
Enhancing Space Mission Assurance to Cyber Threats

Findings and Recommendations for the U.S. Space Force

Published Jul 8, 2024

by Quentin E. Hodgson, Kristin Warren, Jonathan L. Brosmer, Elie Alhajjar, Jonathan Fujiwara, Elena Grossfeld, Aleksandr Esparza Hartunian, Yool Kim, Mary Lee, Eddie López III, et al.


Note: This report was updated on July 11, 2024, to correct a few errors of omission.

Cyberspace pervades all warfighting domains, including space, and supports nearly all military missions. As cyber threats advance, the U.S. Space Force (USSF) clearly recognizes the need to ensure that space missions can continue in the face of cyber attacks. In this report, the authors provide recommendations that will help USSF implement the guidance set forth in Space Policy Directive-5 to incentivize the commercial sector to adopt a cybersecurity strategy that will help ensure space mission assurance (SMA), which is a concept used to deter adversaries, counter risk from emerging man-made and natural threats to space, and pursue resilient space architectures.

The authors conducted literature reviews and semistructured interviews to (1) determine what U.S. Department of Defense (DoD) personnel and commercial companies consider to be cyber best practices, (2) identify the areas of risk for USSF missions and operations, and (3) gather insight on how USSF can motivate commercial partners to adopt cyber best practices and reduce risk to USSF missions. Additionally, they hosted a one-day workshop with industry representatives to better understand commercial perspectives and approaches to cybersecurity threats, challenges, and opportunities when working with government partners. In a follow-up to the workshop, the authors sought additional input from industry representatives on these barriers to inform their recommendations.

Key Findings

Views on SMA differ

  • USSF sees it as mitigating risks to space missions through defense, reconstitution, and resilience, whereas industry partners view SMA largely as providing the level of service as contracted, although companies could undertake additional measures in times of crisis and conflict.

There is no consensus on what constitutes cyber best practices

  • However, many companies highlight government compliance programs, National Institute of Standards and Technology (NIST) standards, and risk management frameworks as starting points.

A standards-based approach to cybersecurity is limiting and potentially counterproductive

  • Such DoD programs as Cybersecurity Maturity Model Certification and Infrastructure Asset Pre-Approval establish requirements based on NIST standards but may not be flexible enough to allow companies to dynamically address risk, devolving to a compliance-based assessment of security controls.
  • Existing cybersecurity frameworks lack consistent definition and space specificity.

Industry and DoD continue to talk past each other

  • There is a lack of mutual understanding regarding SMA and what each party would expect of the other during crisis and conflict.
  • Many in the commercial space sector say that they are not aware of USSF motivations, needs, or direction and that information only flows in one direction, from the commercial sector to DoD.

The commercial space industry hesitates to share information about vulnerabilities, threats, and compromises or cyber incidents

  • Reasons for this hesitancy include concern about liability and legal ramifications, potential reputational impact, and proprietary information protections.

Recommendations

  • USSF should promote security engineering to take a secure-by-design approach and incentivize the commercial sector to work toward SMA by elevating cybersecurity as a competitive advantage in the acquisition and procurement process, verified by a not-for-profit third party.
  • USSF should collaborate with the private sector to develop operational resilience, including precrisis planning and contract review and, during a crisis or rising threats, improving the ability to share classified information.
  • USSF should consider establishing a USSF-sponsored information-sharing program modeled on voluntary safety reporting programs used in other industries.
  • USSF should collaborate closely with interagency partners (such as working with the Cybersecurity and Infrastructure Security Agency and incorporating lessons learned from research conducted by the intelligence community) to promote security engineering and risk-based approaches to cybersecurity, develop operational resiliency, and enable seamless information-sharing among industry and government partners.
  • USSF should explore how new technologies and approaches can assist (e.g., implementing zero-trust architecture and improved artificial intelligence and machine learning for cybersecurity).

Research conducted by

This research was prepared for the Department of the Air Force and conducted within the Force Modernization and Employment Program of RAND Project AIR FORCE.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
