[Senate Report 117-122]
[From the U.S. Government Publishing Office]
Calendar No. 428
117th Congress, 2d Session          SENATE          Report 117-122
_______________________________________________________________________
SATELLITE CYBERSECURITY ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 3511
TO REQUIRE A REPORT ON FEDERAL SUPPORT TO
THE CYBERSECURITY OF COMMERCIAL SATELLITE
SYSTEMS, AND FOR OTHER PURPOSES
June 21, 2022.--Ordered to be printed
__________
U.S. GOVERNMENT PUBLISHING OFFICE
29-010 WASHINGTON : 2022
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware          ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire        RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona             RAND PAUL, Kentucky
JACKY ROSEN, Nevada                 JAMES LANKFORD, Oklahoma
ALEX PADILLA, California            MITT ROMNEY, Utah
JON OSSOFF, Georgia                 RICK SCOTT, Florida
                                    JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Jeffrey D. Rothblum, Senior Professional Staff Member
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
Cara G. Mumford, Minority Director of Governmental Affairs
William H.W. McKenna, Minority Chief Counsel
Laura W. Kilbride, Chief Clerk
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3511]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3511) to require a
report on Federal support to the cybersecurity of commercial
satellite systems, and for other purposes, having considered
the same, reports favorably thereon with an amendment (in the
nature of a substitute) and recommends that the bill, as
amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis of the Bill, as Reported
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. PURPOSE AND SUMMARY
S. 3511, the Satellite Cybersecurity Act, requires the
Cybersecurity and Infrastructure Security Agency (CISA) to
develop a publicly available online clearinghouse of
cybersecurity resources, recommendations, and other appropriate
materials specific to commercial satellite systems (CSS) owners
and operators, including materials tailored for small
businesses. The bill also requires CISA to consolidate
voluntary cybersecurity recommendations, including
recommendations collected from external sources, such as public
and private subject matter experts, designed to assist in the
development, maintenance, and operation of CSS, and for these
recommendations to be included in the clearinghouse. The bill
also requires CISA to carry out its implementation as a
public-private partnership to the greatest extent practicable,
to coordinate with the heads of appropriate federal agencies,
and to consult with entities outside the federal government
with expertise in CSS or cybersecurity of CSS, including
private, consensus organizations that develop relevant
standards.
Additionally, S. 3511 requires the Comptroller General of
the United States, in consultation with other federal agencies,
to study and provide a report to Congress on the effectiveness
of efforts of the federal government to improve the
cybersecurity of CSS and any resources made available by
agencies to support the cybersecurity of CSS. The bill requires
the report to detail interdependence of critical infrastructure
and CSS, the extent to which threats to CSS are part of
critical infrastructure risk analyses and protection plans, the
extent to which federal agencies rely on CSS, and risks posed
by foreign ownership or foreign-located CSS physical
infrastructure.
II. BACKGROUND AND NEED FOR THE LEGISLATION
CSS are an essential piece of our economy. The Presidential
Memorandum on Space Policy Directive 5 states that space
systems are integral to the operation of numerous critical
infrastructure sectors and functions, including global
communications; position, navigation, and timing; weather
monitoring; and ``multiple vital national security
applications.''\1\ Former Acting CISA Director Brandon Wales
stated on May 13, 2021 that ``secure and resilient space-based
assets are critical to our economy, prosperity, and our
national security.''\2\ The National Institute of Standards and
Technology also notes that CSS are critical to protect, as
``[t]he commercial uses of space for research and development,
material sciences, communication, and sensing are growing in
size, scale, and importance for the future of the U.S.
economy.''\3\
---------------------------------------------------------------------------
\1\President Donald Trump, Memorandum on Space Policy Directive-5
Cybersecurity Principles for Space Systems (Sep. 4, 2020)
(https://trumpwhitehouse.archives.gov/presidential-actions/memorandum-space-policy-directive-5-cybersecurity-principles-space-systems/).
\2\Cybersecurity & Infrastructure Security Agency, CISA Launches a
Space Systems Critical Infrastructure Working Group (May 13, 2021)
(https://www.cisa.gov/news/2021/05/13/cisa-launches-space-systems-critical-infrastructure-working-group).
\3\National Institute of Standards and Technology, Introduction to
Cybersecurity for Commercial Satellite Operations (2nd Draft) (NISTIR
8270) (Feb. 25, 2022)
(https://csrc.nist.gov/publications/detail/nistir/8270/draft).
---------------------------------------------------------------------------
Despite the critical importance of these systems,
cybersecurity vulnerabilities in CSS are growing. On November
20, 2021, Gen. David Thompson of U.S. Space Force stated: ``the
threats [to satellite systems] are really growing and expanding
every single day. And it's really an evolution of activity
that's been happening for a long time.''\4\
---------------------------------------------------------------------------
\4\A Shadow War in Space is Heating up Fast, The Washington Post
(Nov. 30, 2021)
(https://www.washingtonpost.com/opinions/2021/11/30/space-race-china-david-thompson/).
---------------------------------------------------------------------------
Attacks against CSS have also grown in recent years.
Between 2007 and 2008, two American satellites used by the U.S.
Geological Survey and NASA to monitor climate and terrain were
compromised multiple times.\5\ In 2014, U.S. officials blamed
China for a cyberattack that forced the National Oceanic and
Atmospheric Administration (NOAA) to cut off public access to
imagery data from a satellite network used for weather
forecasting.\6\ Most recently, on February 24, 2022, at the
onset of the Russian invasion of Ukraine, the KA-SAT
communication satellite network, owned by the U.S.-based
company Viasat, Inc., was disrupted, causing communication
and internet outages within Ukraine, significantly degrading
Ukrainian defense forces' command and control, and causing
large-scale disruption to a German power company's wind
turbines.\7\ On March 17, 2022, the Federal Bureau of
Investigation (FBI) and CISA released a joint advisory further
bringing attention to the cybersecurity threats facing CSS.\8\
---------------------------------------------------------------------------
\5\For Hackers, Space is the Final Frontier, Vox (July 29, 2021)
(https://www.vox.com/recode/22598437/spacex-hackers-cyberattack-space-force).
\6\Id.
\7\Satellite Outage Caused ``Huge Loss in Communications'' at War's
Outset--Ukrainian Official, Reuters (Mar. 15, 2022)
(https://www.reuters.com/world/satellite-outage-caused-huge-loss-communications-wars-outset-ukrainian-official-2022-03-15/);
Satellite Outage Knocks Out Thousands of Enercon's Wind Turbines,
Reuters (Feb. 28, 2022)
(https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/).
\8\Cybersecurity and Infrastructure Security Agency and Federal
Bureau of Investigation, Strengthening Cybersecurity of SATCOM Network
Providers and Customers (Mar. 17, 2022)
(https://www.cisa.gov/uscert/sites/default/files/publications/AA22-076_Strengthening_Cybersecurity_of_SATCOM_Network_Providers_and_Customers.pdf).
---------------------------------------------------------------------------
While extensive federal and private sector research has led
to many cybersecurity standards and resources focused on
traditional enterprise information technology, there is a
relative lack of easily accessible, consolidated resources
focused specifically on securing CSS.\9\ The lack of these
resources is of particular concern given the increase in new
satellite businesses over the past decade, in part due to the
drastic decrease in costs to launch satellites.\10\
---------------------------------------------------------------------------
\9\Examples of well-established and widely used enterprise
information technology standards include the National Institute of
Standards and Technology's (NIST) Cybersecurity Framework and the
International Organization for Standardization's 27000 family of
Standards.
\10\To Cheaply Go: How Falling Launch Costs Fueled a Thriving
Economy in Orbit, NBC News (Apr. 8, 2022)
(https://www.nbcnews.com/science/space/space-launch-costs-growing-business-industry-rcna23488).
---------------------------------------------------------------------------
Small businesses owning and operating satellites have
drastically expanded in the past decade as launch prices have
dropped.\11\ While NASA's Space Shuttle would cost $30,000 per
pound to put a satellite into low-earth orbit, private
companies have driven down this cost dramatically and increased
the frequency of launches.\12\ For example, SpaceX can now
launch satellites for under $2,000 per pound and Rocket Lab is
licensed to launch rockets every 72 hours.\13\ Multiple market
assessments project aggressive growth of the small satellite
industry over the next decade.\14\ As more businesses enter
this market, it is critical that these new satellite owners and
operators are aware of common satellite cybersecurity
vulnerabilities and the appropriate mitigations.
---------------------------------------------------------------------------
\11\Small Rockets Aim for a Big Market, Smithsonian Magazine (Apr.
2018)
(https://www.smithsonianmag.com/air-space-magazine/milestone-180968351/);
To Cheaply Go: How Falling Launch Costs Fueled a Thriving
Economy in Orbit, NBC News (Apr. 8, 2022)
(https://www.nbcnews.com/science/space/space-launch-costs-growing-business-industry-rcna23488).
\12\Id.
\13\Id.
\14\Allied Market Research, Small Satellite Market Statistics 2030
(https://www.alliedmarketresearch.com/small-satellite-market) (accessed
May 26, 2022); The Small Satellite Market is Projected to Grow From USD
3.1 billion in 2021 to USD 7.4 billion by 2026, at a CAGR of 19.4%,
GlobeNewswire (Feb. 28, 2022)
(https://www.globenewswire.com/news-release/2022/02/28/2393562/0/en/The-small-satellite-market-is-projected-to-grow-from-USD-3-1-billion-in-2021-to-USD-7-4-billion-by-2026-at-a-CAGR-of-19-4.html).
---------------------------------------------------------------------------
Historic and recent attacks against satellites, and the
severe consequences of a significant attack against satellite
systems, make clear the need for commercial satellite
cybersecurity. This bill aims to help address this need by
requiring CISA to consolidate voluntary cybersecurity
resources, recommendations, and other materials for large and
small businesses regarding how to secure CSS. To distribute
these materials efficiently, this bill requires CISA to create
a clearinghouse, and to curate up-to-date satellite
cybersecurity information from private industry and federal
government experts. This bill also requires the Comptroller
General of the United States to study how the federal
government supports CSS owners and operators, and the degree to
which critical infrastructure and the government rely on CSS
today. The study will also examine how the government uses CSS
that are owned or operated by foreign entities.
While historically there has been a lack of federal
resources dedicated to improving the cybersecurity of CSS,
CISA's Space Systems Critical Infrastructure Working Group,
which the agency launched in May 2021, seeks to address this
risk by working with the private sector in a public-private
partnership to develop cybersecurity resources for CSS owners
and operators. This legislation would build upon that work.
III. LEGISLATIVE HISTORY
Senator Gary Peters (D-MI) introduced S. 3511, the
Satellite Cybersecurity Act, on January 13, 2022, with Senator
John Cornyn (R-TX). The bill was referred to the Committee on
Homeland Security and Governmental Affairs.
The Committee considered S. 3511 at a business meeting on
March 30, 2022. During the business meeting, a substitute
amendment, as modified, was offered by Senator Peters. The
Peters substitute amendment, as modified, extended the original
reporting requirement for the study from the Comptroller
General from one year to two years; refined the Comptroller
General's agency consultation and coordination requirement; and
emphasized the use of a public-private partnership in the
implementation of this act. The Peters substitute amendment, as
modified, was adopted by voice vote en bloc with Senators
Peters, Carper, Hassan, Sinema, Rosen, Padilla, Ossoff, Paul,
Lankford, Romney, Scott, and Hawley present.
Senator Ossoff offered an amendment which adds additional
requirements to the Comptroller General study and the
consolidated recommendations to evaluate the risks associated
with foreign ownership and foreign location of CSS equipment.
The Ossoff amendment was adopted by voice vote en bloc with
Senators Peters, Carper, Hassan, Sinema, Rosen, Padilla,
Ossoff, Paul, Lankford, Romney, Scott, and Hawley present.
The Committee ordered the bill, as amended, to be reported
favorably by voice vote en bloc. Senators present for the vote
were: Peters, Carper, Hassan, Sinema, Rosen, Padilla, Ossoff,
Paul, Lankford, Romney, Scott, and Hawley.
Consistent with Committee Rule 3(G), the Committee reports
the bill with a technical amendment by mutual agreement of the
Chairman and Ranking Member.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section designates the name of the bill as the
``Satellite Cybersecurity Act.''
Section 2. Definitions
This section defines the terms ``commercial satellite
system,'' ``critical infrastructure,'' ``cybersecurity risk,''
and ``cybersecurity threat.''
Section 3. Report on commercial satellite cyber security
This section requires a study to be performed by the
Comptroller General of the United States concerning the
cybersecurity of commercial satellite systems, including the
examination of federal government and critical infrastructure
reliance on these systems, existing government efforts to
support secure system development and operations, and the
identification of risks associated with foreign ownership of
commercial satellite system companies or infrastructure. The
Comptroller General is required to submit a report to Congress
no later than two years after enactment of this bill, and
provide a briefing on the status of the study one year after
enactment.
In carrying out this section, GAO is required to coordinate
with the Department of Homeland Security, Department of
Commerce, Department of Defense, Department of Transportation,
Federal Communications Commission, National Aeronautics and
Space Administration, and the National Executive Committee for
Space-Based Positioning, Navigation, and Timing.
Section 4. Responsibilities of the Cybersecurity and Infrastructure
Security Agency
Subsection (a) defines the terms ``clearinghouse,''
``director,'' and ``small business concern.''
Subsection (b) establishes the Commercial Satellite
Cybersecurity Clearinghouse to be developed by the CISA
Director. The clearinghouse is to be publicly available and
offer voluntary commercial satellite systems cybersecurity
resources and recommendations, including materials aimed at
assisting small business concerns with the development,
operation, and maintenance of commercial satellite systems.
Subsection (c) requires the CISA Director to consolidate
voluntary cybersecurity recommendations for commercial
satellite systems. The recommendations will address different
aspects of CSS development and operations, including protection
against unauthorized access, physical protection measures,
supply chain risk management, and mitigations against risks
posed by foreign entity ownership and maintenance of physical
infrastructure in foreign countries.
Subsection (d) requires the CISA Director to carry out the
implementation of this bill as a public-private partnership, to
the greatest extent practicable. It also requires CISA to
coordinate with the heads of appropriate federal agencies and
consult with non-federal entities developing commercial
satellite systems or supporting the cybersecurity of commercial
satellite systems, including private, consensus organizations
that develop relevant standards.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, April 19, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 3511, the Satellite
Cybersecurity Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
S. 3511 would require the Cybersecurity and Infrastructure
Security Agency (CISA) to disseminate information on cyber
safety measures to operators of commercial satellites. Under
the bill, CISA would collect security recommendations from the
private sector and other federal agencies with expertise in
satellite operations.
Using information from CISA about similar information
sharing efforts, CBO anticipates that the agency would need six
full-time employees to create and manage an online database
with cybersecurity resources for satellite operators. CBO
estimates that staff salaries and technology costs to publish
safety materials would total $3 million annually. Accounting
for the time needed to hire new employees and prepare the
database, CBO estimates that implementing the bill would cost
$12 million over the 2022-2026 period; such spending would be
subject to the availability of appropriated funds.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Director of Budget
Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation would make no change in existing law,
within the meaning of clauses (a) and (b) of subparagraph 12 of
rule XXVI of the Standing Rules of the Senate, because this
legislation would not repeal or amend any provision of current
law.