[Senate Report 118-92]
[From the U.S. Government Publishing Office]


						Calendar No. 195

118th Congress}						{ REPORT				
                                                                                         
 1st Session  }         	SENATE		   	{ 118-92

======================================================================
                      SATELLITE CYBERSECURITY ACT

                               __________

                              R E P O R T

                                 OF THE

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              TO ACCOMPANY

                                S. 1425

             TO REQUIRE A REPORT ON FEDERAL SUPPORT TO THE
           CYBERSECURITY OF COMMERCIAL SATELLITE SYSTEMS, AND
                           FOR OTHER PURPOSES

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


               September 5, 2023.--Ordered to be printed
               
                              __________

                                
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
                           WASHINGTON : 2023                    
          
-----------------------------------------------------------------------------------               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
ALEX PADILLA, California             RICK SCOTT, Florida
JON OSSOFF, Georgia                  JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut      ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
          Kendal B. Tigner, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     
                     
						Calendar No. 195

118th Congress}						{ REPORT				
                                                                                         
 1st Session  }         	SENATE		   	{ 118-92

======================================================================
 
                      SATELLITE CYBERSECURITY ACT                                         
                    
                               _______
                                

               September 5, 2023.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 1425]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 1425), to require a 
report on Federal support to the cybersecurity of commercial 
satellite systems, and for other purposes, having considered 
the same, reports favorably thereon with an amendment, in the 
nature of a substitute, and recommends that the bill, as 
amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
 IV. Section-by-Section Analysis of the Bill, as Reported.............4
  V. Evaluation of Regulatory Impact..................................6
 VI. Congressional Budget Office Cost Estimate........................6
VII. Changes in Existing Law Made by the Bill, as Reported............7

                         I. PURPOSE AND SUMMARY

    S. 1425, the Satellite Cybersecurity Act, requires the 
Cybersecurity and Infrastructure Security Agency (CISA) to 
develop a publicly available online clearinghouse of 
cybersecurity resources, recommendations, and other appropriate 
materials specific to commercial satellite systems (CSS) owners 
and operators, including materials tailored for small 
businesses. The bill also requires CISA to consolidate 
voluntary cybersecurity recommendations, including 
recommendations collected from external sources, such as public 
and private subject matter experts, designed to assist in the 
development, maintenance, and operation of CSS, and for these 
recommendations to be included in the clearinghouse. The bill 
also requires CISA to carry out the implementation as a public-
private partnership to the greatest extent practicable, to 
coordinate with the heads of appropriate federal agencies, and 
to consult with entities outside the federal government with 
expertise in CSS or cybersecurity of CSS including private, 
consensus organizations that develop relevant standards.\1\
---------------------------------------------------------------------------
    \1\On March 30, 2022, the Committee approved S. 3511, the Satellite 
Cybersecurity Act. That bill is substantially similar to S. 1425. 
Accordingly, this committee report is in many respects similar to the 
committee report for S. 1425. See S. Rept. No. 117-122.
---------------------------------------------------------------------------
    Additionally, S. 1425 requires the Comptroller General of 
the United States, in consultation with other federal agencies, 
to study and provide a report to Congress on the effectiveness 
of efforts of the federal government to improve the 
cybersecurity of CSS and any resources made available by 
agencies to support the cybersecurity of CSS. The bill requires 
the report to detail interdependence of critical infrastructure 
and CSS, the extent to which threats to CSS are part of 
critical infrastructure risk analyses and protection plans, the 
extent to which federal agencies rely on CSS, and risks posed 
by foreign ownership or foreign-located CSS physical 
infrastructure.
    Finally, S. 1425 requires the National Space Council, 
jointly with the Office of the National Cyber Director, to 
develop and provide to Congress a strategy for the activities 
of federal agencies to address and improve the cybersecurity of 
CSS.

              II. BACKGROUND AND NEED FOR THE LEGISLATION

    CSS are an essential piece of our nation's economy. The 
Presidential Memorandum on Space Policy Directive 5 states that 
space systems are integral to the operation of numerous 
critical infrastructure sectors and functions, including global 
communications; position, navigation, and timing; weather 
monitoring; and ``multiple vital national security 
applications.''\2\ Former Acting CISA Director Brandon Wales 
stated on May 13, 2021 that ``secure and resilient space-based 
assets are critical to our economy, prosperity, and our 
national security.''\3\ The National Institute of Standards and 
Technology also notes that CSS are critical to protect, as 
``[t]he commercial uses of space for research and development, 
material sciences, communication, and sensing are growing in 
size, scale, and importance for the future of the U.S. 
economy.''\4\
---------------------------------------------------------------------------
    \2\President Donald Trump, Memorandum on Space Policy Directive-5 
Cybersecurity Principles for Space Systems (Sept. 4, 2020) (https://
trumpwhitehouse.archives.gov/presidential-actions/memorandum-space-
policy-directive-5-cybersecurity-principles-space-systems/).
    \3\Cybersecurity & Infrastructure Security Agency, CISA Launches a 
Space Systems Critical Infrastructure Working Group (May 13, 2021) 
(https://www.cisa.gov/news/2021/05/13/cisa-launches-space-systems-
critical-infrastructure-working-group).
    \4\National Institute of Standards and Technology, Introduction to 
Cybersecurity for Commercial Satellite Operations (2nd Draft) (NISTIR 
8270) (Feb. 25, 2022) (https://csrc.nist.gov/
publications/detail/nistir/8270/draft).
---------------------------------------------------------------------------
    Despite the critical importance of these systems, 
cybersecurity vulnerabilities in CSS are growing. On November 
20, 2021, Gen. David Thompson of the U.S. Space Force stated: 
``the threats [to satellite systems] are really growing and 
expanding every single day. And it's really an evolution of 
activity that's been happening for a long time.''\5\
---------------------------------------------------------------------------
    \5\A Shadow War in Space is Heating up Fast, The Washington Post 
(Nov. 30, 2021) (https://www.washingtonpost.com/opinions/2021/11/30/
space-race-china-david-thompson/).
---------------------------------------------------------------------------
    Attacks against CSS have also grown in recent years. 
Between 2007 and 2008, two American satellites used by the U.S. 
Geological Survey and the National Aeronautics and Space 
Administration (NASA) to monitor climate and terrain were 
compromised multiple times. In 2014, U.S. officials blamed 
China for a cyberattack that forced the National Oceanic and 
Atmospheric Administration to cut off public access to imagery 
data from a satellite network used for weather forecasting.\6\ 
Most recently, on February 24, 2022, at the onset of the 
Russian invasion of Ukraine, the KA-SAT communication satellite 
network, owned by the U.S.-based company Viasat, Inc., was 
disrupted and caused communication and internet outages within 
Ukraine. This significantly degraded Ukrainian defense forces' 
command and control, and caused large scale disruption to a 
German power company's wind turbines.\7\ On March 17, 2022, the 
Federal Bureau of Investigation and CISA released a joint 
advisory further bringing attention to the cybersecurity 
threats facing CSS.\8\
---------------------------------------------------------------------------
    \6\For Hackers, Space is the Final Frontier, Vox (July 29, 2021) 
(https://www.vox.com/recode/22598437/spacex-hackers-cyberattack-space-
force).
    \7\Satellite Outage Caused ``Huge Loss in Communications' at War's 
Outset--Ukrainian Official, Reuters (Mar. 15, 2022) (https://
www.reuters.com/world/satellite-outage-caused-huge-loss-
communications-wars-outset-ukrainian-official-2022-03-15/); Satellite 
Outage Knocks Out Thousands of Enercon's Wind Turbines, Reuters (Feb. 
28, 2022) (https://www.reuters.com/business/ energy/satellite-outage-
knocks-out-control-enercon-wind-turbines-2022-02-28/).
    \8\Cybersecurity and Infrastructure Security Agency and Federal 
Bureau of Investigation, Strengthening Cybersecurity of SATCOM Network 
Providers and Customers (Mar. 17, 2022) (https://www.cisa.gov/uscert/
sites/default/files/publications/AA22-076_Strengthening_Cybersecur 
ity_of_SATCOM_Network_Providers_and_Customers.pdf).
---------------------------------------------------------------------------
    While extensive federal and private sector research has led 
to many cybersecurity standards and resources focused on 
traditional enterprise information technology, there is a 
relative lack of easily accessible, consolidated resources 
focused specifically on securing CSS.\9\ The lack of these 
resources is of particular concern given the increase in new 
satellite businesses over the past decade, in part due to the 
drastic decrease in costs to launch satellites.\10\
---------------------------------------------------------------------------
    \9\ Examples of well-established and widely used enterprise 
information technology standards include the National Institute of 
Standard and Technology's (NIST) Cybersecurity Framework and the 
International Organization for Standardization's 27000 family of 
Standards. National Institute of Standards and Technology, Framework 
for Improving Critical Infrastructure Cybersecurity (Version 1.1) (Apr. 
16, 2018) (https://nvlpubs.nist.gov/nistpubs/CSWP/
NIST.CSWP.04162018.pdf) and International Organization for 
Standardization, ISO/IEC 27000 (Fifth Edition) (Feb. 2018) (https://
www.iso.org/standard/73906.html).
    \10\To Cheaply Go: How Falling Launch Costs Fueled a Thriving 
Economy in Orbit, NBC News (Apr. 8, 2022) (https://www.nbcnews.com/
science/space/space-launch-costs-growing-business-
industry-rcna23488).
---------------------------------------------------------------------------
    Small businesses owning and operating satellites have 
drastically expanded in the past decade as launch prices have 
dropped. While NASA's Space Shuttle would cost $30,000 per 
pound to put a satellite into low-earth orbit, private 
companies have driven down this cost dramatically and increased 
the frequency of launches. For example, SpaceX can now launch 
satellites for under $2,000 per pound and Rocket Lab is 
licensed to launch rockets every 72 hours.\11\ Multiple market 
assessments project aggressive growth of the small satellite 
industry over the next decade.\12\ As more businesses enter 
this market, it is critical that these new satellite owners and 
operators are aware of common satellite cybersecurity 
vulnerabilities and the appropriate mitigations.
---------------------------------------------------------------------------
    \11\Small Rockets Aim for a Big Market, Smithsonian Magazine (Apr. 
2018) (https://www.smithsonianmag.com/air-space-magazine/milestone-
180968351/); To Cheaply Go: How Falling Launch Costs Fueled a Thriving 
Economy in Orbit, NBC News (Apr. 8, 2022) (https://www.nbcnews.com/
science/space/space-launch-costs-growing-business-industry-rcna23488).
    \12\Allied Market Research, Small Satellite Market Statistics 2030 
(https://www.alliedmarketresearch.com/small-satellite-market) (accessed 
May 26, 2022); The Small Satellite Market is Projected to Grow From USD 
3.1 billion in 2021 to USD 7.4 billion by 2026, at a CAGR of 19.4%, 
GlobeNewswwire (Feb. 28, 2022) (https://www.globenewswire.com/news-
release/2022/02/28/2393562/0/en/The-small-satellite-market-is-
projected-to-grow-from-USD-3-1-
billion-in-2021-to-USD-7-4-billion-by-2026-at-a-CAGR-of-19-4.html).
---------------------------------------------------------------------------
    Historic and recent attacks against satellites, and the 
severe consequences of a significant attack against satellite 
systems, makes clear the need for commercial satellite 
cybersecurity. This bill aims to help address this need by 
requiring CISA to consolidate voluntary cybersecurity 
resources, recommendations, and other materials for large and 
small businesses regarding how to secure CSS. To distribute 
these materials efficiently, this bill requires CISA to create 
a clearinghouse and to curate up-to-date satellite 
cybersecurity information from private industry and federal 
government experts. This bill also requires the Comptroller 
General of the United States to study how the federal 
government supports CSS owners and operators, and the degree to 
which critical infrastructure and the government relies on CSS 
today. The study will also examine how the government uses CSS 
that are owned or operated by foreign entities.
    While historically there has been a lack of federal 
resources dedicated to improving the cybersecurity of CSS, 
CISA's Space Systems Critical Infrastructure Working Group, 
which the agency launched in May 2021, seeks to address this 
risk by working with the private sector in a public-private 
partnership to develop cybersecurity resources for CSS owners 
and operators.\13\ This legislation would build upon that work.
---------------------------------------------------------------------------
    \13\Cybersecurity & Infrastructure Security Agency, supra note 3.
---------------------------------------------------------------------------

                        III. LEGISLATIVE HISTORY

    Senator Gary Peters (D-MI) introduced S. 1425, the 
Satellite Cybersecurity Act, on May 3, 2023, with original 
cosponsor Senator John Cornyn (R-TX). The bill was referred to 
the Committee on Homeland Security and Governmental Affairs.
    The Committee considered S. 1425 at a business meeting on 
May 17, 2023. At the business meeting, Chairman Peters offered 
a substitute amendment making technical edits to the bill. The 
substitute amendment was adopted by unanimous consent with 
Senators Peters, Hassan, Sinema, Rosen, Padilla, Ossoff, 
Blumenthal, Paul, Lankford, Romney, and Scott present. The 
bill, as amended, was ordered reported favorably by roll call 
vote of 10 yeas to 1 nay, with Senators Peters, Hassan, Sinema, 
Rosen, Padilla, Ossoff, Blumenthal, Lankford, Romney, and Scott 
voting in the affirmative, and with Senator Paul voting in the 
negative. Senators Carper, Johnson, Hawley, and Marshall voted 
yea by proxy, for the record only.
    Consistent with Committee rule 3(G), the Committee reports 
the bill with a technical amendment by mutual agreement of the 
Chairman and Ranking Member.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section establishes the short title of the bill as the 
``Satellite Cybersecurity Act.''

Section 2. Definitions

    This section defines the terms ``clearinghouse,'' 
``commercial satellite system,'' ``critical infrastructure,'' 
``cybersecurity risk,'' ``cybersecurity threat,'' ``Director,'' 
and ``sector risk management agency.''

Section 3. Report on commercial satellite cybersecurity

    Subsection (a) establishes a study, to be completed within 
two years by the Comptroller General of the United States, on 
the federal government's efforts and resources to support the 
cybersecurity of commercial satellite systems, including as 
part of any action to address the cybersecurity of critical 
infrastructure sectors.
    Subsections (b)-(e) require the Comptroller General of the 
United States to coordinate with appropriate federal agencies 
and organizations, require the report be unclassified, but may 
include a classified annex, and require briefing the 
appropriate congressional committees on the Comptroller 
General's findings.

Section 4. Responsibilities of the cybersecurity and infrastructure 
        agency

    Subsection (a) defines the term ``small business concern.''
    Subsection (b) establishes a commercial satellite 
cybersecurity clearinghouse to be developed and maintained by 
the CISA Director. The clearinghouse is to be publicly 
available and offer voluntary commercial satellite systems 
cybersecurity resources and recommendations, including 
materials aimed at assisting small business concerns with the 
development, operation, and maintenance of commercial satellite 
systems.
    Subsection (c) requires the CISA Director to consolidate 
voluntary cybersecurity recommendations for commercial 
satellite systems. The recommendations will address different 
aspects of CSS development and operations, including protection 
against unauthorized access and exploitation, physical 
protection measures, supply chain risk management, and 
mitigations against risks posed by foreign entity ownership and 
maintenance of physical infrastructure in foreign countries.
    Subsection (d) requires the CISA Director to carry out the 
implementation of this bill in partnership with the private 
sector, to the extent practicable. It also requires CISA to 
coordinate with the heads of appropriate federal agencies and 
consult with non-federal entities developing commercial 
satellite systems or supporting the cybersecurity of commercial 
satellite systems, including private, consensus organizations 
that develop relevant standards.
    Subsection (e) requires the CISA Director report on the 
implementation of the clearinghouse to the Senate Committee on 
Homeland Security and Governmental Affairs; Senate Committee on 
Commerce, Science and Transportation; House Committee on 
Homeland Security; and House Committee on Science, Space, and 
Technology.

Section 5. Strategy

    This section requires that the National Space Council 
jointly with the Office of the National Cyber Director, in 
coordination with the Director of the Office of Space Commerce 
and the heads of other relevant agencies, submit a strategy for 
the activities of federal agencies to address and improve the 
cybersecurity of commercial satellite systems to the Senate 
Committee on Homeland Security and Governmental Affairs; Senate 
Committee on Commerce, Science and Transportation; House 
Committee on Homeland Security; and House Committee on Science, 
Space, and Technology.

Section 6. Rules of construction

    This section establishes that nothing in this Act shall be 
construed to designate commercial satellite systems or other 
space assets as a critical infrastructure sector, or to 
infringe upon or alter the authorities of the other federal 
agencies.

Section 7. Sector risk management agency transfer

    This section allows the President to transfer the 
clearinghouse authority from CISA to another sector risk 
management agency if the President first designates an 
infrastructure sector that includes commercial satellite 
systems as a critical infrastructure sector, pursuant to the 
process established under section 9002(b)(3) of the William M. 
(Mac) Thornberry National Defense Authorization Act for Fiscal 
Year 2021, and then subsequently designates a sector risk 
management agency for that critical infrastructure sector that 
is not CISA.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    S. 1425 would require the Cybersecurity and Infrastructure 
Security Agency (CISA) to disseminate information on cyber 
safety measures to operators of commercial satellites. Under 
the bill, CISA would collect security recommendations from the 
private sector and other federal agencies with expertise in 
satellite operations.
    Using information from CISA about similar information 
sharing efforts, CBO anticipates that the agency would need six 
full-time employees to create and manage an online database 
with cybersecurity resources for satellite operators. CBO 
estimates that staff salaries and technology costs to publish 
safety materials would total $3 million annually. Accounting 
for the time needed to hire new employees and prepare the 
database, CBO estimates that implementing the bill would cost 
$14 million over the 2023-2028 period; such spending would be 
subject to the availability of appropriated funds.
    The costs of the legislation, detailed in Table 1, fall 
within budget function 050 (national defense).

                TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 1425
----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, millions of dollars--
                                                      ----------------------------------------------------------
                                                        2023    2024    2025    2026    2027    2028   2023-2028
----------------------------------------------------------------------------------------------------------------
Estimated Authorization..............................       0       2       3       3       3       3         14
Estimated Outlays....................................       0       2       3       3       3       3         14
----------------------------------------------------------------------------------------------------------------

    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Chad Chirico, Director of Budget 
Analysis.

                                         Phillip L. Swagel,
                             Director, Congressional Budget Office.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    This legislation would make no change in existing law, 
within the meaning of clauses (a) and (b) of subparagraph 12 of 
rule XXVI of the Standing Rules of the Senate, because this 
legislation would not repeal or amend any provision of current 
law.

                                  [all]