Remarks from CyberSat Digital Week

On June 12, Office of Space Commerce Director Kevin O’Connell delivered the closing keynote speech for CyberSat Digital Week (June 8-12, 2020), an online event dedicated to space cybersecurity. Below are his remarks as prepared for delivery.

Good morning and thank you for having me here today to close out the 2020 CyberSatCom. This of course, has been different then past CyberSatComs, but the fact that we can still all come together for this event and discuss some of the most pressing topics of the day is a sign of the dedication of the industry and to its resiliency. One of the most inspiring things that we are seeing, even as we deal with the effects of the COVID-19 pandemic, is how much industry remains focused on the future.

I’d like to extend a huge thanks to the organizers for making this an exceptional event despite the challenges we are currently facing.

As you know, my name is Kevin O’Connell and I am the Director of the Office of Space Commerce at the Department of Commerce. That Office name might sound like a modern creation, but it is actually an Office that was created over 30 years ago at the advent of space commercialization. The Office is responsible for fostering the conditions for the economic growth and technological advancement of the U.S. commercial space industry.

Of course, I’m not going to talk to you today about technical issues. But I will touch on issues that lie at the critical nexus of cyber and space systems that are deeply relevant to our mission.

From the outset, I should tell you that we represent only one part of the tremendous capabilities of the Commerce Department in both of these areas. One aspect of OSC’s work is to leverage the entire Department on behalf of the commercial space industry. So we naturally have great relations with NIST, the Commerce organization responsible for developing the Cybersecurity Framework. Working with stakeholders, NIST develops voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. The Framework is also designed to foster risk and cybersecurity management communications among internal and external organizational stakeholders.

The Office of Space Commerce also houses the National Coordination Office for Space-Based Positioning, Navigation, and Timing, which deals with related issues.

Certainly, space presents a unique set of cybersecurity challenges that are deeply relevant to our mission.

There have been some exceptional panels and keynotes this week addressing opportunities and challenges related to software defined satellites, supply chain security, cyber threat modelling, and many others.

What is clear is that as the commercial space industry develops, the cyber threat will develop with it. More and more, our society’s economic prosperity and security are reliant on space technology. We need to make sure that we are protecting that technology to the best of our ability.

Space systems enable key functions such as global communications; positioning, navigation and timing; scientific observation and exploration; weather monitoring; and vital national defense applications. These systems, networks, and channels are vulnerable to malicious activities that can deny, degrade, or disrupt space operations, or even destroy a satellite. Bryce Space and Technology, a leading analysis firm, estimates the economic impact of space at over $5T.

The National Cybersecurity Strategy, released in September 2018, listed “improving space cybersecurity” as a priority action – a key element – of safeguarding our nation’s critical infrastructure.

In the 2017 National Security Strategy, “Keeping America Safe in the Cyber Era” falls under the first pillar of national security – Protecting the American People, the Homeland, and the American Way of Life.

The National Security Strategy recognizes the vulnerability of our critical infrastructures to cyberattack and asserts that our actions now will determine our future prosperity and security.

The United States considers unfettered access to and freedom to operate in space vital to advancing the security, economic prosperity, and scientific knowledge of the Nation. To ensure continued freedom of access, the Administration has taken to heart the need to enhance efforts to protect space assets. A lot of work is underway in this area, and you will be hearing more about the results from that in the near future.

To do this, the U.S. Government is working with industry and international partners to strengthen cyber resilience for both current and planned space systems.

The rise of commercial space has changed the space cybersecurity landscape. Once the exclusive purview of governments, roughly 80% of space activity is commercial in nature, and that number is increasing. We rely on commercial space-based communication systems, position, navigation, and timing, and other technologies.

As a result, in February, President Trump signed an Executive Order 13905, on Strengthening National Resilience through Responsible Use of Position, Navigation, and Timing Services.

The Executive Order established the first comprehensive national policy promoting the responsible use of PNT and directs the government to work with industry to strengthen national resilience through responsible use of positioning, navigation, and timing services.

Responsible use is code for, “Don’t depend on GPS as a sole means of navigation or timing in critical applications.”

Although the Space Force is spending billions of dollars to secure the GPS constellation and its control segment, it turns out that much of the user equipment on the market is designed more like a radio than a computer with proper cyber protections.

The policy identifies and promotes approaches to manage risk to critical transportation systems and supporting commercial infrastructure from potential disruption or manipulation of PNT services. This is a key step in recognizing and safeguarding our dependence on space systems.

In response to this order, NIST recently issued a request for information on the uses of PNT services, as well as cybersecurity risk management approaches to protect them.

NIST will use the RFI responses to inform the creation of a profile document intended to improve the resilience of PNT technologies and services. This is one of many profiles that NIST is building to help apply the Cybersecurity Framework that I mentioned earlier to particular economic sectors, such as manufacturing, the power grid and the maritime industry. These profiles will provide common guidance for ensuring the cybersecurity and resilience of systems that typically depend on GPS for position, navigation, and time.

The RFI, which was issued in late May, will be accepting responses until July 13th. Additional information on the RFI, as well as how to submit responses, can be found on the NIST website.

NIST plans to release a public draft of the PNT profile later this summer and will accept comments on that profile following its release.

However, I’d like to recognize here that nobody is more concerned with the cybersecurity of the commercial space industry than the commercial space industry itself.

Industry and government are working together to define cyber best practices, establish cybersecurity informed norms, and promote improved cybersecurity across the space industry.

Recently, industry took a huge step towards enhancing space cybersecurity by creating the Space Information Sharing and Analysis Center (ISAC), the first dedicated space ISAC.

The ISAC was established to facilitate collaboration across the space industry, on a global scale, and as a place to share information and best practices. Even more importantly, it serves as a critical means of industry communication for space cyber information.

It is also a direct line of communication between industry and government. This is one of many proactive steps that the commercial space industry has taken to combat the cyber threat.

The pursuit of improved space safety and sustainability is another area where cybersecurity will play a key role in the protection of information about the space environment.

Space Policy Directive-3, signed by the President in June 2018, directed the Department of Commerce to establish a civil system for space situational awareness and space traffic management. We plan to have this system fully operational no later than 2024, and much earlier if possible.

Currently, the civil and commercial SSA mission is handled by the U.S. Air Force at Vandenberg Air Force Base. Transitioning this mission to the Department of Commerce allows the Air Force and the Space Force to focus on national security missions and allows the Department of Commerce to develop a system that addresses the growing and changing SSA and STM needs of the commercial space industry. Explicit in SPD-3 is the notion that many commercial technologies – both from the space industry but also from adjacent industries – can play an important role in quickly working to mitigate space debris and space congestion.

One part of our strategy is to create an Open Architecture Data Repository of space data. The foundation of that repository will be the publicly releasable portion of the DOD authoritative catalogue of space objects.

But we are not stopping there. We will also be pulling in commercial SSA data, owner/operator ephemeris data, civil databases such as the NOAA Space Weather Data and NASA micro-meteoroid database, as well as commercial analytic and visualization technologies.

We are also inviting allies and like-minded nations to participate in this system, and plan to include international civil and commercial SSA data in our system.

Our goal here is to aggregate as much high quality data as possible to provide trusted, basic, space safety and collision avoidance products and services to commercial and civil operators across the globe.

We are still defining what “basic services” will include, but these collision avoidance notifications will be provided free of charge in the interest of space safety.

In parallel, we will also be creating what we call the “sandbox” where commercial SSA providers can develop, market and deliver exquisite, tailored SSA products to operators who require highly precise data. SPD-3 tells us to help enable a space safety industry. Cyber security and intellectual property protection will be important keys to that happening quickly.

At the moment, we are working on rolling out the first instantiation of the OADR with the its inaugural data sets so that we can begin testing and establish an initial concept of operations.

To do this, we are taking advantage of the NOAA Big Data Program which currently provides public access to NOAA open data on commercial cloud platforms through public-private partnerships.

I won’t need to tell any of you here that this mission comes with significant cybersecurity considerations. To complete the mission effectively, we will need many different kinds of data from multiple sources. But of course, this comes with its own set of challenges and concerns.

The space safety data that is delivered to satellite operators across the globe must be absolutely trusted in order for it to be effective and acted upon. It needs to be a proven source of high quality, reliable space safety data.

In order to achieve this, we will need a way to reliably validate the data before they are ingested into our system. The data will need to be vetted rigorously and we will need to ensure that our means of storage and transmission are secure from cyber intrusion.

We will also need to ensure that our analytics and visualization software is secure. Software is inherently vulnerable to cyberattack, and a denial of service attack on the system could lead to devastating consequences for the entire space community.

One benefit of the using the NOAA Big Data Program is the rigorous cybersecurity measures that have been put in place to safeguard data stored through the program. This satisfies part of the challenge.

While we will begin initially ingesting U.S. Government data sets, we will ideally be bringing in more and more data sets from diverse providers in the next few years. We will need a much more rigorous security architecture to ensure that we can vet and then secure the data through the transit and within our system.

We are working with government and industry partners to address data security concerns, understand cybersecurity best practices, and identify cybersecurity needs specific to our system.

Ultimately, the more space cybersecurity measures that are put in place across the government and commercial space industry, the easier our job becomes.

Obviously, there’s a lot going on in space cybersecurity at the moment, and I don’t expect that to subside in the near future. In fact, I expect the opposite.

To that point, events like these becoming more and more critical to ensure that space operators, both government and commercial, are aware of threats and adequately protecting their systems and their data.

Data are the modern currency. They have significant input to different portions of our lives, and more and more, data drive our economy. We see that at the Commerce Department every single day. Protecting that data, and the systems that generate them is critical.

I’d like to again thank the organizers of this event, the other speakers that we have heard from all week, and of course the participants. Thank you.