[MUSIC] We're gathering hearts and minds on today's show to tackle some of the biggest issues in space. Our guests today have researched international legal perspectives on cyber attacks targeting space systems. And later in the show, I'll be telling you a little bit about the Artemis Accords workshop that's kicking off in Canada. Nobody gets to space alone and nobody will be defending it solo either, that's for sure. [MUSIC] Today is May 21st, 2024. I'm Maria Varmausis and this is T-minus. [MUSIC] NASA selects BAE to develop a new NOAA instrument. SSC increases support for starfish space for docking mission. ESA says Arian 6 is on track to launch in July. And our guests today are Brianna Bates and Unal Tatar. We're going to be discussing their latest research on cybersecurity in space, so stay with us for that chat. [MUSIC] Happy Tuesday everybody. Let's dive into today's briefing, shall we? And we're starting off with some big contract news. NASA has selected BAE systems to develop a $450 million instrument for NOAA's Geostationary Extended Observation Satellite Program, which is also known as GeoXO. Who said climate monitoring didn't pay well? The GeoXO Ocean Color instrument will monitor US coastal waters, the exclusive economic zone, and the Great Lakes. The instrument will observe ocean biology, chemistry and ecology to assess ocean productivity, ecosystem change, coastal and inland water quality, seafood safety, and hazards like harmful algal blooms. The instrument will provide updates at least every three hours and will deliver a more frequent and comprehensive view of ocean and coastal conditions than is currently available. The contract scope includes the tasks and deliverables necessary to design, analyze, develop, fabricate, integrate, test, verify, and evaluate the ocean color instrument, support the launch, supply and maintain the instrument ground support equipment, and support mission operations at the NOAA Satellite Operations Facility in Suitland, Maryland. The US Space Systems Command has awarded Starfish Space a $37.5 million strategic funding increase, also known as a stratify contract, to build, launch, and operate an Otter satellite vehicle. That Otter will do a first-of-its-kind docking mission designed to provide two years of augmented maneuver for national security space assets. SSC's Assured Access to Space Organization has expanded efforts to improve responsiveness, resilience, and strategic flexibility of US assets on orbit. The Otter spacecraft will be capable of performing autonomous rendezvous, proximity operations, and docking compatible with a wide range of clients, including those that were never designed or configured for docking. This capability gives the US Space Force a range of options to support existing assets and allow future assets to be supported without imposing additional configuration requirements. And it's good news from the European Space Agency on the launch of the delayed Ariane 6. ESA's latest update from the Ariane 6 Launcher Task Force says that the launch period and the first attempt for launch will happen within the first two weeks of July. Yes, this year. The tentative date for the first launch attempt is expected to be released during the first week of June. The tit for tat at the United Nations over weapons in space continues, "This time, a Russian draft resolution that called on all countries to prevent, for all time, the placement, threat, or use of any weapons in outer space, failed to get support. The draft resolution got seven votes in favor and seven votes against. Russia proposed the draft text following the US drafted resolution last month, which Russia vetoed, that called on countries to prevent an arms race in outer space." And so it goes. A new report from NASA's Office of Technology Policy and Strategy provides agency leadership with new insight about how to measure the risks presented by orbital debris. The report, called Cost and Benefit Analysis of Mitigating, Tracking, and Remediating Orbital Debris, is Phase 2 of OTPS's work to address the technical and economic uncertainties associated with orbital debris. The new report directly estimates the risk posed by space debris instead of risk proxies like the number of pieces of debris in orbit. Additionally, it measures the risk in dollars, modeling the costs that operators would incur from maneuvering spacecraft to avoid debris from dealing with close approaches and from damage or loss due to debris impact. And it simulates how the orbital debris environment will evolve over 30 years. Wow. Go check it out by following the link in our show notes and definitely let us know what you think. Sierra Space's uncrewed space plane arrived at NASA's Kennedy Space Center in Florida ahead of its first flight to the International Space Station. The dream chaser space plane, also named Tenacity, arrived at Kennedy on May 18th inside a climate-controlled transportation container from NASA's Neil Armstrong Test Facility in Sandusky, Ohio, and joined its companion Shooting Star Cargo Module, which arrived on May 11th. Tenacity will lift off aboard a ULA Vulcan rocket from Space Launch Complex 41 at Cape Canaveral Space Force Station and is set to deliver 7,800 pounds of cargo to the orbiting laboratory later this year. SIDA Space has shared its financial results for the first quarter ending March 31, 2024 and provided a business update. The Space and Data as a Service Satellite Company has had a successful quarter, launching its first LizzieSat and securing new government contracts. However, SIDA Space reported that their revenue for the quarter totaled approximately $1.1 million, which is a decrease of $1.2 million compared to the same time last year. As of March 31, 2024, the company had cash of $6.2 million as compared to $1.2 million at December 31, 2023. So during the quarter, the company received gross proceeds of $15.2 million through the exercise of warrants and two offerings. Over to China now, and the country launched four new satellites to orbit on Monday. The satellites are part of the Beijing 3C satellite constellation and were carried to space by a Long March 2D rocket. The Beijing 3C constellation is a fleet of high-resolution optical remote-sensing satellites that capture detailed images of Earth, offering valuable data for various applications. Once operational, the four satellites will work together in a synchronized network, providing crucial areas of support like land and resource management, agricultural surveys, environmental monitoring, and comprehensive urban planning. And staying with China, the country has shared results from its first radar network for global space weather forecasting. The radar network, constructed by the National Space Science Center under the Chinese Academy of Sciences, was completed in October 2023, and it's part of the second phase of China's Meridian project, which is a space weather monitoring network comprising ground-based stations. The high-frequency radar chain is expected to join a global network of scientific radars monitoring conditions in the near-Earth space environment, called the Superdarn. This will position China as part of a real-time data exchange, sharing its information with databases in the United Kingdom and Canada. And AI-AA has announced their ascend-diverse dozen for this year's conference. You can find out more about that story, along with all the others that I've mentioned, by following the links in our show notes. Hey T-Minus Crew, if you're just joining us, welcome! Be sure to follow T-Minus Space Daily in your favorite podcast app. Also, if you could do us a favor, share the intel with your friends and coworkers. So here's a little challenge for you. By Friday, maybe show three friends of coworkers as podcasts. It's because a growing audience is the most important thing for us, and we would love your help. It's part of the T-Minus Crew. So, if you find T-Minus useful, and I say it every time, but seriously, we really hope that you do, please share it so other professionals like you can find the show and join the T-Minus Crew. Thank you for your ongoing support, everyone. It means a lot to me and all of us here at T-Minus. Today, our guests are Brianna Base and Unal Tatar. They recently co-authored a paper on cybersecurity in space, and I asked Unal to start off by telling us more about the research. We investigated in the case of a cyber attack targeting a space infrastructure. This can be a ground system, or this can be a satellite system. What would be the legal tools we have in responding to this? And in writing this paper, you need to bring an interdisciplinary perspective, because there are some technical aspects of the cyber attacks and the laws, how they apply for this situation. And these laws are not created in international, long-farm conflict, international space. So, these are not created by considering the cyber attacks targeting, because there was no cyber attacks at this time. These are the reasons we analyzed this domain, and we created several scenarios. Actually, Brianna can give more information. I brought my expertise in creating the cyber attack scenarios and their technical details. Brianna and our third co-author is a lawyer, brought their legal expertise, and then together we wrote this paper. Yes, Brianna, why don't we? Yeah, please go ahead. My name is Brianna Base. I'm a graduate of the University at Albany in New York. I hold a bachelor's degree in emergency preparedness, homeland security and cyber security, and a master's degree in public administration and policy. So, in the paper, just as a little bit of a brief synopsis, we created three realistic cyber attack scenarios in which the attackers were targeting space infrastructures, and that includes orbital and terrestrial infrastructure. And in each of the scenarios, a principle of international law was violated. So, without going into too much detail about the principles themselves, we looked at the principle of sovereignty, the principle of non-intervention, and the principle on the prohibition of use of force. And in each of the scenarios, we created them in such a way where that principle was violated. And this was to demonstrate that international law can in fact be violated by cyber attacks, including on space infrastructure. Though, as we could talk about later, we ran into some of the common complexities when it comes to applying law to cyber, including the issue of attribution. Yeah. Would it be too much to indulge me if you could actually talk about each of those scenarios? Because I had the privilege of reading the paper, and I know we want people to read it. I know we don't want to give too much away. But they're really fascinating scenarios. I think it'd be really cool for people to hear a bit about what you all worked on and came up with, because I thought it was very interesting. The creation of the realistic scenarios is very important. They are hypothetical scenarios, obviously. We are not using the real nations or real attackers. But when creating these scenarios, making them realistic, although they are hypothetical, is very important. So when we're creating, we reviewed the recent cyber attacks against space infrastructures. Also, recent cyber attack trends in IT systems, which can be replicated soon in the space infrastructure. So we created our scenarios based on that. And these realistic scenarios actually can be very useful because these scenarios we created can be used to play some tabletop exercise later by the readers if they prefer to use it. Brianna, anything to add to that? So scenario one, we focused on the principle of sovereignty. And in this scenario, we framed it as a state-A aerospace manufacturing facility being hit with cyber attack. And the violation occurs because the attack actually caused certain systems to be permanently damaged, and you're needing to replace that software and hardware. The second scenario we focused on the principle of non-intervention. In that case, you have the two aspects of non-intervention. So you have the attack bearing on the matters of the state. So in this case, we had it where a master control station as part of the GPS system was hacked, and they couldn't access the data that was being sent from the satellite. And the attackers said that they would not provide the data and it would actually continue their attack throughout the system unless the state that was attacked changed their policy, which is an aspect of non-intervention, that coercion element. And then our third scenario was focusing on that principle of prohibition of use of force. And for that one, you had a cyber attack causing real physical damage and injury to the state. And that again is what led to that violation. Fascinating. So you mentioned the complexities that came up here when looking into this, not just from the cyber side, but also space law, which as I cover a lot on the show, there's a lot of gaps there. And it causes a lot of frustration, understandably. And I know that's the same in the cyber world too, where technology is just far outpaced legislation pretty much across the board. Any commonalities in those gaps that you found, or are they unique to each sphere? What did you find there? So I think the problem of attribution is probably the white. Wherever you're looking at cyber attacks, whatever domain you're looking at, that attribution issue is going to occur, especially when applying international law, because international law is based on state responsibility and accountability. And the way you prove state responsibility, or that a state has committed a wrongful act, is making that attribution. And it's not only important for just accusing the state or blaming the state, taking the blame and all of that, but you have attribution required so that you can move down the process of those legal regimes and responses, like cessation, the guarantees of non-repetition and reparations. All of that can't happen unless you have that violating state and you make that attribution that they're the ones that did it. This is a very basic question, and Breonna, I'll just stay with you for a second. This is a legal question. When there's an attack that affects a ground system, a space ground system, or a facility that is space related, but on the ground, and that then affects later something that is on orbit, is there a distinction in terms of the law about the physical domains that are being affected there, or is it looked at just systematically? From what I've found, you look at the who owns that space asset. So even though it's in space where there is no sovereignty, that asset belongs to a nation, and that's what you're looking at in terms of territoriality when it comes to applying the law. Okay, so in my mind, I'm over-complicating things, okay? So that's good to know. And just kind of, I think a lot of people think when they're looking at international on applying it to space that it is overly complicated, but what I found from doing this paper is that you can apply those existing frameworks. It's just, and you kind of have to step back and not over-complicate it and see that, oh well, even though we are talking about space, someone owns that infrastructure, and that helps to apply the law. Yeah, I know I imagine the complication comes into situations where it's not as clear about who owns what, although right now in space that's not usually an issue, but we've seen with things like space debris, it does become an issue because we don't know where the debris comes from. But attribution can mean two very different things in the cyber and space world, but it's amazing how much that's still an issue. And all I see you want to add something to this. Yeah, I think attribution is an important issue for, you know, when the internet was created first, security was not a design principle, because the internet was created for trusted parties, long people, long entities to use it, and it was not for commercial purposes. So now we're still trying to fix the underlying protocols, because they have protocol vulnerabilities, and still it's really hard to fix them because the whole internet is running on them. I think space is not very different than this. When space was created, it was mostly for the nation's use. The commercialization was low, maybe, and more to fast purposes, but now we are living in a very different era. So the dual use of this technology is huge. And since these systems and protocols were not designed for security purposes, space engineers, they don't take security as a, until recently, this is what I can say, as a design principle, because it's in the orbit, so we don't need to worry about people will not physically get into it. But the things are changing now. We see that cyber attacks. And now, in order to respond to it, you need to attribute who did it to deter them to follow up what happened. And then, but the systems, I think, in the security by design principles should be more applied in the space system development. And then we can see the attribution is more possible in the systems. Some great points in what you just said, and I, my mind can't help but go back to Viacet 2022, that attack, and how much the fallout from that just revealed that commercial companies need to understand that cybersecurity in their direction is such a priority. In the critical infrastructure domain, such as energy, they were the victim of cyber attacks, very long time ago, and over time, they're in this sector adopted some cybersecurity principles, and then minimum at this minimum security requirements. Some other sectors like many times they are coming later. Space is one of the newest ones, which introduced cybersecurity in their domain. Very quickly. And with the geopolitical conflicts going around the world, it won't be a surprise to see more of these cyber attacks against space infrastructures. Indeed. Yeah, I wondered if you could also walk us through some, you had mentioned these are hypothetical scenarios, and I want to emphasize these are hypothetical, but potential technical threats in the cybersecurity domain that would affect space systems. You mentioned a few of them in the paper. Yeah, I think maybe we need to differentiate cyber space systems, cybersecurity and the traditional IT systems, cybersecurity, because they are running in different domains. The space systems composed of different layers like link layer ground systems, space systems. So each of them runs different protocols in the in the traditional IP systems, IT systems we are running on the IP domain. But in the space systems, the ground systems, yes, they have IP, especially with the user interfaces, but later it is the radio frequency RF signals. So you need to understand the RF space engineering concepts to attack the systems. But since it is radio frequency, the attribution is way harder. And with the software defined radio, you can easily implement with low cost systems and then try to attack the systems. And that absolutely opens things up to the attribution becomes not impossible. I'm sure not technically impossible, but very, very hard. So again, I want to emphasize we want people to read the paper. So I don't want to give too much away. I'd love to hear from you both about the sort of the conclusions and takeaways from this paper that you would like people to know. Before folks in the space industry, it is obvious that security should be a design principle in mind for building security, not bought on security to be done later because it's really hard for space systems. They are embedded systems there on space. So physically, you cannot reach them to update them. So security should be integrated as a design requirement at the first place for creating the developing the space systems. I think this is one thing they need to know. And for space policy experts, they need to understand the landscape, the cyber threat landscape and what kind of cyber attacks can be done so they can get prepared in responding to these attacks. That's a great point, Brianna. How about you? I agree with everything that I said. I would also add, in addition to the technical cybersecurity, you also have just emphasis on training your employees, training your staff, because you always have that human factor. They're always going to be a vulnerability. So making sure that they're prepared and they know how to handle themselves and they have that security knowledge in face of attack. Fantastic point. I could not agree more on that. That's a really good point. And maybe we flip the question now for cybersecurity folks who've been in this field for a long time and they're like, oh, yeah, different new flavor or same flavor, different day, something like that of cyber attack. What's I mean, what's different about what you found in the space, Brianna? Is it just the policy of things? Is it its space? Is it actually even is that it is it an erroneous question that I'm asking? Is it any different really? Yeah, I can give some perspective for the cyber security professionals from technical perspective and then maybe Brianna can follow up with the more on policy and low perspective. From the technical perspective, there is a lot in the cycordomain, in the space domain for cybersecurity. So I think we need to see more cybersecurity experts working closely with the space systems engineers because you need to understand the domain and what cyber vulnerability can impact the system. So you need to have the understanding of the domain and traditional regular cybersecurity expert don't have these expertise about the space systems. They need to gain this information. And with this, they can speak the language of the space engineers with the systems and the space engineers, if they have some understanding of the cyber threats and vulnerabilities. So these two groups can connect and then understand each other. Now there's that, I can say that there's a disconnect. The focus is completely different. The cybersecurity people, they are not very familiar with the technical infrastructure of the space systems, space engineers, they are not familiar with the cyber threats. So there is a communication gap. I think both of them need to learn the other domain and at least the basics of it so they can communicate and work together. Sure. Speaking more towards the legal aspect of it, I think when it comes to applying international law to cyber, there's still a lot of work to be done and there are a lot of efforts taking place, including our own research. I think it's important when you're applying these principles to know exactly when you're meeting certain thresholds of force or intervention. A lot of that is still unclear. What types of cyber attacks meet that threshold of use of force or what type of cyber attacks are actually a prohibited intervention. We have some widely accepted ideas of what those are and we use those in the scenarios to create the violations. But there are so many different types of cyber attacks and so many different ways that they can happen that I think really understanding how those can violate or whether or not those violate international law is important. Because the more clearly defined our legal boundaries, the better because that's policymakers and world leaders that are using those legal definitions and laws to make decisions. So it's very important that they're as clearly defined as possible. [Music] We'll be right back. [Music] Welcome back. And we're staying with the theme of collaboration today to prevent disasters in space. The second edition of the Artemis Accords Workshop is being held in Canada this week. Representatives from 25 of the 40 signatories of the International Coalition are meeting this week to discuss principles for safe, transparent and sustainable space exploration activities. The Accords reinforce the commitment by all signatories to enhance the governance of space exploration to support scientific discovery and innovation. Canadian Space Agency President Lisa Campbell and NASA Deputy Administrator Pamela Melroy kicked off the second edition of the Artemis Accords Workshop at the John H. Chapman Space Center, which is CSA headquarters. It's worth noting that in October 2020, Canada became an original signatory of the Artemis Accords and continues to work with international partners to further develop and refine the international framework for the next chapter of space exploration. And we're looking forward to hearing more about the outcomes from this workshop series, and we'll of course bring those updates to you dear listeners when we have them. [Music] That's it for T-minus for May 21st, 2024, brought to you by N2K Cyberwire. For additional resources from today's report, check out our show notes at space.n2k.com. We're privileged that N2K and podcasts like T-minus are part of the daily routine of many of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Alice Carruth. Our associate producer is Liz Jokes. We are mixed by Elliot Peltzman and Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher. And I'm your host, Maria Varmazes. Thanks for listening everybody. We'll see you tomorrow. [Music] [Music]
