The Office of the National Cyber Director is embarking an interagency process alongside the National Security Council and the National Space Council to bolster cybersecurity for space systems, according to ONCD official Anjana Rajan.
“This is a significant step because it shows that the Biden-Harris administration considers space cybersecurity a priority, and that we believe in taking a user-centered, technocratic approach to policymaking,” Rajan said on Tuesday at a summit hosted by the Space Information Sharing and Analysis Center.
Rajan serves as the assistant national cyber director for technology security in the ONCD.
Anjana Rajan, Assistant National Cyber Director for Technology Security at The White House
The “Value of Space Summit” is a three-day event in Colorado Springs, where the Space ISAC operational watch center is located. Tuesday’s agenda included keynotes from government and industry speakers, as well as panels on protecting commercial space systems from cyber incidents and White House efforts to ensure space systems are secure.
Former President Trump’s Space Policy Directive 5 outlined cybersecurity design principles for space systems in 2020. Rajan said the White House now intends to “put those principles into action.”
ONCD held space-focused workshops in “five key regional space hubs” – California, Colorado, Florida, Texas and the District of Columbia – to gain technical insights into how to secure space system components, Rajan explained.
Rajan said ONCD is aiming to “assess next steps beyond SPD-5” through the interagency process, as well as influencing “a wider aperture of cyber policy” using input generated from a series of stakeholder workshops held to “identify gaps that require White House policy action.”
The ONCD hosted the first of its kind space cyber forum with the National Space Council in March. Rajan said the forum included “industry CEOs across the space cybersecurity ecosystem” who participated in a “classified threat briefing and roundtable discussion.”
Rajan said the forum sent a message to CEOs that the future of global conflict “will include galactic arenas,” and that defending complex space systems against cyber attacks will require “a networked approach.” The forum emphasized “that space systems are critical infrastructure” and must be defended, according to Rajan.
Space ISAC board of directors vice chair Samuel Visner spoke at the summit about the need to designate space systems as critical infrastructure. Visner is also a tech fellow at the Aerospace Corporation.
He said the discussion “is underway right now,” as the NSC is taking on a rewrite of Presidential Policy Directive 21, an Obama-era directive which identified 16 critical infrastructure sectors and assigned sector risk management responsibilities.
Visner said designating space systems as a critical infrastructure sector is “overdue” and “certainly needs to happen right now.
He noted the EU and U.K. have already made the designation, and said recent Russian and Chinese attacks on space assets should demonstrate that U.S. adversaries “have also decided that space systems are critical infrastructure.”
Visner emphasized the role a sector risk management agency would play in research and development, as well as helping industry identify and adopt standards. He said, “Right now there is no single agency that coordinates information about threats, vulnerabilities and mitigation.”
The Aerospace Industries Association in September urged the NSC in a letter to conduct a “cost-benefit analysis” before opening the door “to additional regulation and requirements of space industry activity.”
Visner, however, clarified that a presidential policy directive “is not a regulatory instrument.” He said, “There are people who fear that this is a regulatory move. It is not.”
Today’s summit schedule features two tracks on cyber and workforce development. The cyber track includes discussions on zero trust, securing critical infrastructure and supply chain risk management. There is also a small business expo on Thursday. -- Jacob Livesay (firstname.lastname@example.org)