The weakness of security in outer space is a growing common threat to the whole of society and it is only going to get worse if we do not take action, writes Didier Schmitt, in his personal capacity.
Didier Schmitt is a Space security analyst at the European External Action Service (EEAS).
As recent events in Paris have shown, asymmetrical attacks are a cost-effective way for terrorists to cause immense impact. This was also the case for the cost ratio between the 9/11 attacks and the subsequent invasion of Iraq. But there are other threats coming, beyond these cowardly actions, in the future. Space is an obvious next target, as an increasing number of vital services depend on it.
Taking control of satellites, making them collide, damaging their critical sub-systems or ground stations, or spoofing and jamming their signals is no longer just science fiction. In addition, space assets are particularly vulnerable because of their long life cycles. It is not unusual forten years to pass between the design and launch of a satellite. When it’s in space for the next decade, you cannot simply go and fix it, or put an armed guard in front of it.
The magnitude of the emerging threat may be beyond what had been anticipated, and hardening space equipment is expensive. Owners of military satellites have little to fear from amateur, unprofessional hackers, but civilian systems, like most European programmes, are far from being properly protected. Some online stores actually have better cybersecurity than some satellites.
Space is not just a bunch of satellites far, far away. Positioning, timing and communication satellites are vital for our economy, the safety of citizens and our modern way of life. Space assets provide a master-infrastructure which supports many other activities. As an example, dysfunctional satellites or signals can lead to power-grid black outs, severely impact stock exchanges, or disable mobile phone networks.
The civil space community is slowly waking up to this new menace posed by cybercrime and cyberterrorism. A decade or so from now, the weaknesses will have worsened significantly, considering the certain proliferation of autonomous vehicles and the billions of devices, mostly in homes, that will be linked up by swarms of mini-satellites through the internet. Provoking a “space cataclysm” could become a reality for the fanatics as they seek to return us to their vision of the Middle Ages.
However, reaction times are much longer, and the possible damage is potentially much higher, for satellite systems, than ground infrastructures. Cyberattacks on networks hit the news every other day, but these are only in their infancy compared to what is in front of us as their progression will not be linear but exponential. We should all be concerned about this, and join forces in identifying the risks and defining common solutions.
One of the main challenges is to know what cybercrime or cyberterrorism will look like in 10-15 years, as the next generation of space assets need in-design hardening and current assets need better resilience based on software updates. But in the meantime, one needs to raise the awareness of the service providers, the users and the public opinion on this broad issue that should concern each and every one of us.
Cyber communities and space communities largely ignore each other, mostly because of very different cultures. Even at a military level, the US has now identified their GPS satellites as an “Achilles heel” to their aim for space supremacy. For obvious reasons it is difficult to get much information on vulnerability and countermeasures out of the defence sector. But for civilian programmes, we need to trust one another and share information more to allow vulnerability disclosure exchange from which we will all benefit.
Like all cyberattacks, attribution is difficult, but in this case it does not actually matter so much. What does matter is to identify and merge cyber-events about the actions of a common enemy. The main source of information is the space industry itself, and public and private operators as they are the main targets of disruption. We need to ensure that we are all working together, holistically.
At a time when the EU’s Galileo (European GPS) and Copernicus (European earth observation) programmes start their operational services and other programmes are in the making, resilience must become a priority. First and foremost, an awareness gap must be filled within the policy world as well as between cyber and space security experts.
Then, to start fixing the problem effectively, member states and EU Institutions could trigger the establishment of a common cyber-events repository. This could lead to shared assessments of vulnerabilities, benchmarking, and best practice, leading to the implementation of countermeasures, from conception to actual operations of current and next-generation satellite systems.
The potential for a catastrophic event is increasing every day. We cannot wait for a wake-up call to start implementing such preventive measures. The tradeoff for the additional costs calls for a level playing field. This can be achieved by imposing common minimal standards for governmental and commercial assets, especially when the operation of critical infrastructures is at stake.
This reliability must be seen as an investment that can only be beneficial for our industry in the long run. Only an interlinked approach can make the difference as the issue is a global one: space services have world-wide reach which makes this global commons even more vulnerable. Once Europe has shown the way ahead, others will join.