On Wednesday, SpaceX postponed the launch of two tester satellites for a super-fleet of 12,000 — part of its Starlink space-based global internet. Good. That gives us an extra day to talk about cyber security in space.
Imagine a cutting-edge industry that's all about pushing boundaries, finding solutions to problems that never existed and "disrupting" absolutely everything we've come to rely on with a cast-iron belief in better-life-through-technology. Now, imagine them just "sitting around a big table with a lot of coffee, and talking about it."
It's not exactly an image of action, is it? No matter what the "it" is.
And yet that's precisely the way Constantin Constantinides describes the satellite industry today. Constantinides is a radio frequency engineer with a satellite company in Glasgow called Alba Orbital. And the "it" refers to … cyber security.
Cyber security is one of the biggest unsolved challenges we have on Earth, and it's about to become a far larger challenge in space.
You could say, "Well, at least they are talking about it." At least cyber security is on the new space agenda. And it had certainly better be, because the more satellites we fire up into space, and the more those satellites form huge constellations, the more we rely on the data they accrue — the communications networks, location services, Earth Observation, shipping, flight and freak weather tracking, plus masses of unimagined stuff.
And, the more we're putting our daily lives — human life — at risk.
An epic networked fail
If we don't act soon on cyber security in space, aren't we setting ourselves up for an epic networked fail?
"Yeah, and I think the areas where people have to pay the most attention is communications and anything that is critical day-to-day," says Nick Allain, director of brand at Spire Global. "So if you're looking at something where it's a life or death issue, those are obviously where security has to be the tightest."
So while we may all think it's cool when a company like SpaceX says it plans to deliver space-based broadband internet to the world, with a super-fleet of 12,000 satellites in low-Earth orbit, we may also like to wonder where we're heading. That's an easy one for SpaceX's Elon Musk to answer: He's heading for Mars. And his Starlink internet service will probably help him finance the ordeal with its projected 40 million customers generating about $30 billion in revenue.
But what about the rest of us? We can't even secure the network on Earth. And that's those of us who are bothered about cyber security. So how will we do in space, where some companies are alleged to be using decades-old, unencrypted satellite technology? The name you often hear — and read on internet forums, such as Hacker News @ycombinator.com — is Iridium. Allegedly.
Among other systems, Iridium operates a constellation of 66 satellites for voice and data communication in satellite phones, pagers and integrated transceivers. The Iridium communications network was originally developed in the 1980s by Motorola, and is described by some as obsolete. At a 2015 Chaos Communication Camp, the organizers, Germany's Chaos Computer Club, distributed 4,500 "rad1o badges" that could apparently intercept traffic from the Iridium communications network. Just like that.
A networked target
But try getting anyone to talk on the record about it, or pretty much anything to do with cyber security in space, and this is the response you're likely to get:
Nick Allain [at the 2018 DATA.SPACE conference]: There's always a hesitation in the space community to talk about cyber security, because you're basically painting a target on your back the more you talk about it. However, being a new space company, a lot of the software engineers who work in new space come from IT backgrounds outside of the space community, where they are used to Google, Facebook or Amazon having that target painted on their backs already. So the industry is very aware of it as an issue.
Me: How have things changed over the last couple of years compared to satellites that were launched, say, 20 years ago?
Allain: Twenty years ago, even in general computing, where we're not talking about the same level of encryption — although military certainly was — the military led the way on encryption from the start — but the traditional space industry perhaps not so much. It's difficult to say because there's not a lot published.
Me: But there are satellites up there that are unencrypted, aren't there?
Allain: [laughs] Erm, I have some colleagues who would say I should say 'no comment' on that! [laughs again]
Me: Okay. But there are, aren't there?
Allain: Erm … perhaps.
Things have changed since the 80s, even for Iridium, which has its "groundbreaking second-generation satellite constellation" Iridium NEXT. But we're waiting to hear back from them on the technical detail.
We're also waiting to hear back from SpaceX about its encryption technology on the two Starlink tester satellites, Microsat-2a and Microsat-2b. Although it would be hard to imagine them, or indeed any space-internet competitors, like OneWeb, ignoring the threat from hackers in space. After all, anything that interferes with their networks will also interfere with their profits.
The scary thing, though, is how much in space depends on a handshake and what you might call "goodwill."
"To the best of my knowledge, there are no mandatory requirements yet," says Constantinides.
There are, however, recommendations from the International Telecommunication Union (ITU) on how to deal with "harmful interference" among satellites in space.
"I'm summarizing this a lot," Constantinides warns, "but the article states that based on goodwill, people have to be careful not to interfere with other satellites."
Excuse me for being the cynic, but goodwill does not sound like much when your life depends on it. And in any case, what is interference? Does it even include hacking?
Yes, it does, says Constantinides: "Interfering with another satellite can be done on purpose, so that can be considered hacking. And from what I know, that is the biggest cyber security threat — hacking. And then, there is interference due to spurious emissions [from] communications systems, so [unintentional] harmful interference."
Interestingly, Constantinides suggests a bit of old, analog technology can be a good way to deflect the hackers. "If I'm using Windows 95, for instance, it's not that I'm risk-free, but I am on a platform that far fewer people use, so I am less of a target for the hackers."
While we're at it
How all this will play into SpaceX's Starlink network and its intentions to provide a "reliable" service is anyone's guess at this point. But one thing is clear, and that is that the industry needs to get a few binding, international standards in place.
And while we're at it, we may also like to look at a few legal aspects. For instance, who gets to decide which companies or governments get to launch how many satellites, and in which orbit?
Imagine you wanted to set up shop to sell candy in another country. You couldn't just waltz in with the timber, build a store, and start trading. You would have to get permission. And if you traded internationally, you may have to sign a few international agreements.
So how is it still possible in space for America's Federal Communications Commission (FCC) to decide it's okay for SpaceX, an American company, to potentially clog up two large swathes of low-Earth orbit — an international jurisdiction — without so much as a nod or a wink to anyone else? More than 7,500 Starlink satellites will operate at 320 kilometers (200 miles) up — that's in the International Space Station's neighborhood — and a further 4,425 satellites will be about 1,100 kilometers (700 miles) up.
I wouldn't want to be around when the first collision takes place. There's already enough space junk above our heads, and the potential for a cascading blow-out so mighty, that ducking just won't do it.
Iridium and CGI, a company that says it is "helping make space more secure" — it has a "space cyber team" — did not respond in time for publication. Neither did Germany's Chaos Computer Club, which distributed the Iridium hack "rad1o badge" in 2015, but we have spoken since publication, so there will be more on cyber security in space soon.