In September 2014, hackers from China broke into the U.S. National Oceanic and Atmospheric Administration (NOAA) network in an attempt to disrupt data related to disaster planning, aviation, and much more coming from U.S. satellites. This breach was the latest in a series of cyberattacks on space systems, exposing the Achilles’ heel of such technology: the vulnerability of its computers and the information it creates and transmits. Cyberattacks, which are on the rise in every industry, pose particularly significant threats to space systems as they are used so ubiquitously in corporate and military operations, making them increasingly attractive targets for hackers.
Although only about a dozen countries have the capability to launch a satellite into space, billions of people around the world rely on space systems for nearly every aspect of modern life. Satellites are used to support phones, the Internet, and banking systems. They are also used to monitor land, air, and maritime traffic; facilitate global communications; transmit mass media in real time; monitor the earth for climate change or severe weather threats and natural disasters; gather intelligence; and send early warnings of incoming ballistic missiles. It is no wonder, then, that the global economy depends on communication satellites, navigation systems, and earth-observation satellites.
The backbone of all these services consists of 1,200 operational satellites currently orbiting the earth, which have the potential to cause significant tangible damage by attacking national or global space systems across countries and continents. Even a small glitch can wreak havoc. For example, in April 2014, the Glonass System, the Russian equivalent of the American-designed GPS, malfunctioned due to two small mathematical mistakes in the software. Significantly, fixing the system took more than 13 hours, and the half-day breakdown led to severe disruption of Glonass receivers, which affected iPhone5 users. While the disruption was not caused by ambitious hackers, it is easy to see why space systems are the brass ring of cybercrimes: They are low effort and high return. Therefore, a relatively simple hack can inflict considerable damage.
Although a space system is composed of three connected segments—satellites and spacecraft that orbit the earth, ground stations, and the communication systems that link the two—cybercriminals only need to find the vulnerabilities in one of these segments. For example, for a few hundred dollars, a hacker can buy a small jamming device on the Internet to interfere with satellite signals. “We have to make it (satellite navigation systems) more robust,” warned Colonel Bradford Parkinson, who led the creation of the GPS. “Our cellphone towers are timed with GPS. If they lose that time, they lose sync and pretty soon they don’t operate. Our power grid is synchronized with GPS [and] so is our banking system.”
Space systems have become the target of hacking. In July of last year, the United States identified a 28-year-old British citizen who hacked a number of government networks, including NASA. He attempted to grab highly sensitive data and claimed he would “do some hilarious stuff with it.” Four months later, in November 2013, viruses infected the computers used by the International Space Station. Japan’s space agency also discovered a computer virus inside a few of its computers in January 2012 and Germany’s space center recently suffered an espionage attack, with several of its computers getting hit with spyware. Since 2009, the BBC has complained of disruptions to its Persian-language radio and television programs and has accused Tehran of interfering with international satellite broadcasts beamed into Iran. Only after the EU made a diplomatic complaint to pressure Iran to cease and desist did the attacks stop. When North Korea jammed South Korea’s GPS signals in May 2012, it affected the navigation of over 250 flights. The list goes on.
One of the reasons space systems, especially commercial ones, are such easy prey is that they often operate with outdated software. Developing a space system is generally a long process that, depending on the complexity of the system, takes several years to complete. And once the system is operational, it is expected to last for at least several years—sometimes even more than a decade. This process makes it difficult to update the system’s security software. Moreover, in many cases, the information systems that are being used to manage space systems are mostly based on commercial “off-the-shelf” products, with known vulnerabilities and low levels of protection, especially compared to supposedly better-protected military systems.
In 2014, a number of think-tanks, from the Council on Foreign Relations to London-based Chatham House, as well as the information-security firm IOActive, sounded the alarm on how vulnerable space systems are to cyberattacks. These reports warned of the ease with which backdoors in software—an undetected remote access to a computer—can be exploited, and of the prevalence of unsecured software, non-protected protocols, and unencrypted channels. One of the studies’ recommendations was to immediately remove software updates from the public websites of various companies that provide satellite services and equipment, in order to prevent hackers from reverse-engineering the source code. However, despite these warnings, the space industry is barely aware of these risks and its responses are slow. Herein lies a challenge: to produce and put into practice standards and regulations regarding multinational and commercial activities in space technology and exploration.
In the past year, several space-faring nations have begun to tackle the issue. Three months ago, the U.S. Air Force announced that it hopes to develop technologies that would prevent hackers from jamming its satellites. Russia intends to significantly update the robustness and security of its military and government satellite communication system by 2025.
Despite these positive steps, national governments and international bodies have more ground to cover. First, governments need to increase their efforts to raise awareness regarding the growing threat of cyberattacks against both government and commercial space systems. Second, in order to provide better protection, governments and corporations should take a holistic rather than piecemeal approach regarding the protection of all segments of their systems, and work toward solutions that will ensure the performance of the systems and their services, rather than protecting a specific asset. For example, satellites are and will continue to be damaged by cyberattacks; but the ability of an entire system to operate smoothly and recover rapidly is more crucial than the security and safety of a single satellite.
Third, military, civil, and commercial actors should engage in more dialogue in order to strengthen overall protection. They can do so by sharing information and working jointly toward better standards and regulations. Fourth, governments and international bodies should try to standardize protocols for protecting space systems. For example, when NOAA was breached in September, the Inspector General for the Commerce Department, which oversees the network, had just criticized it for an array of “high-risk vulnerabilities” in the security of its satellite information and weather service systems. It took nearly a month for NOAA to admit it had been hacked. Hiding such information hampers meaningful and timely discussion about the issue and delays the development of preventive measures. Enforcing a standard protocol could help alleviate this problem. And finally, protecting space systems must be an international effort. Space-faring nations should work together to achieve international cooperation on all of the areas mentioned above: raising awareness, sharing information, and developing much-needed standards.
The potential for colossal damage and the relative ease of launching a cyberattack on space systems make them tantalizing targets for cybercriminals. The threat is already at our doorstep, and it will only get bigger. It is time for the international space community to muster the political will to rise to this growing challenge.