[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
EXPLORING CYBER SPACE:
CYBERSECURITY ISSUES FOR CIVIL
AND COMMERCIAL SPACE SYSTEMS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON SPACE AND AERONAUTICS
OF THE
COMMITTEE ON SCIENCE, SPACE,
AND TECHNOLOGY
OF THE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
JULY 28, 2022
__________
Serial No. 117-66
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
48-138 PDF WASHINGTON : 2023
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. EDDIE BERNICE JOHNSON, Texas, Chairwoman
ZOE LOFGREN, California
SUZANNE BONAMICI, Oregon
AMI BERA, California
HALEY STEVENS, Michigan, Vice Chair
MIKIE SHERRILL, New Jersey
JAMAAL BOWMAN, New York
MELANIE A. STANSBURY, New Mexico
BRAD SHERMAN, California
ED PERLMUTTER, Colorado
JERRY McNERNEY, California
PAUL TONKO, New York
BILL FOSTER, Illinois
DONALD NORCROSS, New Jersey
DON BEYER, Virginia
CHARLIE CRIST, Florida
SEAN CASTEN, Illinois
CONOR LAMB, Pennsylvania
DEBORAH ROSS, North Carolina
GWEN MOORE, Wisconsin
DAN KILDEE, Michigan
SUSAN WILD, Pennsylvania
LIZZIE FLETCHER, Texas
FRANK LUCAS, Oklahoma, Ranking Member
MO BROOKS, Alabama
BILL POSEY, Florida
RANDY WEBER, Texas
BRIAN BABIN, Texas
ANTHONY GONZALEZ, Ohio
MICHAEL WALTZ, Florida
JAMES R. BAIRD, Indiana
DANIEL WEBSTER, Florida
MIKE GARCIA, California
STEPHANIE I. BICE, Oklahoma
YOUNG KIM, California
RANDY FEENSTRA, Iowa
JAKE LaTURNER, Kansas
CARLOS A. GIMENEZ, Florida
JAY OBERNOLTE, California
PETER MEIJER, Michigan
JAKE ELLZEY, Texas
MIKE CAREY, Ohio
------
Subcommittee on Space and Aeronautics
HON. DON BEYER, Virginia, Chairman
ZOE LOFGREN, California
AMI BERA, California
BRAD SHERMAN, California
ED PERLMUTTER, Colorado
CHARLIE CRIST, Florida
DONALD NORCROSS, New Jersey
BRIAN BABIN, Texas, Ranking Member
MO BROOKS, Alabama
BILL POSEY, Florida
DANIEL WEBSTER, Florida
YOUNG KIM, California
CONTENTS
July 28, 2022
Hearing Charter
Opening Statements
Statement by Representative Don Beyer, Chairman, Subcommittee on Space and Aeronautics, Committee on Science, Space, and Technology, U.S. House of Representatives
Written Statement
Statement by Representative Brian Babin, Ranking Member, Subcommittee on Space and Aeronautics, Committee on Science, Space, and Technology, U.S. House of Representatives
Written Statement
Written statement by Representative Eddie Bernice Johnson, Chairwoman, Committee on Science, Space, and Technology, U.S. House of Representatives
Witnesses:
Dr. Theresa Suloway, Space Cybersecurity Engineer, The MITRE Corporation
Oral Statement
Written Statement
Mr. Matthew Scholl, Chief, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology
Oral Statement
Written Statement
Mr. Brandon Bailey, Senior Project Leader, Cyber Assessments and Research Department, The Aerospace Corporation
Oral Statement
Written Statement
Discussion
Appendix: Answers to Post-Hearing Questions
Dr. Theresa Suloway, Space Cybersecurity Engineer, The MITRE Corporation
Mr. Matthew Scholl, Chief, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology
Mr. Brandon Bailey, Senior Project Leader, Cyber Assessments and Research Department, The Aerospace Corporation
EXPLORING CYBER SPACE:
CYBERSECURITY ISSUES FOR CIVIL
AND COMMERCIAL SPACE SYSTEMS
----------
THURSDAY, JULY 28, 2022
House of Representatives,
Subcommittee on Space and Aeronautics,
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to notice, at 10:04 a.m., in
room 2318 of the Rayburn House Office Building, Hon. Don Beyer
[Chairman of the Subcommittee] presiding.
Chairman Beyer. This hearing will come to order. Without
objection, the Chairman is authorized to declare a recess at
any time.
And before I deliver my opening remarks, I want to note
that, today, the Committee is meeting both in person and
virtually. And I want to announce a couple of reminders to the
Members about the conduct of this hearing. First, Members and
staff who are attending in person may choose to be masked, but
it is not a requirement. However, any individual with symptoms,
a positive test, or exposure to someone with COVID-19 should
wear a mask while present.
Members who are attending virtually should keep their video
feed on as long as they are present in the hearing. Members are
responsible for their own microphones. Please keep your
microphones muted unless you are speaking. And finally, if
Members have documents they wish to submit for the record,
please email them to the Committee Clerk, whose email address
was circulated prior to the hearing.
So good morning, and welcome to today's hearing ``Exploring
Cyberspace: Understanding Cybersecurity Issues for Civil and
Commercial Space Systems.'' I want to welcome our witnesses,
both in person and virtual. We're pleased to have you with us.
Getting to space and operating there involves risk. From
the launch itself to micrometeoroids, orbital debris, and
geomagnetic storms, space system developers and operators must
mitigate against multiple risks that can impact their
satellites. But today's hearing focuses on a much more
nefarious risk: cyber threats to civil and commercial space
systems. These risks have taken a center stage since the public
announcement of a malicious Russian attack in February 2022 on
Viasat's satellite internet user modems. The hack affected
thousands of customers in Ukraine and tens of thousands across
Europe. Other reports cited jamming of Starlink space broadband
ground terminals, which were sent to Ukraine when its
communications were disrupted by the Russian invasion.
While the recent hacks have highlighted the issue, cyber
threats to space systems are not new. In 2015, the
Congressionally-established U.S.-China Economic Security and
Review Commission reported on hacks in 2007 and 2008 to the
Landsat-7 satellite. The Commission also noted that cyber
actors targeted NASA's (National Aeronautics and Space
Administration's) Terra Earth observation satellite on two
occasions in 2008. The actors demonstrated, quote, ``the steps
required to command the satellite,'' unquote, but did not do
so.
In 2014, a cyber attack on the National Oceanic and
Atmospheric Administration's, NOAA's, satellite information and
weather service systems actually led the agency to stop
satellite transmission of weather data to the National Weather
Service for two days while it responded to the incident.
These hacks perpetrated by bad actors are chilling and
serious. The importance of addressing them is amplified as our
reliance on space for in-space and terrestrial infrastructure
and services continues to grow.
As examples, NOAA plans to procure space situational
awareness data from commercial providers, and NASA plans to
procure commercial space-based communication services to meet
many of its communications requirements.
To date, the government and Congress have taken steps to
address the matter.
In December 2020, the government issued Space Policy
Directive (SPD)-5, ``Cybersecurity Principles for Space
Systems.'' In May 2021, Chairwoman Johnson, Ranking Member
Lucas, myself, and Ranking Member Babin requested that the GAO,
the Government Accountability Office, conduct a review of the
cybersecurity risk to the sensitive data associated with NASA's
major projects and spaceflight operations. That review is now
underway.
Other Members of Congress have introduced legislative
proposals on space and cybersecurity.
More recently, following the Viasat incident, the
Cybersecurity and Infrastructure Security Agency (CISA) and the
FBI (Federal Bureau of Investigation) issued an alert on
strengthening cybersecurity of satellite communication network
providers and customers. The National Security Agency also
issued a cybersecurity advisory to protect small ground
terminals used to transmit and receive satellite
communications. And the Department of Commerce's National
Institute of Standards and Technology (NIST) has issued
guidance on cybersecurity for commercial space systems.
Today's hearing will give us an opportunity to review these
efforts and the overall landscape of cybersecurity for civil
and commercial space systems, including, what is the range of
threats today? What is the status of the implementation of
space director--Space Policy Directive-5? What role should the
Federal Government have, and is there an agency in charge of
space cybersecurity? And what are the issues for Congress?
We need to make every effort to understand what further
actions can be and should be taken to strengthen cybersecurity
for civil and commercial space systems, including commercial
space systems that provide mission-critical government data and
services. Malicious disruptions to such systems would have
significant impacts to critical services, our economy, and the
growing $447 billion global space economy, including everything
from weather and environmental forecasting, to forestry
management, to communications, space science, and national
security.
I look forward to hearing from our expert witnesses on this
important issue. And before I close, I want to note the
groundbreaking progress that will be made with the House's
voting on the Senate-passed CHIPS and Science Act of 2022. This
act includes the first NASA authorization in five years. And I
think I'm very proud that this NASA authorization includes many
of the changes, the recommendations from both the GAO report on
NASA and the Inspector General (IG) report on NASA. The core
set of provisions provide direction across NASA's portfolio
that will support the agency in continuing to lead, inspire,
discover, explore, and carry the ambitious and challenging
space and aeronautics missions.
[The prepared statement of Chairman Beyer follows:]
Good morning, and welcome to today's hearing, Exploring
Cyber Space: Understanding Cybersecurity Issues for Civil and
Commercial Space Systems.
I want to welcome our witnesses. We are pleased to have you
with us both in person and virtually. Getting to space and
operating there involves risk. From the launch itself, to
micrometeoroids, orbital debris, and geomagnetic storms, space
system developers and operators must mitigate against multiple
risks that can impair their satellites.
Today's hearing focuses on a more nefarious risk--cyber
threats to civil and commercial space systems. The risks have
taken center stage since the public announcement of a malicious
Russian attack in February 2022 on Viasat's satellite internet
user modems. The hack affected thousands of customers in
Ukraine and tens of thousands across Europe. Other reports
cited jamming of Starlink's space broadband ground terminals,
which were sent to Ukraine when its communications were
disrupted by the Russian invasion.
While the recent hacks have highlighted the issue, cyber
threats to space systems are not new. In 2015, the
Congressionally-established U.S.-China Economic Security and
Review Commission reported on hacks in 2007 and 2008 to the
Landsat-7 satellite. The Commission also noted that cyber
actors targeted NASA's Terra Earth observation satellite on two
occasions in 2008. The actors demonstrated the ``steps required
to command the satellite'' but did not do so.
In 2014, a cyber-attack on the National Oceanic and
Atmospheric Administration's satellite information and weather
service systems led the agency to stop satellite transmission
of weather data to the National Weather Service for two days
while it responded to the incident.
These hacks perpetrated by bad actors are chilling and
serious. The importance of addressing them is amplified as our
reliance on space for in-space and terrestrial infrastructure
and services continues to grow.
As examples, NOAA plans to procure space situational
awareness data from commercial providers and NASA plans to
procure commercial space-based communications services to meet
many of its communications requirements.
To date, the government and Congress have taken steps to
address the matter.
In December 2020, the government issued Space Policy
Directive-5, ``Cybersecurity Principles for Space Systems.''
In May 2021, Chairwoman Johnson, Ranking Member Lucas,
myself, and Ranking Member Babin requested that Government
Accountability Office conduct a review of the cybersecurity
risks to the sensitive data associated with NASA's major
projects and spaceflight operations. That review is now
underway.
Other Members of Congress have introduced legislative
proposals on space and cybersecurity.
More recently, following the Viasat incident, the
Cybersecurity and Infrastructure Security Agency and the FBI
issued an alert on strengthening cybersecurity of satellite
communications network providers and customers. The National
Security Agency also issued a cybersecurity advisory to protect
small ground terminals used to transmit and receive satellite
communications. And the Department of Commerce's National
Institute of Standards and Technology has issued guidance on
cybersecurity for commercial space systems.
Today's hearing will give us an opportunity to review these
efforts and the overall landscape of cybersecurity for civil
and commercial space systems, including
What is the range of threats today?
What is the status of implementation of Space
Policy Directive 5?
What role should the Federal government have, and
is there an agency in charge of space cybersecurity?
And, what are the issues for Congress?
We need to make every effort to understand what further
actions can be and should be taken to strengthen cybersecurity
for civil and commercial space systems, including commercial
space systems that provide mission-critical government data and
services.
Malicious disruptions to such systems would have
significant impacts to critical services, our economy, and the
growing $447 billion global space economy, including everything
from weather and environmental forecasting to forestry
management, communications, space science, and national
security.
I look forward to hearing from our expert witnesses on this
important issue.
Before I close, I want to note the ground-breaking progress
that will be made with the House's voting on the Senate-passed
CHIPS and Science Act of 2022.
This Act includes the first NASA Authorization in five
years. The core set of provisions provide direction across
NASA's portfolio that will support the agency in continuing to
lead, inspire, discover, explore, and carry out ambitious and
challenging space and aeronautics missions.
Chairman Beyer. Let me now turn to my friend, the good
doctor from Houston and the Ranking Member, Mr. Babin.
Mr. Babin. Thank you, Chairman Beyer. I really appreciate
that very much. Good morning. Thanks for holding this important
hearing.
We've held a number of hearings on space cybersecurity over
the last several years and unfortunately learned of many
cybersecurity incidents related to civil and commercial space.
The 2011 U.S.-China Economic Security Review Commission report
to Congress indicated that hackers interfered with USGS's
(United States Geological Survey's) Landsat-7 satellite in
October 2007 and also in July 2008, and NASA's Terra satellite
in June 2008 and October 2008. In 2014, we also heard of
intrusions into NOAA's weather and satellite network. A 2019
report from the NASA IG indicated that NASA Information
Technology Security Managers remain concerned about potential
infiltration into NASA's spaceflight systems to acquire launch
codes and flight trajectories of spacecraft. More recently,
senior NASA officials stated that the hack of a SolarWinds
software of--excuse me--of SolarWinds software was a big wakeup
call. Just a few months ago, the Secretary of State issued a
formal statement attributing a cyber attack on a commercial
satellite communication network to Russia.
With the proliferation of commercial space operations and
NASA's increased use of commercial services, this hearing is a
timely update on the topic of cybersecurity in civil and
commercial space. It is a continuation of longstanding,
bipartisan oversight. Last year, the Committee and Space
Subcommittee Chairs and Ranking Members jointly asked GAO to
review NASA and NASA contract cybersecurity, and we look
forward to reviewing that work very soon.
The executive branch is also focused on space cybersecurity
issues. In September 2020, the Trump Administration issued
Space Policy Directive-5, which outlined the U.S. Government's
first cybersecurity policy for space systems. Earlier this
year--excuse me--earlier this spring, the Department of
Homeland Security (DHS) updated their space policy for the
first time since 2011. Last year, the Cybersecurity and
Infrastructure Security Agency, or CISA, announced the
formation of the Space Systems Critical Infrastructure Working
Group to bring together stakeholders from across the sector to
minimize risks to space systems. Industry coalitions are
emerging to provide private sector information sharing and
collaboration without government intervention.
And last but not least, NIST continues to provide world-
class services and standards, as they have done since the
1970's on cybersecurity. All of these activities promote a
bottoms-up approach to private sector cybersecurity issues that
are focused on information sharing rather than proscriptive
regulations. This is the correct path, as it ensures the
industry remains at the cutting edge of innovation rather than
generations behind our adversaries like China.
As we continue our bipartisan oversight of this important
topic, we should also reach out to space operators, launch
providers, prime contractors, component subcontractors,
software providers, antenna and ground station operators, and
even end users to ensure that we understand the breadth of this
topic. This will help inform how Congress responds to future
questions such as whether space should be listed as an
additional critical infrastructure protection sector. This is a
complex question. Many aspects of space are already covered by
other sectors like communications, defense industrial base,
critical manufacturing, information technology, government
facilities, emergency services, financial services, and even
food and agriculture. Some space activities like suborbital
tourism may not rise to the definition of critical. For this
reason, both the Trump and Biden Administrations have chosen
not to add space as an additional sector, focusing instead on
critical functions.
I look forward to hearing from our witnesses and continuing
our conversation on how we as a nation can best secure our
space cyber domain while also maintaining our leadership in
space commerce. So thank you, Mr. Chairman, and I yield back
the balance of my time.
[The prepared statement of Mr. Babin follows:]
Good morning and thank you Mr. Chairman for holding this
important hearing.
We've held a number of hearings on space cybersecurity over
the last several years, and, unfortunately, learned of many
cybersecurity incidents related to civil and commercial space.
The 2011 US-China Economic Security Review Commission report to
Congress indicated that hackers interfered with USGS's Landsat
7 satellite in October 2007 and July 2008 and NASA's Terra
satellite in June 2008 and October 2008. In 2014 we also
learned of intrusions into NOAA's weather and satellite
network. A 2019 report from the NASA IG indicated that NASA
information technology security managers remain concerned about
potential infiltration into NASA's space flight systems to
acquire launch codes and flight trajectories of spacecraft.
More recently, senior NASA officials stated that the hack of
SolarWinds software ``was a big wakeup call.'' Just a few
months ago, the Secretary of State issued a formal statement
attributing a cyber-attack on a commercial satellite
communication network to Russia.
With the proliferation of commercial space operations and
NASA's increased use of commercial services, this hearing is a
timely update on the topic of cybersecurity in civil and
commercial space. It is a continuation of long-standing
bipartisan oversight. Last year the committee and space
subcommittee chairs and ranking members jointly asked GAO to
review NASA and NASA contractor cybersecurity, and we look
forward to reviewing their work soon.
The executive branch is also focused on space cybersecurity
issues. In September 2020, the Trump Administration issued
Space Policy Directive-5 (SPD-5), which outlined the U.S.
Government's first cybersecurity policy for space systems.
Earlier this spring, the Department of Homeland Security
updated their space policy for the first time since 2011. Last
year, the Cybersecurity and Infrastructure Security Agency
(CISA) announced the formation of a Space Systems Critical
Infrastructure Working Group to bring together stakeholders
from across the sector to minimize risks to space systems.
Industry coalitions are emerging to provide private sector
information sharing and collaboration without government
intervention. And last, but not least, NIST continues to
provide world-class services and standards--as they have done
since the 1970s on cybersecurity. All these activities promote
a ``bottoms-up'' approach to private sector cybersecurity
issues focused on information sharing rather than proscriptive
regulations. This is the correct path, as it ensures the
industry remains at the cutting-edge of innovation rather than
generations behind our adversaries.
As we continue our bipartisan oversight of this important
topic, we should also reach out to space operators, launch
providers, prime contractors, component subcontractors,
software providers, antenna, and ground station operators, and
even end-users to ensure we understand the breadth of the
topic. This will help inform how Congress responds to future
questions, such as whether space should be listed as an
additional Critical Infrastructure Protection sector. This is a
complex question. Many aspects of space are already covered by
other sectors like communications, defense industrial base,
critical manufacturing, information technology, government
facilities, emergency services, financial services and even
food and agriculture. Some space activities, like suborbital
tourism may not rise to the definition of ``critical.'' For
this reason, both the Trump and Biden Administrations have
chosen not to add space as an additional sector, focusing
instead on critical ``functions.''
I look forward to hearing from our witnesses and continuing
our conversation on how we as a nation can best secure our
space cyber domain while also maintaining our leadership in
space commerce. Thank you and I yield back the balance of my
time.
Chairman Beyer. Dr. Babin, thank you very much.
If there are other Members who wish to submit additional
opening statements, your statements will be added to the record
at this point.
[The prepared statement of Chairwoman Johnson follows:]
Good morning,
Thank you, Chairman Beyer, for holding today's hearing on
cybersecurity for civil and commercial space systems. And
welcome to our witnesses who will be testifying today on this
important topic.
Unfettered access and freedom to operate in space are vital
to the advancement of the security, economic prosperity, and
scientific knowledge of the United States, as emphasized in the
United States National Cyber strategy. The growing threats to
space assets and their supporting infrastructure is a matter of
great concern for this Committee and Subcommittee.
Commercial space systems play a crucial role in the United
States and world economy, and one that is expected to grow as
the government realizes plans to increasingly leverage
commercial space capabilities.
As was seen during the war in Ukraine with the hacking of
Viasat's ground stations and subsequent communications outages,
commercial space systems are exposed to cybersecurity threats
that can degrade critical functions.
In addition to cyber hacks to ground systems, cyber threats
to satellites and their spacecraft, users, and the links
between the two could cripple many of the services necessary to
modern life in the United States. Those services include remote
sensing and position, navigation, and timing systems that
support many sectors of our economy and national security.
We need to ensure that we understand this threat and what
options we have to mitigate and address it.
As Chairman Beyer noted, the government has begun taking
steps to address cybersecurity in space systems with Space
Policy Directive-5, which directs the government to work with
the commercial space industry to establish cybersecurity norms
and behaviors. In addition, the National Institute of Standards
and Technology is applying its cybersecurity framework to
different segments of commercial space systems.
However, more needs to be done in this area. There are no
universally accepted standards for cybersecurity in space
systems. More work is also needed to translate high-level
policy and guidance into practical engineering standards that
commercial companies can apply to their systems.
The issues and risks surrounding this topic are numerous. I
look forward to hearing from our expert panelists on what is
needed to increase cyber resilience in commercial and civil
space systems. Preventing the crises that would result if cyber
risks were to be realized must be a priority.
Thank you, and I yield back.
Chairman Beyer. At this time, I'd like to introduce our
witnesses. Dr. Theresa Suloway is a space cyber subject matter
expert at the MITRE Corporation. Dr. Suloway previously served
as the Department Manager at the National Cybersecurity
Federally Funded Research and Development Center (FFRDC) at
MITRE, sponsored by the National Institutes of Standards and
Technology, or NIST. She worked with NIST on developing several
NIST Interagency Reports on commercial space and also serves as
an alternate board member to the Space Information Sharing
Working Group. Dr. Suloway has 15 years of technical experience
in the DOD (Department of Defense) and the U.S. intelligence
community, guiding R&D (research and development) and
operational effort--activities. So, Dr. Suloway, welcome.
Dr. Matthew Scholl, who's with us virtually, is the Chief
of the Computer Security Division in the Information Technology
Laboratory at the U.S. Department of Commerce's NIST. Mr.
Scholl oversees a research program that cultivates trust in
information technology and metrics by developing and
disseminating standards, measurements, and testing for
interoperability, security, usability, and reliability of
information systems, including cybersecurity standards and
guidelines for Federal agencies and U.S. industry. He also co-
leads NIST's participation with the Cybersecurity National and
International Standards Development Organization. He is a U.S.
Army veteran and currently has more than 20 years of Federal
service. Welcome, Mr. Scholl.
Finally, Mr. Brandon Bailey is a Senior Cybersecurity
Project Manager within the Cybersecurity Subdivision at The
Aerospace Corporation. Mr. Bailey has spent much of his
professional career supporting space agencies such as NASA,
where he led various cybersecurity efforts. More recently, Mr.
Bailey has published several articles and reports focusing on
adding cybersecurity in the space systems to meet the evolving
threat landscape, including a set of products that define risk-
driven requirements. So, Mr. Bailey, welcome.
And as our witnesses should know, you will each have five
minutes for your spoken testimony. Your written testimony,
which can be much longer, will be included in the record for
the hearing. When you've all completed your spoken questions--
your spoken testimony, we will begin with the difficult
questions. Each Member will have five minutes to question the
panel.
We will start with Dr. Theresa Suloway. Dr. Suloway, the
floor is yours.
TESTIMONY OF DR. THERESA SULOWAY,
SPACE CYBERSECURITY ENGINEER,
THE MITRE CORPORATION
Dr. Suloway. Thank you. Good morning, Chairman Beyer,
Ranking Member Babin, and distinguished Members of the
Subcommittee on Space and Aeronautics. Thank you for inviting
me to testify before you on commercial space cybersecurity.
Successful adoption of cybersecurity in the commercial space
industry is a critically important issue, and I appreciate the
opportunity to share insights from my work on this topic.
My name is Theresa Suloway. I am a Space and Cybersecurity
Engineer and Project Lead with MITRE. My testimony today comes
from my 15 years of technical experience working at MITRE and
in the industry-guiding research and development and
operational activities across government. I also serve as an
active member of the Space Information Sharing and Analysis
Center or ISAC.
My role with MITRE has involved support to NIST's National
Cybersecurity Federally Funded Research and Development Center.
This FFRDC administers NIST's National Cybersecurity Center of
Excellence, or NCCOE, which MITRE has operated since 2014. I
would like to make a brief statement and to submit my full
remarks for the record.
When discussing space systems, it is useful to divide the
landscape into three manageable distinct components: the user
segment, the ground segment, and the space segment. The user
segment is the community that uses the services that the
satellite provides, such as global navigation systems--for
example, GPS (Global Positioning System)--and internet
services. The ground segment is defined by the infrastructure
that supports the tasking and operation of the satellites and
its payloads, including the computer networks, antennas, and
industrial control systems that support transmission to the
satellite. The space segment represents the satellite that is
in orbit. NIST has published interagency reports to address
each segment, which I co-authored in my role with MITRE.
The NIST cybersecurity framework consists of five core
functions: identify, protect, detect, respond, and recover, all
applicable to the space domain. First, we must identify the
risks and vulnerabilities to the space ecosystem. For example,
one of the most urgent cybersecurity risks that must be
addressed from--for commercial space is the possibility that
one or more satellites could be hijacked to cause a collision.
A collision between satellites would not only destroy the
satellites involved, but the resulting debris will permanently
remove that orbit or region from use by any other satellite.
This risk requires preemptive rather than reactive action.
As dependence on commercial space services grows, our
critical infrastructure is exposed to further cascading risks
from our Nation's food supply to hospital communications to
energy delivery. Rural locations, which are solely dependent on
commercial satellite connectivity, are at higher risk if these
services are disrupted.
The ground segment is vulnerable because it is the easiest
to access through traditional means. While harder to access,
the space segment is vulnerable to corrupted commands or
software being sent from either a trusted or malicious source.
Adding encryption to the ground space link would mitigate some
of the vulnerabilities by making it harder for malicious
sources to send commands to the satellites.
An attacker can be successful, regardless of the measures
you put in place, making monitoring key. Monitoring and cyber
situational awareness need to be built in now as part of the
fabric of commercial space. You can't respond to and recover
from an attack you're unaware of.
The commercial space industry operates within the
constraints of size, weight, power, and cost and needs to serve
both customers and investors. Introducing burdensome, costly--
potentially costly cyber requirements into this already high-
risk, high-cost environment without a full understanding of the
impacts of those requirements could force companies to move
their operations abroad, affecting our Nation's standing as a
leader in this burgeoning domain.
Based on my experiences and observations, I recommend the
Committee consider the following actions: Incentivize adoption
of best practices by investing in R&D for cybersecurity
technologies for space systems. If only one requirement is
applied, ensure that it is encryption and encryption modules
that can upgrade to postquantum algorithms. Formalize and
strengthen the government's relationship with the space ISAC.
In addition, incentivize commercial space companies to share
information with the space ISAC. The space ISAC's watch center,
coming online in Q-4 of this year, could provide both
government and industry with needed awareness. Consideration
should be given to the designation of space systems as critical
infrastructure, which would provide additional emphasis to the
cybersecurity and resilience of civil and commercial space
systems.
I remain committed to the success, safety, and growth of
the commercial space domain through my work at MITRE and the
space ISAC with--and with academia and private industry. I
greatly appreciate the opportunity to come before you today and
to provide my insights, and I look forward to your questions.
[The prepared statement of Dr. Suloway follows:]
Chairman Beyer. Dr. Suloway, thank you very much.
Let me now introduce Mr. Matthew Scholl from NIST.
TESTIMONY OF MR. MATTHEW SCHOLL,
CHIEF, COMPUTER SECURITY DIVISION,
INFORMATION TECHNOLOGY LABORATORY,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Mr. Scholl. Chairman Beyer, Ranking Member Babin, and
Members of the Subcommittee, I am Matthew Scholl, Chief of the
Computer Security Division at NIST. Thank you for the
opportunity to testify today.
NIST is the home to five Nobel Prize winners with programs
focused on our Nation's priorities such as AI (artificial
intelligence), advanced manufacturing, the digital economy,
precision metrology, quantum sciences, biosciences, and of
course, cybersecurity.
In the area of cybersecurity, NIST has worked with our
partners since 1972 when we published the data encryption
standard. NIST's role is to provide standards, guidance, tools,
data references, and testing methods that protect our Nation's
information and information systems.
As stated in the 2021 U.S. Space Priorities Framework,
access to and use of space is of a vital national interest.
However, cyber-related threats to space assets pose increasing
risk to the commercial space emerging market. Space is a high-
risk environment, so cybersecurity risks involving commercial
space need to be understood and managed to ensure safe and
successful operations. Physical risks to space are generally
quantifiable and have the most likely potential to adversely
impact businesses that operate commercial satellites. While
physical risks are generally the primary risk, continued growth
in commercial space operation allows us the opportunity to
address cybersecurity risks as well.
As mentioned earlier, Space Policy Directive-5, the
``Cybersecurity Principles for Space Systems,'' has established
some key principles for cybersecurity in space. And it states
that space systems are reliant on information systems and
networks from design through launch and flight operations.
These systems can be vulnerable to malicious activity. That
includes spoofing of sensor data, corrupting sensor systems,
jamming and sending unauthorized commands for guidance and
control, the injection of malicious code, and conducting
denial-of-service attacks.
In order to assist with the need to address these issues,
NIST has taken some actions. Now, NIST is not a space agency,
but rather a measurement and metrology agency with a long
history in cybersecurity. We provide our expertise to mission
owners like space operators, where we couple our cybersecurity
experience and expertise with their understanding and context
of the mission area in order to create our applicable and
effective resources. These resources include a foundational PNT
(position, navigation, and timing) profile, applying
cybersecurity framework for the responsible use of position,
navigation, and timing services. Executive Order (EO) 13905,
strengthening our Nation's resilience through responsible use
of position, navigation, and timing services, directed NIST to
develop this cybersecurity profile to assist with managing
risks to systems that are dependent on PNT services.
We also created the ``Introduction to Cybersecurity for
Commercial Satellite Operations.'' This guidance provides a
general introduction to cybersecurity risk management for
commercial satellite operators. While it's not intended to be
comprehensive, it presents basic concepts and provides sample
references for additional information on cybersecurity risk
management for use by this industry.
We also created the ``Satellite Ground Segment'' applying
the cybersecurity framework to assure satellite command and
control. This guidance addresses risks specifically to the
ground segment of space operations. It defines the ground
segment and its components and presents mappings to relevant
cybersecurity informative references to assist in the
management of risk to this part of space operations.
NIST also works with our partners and has co-hosted a
series of external events, for example, the Space Cybersecurity
Symposium Series. NIST, working with the Department of
Commerce's Office of Space Commerce and the Department of
Homeland Security, work together on a series of jointly hosted
symposiums where we learn and share information about the
latest cyber threats to space infrastructure. We learn from the
industry's cybersecurity experiences, we hear about their needs
and their acceptable mitigation strategies.
Commercial space operations and opportunities continue to
grow and provide an engine for our economy and expand our
understanding of the world and the universe. This emerging
nature of commercial space technologies gives us this new
opportunity.
Thank you for the opportunity to discuss NIST's activities
today, and I'm pleased to answer any questions you might have.
[The prepared statement of Mr. Scholl follows:]
Chairman Beyer. Mr. Scholl, thank you very much.
We'll now hear from Mr. Brandon Bailey, a NASA veteran and
now with The Aerospace Corporation. Mr. Bailey?
TESTIMONY OF MR. BRANDON BAILEY,
SENIOR PROJECT LEADER,
CYBER ASSESSMENTS AND RESEARCH DEPARTMENT,
THE AEROSPACE CORPORATION
Mr. Bailey. Thank you. Chairman Beyer, Ranking Member
Babin, and distinguished Members of the Subcommittee, thank you
for inviting me to join the discussion. Within the last decade,
Aerospace Corporation has been performing analysis and research
on space systems cybersecurity to protect against an evolving
threat landscape. I've personally spent the majority of my 16-
year career focusing on cybersecurity issues with commercial
and civilian space systems. My submitted written testimony goes
into much more detail, but I would like to cover several
aspects within this testimony describing the current gaps in
relation to cybersecurity of space technology.
There's a critical need to protect space technology, which
can lead to creating critical infrastructure sector for space
technology. There's currently disjointed oversight in
governance of cybersecurity, in addition to the lack of binding
space cyber policy or widely adopted technical standards for
commercial space, which is lagging behind the growth of the
cyber threat. There continues to be significant gaps in
technical cybersecurity solutions, technical-oriented standards
and best practices for space technology, as well as the lack of
cybersecurity information sharing, and research and development
for space technology, as many efforts within space cyber are
siloed and fragmented. This lack of research and information
sharing has led to a significant lack of security-focused
defensive capabilities onboard the satellites. There continues
to be too much existing focus on the ground segment protections
to limit access to the satellite.
The release of Space Policy Directive-5 in September 2020
and the fact we're having this hearing testifies to the
importance of space technology, and cybersecurity. Space Policy
Directive-5 stated that space systems contribute to the
operation of the Nation's critical infrastructure, and when
leveraging Presidential Policy Directive 21's definition for
critical infrastructure, it's unquestionable that there is
space technology that qualifies for this definition.
Space technology is important for industry and government
activity, as well as everyday people activities. In fact,
according to the Department of Homeland Security, all 55 of the
national critical functions have some sort of dependency on or are
enabled by space technology. However, simply stating thou shalt
be a critical sector without proper planning on implementation
could ultimately lead to creating unnecessary bureaucracy that
could stifle the innovation that is necessary to ensure the
United States remains the leader in space-based capabilities,
along with it being secure.
The space technology sector must contend with harsh
environmental conditions of space, accommodate strict size,
weight, and power constraints for operating in space.
Therefore, ensuring a proper sector risk management agency is
selected, along with support from other applicable Federal
departments, agencies, and space domain-aware entities who
understand the nuance of cybersecurity in addition to the space
environment will be crucial to the successful implementation of
identifying space technology as a critical infrastructure
sector. If done properly, having a space domain-knowledgeable
governance structure can help establish better cybersecurity
standards and sharing information across the community.
It has been openly communicated by the Defense Intelligence
Agency that adversarial nations plan to target United States-
based technology via cyber means. And we're entering into an
era of space-based capabilities that are not driven by
government, therefore, do not fall under existing regulation or
governance. With this rapid commercialization of space-based
capabilities, government-owned assets are no longer the only
space systems being targeted by adversaries. As was witnessed
during the Russia-Ukraine conflict, cyber attacks have no
boundaries, and commercial entities will be targeted as well.
Security considerations and solutions must be established
as the United States continues to leverage commercial
capabilities to augment or replace traditionally provided
government space-based capabilities. The United States cannot
simply hope for the best when it comes to security on
commercial space systems. Action is needed to ensure commercial
space systems have been built securely using threat-informed,
risk-based engineering. It is also imperative that these
security principles are flowed down appropriately through
subsidiaries in the supply chain.
One recent effort to fill standards and best practices gap
was through the government agency-sponsored publicly releasable
technical operating report by The Aerospace Corporation. This
report documented the threat-informed risk-mitigation strategy
to protect satellites. The report, titled ``Cybersecurity
Protections for Spacecraft: A Threat-Based Approach,'' provides
government and industry a background on space cybersecurity and
the state of existing standards, the concept of technical
defense-in-depth protection necessary to protect satellites,
and the threat-oriented approach to space cyber risk
assessment. This report has been submitted as a part of the
record with this testimony.
In summary, the need to protect space technology is very
apparent. Therefore, we need to foster a whole-of-government
solution working with industry to establish proper guardrails,
creating binding policy and a new critical infrastructure
sector for space technology and leveraging the space cyber-aware
Federal agencies and entities like the Information Sharing and
Analysis Center to improve cyber across the board will be
imperative. The government sector has knowledge on how to
protect space-based capabilities, but we need to foster better
information sharing across the board. The United States needs
to work toward a global consensus through stronger
collaboration among space system manufacturers, suppliers,
owners, and operators. Information sharing to the entire space
technology sector about threats, vulnerabilities, corrective
action is a must, which can lead to improved security across
all segments of the space architecture.
Thank you again for this opportunity to testify on this
important topic, and I look forward to your questions.
[The prepared statement of Mr. Bailey follows:]
Chairman Beyer. Mr. Bailey, thank you very much.
We'll now begin a round of questions. I first want to make
sure that you're not discouraged that there's not a full dais
up here. You know, with--Congress goes out--the House goes out
tomorrow in theory for five or six weeks, so everyone's packing
everything into these last days. And especially with the huge
CHIPS and Science Act of 2022 bill, which is dramatic in so
many different ways, and which in theory will be coming for a
vote later today. But so--but please know that there are tens
of thousands of people watching C-SPAN across the country, and
many--this is on TV in many offices across the Hill right now.
And hopefully, more people will come up to answer--ask
questions. Otherwise, Brian and Mr. Posey and I will grill you
for a long time.
Dr. Suloway, let me start with you. You mentioned three
following actions. One was the incentive bias option--adoption
of best practices, and you specifically said encryption modules
that can upgrade to post-quantum algorithms. Do the encryption
modules exist right now that--at industrial scale that can be
adopted by the commercial and the government users? And since
no one's broke through on the quantum algorithms yet, I don't
think, how do you ensure that your encryption is going to be
upgradeable when you don't know how the quantum computing is
yet going to work?
Dr. Suloway. Thank you for the question. So as far as the
need for encryption, there are often software-only
encryption systems that you can deploy on your satellite, so
you wouldn't have to physically buy a piece of hardware and
put it on your satellite. You would still need to be able to
support the compute functions of that encryption software.
From a perspective of post-quantum encryption, the
algorithms have actually already--are being published by NIST,
and so there are some of these available. I think the
concern with the post-quantum encryption and why I put that in
my testimony is because we want to be able to upgrade in the
future so satellites being launched cannot be physically
altered once they're in space. And so the driver to try and get
the capability in there, even if the technologies aren't
available yet.
Chairman Beyer. Yes, we certainly--we've had a lot of
hearings in this Committee on blockchain, for example, which is
just fascinating until you realize that blockchain's strength
and impenetrability may go away right away once quantum
computing happens.
But, by the way, we're all a little intimidated by a Ph.D.
in aeronautics and applied physics at Caltech, you know. Almost
nothing more needs to be said.
Mr. Scholl, you talk about the--how NIST did the
introduction to cybersecurity, a bunch of really interesting
things that NIST has done. And it says that the introduction
has to move to the next big place, which is actual standards.
Will NIST develop that? Are they the best people to develop it?
And when do we go from just sort of suggesting, here's a way to
approach, to actually mandating or laying out the very clear
guidance needs that both the commercial and the government
sector have to take? When do we move from an introduction to
something that's actually real?
Mr. Scholl. Yes, thank you for the question. So the intent
of the document that we wrote on the introduction was to lay
out the process steps that an individual organization will walk
through in order to make it real for the technologies that
they're using or the type of space operation that they're
working under, either purely owned or outsourced or maybe some
hybrid, as well as for the context of their business. Now,
these all have wide variations and many differences, so our
initial document was to introduce how an organization works
through that risk management process to develop something
that's real and that will be meaningful for their business and
their mission to assure what their operations need to secure.
The next steps, then, are to ensure that individual
organizations really understand how to implement these
processes and then potentially for us to work in an open
standards body alongside industry to develop those next step
things, so not necessarily NIST, internally, but now externally
in a participative standards body alongside industry to grind
out the next level of detail.
Chairman Beyer. Thank you, Mr. Scholl.
And, Mr. Bailey, let me pivot on almost--just follow up to
that question. You talk about the lack of a binding space cyber
policy for commercial space technology, and the Space
Directive-5 exists, but it's nonbinding. Can it be--can we get
a binding policy, cyber policy, for space for commercial and
noncommercial? And is NIST the folks to develop that? Or is it
Aerospace?
Mr. Bailey. Thanks for the question. So I think we can
create some binding level of policy to some degree based on--
there's probably--there's definitely some minimum standard type
of implementation for security that we could look to leverage,
and Space Policy Directive-5 actually hints to many of those
principles that we would--no one would disagree with that are
good and can be binding. But it's--like I said, it's
nonbinding, so you can't really force people to do it.
Now a majority of people that are developing these systems,
commercial and government, are doing many of the things that
are listed in Space Policy Directive-5, but it's not
necessarily a requirement. So there are some level--and NIST
could be helpful, as well as some of the communities that are
popping up within like the space ISAC, for instance, could help
drive some of those policy implementation details, as well as
aerospace being an FFRDC continue to help and assist with that
as well because there definitely are some minimum standard
things I think we could get into a policy document.
Chairman Beyer. Great. Thank you very much. Let me now
recognize the Ranking Member of the Space Subcommittee, Dr.
Brian Babin.
Mr. Babin. Thank you, Mr. Chairman.
First question to all witnesses--and thank you for being
here with us--the Cybersecurity and Infrastructure Security
Agency, or CISA, is the primary Federal agency tasked with
addressing the cybersecurity of our Nation's critical
infrastructure. In May 2021, CISA announced the formation of a
Space Systems Critical Infrastructure Working Group to bring
together stakeholders from across the whole sector to minimize
risk to space systems. And a very--just a short answer if you
don't mind. How are each of you working with CISA on this
effort? Let's start with Mr. Scholl.
Mr. Scholl. Yes, certainly. So I have attended some of
those meetings and discussed cybersecurity standards and tools
that NIST has that could be applicable to space operations with
this working group. But in general, we have an extensive
partnership and collaboration with the DHS, the National Risk
Management Center (NRMC), mostly through their space weather
and space risk organization in the NRMC. So even outside of the
work that--this specific working group, we do collaborate and
work extensively with DHS, who is focused on this issue.
Mr. Babin. OK. Mr. Bailey?
Mr. Bailey. Yes, The Aerospace Corporation is involved in
those working groups and meetings, so there is involvement
there from The Aerospace Corporation side of the house. I've
yet to see necessarily any output from that organization quite
yet to understand what their--you know, what the goal will be
in the end and how it's going to effect change in the future,
but there is involvement with aerospace and that group.
Mr. Babin. All right. Thank you. And Dr. Suloway?
Dr. Suloway. Yes. We're supporting--I am supporting the
CISA working group, as well as are the--one of the sub-working
groups that is publishing a paper either end of this month or
early next month around how to further the work from the NIST
profiles that have been published within CISA, so that work is
coming. And there's a lot of debate in that working group on
the adoption of the critical infrastructure as a sector. So I
think--there are reports going to be published in the next few
months.
Mr. Babin. All right, thank you. And, Mr. Scholl, the
smaller companies in the space launch industry may not be
familiar with the NIST cybersecurity framework, but it's been a
sector that NIST has focused on through the National
Cybersecurity Center of Excellence, the NCCOE. How is NIST
engaging the space sector during the current process to update
the new cybersecurity framework 2.0?
Mr. Scholl. That's a great question. And so we've done some
active and targeted outreach to some of these communities,
especially as you said, small space operators, to ensure that
we understand and get their feedback on the usability of the
framework for their mission areas. And we reach out to both
individual companies, as well as through organizations like the
Satellite Industry Association, which helps us bring them
together into one organization and it also amplifies our
message back out to their members as well. The Chamber of
Commerce has also been extremely helpful in reaching this
community for us as well.
Mr. Babin. OK. And then again--or once again, there, Mr.
Scholl, in May 2021, President Biden signed Executive Order
14028, ``Improving the Nation's Cybersecurity.'' As part of the
EO, the Executive order, NIST was tasked with identifying ways
to increase the security of software supply chains, which will
be incorporated into new Federal Acquisition Regulation (FAR)
for Federal contracts moving forward. In a July 2022 update,
NIST indicated that it needs to continue to work to review the
proposed FAR regulations to ensure they are consistent with the
requirements of the Executive order. What is the status of this
work, and when do you expect these FAR regulations to be
released? And what's the expected timeline for compliance?
Mr. Scholl. Yes, thank you for the question. So NIST has
published a series of guidance, recommendations, and tools to
improve the security of our software supply chain. The
publication and the update of the Federal Acquisition
Regulation or the FAR is not the NIST responsibility within the
executive order but rather will be conducted by GSA (General
Services Administration), who has oversight on the FAR, and the
implementation of that will come down through the Office of
Management and Budget in policy directives to the agencies writ
large. NIST has built the foundation in the guidance and the
directives that will be used by both commercial and government
software developers that both the FAR and the policy will cite
for those requirements. So we've laid the foundations and the
groundwork. Now the organizations that have responsibility for
governmentwide policy and for acquisition regulation will be
the next step. And those are external to NIST.
Mr. Babin. OK, thank you very much. My time is expended, so
I'll yield back, Mr. Chairman.
Chairman Beyer. Dr. Babin, thank you very much.
Let me now recognize the Member of Congress who will--whose
district will oversee the Artemis launch to the Moon in the
next 60 days or so, Mr. Posey.
Mr. Posey. Thank you very much, Mr. Chairman, for holding
this hearing.
It seems the threats to our national security never end.
They just get greater and greater, and I thank the panelists
for coming today and sharing your thoughts with us.
The vast majority of space technologies are dual use. I
mean, they can serve both in national security and a civil
purpose. Companies like L3Harris, which is headquartered in my
district, offer solutions to protect government systems. Many
other companies manufacture, launch, and offer solutions to
protect them as well. Are there any barriers that any of you
see between the cybersecurity solutions provided for national
security civil and commercial space sectors?
Mr. Bailey. I'll jump in here. So one of the things I see
is the barrier for information sharing between government
national security and commercial. So there's been numerous
times where I've been involved in conversations where they kind
of have to stop because the proper caveats or access control
and information can't be shared with certain commercial
entities for certain reasons. So that leads to not
understanding the threat necessarily, as well as maybe national
security individuals may have, so that can lead to a
misrepresentation, misunderstanding of what kind of threat
they're actually trying to mitigate. So there definitely needs
to be some breaking down the barriers there, getting some
information sharing at the highest levels to individuals who
need it so that the engineers and implementers that are
actually doing the system engineering need the information.
Mr. Posey. Do you see that there is a potential solution to
the problem?
Mr. Bailey. Yes, there's--there could be. Getting
sponsoring access to certain contractors that build these
solutions or temporary, you know, clearances for individuals,
which they've done that in the past at certain levels, like
getting, you know, read on the certain accesses for a certain
meeting or something like that, so opening up that information
flow. But I think one barrier--one avenue that could
potentially help is with the standup in the last couple of
years with the space ISAC. There could be--that could be an
avenue to get information distributed out to a wider community
who are members of that community. However, it has to be kind
to--have to be certain--you know, certain things have to be
done with the information to make it shareable. And that
needs--work needs to be done, you know. So having someone to
handle that part to get the information, declassified or
demarked down to a certain level that can be shared will be
critical.
Mr. Posey. Great--that's a great answer. Again, to anyone
on the panel, how are you working with the aerospace and
defense sector to ensure government use applications have cyber
protections built into the requirements?
Dr. Suloway. So I actually have an answer to the previous
question on barriers for DOD on civil and commercial. In my
view, the DOD and civil agencies which have requirements are
able to fund the--or the addition of security measures to their
satellites. But for commercial vendors, they are driven by the
consumers of the services that are being used, and so they may
not be as willing to pay for security as a DOD or a civil
agency would because they're required to do so. So I think it's
important to remember that commercial--solely commercial
entities won't have the ability to be competitive with other
entities that don't include security if that's not somehow
incentivized by the government to do so.
Mr. Posey. That makes perfect sense. Do you see solutions
to that?
Dr. Suloway. I think when it comes to cybersecurity, the
NCCOE has been able to help private industry adopt
cybersecurity without a lot of additional costs by developing
practice guides that show commercial entities that do the R&D
to integrate security tools into a reference architecture to
help kind of lower that entry into using commercial--
commercially available cybersecurity products. And so I think
similar R&D and guides that can help commercial space--the
commercial space community adopt without having to do a lot of
experimentation to implement cybersecurity tools would be
helpful. So guides and additional references would help.
Mr. Posey. I see my time is expired. Thank you, Mr.
Chairman. I yield back.
Chairman Beyer. Thank you, Mr. Posey.
Let me now introduce the Chair of the House Administration
Committee, Ms. Lofgren.
Ms. Lofgren. Well, thank you very much, Mr. Chairman, and
all the Members of the Committee. I think this is an extremely
important hearing, and I'm grateful that we have organized it.
You know, when you think about the space sector, the
commercial side may not have the same protections that we have
in the governmental side. And yet, a cyber attack could be
simply devastating to the American economy and to the world
economy, so this is hugely important. I'm wondering, especially
since it looks like we will be taking up the CHIPS Act today,
we know in other sectors that supply chains and third-party
vendors can present significant cybersecurity vulnerabilities.
So how much do we need to worry in space systems' supply chains
posing cybersecurity risks, and what should we do about it? I
mean, one of the concerns that's been raised publicly, I won't
get into any of our classified briefings, but Huawei's
vulnerability is some--well-known or has been publicly
discussed. We hope to overcome that through the CHIPS Act.
Can any of you address that?
Dr. Suloway. So at least from my perspective,
cybersecurity--the supply chain risks that you would have in
space systems, as you would in any other industry, are going to
be there, and there are a few things you can do. But I think
monitoring your systems because you are not going to be able to
fully vet every single line of code that you could be bringing
into your environment. So again, monitoring and sharing
information, as Mr. Bailey mentioned earlier, is important to
do for the commercial space industry in general, especially
because--especially for space systems, it's harder to deal with
things when--once systems are in orbit, so monitoring is really
important.
Ms. Lofgren. Correct.
Mr. Scholl. I'm----
Ms. Lofgren. Go ahead.
Mr. Scholl. I'm sorry, if I may. Yes, information
security--information supply chain risk management is a hugely
important field, which has shown itself even more so after the
Log4j vulnerability issue and SolarWinds. And so there's been a
significant focus that can and should be applied to the supply
chain and commercial satellites as well.
This technology, though, has the potential to be monitored
and managed a little tighter just because of the desire and the
need for technologies that have a space pedigree. This is not
necessarily a technology space that's as wide as commercial
off-the-shelf technologies that are used in our IT systems.
It's a smaller set. They have to survive the violence of launch
and the environments of space. So people look for technologies
that are specialized for that. So there's an opportunity here
to understand and provide visibility into a supply chain.
Mr. Bailey. I can say one thing real quick. So I agree with
what Mr. Scholl said. However, on the commercialization of
space that we're seeing and the influx is you are starting to
see a little more commoditized standard technology that's being
used, and open source software that's being used that we
haven't seen in the past. So I think the supply chain aspect is
going to be of increasing importance with the commercialization
of space because now you're seeing entities run like real-time
Linux on spacecraft where before you would never see that. And
then you have the ASIC (application-specific integrated
circuit), FPGA (field programmable gate array) hardware-based
Trojan things that can happen if you offshore those and don't
have those under a good lock and key so that--it's going to be
increased importance for sure.
Ms. Lofgren. I thank all of the witnesses, Mr. Chairman,
and I yield back.
Chairman Beyer. Ms. Lofgren, thank you so very much.
We're now going to do a second round of questions for those
Members who would wish to do so. And let me begin.
Dr. Suloway, you had mentioned--I think Mr. Bailey
mentioned also--that designating space systems as a critical
infrastructure sector within DHS, that there are 16 existing
already. My--our good friend, Congressman Ted Lieu from
California, actually introduced legislation specifically to do
that, which has not yet passed. Is this the right way to go?
And how big a priority should this be for us?
Dr. Suloway. There are several aspects to having space as a
critical infrastructure, and I think the advantages of having
it as a--space as a critical infrastructure allows there to be
a focus location for commercial entities to kind of engage with
the Federal Government. I know there is also a lot of concern
that it would add additional burden to the commercial space
industry, and that's why some people are concerned about
bringing it as an additional sector. And so I think whatever is
done, a centralized focus is important, and the implementation
of it needs to be done carefully so that it doesn't have the
opposite effect of driving commercial entities to not work
within the United States and register abroad. And so I think
that's my only concern.
Chairman Beyer. You led very nicely into the second
question. Of the three recommendations you made, the first one
was that we incentivize adoption of best practices rather than
regulate them. Is this the same concern that they would locate
in other countries if we regulated?
Dr. Suloway. Yes, that's the main concern is that we want
them to be part of the conversation. And as Brandon mentioned,
from a space information sharing perspective, we want them to
bring their data into the fold so that the community itself can
get stronger. But if commercial entities who have to serve
customers aren't able to be profitable with adding in
additional requirements, that's an issue. I will say the space
community, at least the ones that participate with the ISAC,
are very motivated to be involved and are applying their
resources, so I just want to protect that community and with
whatever is done from a critical infrastructure perspective.
Chairman Beyer. Mr. Bailey, let me pile on because this is
a constant debate here is how light, how heavy should the
regulatory touch be. So if we're in a place where we're
encouraging based on NIST recommendations and not mandating,
not having a set policy, what's the danger of the bad actors
slipping through in some five percent, 10 percent, 20 percent
of the cases? How do we find that right balance?
Mr. Bailey. Yes, I think incentivizing is one mechanism.
Maybe there's a balance between minimum--a minimum implementation
standard like encryption or other--or maybe some supply chain
controls as minimum and then incentivize to increase maybe
additional levels of security. And it's not a one-size-fits-all
either. It's not every single satellite that gets launched
needs a certain level of security. It's a risk-based
decision. And so anything that's being leveraged to provide
critical functionality for the country should meet, you know,
these minimum standards, but maybe, you know, small research
CubeSats or nanosats that are running for universities may not
have to be the same level of security. So it's going to have to
be a risk-based decision. And as these things get used for
critical functions in the country, I think the barrier and the
minimum standard has to be established because, I mean, at a
minimum, what we've already--I mean, encryption is super
important. I think we all agree that should be done. And the
fact that we don't have that as a binding requirement for any
satellite that's launched in this country is a little
concerning from my perspective.
Chairman Beyer. Great. Great. Thank you very much.
Dr. Scholl, you talked about formalizing and strengthening
the government's relationship with Space ISAC. Tell us a bit
more about Space ISAC. Is it governmental, quasi-governmental,
private?
Dr. Suloway. It's a private company, but they are--they do
have relationship with DHS, so they're chartered by--I think
they have a relationship of information sharing with DHS.
But right now, they don't have a formal Federal Government
role, and I think that's where the--there can be confusion from
a commercial space perspective of where--if they wanted
information, where do they plug in? Do they go to the FBI or do
they go to DHS or, you know, should they participate with the
space ISAC? It's--I think it would help to formalize that
relationship so commercial companies could feel comfortable
providing that information and know that they were plugging
into the appropriate part of the ecosystem because there isn't
a central, I think, location to go to.
Chairman Beyer. OK. Thank you. If Dr. Babin is here--I
don't believe he is. But, Dr. Babin, if you're here, we'd love
to welcome you for a second round of questions.
So moving on, let me--Dr. Suloway, let me also just follow
up on that. ISAC--Space ISAC is it nonprofit?
Dr. Suloway. I believe it is a nonprofit, but I do not know
that off the top of my head. I would have to get back to you.
Chairman Beyer. And how would the government formalize this
relationship with ISAC?
Dr. Suloway. So that is a good question. I am not as
familiar with how the Federal Government formalizes
relationships with ISAC, and so I would have to get back with
you on what the specific mechanism would be for that.
Chairman Beyer. Mr. Bailey, if I could just pivot on this
same question, you talked about a proper sector-specific
agency, SSA, a sector risk management agency working with
something like ISAC. Is this something, again, that's created
from scratch based on an earlier model or does it already
exist?
Mr. Bailey. Well, the real intent of that comment was
ensuring that we select the proper, you know, sector agency and
not affiliated with maybe agencies who aren't necessarily or
can't tap into the space domain knowledge that does exist in
the Federal space. Because currently we have--you know, between
NASA, you know, Space Force, NRO (National Reconnaissance
Office), NOAA, we have numerous agencies, professionals, and
people who understand this domain and understand cybersecurity
concerns and the nuance thereof. So the real crux of that
comment is really ensuring that we leverage those agencies in
addition to the community that the ISAC is building with the
commercial sector to implement that properly. So what you don't
want is, you know, necessarily some bureaucratic agency that
has little domain awareness that relegates a whole bunch of red
tape that just stifles innovation.
So that's really the goal is making sure that you have the
proper bounds of oversight with people who have domain
expertise and then working directly with entities like the ISAC
to further the, you know, cybersecurity posture and prove
it across the board. So if we were to do the critical sector,
critical--space technology is a critical infrastructure sector.
Whoever that, you know, agency is, that's probably where you
could have that tie-in with the ISAC and have that kind of
point-to-point communication in my opinion.
Chairman Beyer. Great. Thank you, Mr. Bailey, very much.
Let me yield to my good friend, the Ranking Member, Dr.
Babin, for his questions. In the meantime, Congresswoman Kim
will follow Dr. Babin.
Mr. Babin. Thank you very much. I wasn't quick enough
getting audio back on. I'm sorry, Mr. Chairman.
Yes, I do have a couple more questions, this one to Dr.
Suloway. How does MITRE support small- and medium-sized
businesses in the space industry on cybersecurity standards and
best practices? And how does MITRE work to explain what the
attack framework is to the commercial space industry?
Dr. Suloway. So MITRE works with several industry
associations like AIAA (American Institute of Aeronautics and
Astronautics) and engages with them on that front. As far as
MITRE ATT&CK, there isn't a specific MITRE ATT&CK for space
systems. But we do provide the MITRE ATT&CK framework because--
generally to all. So we are engaging heavily in forums and
conferences with the commercial space community, which is
actually where we've heard a lot of the concerns from a
regulatory perspective. And so those are the engagements we've
had.
And yes, MITRE ATT&CK is helpful, but it's important to
remember that MITRE ATT&CK is based on tactics, techniques, and
procedures that have been observed in other systems. And there
hasn't--you guys have mentioned several of the incidents that
have occurred for space systems, but there isn't that large
body of knowledge as there are with traditional network
systems, and so there's a lot of, I guess, predictive nature of
looking at a tech and how it could apply to space systems
because there isn't that knowledge base.
Mr. Babin. All right, thank you. Thank you so much. And one
more, Mr. Chairman, if you don't mind. This is addressed to Mr.
Bailey. Information Sharing and Analysis Centers, or ISACs, are
forums for private sector information sharing related to
critical infrastructure and cybersecurity. According to the
National Council of ISACs, they are typically nonprofit
organizations which do not lobby. I think you all mentioned
that a second ago. A new ISAC focused on space was recently
established, and both aerospace and MITRE are members. Is the
space ISAC a nonprofit or--and does it advocate for policy
positions?
Mr. Bailey. I also don't know 100 percent for sure if it is
nonprofit, but I believe that is the case, given the--how ISACs
operate. And yes, Aerospace and MITRE--and we support the ISAC.
And we don't really lobby for anything. We've necessarily put
out what we feel like is the appropriate, you know, guidance or
position that the ISAC would want to have as it relates to
cybersecurity.
So one of the things that we've done in the ISAC community
that we're currently working on--we haven't published anything
yet--but is trying to translate Space Policy Directive-5 from a
policy, even though it's nonbinding, to implementation details
that can actually be shared in the community. So that's an
ongoing effort. There's a Space Policy Directive-5 working
group where we're trying to better articulate some
implementation technical guidance as it relates to the
principles that were outlined in SPD-5. So that's kind of
where--we're more in the nuts-and-bolts area of this, but there
is some----
Mr. Babin. Yes.
Mr. Bailey [continuing]. Policy aspect to that.
Mr. Babin. OK.
Mr. Bailey. And if I may, if I could answer your--the
question you had before----
Mr. Babin. Sure, go ahead.
Mr. Bailey [continuing]. So the question you asked before
about how MITRE supports--Aerospace does similar activities
with--our focus is space. So MITRE does a lot of their work,
great work with ATT&CK and other things. Aerospace is really
focused mostly on space systems. And the way we collaborate
with industry and things is like we published that technical
operating report this year with a coordination through a
government agency to get it in the public sector so that can be
shared to commercial entities on the threats that could apply
to a spacecraft, as well as countermeasures and ways to
implement those and even get those into acquisition
requirements and design details. So we're trying to put out
additional low level guidance that can help mitigate some of
the cyber attack threats that we see that could manifest itself
onboard a vehicle. And we also have initiatives ongoing that
kind--that try to leverage what the MITRE ATT&CK framework is
but kind of translate that for what it would really mean to a
space vehicle. And we're--we have ongoing research in that
area. Thank you.
Mr. Babin. OK, thank you. Thank you so much. Excellent.
Mr. Chairman, I yield back, and I appreciate the second
round.
Chairman Beyer. Thank you, Mr. Babin, very much.
Let me now recognize the gentlelady from California, Mr.
Kim--Ms. Kim.
Ms. Kim. Thank you, Chairman Beyer and Ranking Member
Babin, for holding this hearing today. And I do appreciate the
opportunity to ask our witnesses questions in the second round.
Space already plays a very integral part in our lives, and
with the commercial space boom, we have witnessed in recent
years we should expect that our lives will be increasingly
reliant on technology in Earth's orbit. This means we'll be
increasingly reliant on cybersecurity. So I can ask this
question to either Dr. Suloway or Dr. Scholl. In your written
testimony, Dr. Scholl, you noted that examples of malicious
cyber activities harmful to space operations include spoofing
sensor data, corrupting sensor systems, jamming, or sending
unauthorized commands for guidance and control, injecting
malicious code, and conducting denial-of-service attacks. This
is what you said Mr.--Dr.--Mr. Scholl. So based on your
experience of working with the private sector to implement
Space Policy Directive-5, would you say malign state actors
are the greatest threat to America's commercial space industry?
Mr. Scholl. So, yes, thank you for the question. Nation-
state actors are one of the most resourced and motivated to
disrupt this infrastructure of the threat actors that exist. So
certainly a nation-state actor has the resources, has the
capability, and has the need from a competitive perspective as
a threat actor that we should be prioritizing.
Ms. Kim. Sure.
Mr. Scholl. A lot of these attacks are described, absent of
the actual threat actor. A tier down is the potential
authorized and--person who has access but for whom there's an
accidental input, a disruption, an interference with an
adjacent band. So, yes, nation-state actors first, but there's
also a whole other class of threat actors, which are known as
the accidental but authorized as well.
Ms. Kim. Sure. For the past year, our Committee has worked
on legislation to increase the number of graduates entering
STEM (science, technology, engineering, and mathematics)
fields, including cybersecurity. So I want to ask you, Dr.
Suloway, what is your assessment of the cybersecurity work
force in the space industry and in the Federal Government's
space agencies?
Dr. Suloway. So it is a challenge to find individuals with
both a space background and a cyber background. And I think,
just anecdotally, it is hard to get both of those backgrounds
together in a single person. So more investment in education
would be--which would be helpful.
Ms. Kim. Dr. Suloway, are you aware of any state-sponsored
cyber attacks on American commercial space companies? And if
so, what was the damage that you're aware of?
Dr. Suloway. So I can speak to the two recent events that
Chairman Beyer brought up in his testimony, which were the
SpaceX terminals in Ukraine, as well as the Viasat. So from a
Viasat perspective, it's interesting because the attackers were
able to get in from the ground system and then move to the user
terminals and then disable those systems. So it's interesting
from a ground user space, getting into one allows you to pivot
to the other. In that case, they disabled the terminals, which
were able to be recovered at a later state but disrupted the
service. So it was recoverable, but I don't know the full
impact of what wasn't able to be done without that service.
Ms. Kim. So I know the last question you asked you
responded, and I wanted to just see what kind of attacks that
you're aware of, and if so--but I do agree with you that we
lack work force in the STEM-related fields. And I think that is
the more reason why our government has to invest more in
educating the next generation of future scientists, future--you
know, the work force in the STEM field. So I know I'm working
on legislation collectively with my colleagues, one of which
was already included in the CHIPS legislation that we're
working on this week. So I really agree that we need to build
our work force in that development, and I'm really using this
time to encourage my colleagues to think through it as we vote
on that legislation today. Thank you.
Chairman Beyer. Congresswoman Kim, thank you very much for
coming and being part of this.
Before we bring the hearing to a close, I really want to
thank our witnesses for your testimony. As I understand, there
are roughly 4,500 satellites in low-Earth orbit today. They
project 100,000 by the year 2030, which is not far away. We're
depending on them for communications, for weather, for
agriculture, for national security, and probably most
importantly for the internet for the whole world. And it's
critical for life in the 21st century that we protect the
satellites and the ground-to-satellite, satellite-to-ground
communications.
So this is a really important hearing. Thank you so much for
all of your input. Thanks for the ideas and the wisdom. We will
try to figure out a way forward with your help.
The record will remain open for two weeks for additional
statements from Members and for any additional questions the
Committee may ask of the witnesses. The witnesses are now
excused. The hearing is now adjourned.
[Whereupon, at 11:17 a.m., the Subcommittee was adjourned]
Appendix
----------
Answers to Post-Hearing Questions
Responses by Dr. Theresa Suloway
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Matthew Scholl
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Brandon Bailey
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]