September 4, 2020.  Today President Trump signed Space Policy Directive-5 (“SPD-5”) establishing cybersecurity best practices for the U.S. Government and commercial space operations.  The directive seeks to protect critical space systems from cyber threats by incorporating cybersecurity into all phases of space system development and developing a culture of prevention, active defense, risk management, and the sharing of best practices.

The effort couldn’t be more timely.  The United States increasingly relies on space-based systems for, among other things, global communications, positioning and navigation, scientific observation, exploration, weather monitoring, and national defense.  While this reliance has grown, so too has the threat posed by unfriendly governments and other bad actors.  SPD-5 highlights vulnerabilities of space systems, including spoofing or corrupting of sensor systems, jamming, unauthorized guidance commands, injection of malicious code, and denial-of-service attacks.  Such attacks result in lost mission data, decreased lifespan or capability of space systems, or even the loss of control over space vehicles and the creation of orbital debris.

In response to these threats, SPD-5 provides guidance on how government agencies and commercial operators can protect space assets and supporting infrastructure from cyber threats and mitigates the risk posed by harmful space debris resulting from malicious cyber activities.  SPD-5 builds on earlier efforts including the National Security Strategy, the National Cyber Strategy, and SPD-3 (National Space Traffic Management Policy) in seeking to foster practices within Government space operations and across the commercial space industry to ensure continuity of operations.

SPD-5 establishes the following cybersecurity principles for space systems:

  1. Space systems and their supporting infrastructure including software, should be developed and operated using risk-based, cybersecurity-informed engineering, and be developed to continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities that could manipulate, deny, degrade, disrupt, destroy, surveil, or eavesdrop on space system operations;
  2. Space systems operators should develop or integrate cybersecurity plans for space systems that include capabilities to protect against unauthorized access; reduce vulnerabilities of command, control, and telemetry systems; protect against communications jamming and spoofing; protect ground systems from cyber threats; promote adoption of appropriate cybersecurity hygiene practices, and manage supply chain risks;
  3. Space system cybersecurity requirements and regulations should leverage widely-adopted best practices and norms of behavior;
  4. Space system owners and operators should collaborate to promote the development of best practices and mitigations, including sharing of threat, warning, and incident information within the space industry; and
  5. Space system operators should allow space system operators to manage risk tolerance and minimize undue burden when implementing cybersecurity requirements specific to their system.

While the Administration does not currently plan for agencies to codify the principles set forth in SPD-5, the directive is another step towards protecting critical space infrastructure and commercial space assets.  Ultimately, SPD-5 urges U.S. Government agencies to work with the commercial space industry to further develop best practices and establish cybersecurity-informed norms and behaviors throughout the United States’ industrial base for space systems.