Space Force must address cybersecurity in commercial acquisitions
Space systems have traditionally remained secure due to a relatively low-threat environment. But as space continues to become integral for warfare, U.S. military assets are increasingly at risk of incapacitation or destruction. Creating resilient space systems is imperative for the U.S. Space Force—America’s front line of defense in space.
Now in its fourth year, the service has increasingly turned to commercial solutions for enhancing resiliency. Thus far, Space Force has leveraged private sector contracts to proliferate and diversify its satellite constellations as part of an acquisitions strategy to exploit what it has and buy what it can.
While redundancy and diversification are crucial for resilience, commercial space systems are increasingly vulnerable to digital compromise. Cyberattacks have become the most cost-effective means for adversaries to disrupt satellites, ground stations, and user devices for accessing space-based networks. They are a constant, daily threat that spans competition and conflict. With the acquisition of new space based capabilities, including commercial elements, it is vital that these systems have adequate protections against cyber threats.
Now is the time for the Space Force to address system cybersecurity in commercial acquisitions.
Cyberattacks can target the ground, space, and user segments of space systems. One of the most impactful attacks—the hack of U.S. commercial company Viasat by Russia during its February 2022 invasion of Ukraine — exclusively targeted ground and user elements. Russian operators infiltrated Viasat administrators’ virtual private network (VPN) to access ground management networks and send out data-wiping software to customer modems through a fake update.
After rendering thousands of modems useless, the hackers overloaded Viasat servers with traffic to prevent customers from reconnecting to company services. This disrupted Ukrainian military communications relying on Viasat and caused blackouts for thousands of European customers.
Satellites themselves are also at risk. The Space Force’s recent Moonlighter challenge demonstrated that hacking a live, in-orbit satellite is no fantasy. A similar exercise sponsored by the European Space Agency reinforced the digital insecurity of satellites. More alarmingly, adversaries like China are building cyber capabilities to hijack satellites.
And the options for attackers are growing exponentially. An increasing reliance on commercial off-the-shelf software for internal satellite operation and the proliferation of private sector satellites provide greater incentives for hacking the private sector to access U.S. military data.
Given these challenges, the Space Force can address cybersecurity through acquisition by prioritizing the ground segment, incentivizing secure-by-design procurement, and regularly auditing supply chains for cyber hygiene. First, ground segments require greater emphasis. While “delivering ground before launch” is one of the service’s acquisition tenets, commercial efforts have focused on satellites to the detriment of ground systems.
The aggressive pursuit of launch capabilities without corresponding ground elements means the Space Force cannot fully exploit its new satellites. It also leaves ground systems more susceptible to cyber disruption.
For ground acquisitions, Space Force must design multiple smaller, focused contracts and enforce stricter deadlines leveraging all tools in the acquisitions tool kit. Major development failures and schedule delays only increase the exposure to cyber threats. For example, the Enterprise Ground Services program—meant to develop a unified ground system for military satellites—fell apart last year and was replaced with a smaller-scale plan for satellite command and control (C2).
The Advanced Tracking and Launch System Analysis System (ATLAS), which would replace Space Force’s 1980s-era computer systems for satellite C2, has also faced multiple delays over an inability to coordinate across disparate hardware and software elements. Similarly, the Next-Generation Operational Control Segment (OCX) for the Space Force’s newest Global Positioning System satellites is already seven years behind delivery.
Second, the Space Force’s new commercial acquisitions should prioritize systems that are “secure-by-design.” Cybersecurity standards are explicitly built into products from the outset, not as an afterthought. Secure-by-design should also extend through sustainment and maintenance to include deliberately planned security updates. Designing preemptive security features into product development will only enhance cyber threat-hunting initiatives like Space Force’s Digital Bloodhound program by elevating the baseline for security across systems.
The Space Force must incentivize secure-by-design through contract bonuses and prospects for follow-on work. Secure-by-design will require transparency into commercial satellite design and the software acquired to communicate within and across military space systems. Understandably, the Space Force has prioritized interoperability. Connecting the military’s disparate satellite networks makes for a more effective force. But greater communicability across networks also creates new attack vectors. Secure-by-design is critical to reduce vulnerabilities for new software solutions that must interact with legacy networks operating on outdated and insecure software.
Finally, the Space Force must have deep insight into the cyber risks to its supply chains. The complex and convoluted supply chains for space systems present multiple points of potential compromise for state-sponsored hackers to exploit. Early concerns about exposure to potential Chinese hacking did emerge with the 2014 Chinese acquisition of IBM’s personal computing business that underpinned OCX. The Russian hack of Viasat’s VPN service finally put upstream software vendor risks on the agenda. Despite numerous vulnerabilities, cybersecurity remains a glaring problem for the space industry and contractors have no common framework for network security, user authentication, systems management, and incident prevention and response.
Cybersecurity cannot stop after purchase. The 2020 SolarWinds compromise highlighted the need to regularly audit supply chains. Russian cyber operators infiltrated Fortune 500 companies and U.S. government agencies with existing SolarWinds contracts by corrupting a single software product upstream in supply chains.
The lesson for Space Force is that sustainment requires supply chain security verification at annual or semiannual intervals. The service must ensure that “safe” contractors remain safe over time and that products acquired from those companies are not critically dependent on components or vulnerable to disruptions from geopolitical adversaries.
Even as we get Guardians into orbit, Space Force remains a digital force reliant on satellite data. Prioritizing cybersecurity may result in higher initial costs and longer schedule times that clash with the Space Force’s drive to acquire commercial solutions cheaper and faster. Striking the right balance between these prerogatives will be essential for the implementing the service’s recently released commercial space strategy. But cyber protections are a necessary investment: paying more upfront reduces the costs of an adversarial comprise later through protection and mitigation. In a wartime setting, the last thing the U.S. wants is a collection of satellite networks that are easily crippled due to its own inaction.
Jason Blessing, Ph.D., is a Research Analyst at the Potomac Institute for Policy Studies. His research focuses on cybersecurity as well as transatlantic relations. All views are his own and do not represent the views of the Institute.