The Washington Post

Opinion: Our satellites are prime targets for a cyberattack. And things could get worse.

A SpaceX Falcon Heavy rocket carrying a communication satellite lifts off from pad 39A at the Kennedy Space Center in Cape Canaveral, Fla., April 11. (John Raoux/AP)

Gregory Falco is a cyber research fellow at Harvard University’s Belfer Center and a postdoctoral security researcher at the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory. He is the founder and chief executive of NeuroMesh, a tech security company.

One minute. That’s how long it took me last month to demonstrate to a major broadcasting company and production team how to access and restart a leading satellite Internet provider’s control system. Five minutes is how long it took me to demonstrate how to gain full control of it.

Hackers are always improving their ability to break into our digital infrastructure. Yet the computer systems running our satellites haven’t kept up, making them prime targets for an attack. This makes our space assets a massive vulnerability — and it could get much worse if we’re not careful.

This past weekend, SpaceX won approval from the Federal Communications Commission to increase the number of low-flying satellites as part of its Starlink project so that they can provide faster Internet access to the world. Unfortunately, access will be faster for both legitimate users and hackers alike. The FCC does not require applicants to publicly demonstrate how they will secure these satellites or the Internet they plan to provide. SpaceX, like other private space companies, has shared virtually no information about its cybersecurity efforts or plans.

This is extremely disconcerting, considering the potential ramifications of a satellite being hacked. The most mundane outcome is that the satellite will no longer function, but the other extreme is for an attacker to break into a satellite and take over any thrusters (which SpaceX has insisted its satellites will have) and then propel the satellite into critical infrastructure and military satellites in other orbits. In other words, attackers could possibly use the hacked satellite as a kinetic weapon.

There has long been a void of attention to securing space infrastructure, ranging from space-faring rovers to satellite ground-control systems that manage all the space-based assets. Virtually no policy or oversight agency exists concerning securing space assets — something I’ve discussed with government leadership to little avail. While the FCC regulates communications, it should not necessarily be responsible for all things space security. Perhaps the new Space Development Agency could be.

This leaves space security in the hands of the private sector, which is exploiting the recent ease of access to space. The advent of small satellites known as CubeSats offers the chance to launch a satellite into orbit for as little as $30,000. And because the government wants to encourage economic activity in this area, requirements to do so are extremely light. This leaves those who are creating the satellites responsible for the cybersecurity of their assets, which is not usually part of the rocket scientist’s traditional skill set.

As a space cybersecurity researcher, I am excited about the renewed interest in space from both the commercial and exploratory perspectives. But we need to be strategic about the security of these space systems. Unlike “Internet of things” devices such as baby monitors, which we purchase for less than $100 and discard or sell once a new model comes out, satellites often remain in orbit for much longer and are less dispensable. So if we don’t consider the cybersecurity of the space asset now, we’ll likely be dealing with the ramifications of that for several years to come. The lack of government intervention in satellite security does not mean that we can ignore cybersecurity as an issue.

Private space companies such as SpaceX, OneWeb and Blue Origin need to join the conversation about cybersecurity and help consumers understand that they are taking it seriously (if they are). (Blue Origin’s founder and owner, Jeff Bezos, also owns The Post.) Right now, there are several job openings for information security analysts at private space companies, indicating that they are likely hurting for talent and are behind in figuring out their security. This isn’t surprising given that space is hard, and traditional IT experts don’t have the right skill sets for a space cybersecurity job. Space systems have unique requirements that are more akin to an industrial control system, such as an energy smart meter, than to an email server.

Private space companies need to start a dialogue with the security research community about their particular challenges so that we can help. They should also be transparent with the FCC that they need help in securing their infrastructure. The last thing we need is for China or Russia to take over SpaceX’s satellites and wreak havoc on our space assets.
