Historically, space and terrestrial systems operated separately, serving different user bases and needs. In recent years, systems have become more sophisticated and interconnected. The introduction of new low-earth orbit (LEO) constellations and hybrid terrestrial/non-terrestrial networks has changed the paradigm dramatically. The development of interfaces across systems, together with the growing quantity and complexity of ground control and service support infrastructures, is expanding the potential attack surface.
Cybersecurity in space has become a dynamic enterprise where near-peer adversaries are continually striving to evolve their tactics, techniques and procedures (TTPs). To counter these efforts the U.S. government and satellite operators must collaborate to stay one step ahead.
Central to the U.S. Space Force’s efforts in this area is the development of the Infrastructure Asset Pre-Approval Program, or IA-Pre. IA-Pre is an objective cybersecurity risk assessment process for key self-nominated COMSATCOM assets, measured against National Institute of Standards and Technology (NIST) controls/enhancements. IA-Pre offers an opportunity for commercial satellite partners to target investments in additional, specific cybersecurity capabilities valued by the Department of Defense (DoD) community.
IA-Pre contains 477 cybersecurity controls, aligned with the NIST 800-53 High-Impact level. This is far more than the 55 in the legacy security framework, known as CIAQ. Meeting these stringent cybersecurity requirements requires an investment by commercial satellite providers, an investment several are considering due to the increased threat level in space and the opportunity to become an integrated connectivity partner for defense missions. For example, Telesat is investing to become IA-Pre compliant with its Telesat Lightspeed LEO network, as well as offering security capabilities such as jam resistance and low probability of intercept.
However, recently the commercial space industry has raised some concerns about increased cybersecurity measures requested by the DoD. As stated, several space operators are eager to comply with stronger cybersecurity requirements, as long as the government follows through with preferential scoring for those requirements on the source selection/procurement side. Unfortunately, this has not been the standard practice for COMSATCOM acquisition.
A form of contracting known as lowest-price technically acceptable, or LPTA, still seems to be alive despite not being appropriate for space systems. Defense authorization legislation, and subsequent updates to the Federal Acquisition Regulations, were supposed to limit agency use of LPTA. Yet commercial operators continue to see a disconnect where operators who have made significant investments in cybersecurity requirements are not seeing those requirements appropriately scored in awarded contracts.
If differing cybersecurity postures do not meaningfully affect the DoD’s source selection process, commercial space providers cannot continue to incur the cost and operational complexity of planning, implementing, and maintaining these requirements. To encourage industry to continue investing in desired cybersecurity protections, the DoD needs a cybersecurity relationship with industry that is transparent and reciprocal – a true partnership.
To achieve such a partnership that advances cybersecurity in space, the SATCOM Industry Group (SIG) has called on the DoD to implement the following:
- Establish a hard cutoff date for the CIAQ and other non-IA-Pre processes, to facilitate transition to the IA-Pre model
- Publish objective and transparent assessment methodology and scoring of the specific controls relative to residual risk for commercial operators making investment decisions
- Data Protection – the U.S. Space Force (USSF) should consider the data provided in the IA-Pre Database to be proprietary information of the asset owner, not to be released by any party except by the asset owner under the provisions of a Non-Disclosure Agreement
- Agency of Security Control Assessors (ASCAs) – If such non-governmental personnel are used to evaluate IA-Pre compliance, clear personal and organizational conflict-of-interest safeguards should be established and enforced. Also, the cost of assessment needs to be clarified in a transparent manner.
The theatre of space has entered an unprecedented period of rapid technological change and geopolitical competition. Stability in space can no longer be taken for granted.
A strong, transparent and equal public and private partnership is required for the DoD to adapt to this new era of contested space. Ensuring that cybersecurity investments are considered when procuring commercial capabilities would be a strong start to such a relationship.