Space: The Latest Frontier for Cybersecurity

di Gabriel Lazazzara - 30 Settembre 2020

  from Trieste, Italy

   DOI: 10.48256/TDM2012_00128

Why the Brand New SPD-5 Is So Important for the Future of the United States.

Space systems are defined as assets that either exist in suborbital or outer space or ground control systems, including launch facilities, for these assets (Falco, 2018). Likewise, space asset organizations are organizations that build, operate, maintain, or own space systems. Most of the space assets, including both ground systems and satellites, are fundamentally components of wider critical infrastructures. 

Examples of critical infrastructures reliance on space systems ranges from the military intelligence satellites to agribusiness’ weather and climate satellites. Several sectors even depend on space systems for global communications. Nevertheless, space-specific standards on space system information sharing are lacking (Falco, 2018). While space assets are affected by similar cybersecurity issues to other industries, the challenges to be overcome in order to secure them are considerably more complex. The intersection between various industry sectors make space systems a possible single point of failure. 

The lack of standards and regulations, the involvement in a complex supply chain, the employment of commercial off-the-shelf technology, and the battle with resource constraints make space systems cybersecurity a unique challenge. Due to the complex supply chain, any component of this system is a potential attack vector and an attractive target for hackers. Further, the exponential increase in CubeSats usage – which is a type of miniaturized satellite that can be as small as 10 cm3has raised even more security concerns. In fact, CubeSats are usually based on open-source operating systems meaning that there are plenty of security vulnerabilities.


Possible Consequences of Cyberattacks to Space Assets

The range of possible consequences that a cyberattack could have is so wide, it became necessary to develop a specific framework to classify them. There is a transversal and complex connection between cyber and space domain with a wide variety of industries. For this reason the consequences could be classified in physical/digital, economic, reputational, psychological, and social domains (Agrafiotis, 2018).

Some years ago, a Russian cyber-espionage group, hacked their way into a satellite Internet provider to hide espionage operations (Santamarta, 2014). In other words, while you are reading, an attacker could intercept uplink or downlink packets from your IP address or inject data to the system connected to your IP address. Put to the extreme, hackers/criminal organizations could achieve command and control of a satellite with de-orbiting capabilities. For the sake of argument, they could even threaten to make it collide with other operating satellites triggering the Kessler Syndrome, causing the end of the space age.


The Cascade Effect

Referring to the possible economic consequences, scenarios are straightforward. Connecting them with the previous examples, the very same company that manages the satellite would disrupt its operations together with all the firms that rely on their services to work. While on the short-term firms profit and stock prices are the victims, on the long-run jobs are also affected. For instance, the criminal organization example causing a sharp increase of the space debris may have a cascade effect that will dramatically change the way we live nowadays, with unprecedented costs of recovery. Further, reputational consequences follow. As an effect of the economic troubles, customers will not trust the company anymore. The effect could be also amplified by media scrutiny, reducing even more business opportunities. 

Not difficult to imagine are also the psychological consequences of such an attack to space infrastructure. Imagine an attack against GPS or any other positioning system. This simple event could totally disrupt the confidence on these systems causing confusion if not anxiety in the worst case. Extending the previous on a larger scale it is possible to come up with the ultimate level of possible consequences that a cyberattack could reach. At these proportions it would create instability around the world both politically and economically. The perception of technology itself will change in the public opinion, affecting the political agenda in many countries. 

Cyberattack scenarios of these proportions are very unlikely. However, the shutdown of global positioning systems – for instance – will cause the disruption of global commerce, financial systems, and many security systems that rely on that technology. Moving from these premises, what does it entail the new space policy directive on cybersecurity principles for space assets?


The Space Policy Directive-5

“Every day, America’s adversaries are testing our cyber defenses. They attempt to gain access to our critical infrastructure, exploit our great companies, and undermine our entire way of life. And we can’t let that happen.” 

Donald J. Trump, President of the United States

These are the initial words of the Memorandum signed by President Donald J. Trump on September 4th (White House, 2020). The document establishes key cybersecurity principles to guide and serve the protection of strategic space assets. The SPD-5 is just one of the numerous steps already taken to augment the cyber protection of critical U.S. infrastructure. Indeed, it furthers the objectives of the National Cyber Strategy and of the SPD-3 on Space Traffic Management. The enhancement of the U.S. space leadership passes through freedom of action in space and the SPD-5 works specifically in that direction. 

The Memorandum recognizes that the threats that apply to terrestrial targets also apply to space systems. It pushes for the integration of cybersecurity measures and protocols for every stakeholder involved in the space supply chain (White House, 2020). It aims to establish a culture of prevention and active defense based on sharing best practices among operators.  

Five cybersecurity principles have been outlined, ranging from the implementation of a risk-based approach which takes into account cyber threats, to the collaboration principle which promotes sharing of mitigation best practices among space actors. Interestingly, the second principle refers to the integration of a cybersecurity plan for space systems which would have to define how to protect its own infrastructure from its cyber vulnerabilities.


Why Now?

As the American Vice President Mike Pence has said at the fifth meeting of the National Space Council one year ago (Wall, 2019):

“Make no mistake about it. We’re in a space race today, just as we were in the 1960s, and the stakes are even higher.” 

Mike Pence, Vice President of the United States

The long-held American space dominance is being challenged by China and Russia. The two superpowers are developing and deploying new space capabilities which will inevitably transform the space domain. Space assets nowadays underlie critical infrastructures on which our current lifestyle relies. Researchers, policymakers, and engineers are increasingly concerned with infrastructure cybersecurity, but they failed to include effectively the space assets. 

Cybersecurity challenges will only become more relevant as technology further evolves. Today, space assets are the weakest link (Wall, 2020). A wait-and-see attitude could have been very detrimental to the entire sector, particularly for the United States position. Eventually, U.S. policymakers included space assets in the list of assets requiring an effective cyber-defense. There is no doubt that cyber-secure satellites will cost much more than a university CubeSat project. Nevertheless, there is no viable alternative to ensure continued, sustained, and safe space operations in the future.



In less than four years, the Trump administration has already produced four Space Policy Directives (SPD), revitalized the National Space Council, established the U.S. Space Force, set an ambitious program to return to the Moon by 2024 and opened a new era of space multilateralism with the Artemis Accords last May. It’s worth noting that part of the guidelines enlisted in the SPD-5 are already practices both government and private space agencies have widely adopted (Bonifacic, 2020). In fact, this Memorandum is not to be understood as a reaction to a particular event but rather it represents the culmination of a process started in the past few years. Based on that, the brand new SPD-5 is just the last piece of a strategy which aims to further increase national space leadership and its resilience against the future of space threats.





Agrafiotis, I., Nurse, J., Goldsmith, M., Upton, D. (2018). “A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate”, Journal of Cybersecurity, Volume 4, Issue 1, January 2018.

Bonifacic, I. (2020). “White House issues ‘SPD-5’ cybersecurity policy for space”, engadget, September 4, 2020.

Falco, G. (2018). “Cybersecurity Principles for Space Systems”, Journal of Aerospace Information Systems, December 11, 2018.
<DOI: 10.2514/1.I010693>

Falco, G. (2018). “The Vacuum of Space Cyber Security”, 2018 AIAA SPACE and Astronautics Forum and Exposition, AIAA SPACE Forum, (AIAA 2018-5275).

Santamarta, R. (2014). “A Wake-Up Call for SATCOM Security”, IOActive Technical White Paper, Seattle, March 2014. 

Trump, D. (2020). “Memorandum on Space Policy Directive-5 – Cybersecurity Principles for Space Systems”, White House Official Website, September 4, 2020. 

Wall, M. (2020). “Trump signs Space Policy Directive-5 on space cybersecurity”,, September 4, 2020.

Wall, M. (2019). “US Is in a New Space Race with China and Russia, VP Pence Says”,, March 27, 2019.


Author of the Article*: Gabriel Lazazzara, expert in space policy of the think tank Trinità dei Monti. BA in Political Science at University of Trieste and graduate student of MA in International Relations at the University of Bologna.


Nota della redazione del Think Tank Trinità dei Monti

Come sempre pubblichiamo i nostri lavori per stimolare altre riflessioni, che possano portare ad integrazioni e approfondimenti.

* I contenuti e le valutazioni dell’intervento sono di esclusiva responsabilità dell’autore.

Editor’s Note – Think Tank Trinità dei Monti

As always, we publish our articles to encourage debates, and to spread knowledge and original and alternative points of view.

* The contents and the opinions of this article belong to the author(s) of this article only.