White House wants cybersecurity built into space tech

NOTE: This story first appeared on FCW.com.

For decades, government and the private sector have built IT systems that treated security as an afterthought. The Trump administration wants to ensure those mistakes aren't repeated in orbit.

In a six-page memorandum scheduled to be published Sept. 10 in the Federal Register, the White House says unfettered freedom to operate in space is "vital" to economic and national security. It lays out guiding principles for protecting U.S. space-based systems from cybersecurity threats and puts federal agencies on notice to build workplace cultures that emphasize security when developing plans or policies for space operations across government. It also calls on those agencies to work with commercial providers and non-governmental entities to establish industry cybersecurity standards and norms for cybersecurity.

While the document notes that many policies and best practices are similar to those used when fending off terrestrial-based cyberattacks, it highlights a critical difference for space-based systems that must be accounted for in advance: there is no Geek Squad or IT help desk waiting in orbit if something goes wrong.

Building security features into these systems at the design stage -- to remotely process updates or conduct incident response activities, for example -- is crucial since "most space vehicles in orbit cannot currently be physically accessed."

"For this reason, integrating cybersecurity into all phases of development and ensuring full life-cycle cybersecurity are critical for space systems," the memo states.

Like on Earth, IT systems in space should be built to continuously monitor for malicious cyber activity, and should be able to anticipate and adapt to attacks that seek to surveil, manipulate or degrade U.S. operations. Government agencies should also set up similar information sharing and collaboration vehicles with industry and supply chain providers to respond to emerging threats and ensure space systems aren't sabotaged before they're launched into orbit.

The guidance lists a number of threats that are particularly dangerous when systems are in space, such as spoofing sensor data or corrupting sensor systems, hacking or jamming command and control infrastructure and unauthorized personnel leveraging insufficient physical security measures to gain access to critical hardware and software.

Because much can go wrong during a space operation, cyber policies must walk a tightrope between doing everything to ensure security procedures are followed while also "permitting space system owners and operators to manage appropriate risk tolerances and minimize undue burden" that could make it harder for personnel to adapt or innovate in the face of a novel threat.