The Trump administration's approach to bolstering the cybersecurity of space systems should be multifaceted through a mix of supporting information sharing, research and public-private collaboration, according to a former Office of the National Cyber Director official who focused on space policy.
“With the importance of space increasing, it is no surprise that threats are growing as well, and cyber capabilities are malign actors’ preferred tools to target space systems,” former space systems lead Lauryn Williams writes in an April 22 Lawfare article.
Williams joined ONCD in 2022 as senior advisor for strategy and research and spent time working on space and defense industrial base policy issues at the Pentagon. At ONCD, Williams led a series of technical workshops with the space industry and supported the development of a January 16 report reflecting lessons learned from industry engagements.
Lauryn Williams, Nonresident Fellow, Carnegie Mellon Institute for Strategy and Technology
Williams is currently a senior fellow at the Cornell Brooks School Tech Policy Institute and a nonresident fellow at the Carnegie Mellon Institute for Strategy and Technology.
The Lawfare article highlights how the Biden administration worked to understand “ecosystem-wide cyber challenges facing space systems that the current administration should address.”
Williams encourages the Trump administration to build on those efforts through addressing a need for streamlining info-sharing, improving cyber research efforts and building out channels for public-private collaboration.
On info-sharing, Williams says space sector stakeholders “frequently highlighted challenges sharing cyber threat information between public and private sectors” partially due to classification.
There are solid reasons for classifying information on space and cyber threats, according to Williams, but government must play a role in ensuring industry can “access the information they need to defend against the day-to-day cyber threats they experience.”
Williams provided an example of an issue related to classification. She said, “Some companies reported that they had shared information with government intelligence agencies that then became classified after they shared it -- meaning that some companies that freely shared information in the first place could no longer access it unless their workers possessed a security clearance.”
The White House must prioritize briefing space sector stakeholders on security threats, Williams says, in a manner similar to Biden’s “Space System Cybersecurity Executive Forum with leading U.S. space executives” in March 2023.
“The more durable solution, however, would be for the current administration to continue driving space threat information out of highly classified compartments into more accessible information spaces whenever possible,” Williams writes.
Policymakers should additionally work toward establishing “a single federal agency as the primary point of contact” for the space industry, Williams says. She notes this could be part of a discussion around space systems potentially being designated as critical infrastructure.
Space systems were not included as a new critical infrastructure sector as part of Biden’s revamp through a 2024 national security memorandum. Many stakeholders pushed Biden to designate a sector risk management agency for the space industry.
Trump ordered a new review of critical infrastructure policies in a March 18 executive order, which has the potential to shake up existing critical infrastructure risk management processes and may offer an opportunity for the space sector to lobby once more for its own SRMA.
On the need for technological innovation, Williams writes that space operators are “challenged” to find cyber equipment “such as sensors and intrusion detection systems” that meet the limited engineering constraints of space use cases.
The Trump administration should “partner with champions on Capitol Hill, including committees with space in their jurisdictions; and ensure sustained resources for developing and deploying these systems on future U.S. government and commercial satellites,” Williams argues.
She says, “When and where possible, the administration should also collaborate with industry innovators on common technical solutions. With the PRC and Russia actively targeting space assets today via cyber means, technologies necessary to detect and mitigate anomalies in space are already overdue -- but existing solutions cannot just be bolted onto satellites right before launch.”
Finally, Williams says the Trump administration should be prioritizing “long-term investment” in creating public-private partnerships that bring together space and cyber policy stakeholders.
“During the Biden administration, bringing together space and cybersecurity experts for a series of technical workshops quickly revealed different professional languages and cultures,” Williams says.
Trump officials should “continue to bring government and industry experts together to bridge these technical divides and develop tailored policy solutions,” according to Williams, while maintaining Biden-era “interagency structures to force the integration of the divergent space and cyber policy communities, identify cross-cutting space-cyber threats, and drive necessary policy solutions.”
Biden’s second cyber executive order
The Biden administration set the stage through a Jan. 16 EO for the Trump administration to make important decisions on building minimum cyber standards for space systems used by the federal government and whether to apply FISMA requirements to ground components of space assets.
While Trump’s approach to implementing the Biden EO is unclear, Williams points to a strong through-line to Space Policy Directive 5 from the first Trump administration.
The 2020 space directive highlighted space cybersecurity issues and outlined a need to implement secure design principles for space systems.
The Biden EO directs NASA to work with the National Oceanic and Atmospheric Administration and the U.S. Geological Survey to review the Federal Acquisition Regulation and recommend updates for “civil space cybersecurity requirements and relevant contract language.”
ONCD is also tasked with conducting a study on ground systems to determine whether they should be held to standards required by the Federal Information Security Modernization Act that were established in Federal Information Processing Standard 200 and expanded on in the National Institute of Standards and Technology’s Special Publication 800-53. -- Jacob Livesay (jlivesay@iwpnews.com)