At first glance, the new US Space Policy Directive 5, Cybersecurity Principles for Space Systems, released last Friday, seems innocuous enough, with common-sense principles. However, there may be issues with the supply chain portions of the policy.
So what is Space Policy Directive 5? When the White House sent out the email regarding the Memorandum on Space Policy Directive 5, it included the following highlights:
- Space systems enable key functions such as global communications; positioning, navigation and timing; scientific observation; exploration; weather monitoring; and multiple vital national defense applications. These systems, networks, and channels can be vulnerable to malicious activities that can deny, degrade, or disrupt space operations, or even destroy a satellite. It is essential to protect space systems from cyber incidents in order to prevent disruptions to their ability to provide reliable and efficient contributions to the operations of the Nation’s critical infrastructure.
- Space Policy Directive-5 fosters practices within U.S. Government and commercial space operations that protect space assets and their supporting infrastructure from cyber threats.
- SPD-5 furthers the policies and objectives of the National Security Strategy, the National Cyber Strategy, and SPD-3 (National Space Traffic Management Policy) to ensure the Nation maintains its leadership and freedom of action in space. It provides guidance on the protection of space assets and supporting infrastructure from evolving cyber threats and mitigates the potential for the creation of harmful space debris resulting from malicious cyber activities.
- SPD-5 recognizes that cybersecurity principles and practices that apply to terrestrial systems also apply to space systems; encourages integrating cybersecurity into all phases of space systems development; and stresses that effective cybersecurity practices stem from cultures of prevention, active defense, risk management, and the sharing of best practices.
- SPD-5 directs U.S. Government agencies to work with commercial companies consistent with the principles in the SPD to further define best practices, establish cybersecurity informed norms, and promote improved cybersecurity behaviors throughout the Nation’s industrial base for space systems.
- SPD-5 establishes the following cybersecurity principles for space systems:
  - Space systems and their supporting infrastructure including software, should be developed and operated using risk-based, cybersecurity-informed engineering;
  - Space systems operators should develop or integrate cybersecurity plans for space systems that include capabilities to: protect against unauthorized access; reduce vulnerabilities of command, control and telemetry systems; protect against communications jamming and spoofing; protect ground systems from cyber threats; promote adoption of appropriate cybersecurity hygiene practices; and, manage supply chain risks;
  - Space system cybersecurity requirements and regulations should leverage widely-adopted best practices and norms of behavior;
  - Space system owners and operators should collaborate to promote the development of best practices and mitigations; and
  - Space systems operators should make appropriate risk trades when implementing cybersecurity requirements specific to their system.
How does that compare to what we know about Canadian cybersecurity space policy?
Canada’s space cybersecurity policy
Canada’s new space strategy doesn’t directly address cybersecurity, though it does mention the QEYSSat mission, which will demonstrate secure communication using quantum encryption. Cybersecurity and space are, however, part of the Department of National Defence’s Strong, Secure and Engaged defence policy.
There are several initiatives related to cyber and space in the defence policy, including the following, which pertain to our allies:
Initiative 83. Defend and protect military space capabilities, including by working closely with allies and partners to ensure a coordinated approach to assuring continuous access to the space domain and space assets.
Initiative 84. Work with partners to promote Canada’s national interests on space issues, promote the peaceful use of space and provide leadership in shaping international norms for responsible behaviour in space.
Initiative 86. Conduct cutting-edge research and development on new space technologies in close collaboration with allies, industry, and academia to enhance the resilience of space capabilities and support the Canadian Armed Forces’ space capability requirements and missions.
Clearly Canada’s policies with respect to cybersecurity and space that are publicly known appear to align with US policy. Except perhaps when it comes to the supply chain.
The potential supply chain issue
Towards the end of the Memorandum on Space Policy Directive-5, Section 4b (Principles) are these two points:
(v) Adoption of appropriate cybersecurity hygiene practices, physical security for automated information systems, and intrusion detection methodologies for system elements such as information systems, antennas, terminals, receivers, routers, associated local and wide area networks, and power supplies; and
(vi) Management of supply chain risks that affect cybersecurity of space systems through tracking manufactured products; requiring sourcing from trusted suppliers; identifying counterfeit, fraudulent, and malicious equipment; and assessing other available risk mitigation measures.
While these two points seem appropriate enough, they do open the door to excluding suppliers who may get singled out, or suppliers from nations such as China where the US has concerns. There’s still nothing wrong with the policy. Where it could get tricky, though, is with suppliers from nations like Canada who might use components from suppliers in countries like China. It may seem like a small point, but it is something to be aware of.
At the moment, the policy directive is a policy without enforcement. Suppliers, however, will have to keep a close eye on any new regulations that might come out of this new policy.
