September 28, 2021
Getting ahead of the next catalyst: A new paradigm for cybersecurity in the space domain
Consider the terms “cyber attacks”1 https://csrc.nist.gov/glossary/term/Cyber_Attack and” information and influence activities2Manheim, J., 2011. Strategy in information and influence campaigns. New York: Routledge.” These two terms were relatively infrequently used before the computer malware Stuxnet and the 2016 US presidential election3 https://www.dni.gov/files/documents/ICA_2017_01.pdf , respectively. Yet these events and the terms characterizing the emergence of new threats mark a threshold where a traditional government issue transcended into the commercial arena, and when nation-state actor capabilities became commercialized and publicly available. Each of these events, in its own way, forced commercial companies to change their security methodologies and postures to mitigate risk and control potential blowback stemming from these types of incidents.
In the current post-Stuxnet era, there exists a much-expanded digital infrastructure, tremendous diversity in the types of threat actors and their motivations, and exponentially more capabilities that can be leveraged for substantial impact. Similarly, in a post foreign influence environment, information and influence activity is now not only a threat to western political bodies and their ideologies, but also to the commercial domain due to the proliferation of disinformation-as-a-service4 https://www.pwc.com/us/en/tech-effect/cybersecurity/corporate-sector-disinformation.html (DaaS) and related destabilizing offerings5https://www.gartner.com/en/documents/3974933/how-disinformation-as-a-service-affects-you. The cyber ecosystem established as a result of the digital infrastructure built post-Stuxnet was not designed to support the addressal of such malign information and influence activity. Hence, outside of recent advancements in detection, there is no consolidated solution to effectively counter the full scope and sophistication of malicious information and influence activity.
Why do these events matter? Simply put, they provide illustrative examples of how new, cross-domain threats result from the emergence of novel cyber activities and the proliferation of related capabilities. It is only natural to wonder what domain might be next. In this post, an argument is made explaining the space sector’s unique vulnerabilities to such cross-domain threats. This post further explores how lessons learned from previous cross-domain catalysts can be applied in the space domain. The equivalent of a Stuxnet or foreign influence-like event in space would make space the third cross-domain issue in recent time to transcend from the government into the commercial arena. And while traditional nation-state actors, capabilities, and intents would again no longer remain under the purview of the government, anticipation of such an event can enable the identification of various commercial applications, as well as produce an unprecedented security posture to prevent foreign adversaries and threat actors from exploiting space as the next domain for malicious activity.
Cyberattacks and information and influence activities provide critical insights into how both foreign adversaries and non-state threat actors will likely use space in nefarious ways to advance their agendas. These insights can shed light on how to monitor threat indicators; how to develop cyber and related (physical, etc.) security postures; and how novel assessment methods of key threat events may provide opportunities to mitigate risks while simultaneously advancing space technologies.
This post views space as an emerging threat domain displaying early vulnerabilities to pernicious cyber activities, as well as a new vehicle to support advancements in a variety of fields. It also analyzes and discerns between foreign adversaries and threat actors. Specifically, foreign adversaries are nation-state actors advancing policy objectives through overt and covert means. Whereas, by comparison, threat actors include domestic entities, shadow proxies, and criminal enterprises engaging in activities against various sectors for financial or reputation gain.
Why does Stuxnet matter?
Understanding Stuxnet is critical to developing an understanding of how to anticipate, through assessment, the threat surfaces that the space domain introduces, and how to develop proactive strategies to mitigate its vulnerabilities. Stuxnet’s use against industrial infrastructure was the catalyst that both brought cyber to the forefront of the world as an attack mechanism and transformed it from a government priority to a global threat. 6 https://spectrum.ieee.org/the-real-story-of-stuxnet Stuxnet initiated a series of events (expansion of cyber threat landscape, awareness to cybersecurity, etc.) leading to the establishment of digital infrastructure reaching global audiences irrespective of geographic region, an aspect of information security not previously prioritized, and a springboard for today’s technology companies to monopolize digital communication and connection.
Over the course of the last 10-15 years since Stuxnet, this digital infrastructure continues to exponentially evolve by increasing in scope, size, and utility. The quantity of commercial applications, companies, and cyber incidents continues to increase, as well as the sophistication and complexity of these activities (E.g. Colonial Pipeline ransomware attacks7 https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password , US State Department cyber attack8 https://www.infosecurity-magazine.com/news/us-state-department-cyber-attack/ ). Compounding this is that regulation and security are always second to innovation. In other words, it was not until recently that significant strides in cybersecurity were made from a regulatory and security perspective9https://www.cisa.gov/news/2021/08/05/cisa-launches-new-joint-cyber-defense-collaborative to position companies more effectively and authoritatively against threat actors. These strides help decrease the delta between threat actor impact and having the appropriate tools to defend against such threats. From the types of defensive tools and software to advancements in foreign threat actor analysis, companies can adhere to a much higher standard to protect their business models while leveraging the diverse digital infrastructure.
Why does the 2016 U.S. presidential election matter?
Like Stuxnet, Russia’s campaign to influence the outcome of the 2016 U.S. presidential election was an incident where a traditionally government-centric topic transcended into the commercial space. The primary difference this time was that the mature digital infrastructure that existed in a post-Stuxnet era was not built to detect, mitigate, anticipate, or respond to malicious information and influence activities.
In addition, the delta between incident and capability development was significantly less than post-Stuxnet. In this instance, foreign adversaries and threat actors manipulated the digital infrastructure already established to launch successful malicious information and influence activities. The mediums to reach various target audiences already existed and were in place to deliver tailored messaging to change behavior and outcomes.
How do threat actors evolve?
Foreign adversaries’ and threat actors’ capabilities, modus operandi (MO), and methods continually evolve to advance their interests. Traditionally, this is a classic cat and mouse game as nation-state actors engage in espionage-like activities to inform their evolution. Expressly, as nation-state actors conduct covert and clandestine activities, it is always a race to detect and attribute the activity. However, there are certain instances where operations are discovered and tools or capabilities are compromised. Each time a compromise occurs, actors are forced to consider the potential risk of continued use of compromised capabilities and whether a change in their offensive posture is necessary. To avoid detection, adversaries may improve their tools, technique, and procedures (TTP) or MO. More importantly, nation-state actor tools have become more broadly known and available for commercial use.
In each instance where a traditionally prioritized government topic (cyber, influence, etc.) transcends into the commercial space, the timeline of its otherwise natural evolution is compressed. There are countless instances where commercial entities uncover various threat actor tools, techniques, and capabilities. In these instances, and in that exact moment, threat actors lose their competitive advantage to send a phishing email, execute malware or spyware, or penetrate a network 10https://us-cert.cisa.gov/ncas/alerts/aa21-116a . This rapid expansion of discovery causes previously proprietary and sophisticated tools to become more commonplace.
How does threat actor evolution transcend into the commercial sector?
Foreign adversaries and threat actors must now position themselves with increasingly sophisticated capabilities and further prioritize the use of those capabilities given the higher chance of discovery. What does this exactly mean? This means that as the delta between commercial and government capability continues to decrease, the suite of tools and capabilities of non-government foreign adversaries and threat actors will increase in sophistication, incentivizing foreign government threat actors to innovate and reprioritize their efforts given the noisy digital battlefield.
In both Stuxnet and the 2016 U.S. presidential elections, threat actor capabilities, TTP, and MO eventually transcended into the commercial space. This is critical to recognize because each time this type of activity occurs, the commercial world enhances their capabilities and foreign adversaries and threat actors lose a capability. Ultimately, foreign adversaries and threat actors are required to evolve and change their TTPs, MO, and capabilities as commercial entities attempt to predict where threat actor behaviors will trend11https://us-cert.cisa.gov/ncas/alerts/aa21-116a .
Why is cybersecurity specific to space more important than ever?
Security is always second to innovation. This dynamic must change in order to proactively protect infrastructure, institutions, and processes across industry and government. This means that companies must prioritize cybersecurity from inception and leverage best practices when building their solutions. This is especially important because space will be a domain with new types of infrastructure that foreign adversaries and threat actors can manipulate to advance their own agenda. With each commercial iteration of technology improvement, foreign adversaries and threat actors increase the number of ways to launch their capabilities in their proverbial toolbox.
Foreign adversaries and threat actors continually hunt for pain points to identify and manipulate. This is no different with space. As such, implementing a robust security posture will serve multiple purposes. Firstly, robust security will help ensure that when a space infrastructure element is compromised, the damage is limited. Secondly, robust security will limit the foreign adversaries’ ability to utilize space infrastructure for covert and/or clandestine operations. Thirdly, more intentional security protections will help prevent threat actors from profiteering and using space infrastructure for nefarious purposes, including ransomware, spyware, and espionage.
We are currently at a critical juncture to maintain a competitive advantage where, unlike before (e.g., pre-Stuxnet and preceding the 2016 US presidential election), we can leverage learned historical lessons to implement cybersecurity postures from inception for space-based technologies to prevent nefarious activities.
How can we ensure the proper cybersecurity practices and standards are implemented to support innovation while balancing protection in space?
There are two key constant themes that have emerged over the past two decades as government issues transcended into the commercial arena. One, there is a lack of true partnership between the industry and government, which leads to breakdowns in communication and a lack of fulsome insight. Two, there is a tremendous body of academic research on cybersecurity practices and standards with solutions that have not yet been implemented. This post identifies three primary ways to ensure the proper cybersecurity practices and standards are implemented to support innovation while balancing protection in space.
• Lead by example. As new technologies are developed and advances in space infrastructure occur, the individuals at the helm need to lead by example. Establishing sound cybersecurity practices from inception and demonstrating a level of responsibility commensurate with the potential impact of these technologies is essential. Time and time again, major corporations and companies have been seen leading by negative example with mixed up priorities. Obviously, profits are a significant factor. However, companies now more than ever need to manage risk both from a proactive and reactive posture. Complex infrastructures, such as that for space, include too many shared dependencies that risk security, and therefore profit, for all industry and government entities; as such, a more collaborative, community-based approach is required.
• Anticipate through assessment. Augmented intelligence12https://www.gartner.com/en/information-technology/glossary/augmented-intelligence is a growing expectation in the AI/ML field. To overcome challenges resulting from increasing amounts of data, subjectivity, and confirmation biases due to the human condition, and foreign adversary and threat actors continually evolving, the domestic posture needs to shift to anticipation through assessment. Studying foreign adversaries’ and threat actors’ past tendencies and histories illuminate which indicators to monitor to proactively protect critical assets and infrastructure. Space is no different. When looking at space as involving a new type of infrastructure to deliver services, it will inherently have multiple points threat actors attempt to exploit.
• Quick to cauterize. The final piece is to accept that an attack or penetration is only a matter of time, and no company is immune. That said, it boils down to how quickly malicious activity can be detected; the quality and confidence of the data used to identify indicators to monitor; the capacity to conduct root cause analysis; and the ability to swiftly cauterize attacks and limit blowback. This is more of a mindset and realistic expectation to maintain.
What about space ethics?
Regulation is always second to innovation, and following regulation is ethics. Ethics specific to space might not be developed in a realistic timeframe unless a significant event occurs. With that said, there have been two previous moments in time where government issues transcended into the commercial space overnight, as well as past lessons learned can be used to inform the proper way to secure space infrastructure in a robust manner. There are a few foundational assumptions that the U.S. needs to make to support the development of a system of principles and rules regarding space behaviors.
Both threat actors and foreign adversaries abide by their own rules and only play nicely when the outcome benefits their own self-driven interests. These same entities also leverage different types of infrastructure, including space, in illegal ways. These two assumptions will help determine that those who live within the letter of the law develop a standard set of norms specific to space to not only operate soundly, but also ensure a robust security posture exists to protect from malicious intent and activity.
Conclusion
Space introduces new types of infrastructure, new types of vehicles to deliver information, new pathways to technological advancements, and new needs to support innovation. Furthermore, space as a government issue has not transcended fully into the commercial arena yet, meaning a significant catalyst has not yet forced the hand of commercial entities to change their current security postures. As we’ve seen with Stuxnet and the 2016 US presidential election, it took a significant event for commercial entities to reevaluate the importance of cyber and information and influence activity, issues the government prioritizes every day. Space is also one of those priorities. Since space exploration first began, space is, and will always be, a race to the finish. Who will get to the moon first? Who will get to Mars first? Who will colonize space first?
The U.S. is proactively postured to develop and implement innovative techniques based on cybersecurity best practices to protect this new type of infrastructure. Foreign adversaries and threat actors will use space as another means to advance their self-interests. In order to protect national interests, stakeholders will need to prioritize cybersecurity from inception and anticipate through assessment understanding past practices, monitoring key indicators, and continually maintaining a competitive advantage.
The views expressed in this article are based on the experiences of the individual authors and do not necessarily represent those of the Atlantic Council or the authors’ organizational affiliations.