The White House Adopts Cybersecurity Policy for Activities in Outer Space

On September 4, President Donald J. Trump issued Space Policy Directive-5 on Cybersecurity Principles for Space Systems (SPD-5). The White House described [PDF] SPD-5 as the “nation’s first comprehensive cybersecurity policy for space systems.” The policy responds to concerns that U.S. government and commercial space activities face cyber threats, such as hacking spacecraft guidance and control systems, “that can deny, degrade, or disrupt space operations, or even destroy satellites.”

SPD-5 represents the Trump administration’s latest effort to elevate cybersecurity in public and private space endeavors. The administration has transformed U.S. space activities through, among other things, the Artemis lunar program, support for commercial space activities, and creation of the U.S. Space Force as a new branch of the military. In elevating the importance of space, the administration confronted industry worries, such as in the satellite sector, and policy analyses highlighting that space operations, like other government and commercial activities, depended on cyber technologies and were vulnerable to cyberattack.

Space Policy Directive-3 on National Space Traffic Management Policy (June 2018) encouraged satellite owners to conduct a pre-launch certification process that should consider, among other things, “encryption of satellite command and control links and data protection measures for ground site operations.” The National Cyber Strategy [PDF] (September 2018) identified “growing cyber-related threats to space assets and supporting infrastructure” that provide critical navigation, communication, and intelligence services. The strategy committed the U.S. government to enhancing “efforts to protect our space assets and support infrastructure from evolving cyber threats.”

SPD-5 declares that “executive departments and agencies will foster practices within Government space operations and across the commercial space industry that protect space assets and their supporting infrastructure from cyber threats and ensure continuity of operations.” The policy seeks to strengthen cybersecurity across all components and critical functions of a “space system”—the space vehicle, ground-control facilities, and the mission communication network—operated for national security, civil space exploration, or commercial purposes. SPD-5 emphasizes that strategies developed for terrestrial systems, including the National Institute of Standards and Technology’s Cybersecurity Framework, should inform space activities. However, some aspects of space operations, such as the lack of physical access to orbiting vehicles, require space-specific cybersecurity measures.

To guide U.S. efforts to strengthen cyber protection of space systems, SPD-5 identifies guiding principles. Space system owners and operators should:

• Develop and operate systems using “risk-based, cybersecurity-informed engineering” that enables adaptation to cyber threats to achieve “an effective and resilient cyber survivability posture throughout the space system lifecycle”;
• Develop and implement cybersecurity plans that, among other things, protect against unauthorized cyber access to space vehicles and manage supply chain risks, so that operators can “retain or recover positive control of space vehicles” and “verify the integrity, confidentiality, and availability of critical functions and the missions, services, and data they enable and provide”;
• Use rules, regulations, and guidance to enhance implementation of cybersecurity measures, including adoption of “cybersecurity best practices and norms of behavior”;
• Collaborate on developing best practices and sharing “threat, warning, and incident information within the space industry” through information sharing and analysis centers (ISACs) (e.g., the Space ISAC established in 2019); and
• Design cybersecurity measures to manage “risk tolerances and minimize undue burden” consistent with specific mission objectives and requirements.

SPD-5 does not identify how the U.S. government will implement these principles and monitor space system cybersecurity across public and private space activities that serve national security, civil space exploration, and commercial purposes. In keeping with the Trump administration’s approach to cybersecurity, the directive does not assign responsibility for interagency coordination and oversight of the new policy to a specific White House official or government department. Nor does it contain requirements for federal departments and agencies to report on their implementation of the directive. Following the administration’s strategy of reducing regulatory burdens on commercial space enterprises, SPD-5 does not indicate that new laws or regulations are needed to ensure that space companies improve their cybersecurity practices.

As more states launch satellites or become spacefaring nations, how SPD-5 addresses cyber threats to space systems will draw interest around the world. The directive reiterates the Trump administration’s willingness to work with “international partners to strengthen the cyber resilience of existing and future space systems.” However, for some countries, the United States represents the greatest cybersecurity threat to their space endeavors. The United States has declared cyberspace and outer space as warfighting domains and developed cyber capabilities to threaten and conduct intelligence and military operations against perceived adversaries, including potentially their space activities and assets. Difficult UN negotiations on both cyberspace norms and space issues, including the “militarization” of space, suggest that multilateral cooperation on space system cybersecurity is unlikely to be productive.

Space is hard, the old adage goes. Taking cyber threats to space systems seriously, as SPD-5 takes another small step to do, will not make slipping “the surly bonds of earth” easier. Moreover, the pace, innovation, and ambition of space activities in the United States and other countries could subordinate cybersecurity to considerations of speed, cost, capability, and competition, as has happened time and again with cybersecurity in the terrestrial realm.