Critical Infrastructure Security

Experts Say White House Memo Overlooks Space Cyber Risks

Security Memo Update Opts Not to Include Space as Critical Infrastructure Sector
Experts Say White House Memo Overlooks Space Cyber Risks
U.S. space industry executives say their sector should count as a separate sector of critical infrastructure. (Image: Shutterstock)

Space industry executives say they're feeling left out of a push to better national cybersecurity, calling a White House update on Tuesday to a memo organizing critical infrastructure efforts a missed opportunity.

See Also: 2024 Report: Mapping Cyber Risks from the Outside

The administration published a rewrite of Presidential Policy Directive 21, the federal organizing memo that designates critical infrastructure sectors and their federal oversight agencies. The memo left intact the 16 sectors that have been in place since the Obama administration but newly tasked the Cybersecurity and Infrastructure Security Agency with overseeing national critical infrastructure protections.

Rocket and satellite manufacturers have long called on the federal government to designate space as the 17th critical infrastructure sector, warning in a 2021 opinion piece that a cyberattack on one of the nation's space-based systems sparked an international, and possibly nuclear, confrontation.

"Overlooking rapidly advancing sectors like space infrastructure in national cybersecurity strategies can pose significant risks," said Jeff Hall, aerospace lead for the cybersecurity consulting firm NCC Group, describing space-based assets as "vital for national security."

"Space infrastructure, including satellites and ground stations, is becoming increasingly interconnected and reliant on digital systems," he told Information Security Media Group. "Failure to include these in cybersecurity strategies leaves them vulnerable to cyberattacks, including hacking, data breaches or even physical attacks on satellites."

The Space Information Sharing and Analysis Center announced plans to lobby the previous White House almost immediately after it was established in 2019.

But former National Cyber Director Chris Inglis indicated in 2021 that he didn't think the sector should be labeled as critical infrastructure, and the office has not publicly changed its stance on the issue since then. The Office of the National Cyber Director did not respond to a request for comment.

The new strategy directs critical infrastructure owners and operators to implement risk-based cybersecurity approaches with routine risk assessments, and it calls for enhanced information sharing between the federal government and private sector, including "relevant classified" intelligence when applicable.

The Office of the Director of National Intelligence will be required to conduct a national critical infrastructure intelligence assessment within six months, and CISA will have to identify and update a list of "Section 9 entities," defined as critical infrastructure in which a cyberattack could potentially result in catastrophic effects on public health or national security.

Those updates could help critical infrastructure operators look beyond the consequences of more traditional operational technology compromises such as the Volt Typhoon breach earlier this year and further consider the "potentially devastating consequences" associated with information technology breaches, according to Adam Maruyama, field CTO for Garrison Technology and former intelligence officer.

"Adversaries have seen the damage that the Colonial Pipeline attack - which targeted billing systems on the IT network, not distribution systems on the OT network - did to our society and economy," Maruyama said. "It’s time for regulations that incentivize technologies and architectures to prevent, not just detect and respond to, attacks on the equally critical IT networks that power America."


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.