Pages

15 June 2023

The Gray Rhino in space: US must update military requirements for satellite cyber defense

SANDY WINNEFELD and ELLEN PAWLIKOWSKI

The Space Force is moving fast to develop a new set of missile warning/tracking satellites in MEO. (Graphic: Raytheon Technologies)

When it comes to the security of space assets, there is widespread agreement the greatest threat will come in the cyber domain. In the following op-ed, former vice-chairman of the Joint Chiefs of Staff Sandy Winnefeld and former Air Force Materiel Command head Ellen Pawlikowski lay out their vision of how to introduce greater cyber resiliency for space.

Catastrophic events, such as the terrorist attacks of 9/11, sometimes arrive as so-called “black swans.” These are events completely unforeseen, largely due to failures of imagination. Other times, catastrophes have arrived in the form of so-called “gray rhinos” — equally impactful events that were actually envisioned by leaders who failed to take preventive measures.

Inaction can be caused by analysis suggesting a low probability of the event, miscalculation of the resources necessary to address the threat, or simple denial that something so bad could actually occur. It doesn’t take much to find a recent example: the government knew for a long time that a pandemic was a serious possibility, but nonetheless was almost completely unprepared when COVID arrived. These gray rhinos stare us in the face, but we too often find it difficult to do anything about them in advance.

The potential for great power conflict is certainly on everyone’s minds, and some would suggest that the US and its allies are not treating it as a gray rhino this time. While change in the military is maddingly slow due to outdated concepts and sclerotic legacy procurement systems, the military is beginning to shift its focus from counter-insurgency operations to more challenging near-peer competitors.

However, there is at least one element of such a conflict that persists as a gray rhino. It is highly likely that an adversary like China or Russia would use cyberattacks in addition to, or even in lieu of, kinetic attacks to neutralize the satellites on which we depend so much for communications, surveillance, and precision navigation and timing. Whether it involves intrusion in satellite networks’ control links or tampering with the data they move, a successful attack would have a near-catastrophic impact on our ability to fight. Moreover, depending on the target set it would also have collateral effects on capabilities essential to everyday life in Western nations.

Some of our leaders already perceive this “gray rhino in space.” Indo-Pacific Command’s Adm. John Aquilino recently testified to Congress that “For counter-space, [China] is delivering capabilities that seek to deny use of our own space architecture despite their statements opposing the weaponization of space. [China’s] cyber capabilities deliver both gray zone coercion and an enabling function to achieve decisive military advantage.”

It’s good that Aquilino is calling out the issue. But, speaking from one of our combined experiences as a military combatant commander and an acquisition leader, it’s hard to change acquisition policy from the front lines. Clearly, we need to make cyber-attacks on friendly space networks—which soon will include tens of thousands of private satellites in addition to the government and commercial birds already in orbit—far more difficult for our adversaries.

Fortunately, relatively low-cost software solutions employing end-to-end encryption, zero-trust principles, and decentralized cryptographic-key management are available today and proven on terrestrial networks. In effect, by applying these capabilities to satellites and ground stations, flows of information and command links would be inherently secure rather than trying to provide lock-tight perimeter defense of the associated networks.

Doing it this way will ensure the military can work confidently with diverse, relatively untrusted networks. It would also mean the ability to recover quickly by shifting to other satellites when some are disabled and rekeying and restoring the software on satellites that are subject to cyber-attack. There would be no need to trust the “perimeter” or rely on manpower-intensive methods to detect an adversary’s penetration of a network. The perimeter would be nearly irrelevant. (Full disclosure, both of us serve on the board of advisors of SpiderOak, a space cybersecurity company; however, other firms would be able to provide similar capabilities as well.)

The beauty of this approach to cyber defense is that it’s relatively inexpensive and can be rapidly deployed. It imposes minimal space, weight, and power requirements on satellites that are becoming smaller all the time and have less capacity for bulky encryption systems. And vitally, as the weakest link can bring down a whole constellation the appropriate software can be retrofitted to ground systems and most satellites that are already aloft. This offers the ability to ensure that both new and most existing government and private space networks meet the same criteria for security.

Traditional approaches to defining cyber resiliency requirements for Defense Department systems have been problematic. Sometimes they are oversubscribed in technical requirement documents and become impossible to interpret and implement. At other times, zero-trust protocols are dropped due to the misconception they might drive unnecessary cost into a program. Yet the military has the opportunity to address this challenge today.

In summary, we need to introduce the requirement to implement zero-trust software design principles with decentralized encryption-key management on all Defense Department space systems and for all commercial systems integrated into the department’s operations. The costs should be minimal as the implementation could be a software upload on most existing systems and straightforward incorporation of commercial products into the design of new systems.

This would shift thinking about cybersecurity from merely being an add-on feature for hardware and software to having it inculcated literally from the ground up in everything we do. It will speed up efforts by the military to leverage commercial space capabilities, thereby improving cyber resiliency for peacetime operations..

The benefit of a gray rhino is that we can all see it coming. Rather than letting it run over us, let’s take the chance we have now to stop it in its tracks.

Adm. Sandy Winnefeld, USN (retired) was vice chairman of the Joint Chiefs of Staff and commander of Northern Command. Gen. Ellen Pawlikowski, USAF (retired) was the commander of Air Force Materiel Command and commander of the Space and Missile Systems Center.

No comments:

Post a Comment