States have an obligation to warn satellite operators of cyber threats — IAC paper

SYDNEY, Australia – States have a responsibility to inform citizens, including commercial spacecraft operators, of cyber threats, Diane Howard, former commercial space policy director for the White House National Space Council, said at the International Astronautical Congress here.

“States do have a duty to warn, to share credible threat intelligence proactively and to take all effective steps to avoid the harm,” Howard said Sept. 30, while presenting a paper, “State Responsibility in Orbital Conflicts: Legal Implications of Cyber-Enabled Counterspace Operations under the Outer Space Treaty.”

“We need to dig deeper into how to compel the states to live up to this challenge,” said Howard, a University of Texas adjunct professor and principal of consulting firm sur l’espace.

Howard’s research stemmed from her experience working in the U.S. government during the 2022 Russian invasion of Ukraine. Early in the conflict, hackers targeted commercial satellite infrastructure including Viasat’s KA-SAT network and SpaceX Starlink communications satellites.

Since 2022, the United States military and the armed forces of many nations have grown increasingly reliant on commercial Earth observation and communications satellites, which exposes satellite operators to the threat of becoming military targets.

For example, the U.S. Space Force Commercial Augmentation Space Reserve (CASR), which gives the military to access private sector space assets, “is perhaps blurring the distinctions between the civilian and the military population,” Howard said.

Companies involved in CASR gain access to high-quality threat information. U.S. government agencies also share information with members of the Space Information Sharing and Analysis Center, a public-private partnership, and the National Security Agency’s Cybersecurity Center shares threat intelligence with defense contractors.

Since agencies possess information on threats, which they share with some companies, “what levers and hooks can we use to get the government to provide it to everyone?” Howard asked.

The obligation to warn civilians and companies is rooted in international legal principles, Howard said. In the United States, additional protection is offered by a 2020 National Space Policy memorandum that warns against the “purposeful interference with space systems, including supporting infrastructure.”  

“I would also posit that this is yet another good argument for why operators should want to be licensed, because this would then give them some protection,” Howard said. “Perhaps we need to do a better job of informing them about that.”

In addition, government action to help satellite operators ward off cyberthreats “would help stabilize markets,” Howard said, because investors are aware of the risks to space infrastructure.