In space, cutting losses invite cyberattacks

The cybersecurity of commercial satellites can be on par with any government spacecraft. However, companies avoiding loss at all costs is precisely what ransomware gangs prey on. Besides, businesses don't shoot back.

The government monopoly in space has come to an end. Elon Musk's SpaceX alone runs over a third of all operational satellites currently in orbit. Having launched over two thousand spacecraft, the company plans to launch thousands more.

To keep up the pace, commercial satellites use more open-source software and hardware. While helping to cut costs, this could leave spacecraft more vulnerable to cyberattacks. However, Isaac Ben Israel, chairman of the Israeli Space Agency (ISA), thinks that commercial players do not leave space less secure for national space agencies.

Neither commercial satellites nor government-run satellites are immune to hacking, Major General (Ret) Israel thinks. Days of tailor-made hardware are long gone. Ransomware gangs and people defending against them often use the same tools. The same vulnerabilities apply, whether it's a company or a space agency.

"I think it's wrong to believe that safety was better just because few space organizations used to build satellites,"

Isaac Ben Israel, chairman of the Israeli Space Agency told Cybernews.

However, the critical difference in security lies not with the technology but with the mindset. Businesses are much more willing to pay up to cut their losses. Meanwhile, governments opt to retaliate instead of caving, an attitude that is inimical to crooks scouting for easy money.

We sat down with Major General (Ret), a key speaker in this years Cyber Week conference, Israel to discuss the effect commercial companies can have on space security, whether space agencies perceive cyberthreats as real, and if it's possible to avoid the militarization of space.

Commercial satellite makers rely on open-source software. At the same time, security regulations on satellite supply chains are only in the developing stage at best. Do you think the entry of companies to the space domain is leaving satellite infrastructure less secure?

The risks exist because communication depends on computers, not because commercial companies are involved. It doesn't matter whether the satellite is based on open-source or not. Hackers generally can hack into almost anything they like. Yes, it takes effort sometimes, and they don't always want to spend too much time doing it.

Sometimes bad actors don't have the resources to carry out the attack, but in principle, there is no big difference between private and government-owned satellites. If you'd like to hack into defense satellite communication, you can do it. The real question is about the volume of activity, which is increasing because the commercial world is joining in.

With an increasing number of satellites, there's more communication in space. And that increases the vulnerability of the system. But not because it's commercial. Private businesses can defend themselves the same way as defense or other organizations.

Satellite deployment. Image by NASA.

Some older satellite systems were hand-made for specific missions, while many nanosatellites rely on off-the-shelf materials. Don't you think that impacts the cyber safety of spacecraft?

I think it's wrong to believe that safety was better just because few space organizations used to build satellites. Maybe it was different because NASA or the Soviets secretly crafted satellites. However, now neither NASA nor the Israeli Space Agency makes parts, such as microchips, themselves.

For the past three decades, everyone has been using very similar devices. If you want to attack a space asset through the communication between the asset and the ground station, it's via the same computers. The ground stations that a threat actor may attack to influence the satellite in space are using the same computers, software, and hardware as anyone else. It's not hand-made. So, it doesn't matter if it's commercial or not.

And this phenomenon is very typical to cybersecurity, not only in space. The number of devices on Earth is increasing very fast. Computers became cheaper, more capable, smaller, and we put them in places [where] they did not exist two years ago. We have become dependent on computers in hospitals as much as in space.

Security experts discuss how financially motivated threat actors could use cyber means to hack satellites for ransom. At ISA do you see hacker attacks as a real, contemporary threat?

Yes, it's a real threat. Not for the future, either. It has been like this for a decade. It's not that people don't know how to do it, but so far, there has been no interest in doing it. I think there is a difference between government-owned and private satellites, at least in one aspect. The chance that a government will agree to pay the ransom is minimal. Governments do not like to do it.

If it's a commercial entity, the equation is 'how much we earn' versus 'how much will we lose by paying.' Usually, hackers don't ask for much money, and companies opt to cut their losses. In this sense, there might be an indirect link between the level of safety and the number of commercial satellites. The more commercial space is, the more place there is for doing whatever is done to, for example, hospitals.

Another thing is that a government, unlike a business, may attack you back. And nobody wants that. Criminals want easy money and not to become a target for the United States government.

"A government, unlike a business, may attack you back. And nobody wants that. Criminals want easy money and not to become a target for the United States government,"

Major General (Ret) Israel thinks.

There's a strong sentiment that nation-states should avoid the militarization of space. Do you think it is possible to prevent space from becoming just another theater of war in the 21st century?

It's a matter of choice. You see, space is unique. It is the only place that so far was not militarized. If someone sent forces to a sovereign nation, its citizens would do whatever it took to fight back. That applies to land, air, and sea up to a certain distance. Space is the only exception.

There were some attempts to do that in the past. Advisors to the US President Ronald Reagan offered to weaponize space in the '80s. The media called it the Star Wars program. It was the peak of the Cold War, and the whole issue was about nuclear weapons. The idea was to put weapons in space to intercept missiles coming to the US.

The program didn't materialize, and space was kept as a kind of an extra-territorial, non-militarized, non-weaponized medium. This proves avoiding militarization is possible. However, whether it will remain like that mostly depends on what the US, Russia, and China will do.

Recent events in Ukraine have shown that services commercial space companies provide can be used in an active conflict. What lessons will national space agencies and militaries learn from this?

I think there are more general lessons about his conflict that apply not only in space but to the cybersecurity realm in general. The first question we have to ask ourselves is why nothing serious happened within the cyber domain. Knowing Russia's cyber capabilities, everybody expected a lot more. When historians write about this war 20 years from now, they will barely mention the cyber dimension.

There are many possible ways to answer this. Some people say the Russians were not interested in doing too much, so they wouldn't give the West an opportunity to hit back. However, that doesn't explain why they didn't use malware in Ukraine on a scale that was expected.

I think that you have to build the capability with any weapon, be it a tank, an aircraft, or a cyber weapon. You don't know when and where you will use it. It might be that you build a particular weapon, and the need to use it will come years later. And when the time comes, you find that the weapon doesn't fit you anymore.

The problem is that the timescale to build capability for hard weapons is 10-15 years. However, it may take months to keep the capability alive for a cyber weapon. You have to invest a lot more than in other areas. The Russians didn't do it. They built certain capabilities that they demonstrated in December 2015 by shutting off the power in western Ukraine for 24 hours.

The problem is that if you want to do something like this, you need to constantly check, for example, what software your adversaries are using. It takes a lot of time and energy because the rate of change here is very fast.

You cannot use cyber weapons in the same way you use aircraft. The typical time is too short. And that's why it was used only at the beginning of the war. It's possible to prepare specific capabilities for the start of the conflict. But only that. Contrary to what many say, I think this is the biggest lesson I would take from this war.

More from Cybernews:

Popular child-tracking Android apps contain gaping security holes

Ukrainian cyber experts who stayed behind to work and fight

Why hackers destroying one Starlink satellite could cause orbital Armageddon

Cyber staff at risk of burnout, says industry fixer

China mimicked protestors to tighten grip on coveted metals, says report

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked