Is a cyberattack on Starlink as bad as hacking a military satellite?

Differentiating between attacks on military and commercial satellite infrastructure might inadvertently lead to the further militarization of space.

Russia's war in Ukraine has highlighted the issue of using commercial satellite infrastructure in conflict areas. One of the first victims of the war was Viasat's KA-SAT network that Moscow targeted with wiper malware.

Images from Maxar and Planet Technologies' satellites allowed the movement of Russian troops to be monitored even before the invasion began, while Ukrainian troops employed Elon Musk's Starlink satellites for advanced communication in battle.

Since private space infrastructure is a relatively novel phenomenon, there's virtually no international regulation that can be applied to the area. Ambiguity could lead to miscalculations, with one side in the conflict deciding to fatally hack a commercial satellite system without fear of retaliation.

While removing this ambiguity might make cyberspace safer for satellites, attorney Charles Lee Mudd Jr, space law and policy thought leader, thinks separating military and commercial infrastructure could embolden threat actors to use force.

"Should Russia have the ability to target the Starlink satellites just because of that? All the satellites are doing is providing communications. It's not like it's a weaponized system,"

Charles Mudd Jr, principal and founder of tech-focused law firm Mudd Law, said.

Pundits often say that cybersecurity in space is a novel concept. Do you think the same applies to regulations regarding, for example, a cyberattack on satellite infrastructure?

What we'd have to look at would be the existing laws. In the United States, the Computer Fraud and Abuse Act makes it unlawful to obtain unauthorized access or exceed one's authorized access to the interactive computer system.

The question is whether a satellite would be a computer system under those applicable statutes. However, I would argue that right now, there are no laws specifically targeting the prevention of cyberattacks on satellites. This is a problem, given the fact that if there is ambiguity, then the question arises whether or not it does encompass satellites as a computer system or not. Some legislation has begun to be introduced, however, focusing on cybersecurity and satellites.

You could also argue that the existing laws concerning harm to space vehicles or spacecraft would still apply, even though there wasn't necessarily a specific statute. If I do something to destroy or harm a satellite, there could still be traditional laws, or remedies under traditional common law, that could be applied.

Image by SpaceX.

Do you think there are quick solutions to the ambiguity surrounding the regulation of cyber intrusions against space assets?

We should have specific laws or amendments to existing laws that make it very clear that computer-based intrusions of satellites or satellite infrastructure would fall within the scope of the applicable statutes or regulations. The Computer Fraud and Abuse Act could be amended to make it very clear that a satellite would fall within that definition. Removing any ambiguity would be very welcome.

The cybersecurity of satellites is a vital issue. A key threat arises from actors trying to gain access, whether a nation-state or some rogue players, to cause damage or hold a satellite to ransom. There's a benefit to having laws that encompass intrusions of satellites, so that the issue is raised, because many people don't even think about that.

Last month, I discussed cyber and jamming attacks on satellites with Victoria Samson from the Secure World Foundation. She said that private companies that help nations in conflict, such as Maxar, Planet, or SpaceX, have targets on their backs. Are there any rules guiding such engagements between nation-states and commercial companies?

I don't know if there's a specific delineation between causing harm to another country's satellite based on whether it's for military or non-military use. If a nation-state attacks another, can the attacked nation target a satellite in retaliation?

Let's say Russia launches a missile. If each of the nations are targeting military resources, that's one thing, [but] targeting hospitals or using indiscriminate bombing is a war crime. It would violate international norms.

"I don't want us to get to a point where we start making distinctions between satellites that are used for military or non-military purposes,"

Mudd Jr said.

Let's take that principle to the satellites. It's a bit different because a lot of the war-crime aspect of what we just described is that civilians themselves, as opposed to civilian infrastructure, could be harmed. Whereas with satellites, you're not going to have human casualties.

Nonetheless, there's probably a difference under the law of war that allows perhaps a party, a nation-state, to target something that might be of military use versus civilian or non-military use. But the problem is that if we start to define that in space, we begin to condone space being militarized. And I think to a certain extent we'd like to, perhaps naively, say that space is not militarized yet, and we don't want it to be.

There are, however, satellites that are operated by the military and serve a military purpose.

Indeed, some satellites are up there doing, for example, reconnaissance. I would say that even if they are being used for reconnaissance purposes, countries should still [be governed by] international treaties for attacking a satellite. Whether it's owned by a nation-state or operated by a commercial entity, an attack is still going to violate international law. And I think that's how it should be.

I don't know that we should distinguish between attacking a satellite because it might be military or not. Because that then blurs the line. How can you determine whether a satellite is just for military or civilian use? For example, let's look at Starlink. Let's assume that reports were accurate, and SpaceX provided some resources to Ukraine. Should Russia have the ability to target the Starlink satellites just because of that? All the satellites are doing is providing communications. It's not like it's a weaponized system.

I would fall back on the liability convention in arguing that any country, any player, which causes harm to another country's craft, whether a satellite or a spacecraft, is liable for those damages. I don't want us to get to a point where we start making distinctions between satellites that are used for military or non-military purposes.

Image by NASA.

Would you say that, for example, a large-scale Russian cyberattack on a commercial satellite system like Starlink, which a US company operates, could be considered an act of war?

First of all, it's difficult to attribute cyberattacks. It's not an impossibility, but there's difficulty in identifying the attacker. Depending on the skillset of the hackers and those causing the intrusion, it might be difficult to know who it happens to be. It could even be an operative from X country that has ties to Russia, China, or some other country.

That complicates any retaliation attempts, because you have to be sure about who you're retaliating against. You can't retaliate on a hunch. To a certain extent, this plays into the law of warfare and what is perceived as an attack on a country and what is not.

I would argue that the attacked country has to know for sure that the party that it retaliates against has some involvement. Otherwise, there's a lot of room for making biased decisions. I mean, any country could argue that some other country attacked it.

It is challenging to determine where the cyberattack came from. Moreover, we'd have to rely on computer evidence that the attacked country chose to disclose. With physical attacks, there's physical evidence. But in the cyber realm, you're going to have to rely on the statements of the attacked country.

There's a danger that countries could utilize that ambiguity to their advantage even if they don't have evidence that it came from a particular nation-state.

The other question remains, what happens if an attacker shuts down a satellite? Let's take a Starlink satellite, since they are at least initially close to one another. By shutting off all operations, its ability to maneuver and orbit could be affected, potentially creating a cascading collision with others. And that is physical harm. Should that warrant a physical military response on earth? I don't know. These are interesting questions that need to be decided.

More from Cybernews:

Why can't Russians hack Starlink satellites?

Lax satellite cybersecurity poses a global threat - WEF

A space war will be fought in front of a computer screen

2 million patients impacted by a cyberattack on a healthcare organization

Emotet variant steals credit card data from Chrome

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked