Our dependence on satellite communications and the networks that enable them is increasing. Satellite-Mobile integration may further extend this reliance, as well as the potential for malicious actors to cause significant harm. Formidable threats to the space sector include:
- Tracking and monitoring satellites and their transmissions.
- Electronic attacks against space-based services at the transmission site, the satellite, and the user’s equipment.
- Physical attacks against satellites and spacecraft.
These threats not only impact the planning timelines and execution of space operations in a multi-billion-dollar industry but can also result in the loss of valuable assets and human life.
Response to cyber threats
Governments, industry, and standards organisations have implemented various cybersecurity assurance practices as a general response. These are legal frameworks that seek to protect networks, data, and other infrastructure. Alongside these frameworks are measures that should be taken by operators to ensure their networks are secure. Cybersecurity assurance practices can take many forms, including industry-led self-regulation, guidelines issued to consumers or industry by national and international bodies, or regulations imposed on manufacturers. The practices can be both technical and organisational, and can be voluntarily implemented or mandated under law or regulation, depending on the practice.
Cybersecurity in the space industry is a multistakeholder issue. While much is made of assurance responsibilities that lie with the public sector, a joint effort is required – from associations and organisations to aircrews and mission planners – in appreciating the threats to space operations and charting an effective mitigation path.
The Impact of D2D
A key emerging example that illustrates the relevance of cybersecurity issues and assurance responsibilities is the current D2D era. Traditional mobile phone communications can be broken into three primary role players: original equipment manufacturers (OEMs), such as Apple and Samsung; mobile network operators (MNOs), such as AT&T and Vodacom; and the consumers who purchase the device and subscribe to the network. In the case of D2D handsets, the original three role players are still present, but with the addition of a satellite operator, such as AST SpaceMobile or Globalstar.
Cybersecurity assurance practices
The cybersecurity assurance practices for OEMs and MNOs are well established and continue to evolve with advancements in capabilities. Many of these practices are voluntary standards that OEMs and MNOs can subscribe to, ensuring a high level of security. Other standards may be enforced by regulators from the jurisdiction in which the OEM or MNO is based. Additionally, there is a plethora of recommendations and practices targeted at consumers to ensure they are informed about cybersecurity risks. Naturally, any such material targeted at consumers is wholly voluntary. There are also mounting considerations for cybersecurity practices in space and space-based infrastructure.
Issues for D2D services
Mobile phone manufacturers are accountable for adhering to standards
The interaction between the OEMs, MNOs, and satellite operators is a unique one for jurisdictional consideration. OEMs tend to be large multinational companies that sell devices in many different jurisdictions. As such, they are well-versed in industry-standard security at the device level. MNO infrastructure is, however, locally based within a jurisdiction. As such, MNOs must comply with the network security provisions of the country within which the infrastructure is located. Many countries classify communications infrastructure as critical infrastructure and impose high standards of cybersecurity and physical security on operators. Satellite operators are unique – they are both local and multinational. A ground station will be based within a jurisdiction from which services can be provided to many neighbouring jurisdictions. These neighbouring jurisdictions have no control over the ground station or its security. Similarly, the jurisdiction with the ground station has no control over the security measures of the neighbouring countries. As such, in the event of an attack, without harmonised standards and regulations it is difficult to know how the matter will be resolved or what recourse the end-user has.
While numerous cybersecurity assurance models are well established and evolving, particularly in the telecommunications sector, there are not many frameworks that apply regionally or are globally accepted. Some of these frameworks can be applied to satellite operators on a voluntary basis. However, they are ill-suited in their current form to account for the unique position and technology in global satellite networks.
Policymakers should consider the needs of consumers, satellite operators, and manufacturers together with the unique risks of satellite networks and their transborder applications. Whichever framework ultimately prevails and is adopted, it is important that it is harmonised and reflects the views of the satellite industry and the capabilities of the manufacturers.
One case not uniquely related to satellite networks, which could provide the pathway to a solution, is the development of data privacy laws formulated on principles of privacy. Data protection laws are cross-jurisdictional and often based on the same principles, resulting in a high degree of harmonisation between countries that have them.
Access Partnership provides its clients with a deep understanding of the macro geopolitical environment at the strategic level while driving outcomes on the ground through relationships and targeted engagement with decision-makers internationally and locally – from Johannesburg to Washington and Singapore to London.