Chairman Beyer, Ranking Member Babin, and Members of the Subcommittee, I am Matthew Scholl, the Chief of the Computer Security Division, of the Information Technology Laboratory (ITL) at the Department of Commerce’s National Institute of Standards and Technology – known as NIST. Thank you for the opportunity to testify today on behalf of NIST on efforts to improve the cybersecurity of space operations.
NIST is home to five Nobel Prize winners, with programs focused on national priorities such as artificial intelligence, advanced manufacturing, the digital economy, precision metrology, quantum science, biosciences and, of course, cybersecurity. The mission of NIST is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST’s Role in Cybersecurity
In the area of cybersecurity, NIST has worked with federal agencies, industry, international partners and academia since 1972, when it helped develop and published the Data Encryption Standard, which enabled efficiencies with security, like the electronic banking that we all enjoy today. NIST’s role is to provide standards, guidance, tools, data references, and testing methods to protect information systems against threats to the confidentiality, integrity, and availability of information and services. This role was strengthened through the Computer Security Act of 1987 (Public Law 100-235), broadened through the Federal Information Security Management Act of 2002 (FISMA) (Public Law 107-347)1 and reaffirmed in the Federal Information Security Modernization Act of 2014 (FISMA 2014) (Public Law 113-283). In addition, the Cybersecurity Enhancement Act of 2014 (Public Law 113-274) authorizes NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure.
NIST develops guidelines in an open, transparent, and collaborative manner that enlists broad expertise from around the world. These resources are used by federal agencies as well as businesses of all sizes, educational institutions, and state, local, tribal, and territorial governments, because NIST’s standards and guidelines are effective, state-of-the-art, and widely accepted. NIST disseminates its resources through a variety of means that encourage the broad sharing of tools, security reference data, information security standards, guidelines, and practices, along with outreach to stakeholders, participation in government and industry events, and online mechanisms.
Cybersecurity and Space Challenges
As stated in the 2021 U.S. Space Priorities Framework, “[a]ccess to and use of space is a vital national interest.” However, cyber-related threats to space assets (e.g., commercial satellites) and supporting infrastructure pose increasing risk to this economic promise and commercial space emerging markets.
Space is a high-risk environment in which to operate, so cybersecurity risks involving commercial space needs to be understood and managed alongside other types of risks to ensure safe and successful operations. Physical risks to these operations are generally quantifiable and have the most likely potential to adversely impact the businesses that operate commercial satellites, usually occurring in low earth orbit. While these physical risks are the primary risk considerations to satellite operations, continued growth in this new commercial infrastructure allows for opportunities to address the cybersecurity risks along with the many other risk elements considered.
Memorandum on Space Policy Directive 5 (SPD-5) – Cybersecurity Principles for Space Systems, issued September 2020, establishes key cybersecurity principles to guide and serve as the foundation for America’s approach to the cybersecurity of space systems. It directs U.S. Government agencies to work with commercial companies to promote these throughout the sector. SPD-5 further underscores the risks of such systems:
“Space systems are reliant on information systems and networks from design conceptualization through launch and flight operations. Further, the transmission of command and control and mission information between space vehicles and ground networks relies on the use of radio-frequency-dependent wireless communication channels. These systems, networks, and channels can be vulnerable to malicious activities that can deny, degrade, or disrupt space operations, or even destroy satellites.
Examples of malicious cyber activities harmful to space operations include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and conducting denial-of-service attacks. Consequences of such activities could include loss of mission data; decreased lifespan or capability of space systems or constellations; or the loss of positive control of space vehicles, potentially resulting in collisions that can impair systems or generate harmful orbital debris.”2
NIST’s Work in Space Cybersecurity
Consistent with SPD-5 and to assist with the need to address many of these issues, NIST has taken actions that help to further this opportunity to include cybersecurity risk management as part of space operations.
NIST is not a space mission agency, but a measurement and metrology agency with a long history in cybersecurity. Per our mission, we provide our expertise to mission owners, like space operators, where we couple our deep cybersecurity experience with their understanding and contextual knowledge of the mission area to create applicable cybersecurity tools, references and guidance. These resources includes:
Events: NIST has also co-hosted a number of events:
Conclusion
Commercial space operations and opportunities continue to grow and provide an engine for our economy and expand our understanding of the world and the universe. Space operations are, by their very nature, fraught with risks that are not present with traditional Information Technology or Operational Technology Systems. The emerging nature of commercial space technologies gives us an opportunity to address cybersecurity risks early and in a broad, integrated way. The timely availability of cybersecurity guidance, efforts alongside industry in standards bodies, sharing of cybersecurity threat information and creation of resilient and recoverable space technologies is a critical part of our support for space missions that contribute to our economy, our security, and our understanding of the universe.
NIST is proud of its role in establishing and improving cybersecurity solutions, standards, guidelines, and other resources, and of the longstanding and robust collaborations we’ve established with our federal government partners, private sector collaborators, and international colleagues.
Thank you for the opportunity to discuss NIST’s activities related to space operations and cybersecurity. I will be pleased to answer any questions you may have.
1 FISMA was enacted as Title III of the E-Government Act of 2002 (Public Law 107-347).
2 Space Policy Directive-5; Cybersecurity Principles for Space Systems. Sept 4, 2020.