In the midst of international tensions, an incident report published by the private satellite operator Viasat (2022) on March 30, 2022, marked one of the rare public acknowledgments by a private space entity of a malicious cyber activity targeting satellite services. The disruption, which had begun a month earlier, had spread from Ukraine, causing hundreds of thousands of user ground terminals to be disconnected all over Europe. Although temporary, the shutdown of services had significant adverse consequences. Customers were disconnected from their internet access, and a private company that manages and remotely monitors wind turbines for electricity production was unable to receive or transfer any data from the system (Fontez 2022; Reuters 2022).
Similarly, another satellite operator has reported an external disruption targeting its space infrastructure. SpaceX, which operates Starlink, a satellite constellation providing broadband internet access and connecting civilian and military users to software-driven technologies, was involved in tactical operations in conflict zones, as troops were using satellite connectivity to operate drones and use communication equipment (Allen and Titcomb 2022; Miller, Scott and Bender 2022).
Such events are unlikely to remain rare. Drawing on the examples of Viasat and SpaceX, this essay describes how commercial satellite technologies, infrastructure and services are increasingly integrated into military operations and, consequently, the type of cyber and electronic interference to which all system users may be exposed. While non-government operators are developing cybersecurity mechanisms that could reduce vulnerability to such interference or the scope of impact, states must also establish a cyber environment governance system that applies to different stakeholders, including national laws and policy recommendations to foster the legal, political and technical protection of space infrastructure to mitigate future threats.
Commercial Space Assets in Military Activities
Space assets are integrated into almost all military activities, from operational deployments and the tactical use of force, to strategy and decision making. Across these functions, continuous communication and connectivity are key. From the early days of the space age, communication satellites have been among the most essential military capabilities, enabling communication across the globe and far beyond the reach of terrestrial infrastructure, and providing extended autonomy to warfighting units and capabilities deployed over vast areas and remote territories. Today’s modern battlefield requires constant flows of information to support communication; maintain awareness of what is happening across different domains (land, maritime, air); provide location and navigation capabilities; and maintain control over autonomous systems, all of which have increased reliance on space assets (North Atlantic Treaty Organization 2022; Bolder and Chavannes 2020).
Success in this new digital battlefield rests on the ability to maintain command and control (C2) over a vast network of connected systems in order to predict events on the ground, identify objectives, securely transmit orders and organize the means to obtain them, all while using as little time and resources as possible. The continuous flow of information relies increasingly on satellites enabling a connection to software-driven technologies that facilitate the fast transmission and processing of data.
This new operational domain is not only populated by military programs and equipment, but also increasingly involves the use of private sector services and capabilities. The competitive commercial environment provides military advantages. It fosters faster technological progress because industry players must constantly innovate to maintain their market advantage and remain the supplier of choice. This is particularly true of space-based services and capabilities. For example, on the hardware side, small commercial satellites are launched more easily, more quickly and with lower costs and better tolerance for failure risks (Borowitz 2022, 1, 9). Commercial satellites also provide broader global coverage, extending the operational reach of modern militaries over vast geographical areas (ibid., 4).
Today, strategic and tactical equipment and networks are no longer exclusively governmental or military-operated; they increasingly include private commercial entities worldwide. Some of these involve public-private partnerships such as Skynet, a British satellite system set up and managed by a private sector operator specifically to provide communication services in the X band, the portion of the electromagnetic spectrum reserved for military use. Yet military operators increasingly make use of commercially operated space-based communications systems (Bommakanti 2022). The private sector also supplies military actors with services and capabilities central to the C2 of data flows, such as satellite management services including networks, telecommunications, data storage and continuity of information technology services.
This increasingly direct involvement of private space operators in day-to-day military operations is shifting the nature of warfighting. The blurred line between military and civilian infrastructure means that commercial systems — and their civilian users — are more likely to become targets of hostile activities designed to deny or disrupt their use, while introducing new vulnerabilities for military users.
Targeting space infrastructure, whether operated by a national entity or a foreign private operator, could be envisaged as denying a rival’s strategic or tactical advantage during tensions or in times of conflict. For instance, when tensions threaten a national terrestrial network, private actors may deploy equipment in a timely manner to ensure connection to users located in contested areas, regardless of whether the equipment is used for military or commercial and civilian purposes. In doing so, the infrastructure becomes a potential target for harmful interference, which necessarily involves the state from which the commercial operator originates. As a result, private satellite service providers play a significant role in international relations, even though, initially, the state overseeing the space activity may not be directly involved in the tensions over the area.
Space System Vulnerabilities: The New Threats to Private Operators
Because space systems are so central to the C2 of data flows that inform and enable the use of military capabilities, they are an appealing target for disruption. These systems are more than physical hardware; they are themselves networks of components that include satellites and their payloads, the transponders that transmit the signal, ground stations and computer systems, uplink and downlink data flows, and end-user terminals, all of which are digitally connected.1 The network is controlled from ground stations through communications links and signals. Each component and point of connection introduces a vulnerability into the system.
Whether deliberate or unintentional, harmful interferences can remotely disrupt the functioning of systems by stopping communications between infrastructures through the deterioration of the services of the affected system (Acharya 2017, 247–48) or the degradation, obstruction or repeated interruption of a service (Restrepo 2016, no. 1.169). An interference can also directly target the hardware components of a system and subsequently impact the flow of data it enables. As an example, in August 2022, a researcher exposed a vulnerability in the hardware security of Starlink user terminals and showed how to use the electronic components to bypass firmware signature verification and access the network. Through a voltage fault injection attack, the expert managed to compromise the terminal by obtaining root access and subsequently executing arbitrary code and instructions (Wouters 2022). SpaceX (2022) admitted that malicious actors can find vulnerabilities in their terminals and use them to spread cyber interference.
Commercial systems introduce additional vulnerabilities compared to dedicated military systems, which are considered to be more sensitive, requiring better availability of service and more protection measures (Dolman 2015, 318). However, the growing role of private sector operators in conflict zones is strengthening the need to reinforce commercial system security and increase safety requirements to ensure the reliable provision of services.
Viasat and SpaceX: Harmful Interference on the Digital Battlefield
Viasat is a private satellite operator providing satellite broadband services and secure networking systems to both commercial and military markets (Fidelman 2013).2 The cyber interference reported to have taken place in February 2022 appeared to target military users in a zone of tensions. The commercial infrastructure operated by Viasat consists of a network of user terminals composed of individual modems connected to antennas installed outside of customers’ homes and businesses. The antennas are configured to send and receive signals from a satellite operated by Viasat, KA-SAT, operating from geostationary orbit to provide internet connectivity over Europe. Viasat grants access to an internet connection via a ground station that manages the satellite’s distribution of the signal beamed.
Without identifying its source or attributing its origin, Viasat (2022) publicly indicated that the cyber activity disabled ground-based modems that communicate with its KA-SAT satellite, affecting only a single part of the satellite network. In the incident report, Viasat identified a misconfiguration in virtual private network equipment of the ground-based network operated by the company Skylogic and physically located in Ukraine, which allowed for a network intrusion in the trusted management segment of the KA-SAT network. This intrusion made it possible for the malicious cyber actor to simultaneously send instructions to thousands of modems from the commercially oriented portion of the network, triggering a massive denial of service event by creating high volumes of focused, malicious traffic across the network that disrupted communications and disconnected thousands of modems from the infrastructure (Viasat 2022; Burgess 2022).
Viasat claimed that neither the mobility users, composed of aeronautics and maritime customers, nor government users on the KA-SAT satellite were affected by this event. However, based on information provided by ProZorro, the Ukrainian platform on national procurement, experts have identified the KA-SAT network as having provided communication services for the Ukrainian military and security forces, which are necessary for essential C2 functions. Yet the effects of the breach spread far beyond the Ukrainian military, interrupting network connections for civilian users across several European countries, including the Czech Republic, France, Germany and the United Kingdom (Burgess 2022). The disruption included adverse consequences for important civilian systems such as the remote monitoring and control of wind turbines in Germany, leaving around 11 gigawatts of power capacity unsupervised (Reuters 2022).
This is not the only example of harmful interference affecting commercial space operators in the context of military conflict. The Starlink constellation has been reported as being at the forefront of military activities carried out by Ukrainian forces, particularly for the use of unmanned aerial vehicles (Allen and Titcomb 2022; Wadhwa and Salkever 2022). In March 2022, Starlink CEO Elon Musk (2022) declared the constellation had faced a harmful radio interference called “jamming,” along with “hacking,” without providing further details. According to Dave Tremper, director of electronic warfare at the Office of the Secretary of Defense, the vulnerability was fixed with the modification of a line of code in less than a day (C4ISRNET 2022, 6:00).
Albeit different in their nature and operational mode, these two events share similarities and raise questions around the reliability of commercial actors and their potential for providing critical services.
The type of system misconfigurations disclosed in the incident report by Viasat raises the question of whether state actors should rely on the industry to transmit, store and process information and data, or whether they should instead strictly segregate their activities, with private commercial players on one side and military actors on the other, to ensure that their systems are better protected. In other words, military forces could be pushed to rely solely on military systems without private sector involvement to limit vulnerabilities and ensure full infrastructure control. While this strict separation seems to be the ideal solution for maximum safety, it is problematic because such a practice would be extremely costly and logistically and operationally challenging, both in terms of implementation and maintenance. Furthermore, the need for available forces to provide operations and oversight of the infrastructure could be an additional burden to military forces, whereas involving a private operator could ensure the smooth functioning of communications.
These examples also point to the challenge of mounting a state response to such interference. Despite prevailing assumptions, both cases demonstrate the difficulty of attributing the incident’s source. In the Viasat case, the digital infrastructure was disrupted through a vulnerable point of access to the network system through misconfigured equipment, which enabled the hostile actor to use a breach of the setup and infiltrate the system architecture in order to send specific instructions. To prevent attribution, the trail of clues can, to a certain extent, be deleted so that investigators cannot connect the dots and identify the source of the hostile cyber operation. In the Starlink case, the jamming was perpetrated by an actor intending to disrupt, disconnect or degrade the functioning of the constellation. However, it would be extremely challenging to determine who the perpetrator is (Mountin 2014, 179–80). Even if the source of the interference is identified, attributing the harmful activity to a specific entity (governmental or non-governmental) and determining whether they acted alone or on behalf of someone else is not easy. Even though the jamming that overrides and disrupts a signal emanates from a specific location, tracing the material used and obtaining information on the perpetrator is tricky.
Together, these cases point to the importance of prevention, detection and mitigation. The ability of SpaceX to quickly mitigate threats against its network by identifying breaches, understanding a vulnerability and bypassing attempts to fail the infrastructure suggests that strong protection and efficient resiliency going forward may be possible. The challenge that the cyber incident represented for Viasat showed, by contrast, how some disruptions in a network could damage thousands of terminals, which, consequently, could only be restored with a factory reset (C4ISRNET 2022; Viasat 2022). Therefore, while SpaceX has been able to react swiftly and counter the interference in a day, Viasat had to identify the breach, and its thousands of customers could only use the network normally after resetting their individual modems.
Yet, importantly, these examples also suggest that commercial operators may be more aware of the challenge and more willing to engage in better protection and response measures. Viasat’s public reporting of the event was noteworthy. Even more so is the response from SpaceX (2022, 5), which communicated the potential breaches, ranging from the type of network used to the access and authorizations gained, the scale of the breach and the persistence of the malicious cyber activity.
Clearly, industry players must develop resilient systems and meet higher standards of system protection against malicious cyber activity in order to fulfill essential safety and security requirements and minimize network disruptions to both military and civilian users. Yet ensuring the cyber protection of space capabilities cannot be the sole initiative of private actors but must be the result of international decisions and the adoption of national laws and policies.
Conclusion: The Need for State Leadership to Mitigate Cyberthreats
States have the responsibility to take steps to foster broad protection of their nationals from cyber incidents. On the one hand, they can set up strict security conditions for private operators to meet maximum protection requirements and, on the other hand, they can identify all the incidents that could affect space infrastructures according to their nature, use and level of protection. Key entry points must be identified and protected at each level of the space infrastructure and cyberspace.
States can adopt policies to ensure that all actors operating from or through their territories comply with the minimum standards of protection to prevent basic disruptions from happening and provide remediation processes to mitigate harm, as well as implement full recovery measures.
Because some state actors rely on systems owned and managed by commercial operators, they will face a choice between including them in the international discussions on cyberthreats faced by space systems or excluding them from the opportunity to add their voice to the debate. The latter option risks not considering all the interests at stake when trying to find a global agreement on space security issues.
Better coordination would also help. States could establish coordination mechanisms between governmental organizations and non-governmental entities to address serious system breaches and to determine appropriate responses.
During multilateral discussions on the security of information and communication technologies, states suggested setting requirements for appropriate responses in case of a breach and developing cyber incident assessment or severity templates to evaluate and assess vulnerabilities and indicators of potential breaches.3
In this context, the Viasat and Starlink cases illustrate the importance of involving various stakeholders in the multilateral discussions to exchange information on existing and emerging threats and best digital forensics and investigation practices in a malicious cyber incident. Their feedback on the challenges they face while operating space systems would improve the overall understanding of cyberthreats and ways to overcome them.
The author extends a sincere thank you to Jessica West for all her help and advice.