Cal Poly report highlights outer space as new frontier for cybersecurity threats; offers ICARUS matrix
The Ethics + Emerging Sciences Group at California Polytechnic State University (Cal Poly) highlighted in a report that outer space represents the next frontier for cybersecurity. Although public awareness may be limited, space cyberattacks pose an increasingly critical threat due to the essential functions that space systems perform in today’s global infrastructure. Addressing these threats demands a deep understanding and proactive anticipation of potential attacks, emphasizing the importance of imagination in cybersecurity and exploratory frontiers.
In its 95-page report on the increasing threat of cyberattacks on space systems, Cal Poly identified that “As many critical services and infrastructure are based in space, it’s not an exaggeration to say that the modern world wouldn’t exist without space capabilities, the loss of which could be fatal to vulnerable people. Economic and national security would be at serious risk, among other things we care about.”
“Hackers are already thinking very creatively, and our project applies structure to the dark art of anticipating those cyber threats—a method to the madness. This helps defenders to avoid tunnel-vision and stay ahead of would-be attackers,” Patrick Lin, the project’s principal investigator and director of the Ethics + Emerging Sciences Group, explained in a media statement. He also serves on the National Space Council’s Users’ Advisory Group.
Authored by Patrick Lin, Keith Abney, Bruce DeBruhl, Kira Abercromby, Henry Danielson, and Ryan Jenkins, the Cal Poly report delves into the factors driving space cyberattacks, identifying seven key contributors to the trend. These include the new space race, remoteness of outer space, space debris, and sustainability, complexity of space systems, lack of clarity in cyber and space law, economic and political advantages of cyberattacks, and outsized stakes involved in space security.
According to data from the United Nations Office of Outer Space Affairs, for nearly the 50 years between 1965 to 2012, the total number of registered space objects (primarily satellites) launched worldwide has held steady, averaging around 130 per year. But that suddenly changed with an average of more than 220 space objects from 2013 to 2016, which then doubled to nearly 500 objects from 2017 to 2019. That figure tripled over the two years to more than 1,500 objects from 2020 to 2021. And the world is on pace to double that before long, launching an average of nearly 2,600 objects in the last two years, 2022 and 2023.
“This exponential growth in space launches is partly driven by new, more capable technologies, notably artificial intelligence (AI) and robotics,” the Cal Poly report revealed. “With greater access and capabilities in space, the global competition for space resources and research sites is heating up.”
The report comes following the wake-up call for outer space cybersecurity in 2022 when, as a prelude to invading Ukraine, Russia hacked the satellite-internet equipment of Viasat to disrupt communications, create confusion, and prevent a coordinated response to its attacks. The attack was recognized as the first ‘space war,’ where both parties utilized space systems for their military operations, as it targeted Viasat’s modems and routers, aiming to disrupt both the uplink and downlink connections, affecting the user segment of the network. Though no space-based assets were directly targeted by this cyberattack, it still counts as a space cyber attack because the target was part of Viasat’s space ecosystem.
The Cal Poly report identified that the ongoing militarization of space, with few guardrails, is still concerning to many, and miscalculations could accidentally lead to physical battles in space. “For instance, projects to give satellites the defensive ability to autonomously track, disable, or destroy other satellites need to seriously consider their impact on the environmental sustainability of orbits as well as on escalation dynamics, especially in the event of a wrongful defensive decision by either an AI or human and in the event of a conflict with adversarial satellites in the future that also have autonomous defenses,” it added.
Even limited-scale kinetic conflicts, even a single incident, could quickly escalate into a wider conflict in space and/or create new debris that has cascading effects, pushing us closer to the Kessler syndrome. At the least, a limited-scale kinetic conflict in space would set a dangerous precedent and perhaps lower barriers for the next kinetic battles, once the proverbial floodgates are open.
Beyond the governable state actors, cyberattacks can come from non-state actors who might not care about space sustainability, e.g., chaos agents and other extremists, who would be happy to bring about the Kessler syndrome. For instance, their cyberattack might target a critical component of a spacecraft, the failure of which could result in an explosion and thousands or more pieces of dangerous space junk. Furthermore, to the extent that cyber warfare can be governed, the governance of space cyberwarfare should be addressed.
The challenge, however, is that terrestrial cyberwarfare and cyberattacks have been stubbornly resistant to international agreements, though the special circumstances of outer space may provide hope for better progress.
The Cal Poly report also provides a framework for imagining novel scenarios that help to plan and avoid being taken by surprise. The project fills in key gaps in space cybersecurity discussions which typically consider only a couple of generic scenarios, namely something vague about satellite hacking and signals spoofing or jamming.
With the project’s ICARUS matrix—an acronym for ‘Imagining Cyberattacks to Anticipate Risks Unique to Space’—more than 4 million unique scenarios can be generated in considering a much wider range of threats. The report offers a starting set of 42 scenarios, briefly describing each one, to begin priming the imagination pump so that many more researchers can bring their diverse expertise and perspectives to bear on the problem.
Unlike other taxonomies of cyber vulnerabilities, the ICARUS matrix also captures the diversity of threat actors, their motivations, their victims, and the space capabilities affected. These help to establish the core elements of a full scenario—answering the who, what, where, when, why, and how questions.
The report noted that ICARUS as a scenario-prompt generator does not offer a comprehensive list of variables but only a robust starting list to help spur ‘imagineering’ of scenarios. There are undoubtedly more variables that can be considered, but we’ve limited ourselves to the major ones here as an initial offering. Moreover, new cyberattack methods, new space capabilities, new threat actors, and so on will emerge over time, especially as space and cyber technologies continue to evolve.
To that end, Cal Poly identifies five major categories of interest (columns A-E) for any scenario in space cybersecurity. The basic idea is to select one of the 20 variables (rows 1-20) from two or more of the columns to create a prompt or basic structure for a novel scenario, and the five columns representing key elements including threat actors or agents (who is perpetrating the cyberattack?); motivations (why are they launching a cyberattack?); cyberattack methods (how would the attacker penetrate a system?); victims or stakeholders (another who question); and apace capabilities affected (what is the damage or effect intended by the attacker?)
It should be noted that where the cyberattack takes place and when the cyberattack might occur aren’t included in the ICARUS matrix, as those aren’t so much variables but dependencies of a scenario.
In conclusion, the Cal Poly report said “Because large organizations are targeted by cyberattacks daily, it can be a numbers game and therefore only a matter of time until a serious breach in space cybersecurity disrupts life on Earth.”
But to anticipate those future cyberattacks on space systems, we need to have more than some vague notion of GPS or satellite hacking in mind, as serious as those two scenarios may be. A failure to imagine more possibilities can promote tunnel-vision at the expense of countless other scenarios. This would be very bad for cyber defenders, as attackers can already be counted on to be exceptionally inventive and resourceful.
“To help close that gap and prime the imagination-pump for cyber defenders, this report offers a roadmap (or star map) to many more possibilities: to more threat actors, more motivations, more cyberattack methods, more victims, and more space capabilities affected,” it added. “With our scenario-prompt generator, the ICARUS matrix, over 4 million unique prompts are possible, and each prompt can also lead to multiple scenarios. Users can also add their own variables of interest to generate even more scenario possibilities, and other variables will likely emerge over time.”
Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report highlighting the rapid integration of satellites, spacecraft, and ground-based infrastructure into daily life, driven by substantial private investment in space. These space systems enable essential services, including healthcare, telecommunications, internet infrastructure, transportation, energy, and financial systems.
