In September 2023, the U.S. Department of Defense released a congressionally mandated report on its strategy to protect space-based assets. This unclassified version of DoD’s top-secret space strategy incorporates multiple defense approaches, including building resilient network architectures, maintaining situational awareness of the space environment, and defending against adversary attacks.

The Commercial Space Integration Strategy, published in April of this year, lays out four priorities for engaging the commercial sector to help achieve the greater strategy. It makes clear the DoD’s need to make solutions resulting from the proliferation of commercial solutions integral to achieving its goals.

Such an ambitious, multi-faceted approach is essential given growing threats to orbiting satellites and the terrestrial infrastructure that supports them. Last August, multiple federal intelligence agencies issued a joint warning about the increasing attempts to attack on-orbit satellites. We have already seen a Russian cyberattack crippling Ukraine satellite communications as Russia began its ground war there; and many leading experts continually warn about the vulnerabilities of the vast satellite infrastructure on which modern life depends.

Unfortunately, space has entered an unprecedented period of rapid technological change and geopolitical competition, where stability can no longer be taken for granted. Near-peer adversaries are continually striving to evolve their cyber-attack tactics, techniques and procedures (TTPs) against U.S. assets. To counter these efforts, the federal government must collaborate with commercial satellite operators to stay ahead of attackers.

Strengthening commercial satellite cybersecurity

To that end, the U.S. Space Force has led the development of the Infrastructure Asset Pre-Approval Program (IA-Pre). IA-Pre is an objective cybersecurity risk assessment process for key self-nominated commercial SATCOM assets measured against National Institute for Standards and Technology (NIST) controls and enhancements. It contains over 400 cybersecurity controls aligned with the NIST 800-53 High-Impact level – far exceeding the 55 controls in the legacy CIAQ security framework.

The Commercial Space Integration Strategy lists ensuring commercial solutions are available when and where needed, in peacetime and during conflicts, as the top priority. Achieving integration of commercial solutions into the desired military-commercial architecture is second. The point is to train as you intend to fight. But the full integration cannot be achieved without baseline IA-PRE protections.

Commercial satellite providers may opt to invest in the stringent IA-Pre cybersecurity capabilities that the DoD deems important. In fact, several operators are pursuing such investment, given both increased threat levels and the opportunity to become an integrated connectivity partner for defense missions. This is in addition to DoD-mandated CMMC compliance, where pursuing the highest Level 3 certification will ensure the most robust security posture.

Further, while the DoD has not specifically called them out, there are additional advanced security capabilities that providers may consider integrating to further strengthen their offerings: for example, adhering to security standards based on NIST SP 800-171; building a secure, global Layer 2 network architecture; installing a highly redundant terrestrial infrastructure to ensure operational continuity even in the most extreme conditions; and enabling capacity for any standard of encryption and key management. And, with the growing adoption of Low Earth Orbit, or LEO, satellite networks that include hundreds to thousands of satellites, advances like burst communications, antennas with fast-hopping agile beams, frequent satellite to satellite hand-offs, Optical inter-satellite links (OISLs) and terminal obfuscation will provide additional layers of protection.

Acquisition disconnects

Even with these opportunities to deliver elevated cybersecurity measures needed by the DoD, the commercial space industry has concerns about justifying the actual return on the considerable investment providing these capabilities represents. There are industry expectations that the government would give requirements like IA-Pre preferential scoring for source selection and procurement. Unfortunately, this has not yet become the standard practice for commercial SATCOM acquisition.

The situation is compounded by a growing interest among DoD agencies for a satellite-as-a-service model for space connectivity. For instance, the U.S. Space Force is planning to launch a marketplace for satellite-to-cellular communications services later this year. Last year, the DoD contracted for a 5-year blanket purchase agreement for medium-Earth orbit, or MEO, low-latency, high-throughput satellite services. More opportunities are expected soon. In fact, recent estimates suggest that the market for governments purchasing satellite access rather than building their own satellite networks could reach $14.5B by 2032.

For that model to be successful, commercial providers must be able to meet security requirements that government customers, including the DoD, will require. Without some meaningful market benefit from making such investments, commercial satellite providers won’t be able to continue incurring the cost and operational complexity of planning, implementing, and maintaining them.

Highly sophisticated space systems cannot be left to lowest-price technically acceptable (LPTA) selection. Defense authorization legislation and updates to the Federal Acquisition Regulations were supposed to limit agency LPTA usage, yet commercial operators continue to see a disconnect where providers who are significantly investing in cybersecurity requirements are not seeing those requirements appropriately scored in contract awards. This divide will put federal satellite communications at a critical disadvantage against the growing volume of attacks by increasingly-sophisticated and capable adversaries.

To help bridge the gap, the SATCOM Industry Group (SIG) proposed the following measures for DoD to implement:

— Establish a hard-cutoff date for the legacy CIAQ framework and other non-IA-Pre processes, to facilitate transition to the IA-Pre model

— Publish an objective and transparent assessment methodology and scoring of the specific controls relative to residual risk for commercial operators making investment decisions

— Increase data protection. The Space Force should consider the data provided in the IA-Pre Database as proprietary information of the asset owner, not to be released by any party except by the asset owner under the provisions of a Non-Disclosure Agreement

— Require licensed Agent of Security Control Assessors (ASCAs). If non-governmental personnel are used to evaluate IA-Pre compliance, clear personal and organizational conflict of interest safeguards should be established and enforced. Also, the cost of assessment needs to be clarified in a transparent manner.

A strong, transparent and equal public and private partnership is required for the DoD to adapt to this new era of contested space. Ensuring that cybersecurity investments are considered when procuring commercial satellite capabilities would be a strong start to such a relationship.

Philip Harlow is president of Telesat Government Solutions.

More In Battlefield Tech