Cybersecurity is an enduring issue for federal agencies, and not just here on Earth. Now a presidential executive order has handed the Department of Homeland Security responsibility for cybersecurity of space assets on which so much modern information and technology depends. To explain what the department will be up to, the Acting Assistant Secretary for Cyber Infrastructure Risk and Resilience Policy, Matt Hayden, joined Federal Drive with Tom Temin.
Tom Temin: Mr. Hayden, good to have you on.
Matt Hayden: Thanks. Good to be here.
Tom Temin: What are the cyber vulnerabilities in space that we need to worry about first of all?
Matt Hayden: Well, specific to where we’re talking in the Space Policy Directive Five, we’re looking at cyber vulnerabilities to the onboard systems of our space assets. Since the United States threw its hat in the ring for the space race, and took that lead and maintained it through our launches and our infrastructure that are now up there, between putting humans and machines into space, each of those vehicles got there with computers on board. So we’re looking today to make sure that those space assets are the most secure we can offer, and make sure that any potential vulnerabilities to unauthorized access, or any malicious actors, just don’t occur.
Tom Temin: So in other words, satellites are software controlled, and they are sent signals from Earth to tell them what to do and so on. And that’s the issue.
Matt Hayden: Correct.
Tom Temin: What is the specific purpose of SPD-5? How did this all come about?
Matt Hayden: So we wanted to have a comprehensive policy for all these systems that are used in outer space, not just from a military application or from a private sector application, but just the combined resources that are up there. We wanted to make sure we’re all on the same page. So it outlines six principles to protect the cybersecurity integrity of space and the assets up there based on risk assessments. And as you know, the Space Council has been hard at work renewing and reimagining the role in space since this administration reinvigorated the council, and our secretary is an active member of that council, and we’ve been an active part of it since the first day. One of those challenges is that the recognition that space is now a contested military domain. And when we have adversaries that both have the capability and intent to disrupt some of our systems, we needed to have a common sense, whole of government approach to really address this and to make sure that we had our commercial space partners at our side to do that. And that’s through that great public-private partnership that the National Space Council offers.
Tom Temin: And will DHS work this order through the Cybersecurity and Infrastructure Security Agency, CISA?
Matt Hayden: So CISA will be a big part of that. A lot of what we’re going to be doing is left of launch. If you’ll stick with me for a moment there, the basics are we want to make sure as people are developing their space assets and looking at engineering principles for space, that they’re really focused on cybersecurity is of concern and making sure that they have what are the best in class principles in front of them. That being said, since I will be working with some information sharing as well as we’ll be partnering with this Space ISAC, which is an information sharing and analysis center dedicated to the space cybersecurity mission status.
Tom Temin: Is it more of a policy role it sounds like than an operational role for satellites and communications back and forth?
Matt Hayden: Correct. So we’ll be looking at an ability to get the information in engineers’ and developers’ hands so that they have the best measures in place. So from a policy perspective, it’s a coordinated whole of government look ahead so that everybody is on the same page.
Tom Temin: And a lot of space assets are under the control or at least the authority of the Space Command, the newest military service. So where does DHS leave off, and they pick up because there’s a lot of military satellites out there too?
Matt Hayden: So we are starting from the approach of, as stated earlier, the design elements, so we’re looking to make sure before something gets up into space, it has the correct cybersecurity principles applied. At the same time, once a vehicle is in orbit, the vulnerabilities are unauthorized access to that challenge us greatly. But at the same time, those principles of SPD-5 would still apply, we’re just going to leverage the individuals within the Space Force and NASA to do what they do best. So we’re going to be on the pre-launch side of things and Space Force and NASA will take care of it to get it up there and then manage it from that point forward.
Tom Temin: Because these things do run together, the bloodlines, commercial launches or military launches. Sometimes they’re built by commercial outfits. Sometimes they’re built by NASA, and they might be carried aloft on a commercial vehicle or on a government vehicle. And then sometimes the information streams are used by both sides. So I mention it gets kind of complicated.
Matt Hayden: It does. But the cooperation with the Space Command is critical, and prior to launch, they know what kinds of measures are built into the system to make it resilient. And we’re here to make sure that they have a seat at the table for that as well when we’re working together with industry and our partners. And if there’s any concerns once an asset is in orbit, we envisioned coordination with Space Command after the asset’s launched as well, just so everybody has the up to date information in how we do our information sharing with our partners.
Tom Temin: Is there some kind of a risk assessment framework, if you will, because not every satellite is equal in terms of importance or sensitivity?
Matt Hayden: It is a risk based model that we are looking at for the development all the way through the supply chain. So as we work with vendors and partners in the space-air arena, we do look all the way down that supply chain from a risk modeling perspective. That gives us the ability to look at sensitive components and to make sure that all these processes have the right framework as they move forward.
Tom Temin: And DHS has a lot of experience monitoring internet traffic, you know, through the TIC program, and so on. And they’ve deployed lots of these tools throughout the agencies. Is it also possible to do some kind of monitoring program on communications and interaction with software in space? Does that capability exist now?
Matt Hayden: Well, parts of where TIC lie will also apply just because a connection to a network is a connection to a network. So just because the location happens to be in orbit, and it has a sensitive nature to it, doesn’t drop any of the sensitive network rules and regulations. So the good news is those experiences and authorities would stand similar as they would terrestrial versus space, the only challenge would be when we look to new devices to make sure that they’re supportive of the evolution of that tech model.
Tom Temin: And what about the international aspect of this because we have friendly nations that have satellites, and then we have people we don’t trust very much that also have satellites. So what about, say France, Great Britain, India, other space capable countries that we would I imagine want to coordinate with?
Matt Hayden: It doesn’t stop with the US and our partners across the board are going to be contributing to this. We do have an international focus to make sure that we’re not going in alone on any of these standards and principles. But at the same time, we’re not being prescriptive. So a lot of what we’re putting forward in SPD-5 is a framework that allows for cybersecurity to be a focus. And that’s a supported model by all our partners that are looking to do the same.
Tom Temin: And from a simply operational standpoint, will there be a unit created within DHS that is just dedicated to space?
Matt Hayden: Right now, space covers a significant arena within our critical infrastructures. So we have engagement directly with the Space ISAC. But to the degree that it crosses over a lot of our critical infrastructure councils, that it’s not likely to have a dedicated space office as of yet, because currently, as we mentioned earlier, you’re going to have network specialists, you’re going to have communication specialists and the like, and those cross over a lot of domains. And we’re going to leverage those existing assets to make sure we’re best supporting this effort.
Tom Temin: In other words, there are 17 or 18 cybersecurity infrastructure domains. And then beyond that, I think it’s 99 or something critical functions in the country, many of those already have a space element to them. Is that a good way to put it?
Matt Hayden: Correct. Yes, those critical functions are going to, again, share a lot of that workload.
Tom Temin: By the way, have there been any successful cyber attacks that we know about in space?
Matt Hayden: Well, what we’re looking to do with SPD-5 is to look ahead of these emerging risks. What I can say is that there are nation state actors and others that do have capability to cause problems in the space area. And while we don’t have any offerings of existing events, what we do have is to know with that capability being there, we want to make sure we’re prepared. And that includes looking forward to make sure that that adversarial posture is there as well, to know that that is a contested domain in space. It’s not something that you can send up and forget.
Tom Temin: So you’ll need some cooperation from industry as they assemble and program these devices to think about cybersecurity maybe a little bit more front of mind than they’ve been used to.
Matt Hayden: I would actually say we would go completely down their supply chain, so it would not stop at even the software development level. It would go through the complexity and wholeness of their supply chain for developing space assets.
Tom Temin: Wow. Matt Hayden is acting assistant secretary for cyber infrastructure risk and resilience policy at the Homeland Security Department. Thanks so much for joining me.
Matt Hayden: Great to be here. Thank you.