secure space systems against cyber threats, in anticipation of the Trump administration’s establishment of the United States Space Force last year. Space systems have already suffered cyberattacks from both nation-states and criminal enterprises, and the Space Force will have a primary role to play in their defense. For example, in 2014 a Russian cyber espionage group known as Turla hacked a satellite internet provider to disguise cyber espionage operations against several countries, including the United States. A 2017 cyberattack targeted GPS satellites, spoofing the reported GPS positions for multiple ships in the Black Sea. The directive places cybersecurity at the forefront of space systems development. Existing U.S. policy on cybersecurity may shed light on just how the relevant government stakeholders may implement this new directive.

Defending Forward in Outer Space

The cybersecurity for space systems policy directive shows how the United States’s defending forward cybersecurity strategy could clash with its international legal obligations in space. A central feature of defending forward is Cyber Command operations in “portions of cyberspace owned or controlled by an adversary or enemy” or operations that occur in third-country external networks that adversaries are using or plan to use. Even on Earth, it is unclear and much debated whether such forward positioning runs afoul of the principles of state sovereignty, nonintervention and state responsibility.

In the more legally restricted bounds of outer space, forward positioning and disruptive operations in other states’ networks could place the United States at odds with its treaty obligations. The United States’s cybersecurity strategy in space must contend with the Outer Space Treaty’s narrow allowance for peaceful state activities and requirement of international consultation on any activity that could cause “harmful interference” with another state’s peaceful space activities. However, the language of the policy directive explicitly requires that it be implemented consistent with applicable law, which includes the Outer Space Treaty and other international laws. The United States also has not stated whether it will employ its defending forward strategy in space. If it does, the strategy would likely need to be modified to comply with the treaty.

Private commercial space enterprises create an additional challenge for the United States. On Earth, the federal government has been reluctant to engage in cybersecurity efforts on behalf of private companies for a variety of reasons, including prohibitions on sharing classified information outside of the intelligence community and concerns that intelligence gathering to protect private companies could be difficult to differentiate from state-sanctioned economic espionage, which the United States has prominently decried. In outer space, the United States is responsible for the activities of private U.S. enterprises, and as a result, it could take a more protective posture toward such entities than it does on Earth.


Rachael Hanna is a recent graduate of Harvard Law School.
Natassia Velez is a J.D. candidate at Harvard Law School. She holds a B.A. from the State University of New York at New Paltz in International Relations.
