Training the Next Generation of Space Cybersecurity Experts
A Q&A with Scott Shackelford
In a few short decades, since the first signals from our experimental satellites broke the stillness at the edge of space, more and more of the world's critical technology infrastructure has occupied the crowded regions of low earth orbit (LEO). Thousands of satellites from countries around the globe now serve every type of communications, from top-secret defense programs, to weather imaging, to basic science research, and so much more. From government and research agencies to commercial entities, large and small, securing those assets means more than incrementally pumping up existing cybersecurity resources and practices. Space cybersecurity is a field that must grow and mature significantly to keep up with the pace of change. Here, we ask Scott Shackelford, Indiana University professor of law and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, about some of the efforts — globally, nationally, and locally — that may help launch a separate discipline that will support changing practices and foster future space cybersecurity leadership.
Speakers at the workshop "Toward an Integrated Theory of Space-Cyber Power," held this spring in Washington D.C. by Indiana University's Space Governance Lab. (Image courtesy Indiana University. With permission.)
Mary Grush: Certainly cybersecurity has existed for some time around our space infrastructure and related digital technology. It has been here in some form, even if not called out as a separate, specific "space cybersecurity" discipline. What's new or on the horizon that might cause us to rethink space cybersecurity, redefine it, and restructure how we implement it?
Scott Shackelford: Our reliance on space infrastructure has been around for a long time now. We've been reliant on satellites for decades, especially since the '80s when the technology took off in a big way with a lot of different services. Of course, in the beginning it started off mostly in national security with early surveillance satellites taking pictures during the Cold War as part of our nuclear deterrence. But it did not take long for the first commercial satellites to be launched, originally for weather forecasting and telecommunications. And these days, we get a host of satellite-based services, from Internet access from space, to GPS, to all the geospatial applications like Google Maps — you name it. Just having this conversation right now, all of this is dependent on space and the infrastructure that we've launched into orbit (as we're continuing to do), along with the ground-based services that make it possible. Securing all of that is really challenging and important.
We've been focused on space as a vulnerability for a long time. Traditionally that meant basically not making it too easy to knock out satellites with missiles. And originally only the U.S. and the former Soviet Union, then Russia, were able to do that. China joined the club in the early 2000s when they very publicly took down an aging weather satellite and in so doing caused a cascade of orbital debris that continues to ricochet around LEO, still causing headaches for the International Space Station and for the other satellites that have to move out of the way.
And now, it's gotten easier for bad players to launch cyber attacks instead of missiles. Those cyber attacks are coming from countries or criminal organizations, and they're designed to go after satellites without the need to launch kinetic vehicles to interfere physically with the satellite. It's a lot easier for them when they can just punch a few keystrokes. We've seen countries do it, like Iran. We've seen groups do it to target different types of satellites or even in some cases to launch ransomware attacks against them.
Grush: So it's an evolving picture. What is the response from the international space cybersecurity community? What individuals or institutions are involved as leaders or contributors?
Shackelford: As space cybersecurity professionals, many of us thought that it's important to dedicate ourselves to space cybersecurity over the next few years. So in a collective effort — one among many — we've just started a new edited book project with the Air Force Office of Scientific Research, that's going to culminate in a first volume that will be a deep dive into space cybersecurity and what it means for government, for commerce, and ultimately, for all of us. It's going to include contributions from scholars and practitioners from lots of different walks of life around the world.
As space cybersecurity professionals, many of us thought that it's important to dedicate ourselves to space cybersecurity over the next few years.
There are a few key editors, including Eytan Tepper, a research professor here at IU who directs our Space Governance Lab, and Rob Templeman, who is IU's Executive Director of Cybersecurity Innovation. The call is actually still open right now, so we don't even have the final rundown yet. In fact, we just had our launch event in Washington D.C. a few weeks ago with some great speakers talking about the importance of this topic. The book itself is going to take a couple years to come together, with abstracts due in another month or so followed by a workshop to discuss the drafts later this year.
And again, the key editors are here at IU, but this is a much broader community effort, with contributors from all around the world: academics, people from industry, and people from think tanks… There's not one club that's exclusively interested in these things. These topics are important, and they span lots of different industries and sectors, so there will be people from all over involved in this effort.
Grush: What has catalyzed this project and the keen interest in rethinking space cybersecurity now? Is there anything you'd point to, in terms of events globally?
Shackelford: The war in Ukraine, definitely. The opening salvos of the war in Ukraine, starting a little more than three years ago, were a series of cyber attacks on ViASAT, which is a big telecommunications company based in the U.S. And that affected lots of different industries, including the Ukrainian air defense network. This was the first time that we saw a commercial aerospace entity targeted at scale by a foreign nation state, with the U.S. and the EU and the UK attributing the cyber attacks to Russia. It was the wake-up call that got a lot more attention focused on the issue of space cybersecurity.
Grush: What are some of the key elements, or the nature of space cybersecurity? What needs to be secured?
Shackelford: There are lots of different aspects to space. Most often people think of satellites and space stations, which is certainly a big part of it, but you also have to be mindful of all of the rockets and vehicles going up and releasing those satellites, launching them, and servicing them. So those are a few of the other vulnerabilities. And then you also have all of the ground-based systems that maintain or support satellites, and those can be broken into or hacked as well. So there's a growing of set of problems you have to deal with.
You can think about the issue as kind of twofold: One thing is you're trying not to make a problem worse. You're trying to do a better job of securing new satellites so that we don't make the same mistakes as we did in the past. And added to that you're trying to think through what we can do about all the technical debt floating above us… because there's a lot of stuff up there that was launched well before cybersecurity became the issue it is today, and that can be problematic.
Grush: Are we going to see the creation of a whole new field of space cybersecurity? Or, will this discipline consist of current cybersecurity practices that can simply be refocused specifically on space infrastructure and its related digital and information technologies?
Shackelford: We've had the space cybersecurity community out there for a long time though it's very disparate. There are people who are hands-on coders, finding vulnerabilities. But there are also lots of folks who are more interested in the policy and governance side.
So what we're looking at is really a conflation of two existing fields, and there's still debate about whether space cybersecurity is a whole new domain or not.
What we're looking at is really a conflation of two existing fields, and there's still debate about whether space cybersecurity is a whole new domain.
I would argue that this is absolutely an emerging field in its own right. It's distinct and different and spans enough issues, from supply chain security and critical infrastructure to geopolitics and the great game playing out in orbit right now. It does deserve its own unique study, which is exactly why we, as a diverse collection of professionals, pioneered our book project.
Grush: Who will the future and emerging leaders in space cybersecurity be? Is there a student cohort just matched to space cybersecurity and ready to take the baton, if you will? Is there a sufficient block of students interested in being trained in space cybersecurity as their own specialty?
Shackelford: As you're suggesting, there has been a shortage of cybersecurity professionals for many years now. So no, there are simply not nearly enough people at this time with that kind of expertise. That's why we launched our cybersecurity program at IU. It's the first that we're aware of at any university in the world that focuses on this issue.
Grush: So at IU, do you have an MS focused on cybersecurity?
Shackelford: Yes, it's an MS in Cybersecurity Risk Management, with three schools coming together, a law school, a business school, and a computer science school, to introduce students to the legal and business and technical challenges associated with cybersecurity. I was the founding chair of that program. It was created in 2017 and it's grown in the years since, with more than 100 students in it as of today. We also had students from the U.S. Space Force going through the program (as well as IU students) in the most recent cohort. We're hopeful that we can continue seeing that growth and we hope also to continue offering scholarships as well as access for community college students. Related to that, we also have the Kelley Space Cybersecurity Digital Badge, a 10-week, online space cybersecurity course. And among other things, we're going to be offering a new track in the MS in Cybersecurity Risk Management specifically for space cybersecurity, starting probably in A/Y 26-27.
Grush: In researching space cybersecurity issues, I noticed that a good proportion of the expertise and leadership in this evolving area seems to come from Indiana University. Is IU providing a home for many of the research projects and programs that are central to the high-level discussions that need to take place?
Shackelford: Yes. IU is providing some of those homes you refer to. I have the good fortune of running two of our research centers right now; the Ostrom Workshop and the Center for Applied Cybersecurity Research. The particular domain of space cybersecurity is absolutely at the intersection of both of those research centers and their areas of investigation and expertise. So those are two of the homes of this work right now, And frankly, it's just been a joy to see it come together.
[Editor's note: Images courtesy Indiana University. With permission.]