editorial | SOS Space: Why cybersecurity and supply chain risk management must go hand in hand


There is no doubt that the realms of space and cyber are currently contested by adversarial behaviors across the world.

Near-peer adversaries have already strategically prioritized them as preferred areas of action, both in competition and in conflict. Supply chain cyberattacks are increasingly being used globally as a hybrid warfare tactic to deliver advantages. Predictably, they offer adversaries a relatively cost-effective means of engagement and plausible deniability, and they avoid the political backlash that inevitably results from lethal action and physical incursion. Given the emphasis on these areas, the U.S. space, defense, and intelligence communities must focus their efforts to protect space assets, preserve strategic and military advantages, and solidify national security and global stability. Cybersecurity and supply chain integrity must become integral and elevated concerns for the space community, as well as space consumers and strategic stakeholders.

In 2007, China shocked the world when it shot down one of its own aging weather satellites in an anti-satellite missile test, giving the global space community a stark wake-up call. From this point on, the space realm could no longer be considered benign, but rather a contested arena. Since then, the space community has witnessed other aggressive behavior, such as Russian “inspector” satellites performing maneuvers around classified assets belonging to the United States in 2020. By publicly acknowledging this bad behavior, U.S. Space Force Chief of Space Operations Gen. John Raymond broke with the space community’s traditional practice of remaining silent in the interest of protecting U.S. capabilities. This transparency is valuable to the general public, so that the seriousness of threats is appreciated and the adversary’s capabilities and interests in this area are understood.

China attaches great strategic importance to the offensive progress of space and counter-space. In 2015, China established a new force within the People’s Liberation Army (PLA) known as the Strategic Support Force, consolidating the PLA’s information operations in space and counter-space, cyber, electromagnetic warfare and psychological operations to provide a military advantage in informational conflicts. Similarly, information confrontation is mentioned in a multitude of Russian strategic documents, including the 2015 national security policy and the 2016 conceptual views on the activity of the armed forces in the information space. Russia’s strategy includes not only cyber activity, but also electronic warfare and psychological operations. While space plays a less overt role in Russia’s information confrontation strategy, the degradation of precision, navigation and synchronization capabilities is seen as a critical information weapon. This reflects the view of Russian leaders that space is primarily a combat domain. Unlike China, Russia lacks resources to devote to space, which requires special attention on offensive capabilities against space assets and ground-based space infrastructure. This is where supply chain cyberattacks emanate.

The space domain is highly susceptible to supply chain cyberattacks due to the uniqueness, longevity, and commercialization of the space supply chain. The United States relies on both allied and competing nations for critical rare earth materials, which presents a vulnerability in supply chain tracing and continuity. Similarly, many space assets in orbit today were designed and built years, if not decades, ago; not all legacy components were designed with today’s technologies and threats in mind. Finally, the rapid commercialization of space has widened the attack surface. Private industry and off-the-shelf commercial products are increasingly used to meet needs because they make fiscal and strategic sense. Industry innovates and produces faster and more cheaply than government. Given current resource constraints, the lean new U.S. Space Force, and the drive for agility and rapid acquisition, commercial dependency is likely to increase. The proliferation of vendors providing data, software, hardware and services in this environment presents an array of opportunities for adversaries with cascading effects, underscoring the importance of immediately elevating cyber hygiene and supply chain risk management (SCRM).

To protect U.S. interests in space, a paradigm shift must occur that not only encompasses cybersecurity and supply chain risk management, but also highlights them as mission critical.

First, cybersecurity and supply chain risk management must be fully integrated, not only in the design, construction and operation of space assets and programs, but also with each other. This can be accomplished by a combination of means:

  • Deliberate consideration of cybersecurity and supply chain threats in strategy development and implementation;
  • Evaluation and review of organizational structures;
  • Integration of cybersecurity and supply chain integrity priorities into efficiency and performance metrics;
  • The maturation of enterprise risk management functions and processes;
  • Accelerated development of information sharing mechanisms.

Exercising some combination of these actions will reframe the role of cybersecurity and supply chain risk management as integral parts of the mission.

Second, the United States must pursue resilience as if the future depended on it. Resilience can take many forms: technical, mission-driven or organizational. Diversification of raw materials and suppliers, redundancy of space components and assets (e.g. microsatellites) and rapid acquisition and advancement of Class B, C and D satellites with shorter lifetimes all contribute to a stronger resilience posture. But it is also a matter of organizational culture. The space community must forgo the protective, risk-averse isolation of the past for an approach that embraces the value of failure, meaningfully engages partners, and critically looks at risk. In this regard, the fact that the space community is currently going through an important period of transition presents an opportunity. As new organizations, new business processes and new international standards are established, now is the perfect time to drive meaningful change management, pushing the community to embrace both resilience and risk. In addition, it provides the opportunity to try new things, for example identifying a resilience manager for large programs or even possibly creating a resilience manager position within the upper echelon of the organization.

Third, the space community must create and develop enterprise-wide supply chain risk management programs. The traditional focus on major acquisitions must shift to all critical acquisitions, including software and data. Reviewing Tier 1 vendors is no longer enough; illumination of the entire supply chain must be contractually required and verified. Likewise, supply chain integrity should be a priority throughout the lifecycle of any mission-critical acquisition, not just before award. (It should be noted that AI and machine learning have a lot to offer when it comes to continuous monitoring.) While significant progress has been made in recent years to establish and fund several enterprise-wide programs, there is external pressure to mature quickly from consolidated intelligence guidance and federal law on information security modernization. Additionally, as the workforce becomes more familiar with these programs, operational demand will increase. Accordingly, budget prioritization and resizing programs for the future should be key objectives for senior management.

Finally, collaboration is key. Organizational boundaries and narrow programmatic channels cause fragmentation within the space community. Although likely developed out of a desire to protect sensitive government information, these organizational boundaries have calcified in detrimental ways, providing exploitable seams for modern adversaries. To break out of this mold and share timely threat intelligence and best practices to advance our collective defense, the space community must emphasize focused collaboration. Investing in intra-governmental and public-private technologies, offering joint cross-agency assignments dedicated to cybersecurity and supply chain integrity, standardizing taxonomies, and clarifying roles and responsibilities would significantly improve visibility and understanding of vulnerabilities and threats, reduce the national security cost of disorderly information transmissions and create meaningful stakeholder engagement. An example of this could be a national supply chain intelligence center, as requested by the Homeland Security Advisory Council, the Cyberspace Solarium Commission and the MITRE Corporation. Whatever the mechanism, meaningful and organized collaboration is urgently required to close exploitable seams and foster much-needed information sharing.

Integrated cybersecurity and supply chain integrity are essential to maintaining US dominance in space. Our adversaries are well aware of the existing weaknesses and will continue to exploit them. Supply chain cyberattacks against space assets are part of their strategy to gain economic, military and strategic advantage in the future. To address the scale and speed of this threat, government and commercial space entities must act quickly to integrate and elevate cybersecurity and supply chain risk management into strategy, design, construction and space exploitation; prioritize resilience; mature supply chain risk management programs; and collaborate with intention.

Dan Lewis, Megan Moloney and Nicole Usery are national security experts with Guidehouse, a leading global consultancy. Leveraging deep and diverse experience in both the public and private sectors, their teams tackle challenging problem sets across the DoD and intelligence community with a focus on transformational change, cybersecurity, business resilience and technology-driven innovation.

This article originally appeared in the November 2021 issue of SpaceNews magazine.

