Read the original article: Space Cybersecurity in the Age of Defending Forward
On Sept. 4, the Trump administration released a policy directive detailing the United States’s cybersecurity principles for “space systems.” Emphasizing the importance of space systems for communication, science, economic prosperity, and national security, the directive highlights the importance of integrating cybersecurity throughout the development and life cycle of space systems. Specifically, the directive calls for agencies to “foster practices within Government space operations and across the commercial space industry that protect space assets and their supporting infrastructure” and defend against cyber threats.
As a policy document, the directive does not create any new legal rights or obligations in the context of cybersecurity practices in space. But the directive’s language, in combination with the U.S. cybersecurity policy often referred to as “defending forward,” raises important questions concerning the United States’s existing legal obligations in space under international law. More specifically, the directive’s centering of cybersecurity in space creates tension with the international obligation to use space to advance international peace and security for the benefit of all countries. The assertive posture of defending forward may conflict with international space law in the policy’s current iteration.
Defending Forward
In response to the growing array of cybersecurity threats, the United States has developed a policy known as “defending forward,” initially articulated in the 2018 Department of Defense Cyber Strategy. Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, explained how defending forward relies on the doctrine of persistent engagement—actively “compet[ing] with adversaries on a recurring basis” by disrupting and degrading their capabilities to conduct cyberattacks. Defending forward also focuses on halting malicious cyber activity and having the ability to fight digital wars—in short, building “more lethal” cyber abilities. Critics of the policy have argued that defending forward in cyberspace could increase “the risks of escalation” of conflict with adversaries. However, Cyber Command and the U.S. government have decided that a “more proactive approach” will more effectively impose costs on adversaries, while managing the risk of escalation in cyberspace.
Notwithstanding this more assertive posture, the United States accepts that its cyber forces and activities, including in space, are subject to applicable international law. Indeed, a stated goal of the United States is to “promote respect for widely held international norms in cyberspace.” But in space, additional international law obligations and norms may complicate the United States’s ability to defend forward.
International Law Obligations and Norms
Both cyber and space are subject to international law and norms. U.N. Charter principles of state sovereignty, nonintervention, and state responsibility, along with the laws governing the use of force and international humanitarian law (IHL), all potentially apply to transnational cyber incidents. Many, if not most, cyberattacks fall below the traditional threshold for armed conflict that triggers the application of IHL. The other bodies of law are less clearly defined in their application to cyberspace, frequently failing to capture the realities of modern technology or anticipate the consequences of technological developments. While academics and states, including the United States, maintain that international law applies to cyber operations, the reality consists of murky parameters.
The Outer Space Treaty of 1967, the primary international space treaty to which the United States is a party, governs state activities in the exploration and use of outer space. The treaty provides a framework that is crucial for understanding the policy directive in light of the defending forward cybersecurity posture. Article I dictates that the exploration and use of space must be “carried out for the benefit and in the interests of all countries” and that space must “be free for exploration and use by all States … in accordance with international law.” Article III explains that applicable international law includes the U.N. Charter. State activities in the exploration and use of outer space must be carried out “in the interest of maintaining international peace and security and promoting international co-operation and understanding.”
The Outer Space Treaty also aims to prevent the militarization of space. Article IV prohibits states from placing in orbit around Earth or stationing in space, nuclear weapons or any other weapons of mass destruction.The treaty also mandates that the moon and other celestial bodies be used “exclusively for peaceful purposes” and prohibits “the testing of any type of weapons and the conduct of military manoeuvres on celestial bodies.” Article VI provides in relevant part that states “bear international responsibility for national activities in outer space” by both governmental and nongovernmental entities. Finally, Article IX requires states to engage in international consultation in relation to any planned activity by another state that could “cause potentially cause harmful interference” with peaceful activities in outer space.
New Cybersecurity Principles for Space Systems
The Trump administration’s space systems directive interacts with the dynamics around both defending forward and international law. The directive addresses protocols for preventing, monitoring and responding to potential cyber threats against the backdrop of the international legal obligation to take actions in space only for the collective benefit of states. The intersection of defending forward and applicable international law in space, and their possible conflict, calls for a clearer understanding of how the United States’s cybersecurity policy comports with space law.
The directive outlines cybersecurity principles for “space systems,” defined as systems that “provide[] a space-based service.” This will generally include “a ground control network, a space vehicle, and a user or mission network,” and applies to government and private space systems. Importantly, the directive purports to set policy guidance for both government and private space systems; the relationship the policy directive sets out for the federal government and the commercial space industry is discussed in greater detail below.
First, the directive recommends that space systems and supporting infrastructure be developed to “continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities” that could threaten the systems’ operations. Second, space system developers and operators should have cybersecurity plans that will ensure operators or “automated control center systems” are able to “retain or recover positive control of space vehicles.” In particular, cybersecurity plans should protect from unauthorized or malicious access by implementing authentication or encryption measures and aligning best practices with the National Institute of Standards and Techno
[…]
Read the original article: Space Cybersecurity in the Age of Defending Forward