As bad actors in the cyberspace realm find ever more innovative ways to infiltrate, interfere and steal for the sake of profit, counterintelligence and general mayhem, the soft underbelly of our modern, data-driven infrastructure may actually be above our heads.
The objects we launch into space, if not protected by adequate cybersecurity, can potentially make everyday citizens back on the ground more vulnerable to cyberattacks and data breaches. A recent academic study of satellite security found that “modern on-orbit satellites suffer from different software security vulnerabilities and often a lack of proper access protection mechanisms.”1
Commenting on the “myth of inaccessibility,” the researchers pointed out that, in the past, the assumption was that satellites communicated with “prohibitively expensive” technology (thereby limiting the field of potential attackers). As recent technology advances have made space resources more accessible to a broader population, however, there has been “a paradigm shift in the assumption that satellites are inaccessible, which is particularly pronounced for LEO satellites.”2
The new reality is that modern satellites are not beyond the reach of modern attackers.
Neither, of course, are objects in space beyond the reach of modern regulation. Legislation and regulation typically lag behind real-world events, and regulatory enforcement is always playing catchup with technological advances.
The long arm of the law, however, knows few limits. Federal contracting laws bind federal contractors wherever they go, and privacy laws apply based on the residence of the data subject — while you may never travel into orbit, your data privacy rights generally go along for the ride with your data.
Indeed, certain services and companies automatically fall under legislative oversight, regardless of who their customers might be or whose data they may handle. For example, 51 U.S.C. § 60122(a) states that “no person that is subject to the jurisdiction or control of the United States may, directly or through any subsidiary or affiliate, operate any private remote sensing space system” without a license (which requires industry “best practice” measures to prevent unauthorized access).
Part I: Regulatory Means at the Government’s Disposal
Government remains in many ways the “anchor” space industry customer. Therefore, it should come as no surprise that private space operators count U.S. taxpayers among their most loyal customers.
DFARS Clause 252.204-7012 requires government contractors and subcontractors to: (i) implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171; and (ii) report cyber incidents to the Department of Defense Cyber Crimes Center (DC3).
In the fight against satellite cyberattacks, then, the U.S. regulatory system is not without the legal means to demand and enforce greater protections. Increasingly, Washington has shown a willingness to bring those tools to bear. This column briefly addresses a few of the relevant regulatory frameworks and the ways that government leaders are using them to keep space safe.
Looking elsewhere in the Federal Code, the Communications Act requires telecommunications carriers to provide confidentiality for customer information as proprietary information of another common carrier. Carriers are prohibited from disclosing customer information except as required by law or with the customer’s permission.3
Among other mandates, the Federal Communication Commission (FCC)’s Telecommunications Consumers Division (TCD) is tasked with enforcing sections 201(b) and 222 of the Communications Act, relating to how telecommunications carriers protect the privacy and security of their customers’ (and certain other entities’) information.4
Section 201(b) requires that carriers’ practices be just and reasonable, including practices related to privacy, data protection, and cybersecurity. Section 222 restricts carriers’ use and disclosure of their customers’ (and certain other entities’) “proprietary” information and requires that telecommunications carriers protect the confidentiality of that information.
In addition, the FCC’s rules require carriers and interconnected VoIP providers to take reasonable measures to safeguard certain sensitive data known as “customer proprietary network information” (CPNI), to notify consumers and law enforcement of data breaches involving CPNI and to file annual certifications documenting their compliance with the CPNI rules (codified at 47 CFR § 64.2001 et seq).5
Finally, businesses that are subject to U.S. jurisdiction are generally responsible for compliance with U.S. privacy and data protection laws (e.g., the Wiretap Act and the Federal Trade Commission Act), even when the data itself is stored, collected, or transmitted through assets in space.
The same is true of most U.S. state privacy laws — the California Consumer Privacy Act applies to entities which “do business” in California and process personal information belonging to California residents, even if data is hosted elsewhere (there is no listed exception for outer space).
Part II: Growing Emphasis on Enforcement
The laws described above are (mostly) not brand-new. However, the Biden Administration and many U.S. state regulators do have a brand-new emphasis on cybersecurity-related enforcement.
First, in what has perhaps been the most significant development in federal cyber enforcement to date, the Department of Justice (DOJ) announced in November of 2021 its Civil Cyber-Fraud Initiative. The initiative is designed to use the False Claims Act (FCA) to “identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.”6
The FCA is “the government’s primary tool for addressing the knowing misuse of taxpayer funds.”7 The law prohibits knowingly submitting or causing the submission of false claims to the government and permits the government to recover three times its losses, plus a penalty for each false claim.
In the space arena, the FCA can potentially apply “when companies that do business with the government knowingly make misrepresentations about their own cybersecurity practices, or when they fail to abide by cybersecurity requirements.”9 Notably, the largest recovery to date through the Civil Cyber-Fraud Initiative involved contracts with the Department of Defense (DoD) and NASA.
In July of 2022, Aerojet Rocketdyne paid a $9 million fine to resolve FCA allegations of misrepresenting compliance with cybersecurity requirements. Aerojet provides propulsion and power systems for launch vehicles, missiles and satellites and other space vehicles to various federal agencies. Whistleblower and former Aerojet employee Brian Markus received $2.61 million for his role in bringing the action against the company.10
Second, in June of 2022, around the time of the Aerojet settlement, the DoD issued a memorandum to its contracting officers emphasizing their obligation to monitor compliance by contractors with the cybersecurity requirements of their contracts.11 A contractor with insufficient focus on NIST 800-171 is now, more than ever before, likely to face scrutiny from contracting officers, withheld payments, loss of future business, and even contract termination.12
The administration appears to have reached the conclusion that historic DFARS Clause 252.204-7012 enforcement has been insufficient; compliance will now “be a distinct competitive advantage for contractors bidding for Department of Defense work. And noncompliance will be a disqualifier.”13
Third, in order to make its point quite clear, in March of 2023 the Biden Administration announced its National Cybersecurity Strategy (NCS), which emphasized that the federal government “must hold the stewards of our data accountable for the protection of personal data.” While the NCS does not specifically address cybersecurity for space-based assets, it does make very clear that more aggressive enforcement is a key part of the Administration’s strategy.
The FCC appears likely to apply that strategy in space. As the gatekeeper of satellite communication licenses, the FCC is uniquely positioned to address the subject.
In April of 2023, the FCC established the Space Bureau for the purpose of “undertaking policy analysis and rulemakings as well as authorizing satellite systems,” serving “as a focal point for coordination with other U.S. government agencies on matters of space policy and governance.”14
This brand-new bureau is led by Julie Kearney. A leader with decades of experience at “private legal practices and telecoms companies,” Kearney is hailed as “a law and policy veteran tasked with spearheading [FCC] efforts to modernize satellite regulations.”15 Kearney has said that her first priority is “modernizing regulations to match our new realities.”16
Conclusion
While bad actors bear the ultimate blame for cybersecurity attacks and the subsequent damages, regulators in the U.S. and across the world increasingly believe that those who are in the best position to offer a defense should have legal obligations to do so.
As opportunities for (legal) profit abound in the explosion of space and satellite-enabled services, private actors will be expected to do their part in implementing and maintaining the safeguards necessary to protect data privacy.
References
1 https://jwillbold.com/paper/willbold2023spaceodyssey.pdf
2 https://jwillbold.com/paper/willbold2023spaceodyssey.pdf
3 https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1288
5 https://www.fcc.gov/enforcement/areas#:~:text=In%20addition%2C%20the%20Commission’s%20rules,and%20to%20file%20annual%20certifications
6 https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-cybersecurity-and
7 https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-cybersecurity-and
8 https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-cybersecurity-and
9 https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-cybersecurity-and
10 https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity
11 https://www.wsgr.com/en/insights/dod-to-contracting-officers-demand-compliance-and-seek-consequences-for-material-breaches-of-cybersecurity-requirements-by-contractors.html
12 https://www.wsgr.com/en/insights/dod-to-contracting-officers-demand-compliance-and-seek-consequences-for-material-breaches-of-cybersecurity-requirements-by-contractors.html
13 https://www.preveil.com/blog/what-is-dfars-7012/
14 https://www.federalregister.gov/documents/2023/04/10/2023-07066/establishment-of-the-space-bureau-and-the-office-of-international-affairs-and-reorganization-of-the; https://www.fcc.gov/news-events/events/2023/04/launch-fcc-office-international-affairs-and-space-bureau
15 https://spacenews.com/fcc-launches-space-focused-bureau/
16 https://spacenews.com/fcc-launches-space-focused-bureau/
Curt Blake, Senior Columnist to SatNews Publishers, is a Senior Of Counsel. He is an attorney and senior executive with more than 25 years of experience leading organizations in high-growth industries — and more than 10 years as the CEO of Spaceflight, Inc. — at the forefront of the New Space revolution. Curt has extensive expertise in strategic planning, financial analysis, legal strategy, M&A, and space commercialization, with deep knowledge about the unique challenges of New Space growth and the roadmap to success in that ecosystem.
The views expressed in this article reflect those of the author himself and do not necessarily reflect the views of his employer or the firm’s clients.