While often less attention-grabbing than the use of kinetic weapons, cyberthreats are very real and capable of disabling space infrastructure in ways that can have devastating consequences for humankind. States have repeatedly expressed their concerns about the ways in which cyber technology can be used to harmfully interfere with satellite services, highlighting this as a priority to be addressed in the discussions of the open-ended working group (OEWG) established pursuant to UN General Assembly resolution 76/231 on “Reducing space threats through norms, rules and principles of responsible behaviours.”1
Cyberthreats are particularly dangerous to space systems since they are difficult to predict, detect and attribute. The use of cyber for counterspace purposes is relatively more accessible than other technologies: it can be developed much faster than other types of counterspace technologies and it does not require significant resources, as a cyberattack can be carried out by one individual using minimal equipment. These characteristics make cyber a threat that can prove difficult to mitigate.
The OEWG on space threats presents states with an opportunity to find a way to address these concerns. What is the significance of such an opportunity? To answer this question, this essay explores the characteristics and uses of cyber that can pose a threat to space systems; the existing regulations that already contribute to mitigating such a threat; and the specific role that the OEWG can now play to address these concerns.
The Cyber Phantom Menace: What Is It?
Space systems are increasingly critical to modern life. They provide services upon which humankind relies heavily, making life as we know it possible (West and Azcárate Ortega 2022). This ever-increasing economic and strategic importance has incited the development of counterspace technologies capable of destroying or damaging space systems or disrupting the services they provide. Counterspace technologies are not new. States developed an interest in them nearly as soon as humankind took its first steps into outer space (Azcárate Ortega 2021). However, the increased relevance that space technology now has for humankind, coupled with the continued keenness of some states for the development of new and more advanced counterspace technologies, makes these technologies particularly dangerous for modern society (Rajagopalan 2019).
Space infrastructure is vulnerable to a diverse range of counterspace threats.2 Cyberthreats to space systems are often overlooked in space policy discussions (Bailey et al. 2019) in favour of other threats, such as kinetic anti-satellite (ASAT) weapons, which have become especially concerning to stakeholders due to their ability to create debris.3 But cyberthreats also pose a significant danger to space technology that stakeholders cannot ignore.
The use of cyber technology for counterspace purposes seeks to target the data being transmitted by a component of a space system and the systems that use, transmit and control the flow of such data (Harrison et al. 2022, 4–5). Space systems are complex and comprise different components: first, the space segment, which includes satellites and space launch vehicles; second, the ground segment, including satellite dishes, receiving stations and end-user equipment; and, third, the data links in between.4 Any of these components can be targeted using cyber technology in a way that is relatively cheap, fast, and difficult to predict and detect, and can have a large impact radius, which can potentially affect critical infrastructure. These characteristics make cyberattacks an attractive form of counterspace technology, and both states and non-state actors are known to have developed and even tested their cyber capabilities against space systems (Weeden and Samson 2022, 13-01).
Cyberattacks that target space systems can also lead to major loss of data and affect multiple stakeholders, sometimes even those beyond the intended target.
A cyberattack on space infrastructure does not always have the high impact of other uses of counterspace technology, and the harm caused is often reversible. Indeed, the level of disruption sought by the attacker does not necessarily have to be significant. But cyberattacks that target space systems can also lead to major loss of data and affect multiple stakeholders, sometimes even those beyond the intended target (Burgess 2022). They can also have permanent effects if, for example, an attacker seizes control of a satellite’s command-and-control system and causes damage to its sensors. Moreover, some cyberattackers can conceal their identity relatively easily, which makes attribution a difficult task (Harrison et al. 2022, 5).
The silent and discreet nature of cyberthreats to space systems has caused them to go unnoticed and under-addressed by law and policy makers, particularly at the multilateral level. Yet space systems continue to grow in complexity, relying on all-digital components and thus increasingly becoming intermingled with the cyber domain. This environment heightens the danger posed by cyberthreats and therefore needs more attention from the international community.
How Does the International Community Mitigate these Threats?
Many states have sought to regulate cyber weapons variously though the establishment of domestic policies, legal frameworks and even multilateral agreements.5 However, the relationship between cyber and space is not often addressed by these mechanisms.6 At the international level, there are no laws that specifically regulate cyberthreats to space infrastructure. However, the legal and regulatory mechanisms applicable to the space domain provide a certain degree of protection from cyber counterspace assets.
The 1967 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies (OST)7 establishes a series of principles that constitute the basis for space law. Article III of the OST establishes that “activities in the exploration and use of outer space, including the Moon and other celestial bodies, [shall be conducted] in accordance with international law, including the Charter of the United Nations, in the interest of maintaining international peace and security.” This is particularly relevant as it poses a key limitation to the use of cyber counterspace technology: it prohibits the use of force or the threat of use of force enshrined in article 2(4) of the UN Charter,8 with the inherent right of self-defence to an armed attack, expressed in article 51 of the UN Charter, as the only exception to such prohibition. This obligation applies regardless of the weapons employed, therefore limiting the use of cyber technology for counterspace purposes.9
Furthermore, article IX of the OST obligates states to conduct their space operations with “due regard to the corresponding interests of all other States Parties.” Related to this due regard obligation, article IX also establishes the duty of states to carry out international consultations before undertaking activities that might cause harmful interference with those of other states parties. Other states may also request consultations if they have reason “to believe that an activity or experiment planned by it or its nationals in outer space...would cause potentially harmful interference with activities of other States Parties in the peaceful exploration and use of outer space” either prior to or during the performance of the space activity.10
Article IV of the OST establishes the only prohibition against the use of weapons in outer space or against outer space systems, but its scope is limited and has not impeded the development of cyber counterspace technologies. Under this article, states parties “undertake not to place in orbit around the Earth any objects carrying nuclear weapons or any other kinds of weapons of mass destruction, install such weapons on celestial bodies, or station such weapons in outer space in any other manner.” The article also forbids “the testing of any type of weapons and the conduct of military manoeuvres on celestial bodies.”11 Yet the development of weapons other than weapons of mass destruction, including cyberweapons, is not considered by the article.
These space laws were established with the objective of encouraging and maintaining the use and exploration of outer space for “peaceful purposes,”12 rather than to establish limitations on hostile uses of space. As a result, the language of international space law treaties is permissive and open-ended (West and Azcárate Ortega 2022, 3). This, coupled with states’ differing political interests, has led to competing interpretations and definitional issues, which, in turn, have allowed states to develop and test cyber counterspace technologies, thus posing a serious threat to space infrastructure (Rajagopalan 2019, 13). While outer space law may provide certain limitations to the use of cyber technology against space infrastructure, the lack of common understanding regarding the meaning of these concepts — resulting, in part, from a lack of consistent state practice — points to the existence of an important gap that the international community must fill to effectively mitigate cyberthreats.
Members of the international community, aware of the gaps in current space law that need to be addressed to ensure space security, have put forward proposals and engaged in negotiations with the purpose of achieving this goal. A notable example is the 2008 proposal for a draft Treaty on the Prevention of the Placement of Weapons in Outer Space, the Threat or Use of Force against Outer Space Objects (PPWT),13 introduced by the Russian Federation and China, which sought to have states parties undertake “not to place in orbit around the Earth any objects carrying any kind of weapons” and “not to resort to the threat or use of force against outer space objects.”14
That same year, the European Union proposed a draft International Code of Conduct for Outer Space Activities15 to establish a voluntary regime of transparency and confidence-building measures to complement existing regulations applicable to outer space and to enhance the safety, security and sustainability of all outer space activities. None of the measures proposed in the code managed to gain enough support from the international community, but they served to highlight states’ interest in achieving a common understanding on ways to keep outer space secure.
Moreover, in 2013, the UN Group of Governmental Experts (GGE) on Transparency and Confidence-Building Measures in Outer Space Activities adopted a consensus report recommending a series of voluntary measures to reduce military tension in space and to increase transparency. This included measures such as sharing of information and notification of certain space activities.16 While none of the recommendations directly focus on cyber technology, the application of such measures to cyber technology would result in the creation of barriers for the use of cyber for nefarious purposes.
The international community has also undertaken efforts to develop principles, norms and rules specifically for cyberspace. The most recent initiative is the OEWG on Developments in the Field of Information and Telecommunications in the Context of International Security, constituted in 2021 pursuant to UN General Assembly resolution 75/240 of the same name.17 The OEWG aims to build upon the work done by GGEs on this same topic in 2013 and 2015, and to expand on the conclusions adopted in the reports of these GGEs.18 These efforts, however, do not directly address outer space, although they do have indirect implications for the use of cyber technology in the space domain, and point to a desire by the international community to address cybersecurity issues.
In a similar manner, the common denominator of all the aforementioned laws, regulations and proposals focused on space security is that although they may tangentially affect the use of cyber technology for counterspace purposes, they fail to address it head on, thus not effectively mitigating that particular threat to space security. This is something that states can now remedy and that other stakeholders can also foster through their work within the OEWG on Reducing Space Threats through Norms, Rules and Principles of Responsible Behaviours.
A New Hope? The Role of the OEWG
The OEWG, convened under UN General Assembly resolution 76/231 on “Reducing space threats through norms, rules and principles of responsible behaviours,” is tasked with the preparation of a report making “recommendations on possible norms, rules and principles of responsible behaviours relating to threats by States to space systems, including, as appropriate, how they would contribute to the negotiation of legally binding instruments, including on the prevention of an arms race in outer space.”19 This process provides states with a new opportunity to turn their attention to the issue of cyberthreats to space systems and to agree on mechanisms to address them.
The OEWG was constituted a year after resolution 75/36, also on “Reducing space threats through norms, rules and principles of responsible behaviours,”20 which called on states to submit views to the Secretary-General on what activities “could be considered responsible, irresponsible or threatening.”21 The objective of this was to reach a “common understanding of how best to act to reduce threats to space systems in order to maintain outer space as a peaceful, safe, stable and sustainable environment.”22 Thirty states, the European Union and nine non-state actors submitted substantive comments,23 and key elements of states’ submissions were compiled in a report of the Secretary-General.24 This report highlighted cyber capabilities — among others — as a “challenge to the security and sustainability of outer space and as a possible threat to international peace and security.”25
A year later, during its first substantive session held in May 2022,26 the OEWG took stock of the “existing international legal and other normative frameworks concerning threats arising from State behaviours with respect to outer space.”27 States highlighted that despite the existence of these frameworks, cyber technology used for malicious intent — as well as other counterspace technologies — still poses a threat to the peace and security of the space domain, as it can harmfully interfere with space systems and the services they provide.28
States expressed their fears regarding the use of cybertechnology for the purposes of harming or interfering with the services provided by space systems.
The second substantive session, which took place in September 2022, considered “current and future threats by States to space systems, and actions, activities and omissions that could be considered irresponsible.”29 While cyberthreats were not the only focus of the session, states and non-governmental actors expressed that this is an issue of importance that should be addressed.30 States expressed their fears regarding the use of cybertechnology for the purposes of harming or interfering with the services provided by space systems, framing such use as undesirable and irresponsible.31
The second session served to ascertain that the use of cyber for counterspace purposes is a real threat to space systems that states should aim to mitigate. The remaining sessions of the OEWG will allow states to reach common understandings on how precisely to achieve this. Moreover, the participation of non-governmental entities — including commercial actors and civil society — in the OEWG will provide additional perspectives that can bring clarity to the reality of cyberthreats and how these can affect space infrastructure.
Discussions at the OEWG have not been solely focused on cyber technology, nor will they be in future sessions, and therefore neither will the recommendations that OEWG members propose. However, the emphasis with which states have singled out the use of cyber for counterspace purposes serves to highlight the increased awareness of the danger that these technologies can pose to space systems and the services they provide.
It is unlikely that OEWG discussions will result in detailed recommendations on cyberthreats. However, states could agree to declare the use of cyber against space systems for malicious intent as an irresponsible behaviour, as some have already proposed, and provide some general guidelines to mitigate this threat, such as the implementation of certain transparency and confidence-building measures that would make certain forms of cyber counterspace harder to carry out undetected. The OEWG’s awareness of the threat that cyber technology can pose to space infrastructure, and several states’ expressed desire to address it, points to this as a possible result.
The importance of such an outcome cannot be understated, as it could pave the way to clearer state practice regarding the use of cyber technology in relation to space systems, thus serving as an effective foundation for future regulations with a more specific focus on the cyber and space nexus. Norms, rules and principles could be the renewed hope the international community needs to finally bridge the gap between cyber and space security policy making, as their flexible nature makes them a useful tool to build trust and to create common understandings among members of the international community. Because these non-legally binding tools reside in social values and expectations rather than law, they are often easier to develop and to adapt, thus enabling them to evolve alongside technological developments and the diversification of actors and stakeholders (West and Azcárate Ortega 2022, 16).
At the international level, norms, rules and principles may be more amenable to constructive diplomatic discussion in a tense political environment — as space security has been for many years — due to their voluntary nature.32 As such, recommendations resulting from the OEWG process could be ideally suited to curbing potentially harmful uses of cyber technology and to promoting behaviours that mitigate the risk of conflict due to misperceptions and unintended escalation.
However, the non-legally binding nature of norms, rules and principles is also what makes them more susceptible to non-compliance. And monitoring of compliance can be difficult, particularly when it comes to the use of technologies such as cyber, where attribution is not always possible. Furthermore, the flexible nature of these mechanisms, which makes them politically expedient tools, also means that they can crumble and collapse if they are not robust and clear enough and their acceptance is not sufficiently widespread and sustained. When applied to highly dynamic domains, such as space and cyber, constant nurturing and reinforcement of norms, rules and principles becomes a necessity, but this is not always easy to achieve, as they are subject to constant interpretation and enactment (West and Azcárate Ortega 2022, 26–28).
These challenges inherent to non-legally binding mechanisms highlight that, although they are useful tools to build confidence and transparency among stakeholders, they will not be sufficient as a standalone tool to address the threat that cyber technology can pose to space systems. Nevertheless, they play a valuable role in building the common understanding needed for the establishment of legally binding measures. The OEWG on reducing space threats should therefore not be seen as a panacea that will result in definitive solutions to all space security issues, including the use of cyber for counterspace purposes. However, the recommendations for norms, rules and principles resulting from this process are a step toward a more transparent, trusting and secure space environment, where concerns posed by cyberthreats could finally be addressed, creating new possibilities for legally binding regulations in the future.