Cybersecurity of Satellites - The Bees in Space
Today there are about 5,465 individual satellites orbiting earth who are responsible for providing critical services such as communication, imagery, and navigation on earth. (Union of Concerned Scientists). Satellites play a crucial part in maintaining global communication and can aid in a variety of earthly activities such as combating wildfires and tracking the consequences of global warming. The number of active satellites in space has increased by 43% since December 2020 mostly due to the growing research and development of satellite-based internet and communication. (Id.) If a network of satellites collapses this will have massive consequences throughout several fields of earthly and outer space activities. Some consequences are more evident than others, but just to name a few, if communication channels fail it would affect overseas military operations, commercial and military aircrafts would not be able to fly and trading on stock exchanges would come to a halt. This article will discuss whether hacking a satellite might constitute an “armed attack” according to the UN charter and why satellites need to be a legislative concern both domestically and in the international community.
Satellite constellations are faced with several external threats such as space debris, solar storms, radiation, and risk of colliding. All these risks may be categorized as accidental. There is however one risk that stems from a deliberate and targeted action, hacking. This threat became especially prominent in the beginning of the Ukraine-Russia conflict when allegedly Russia associated hackers knocked out a privately operated satellite, the KA-SAT network, causing internet modems in Ukraine to stop working, affecting mainly police and military communication. (Pearson, Reuters). The hackers flooded the satellite modems causing them to crash and delete key data to disrupt service. (Id.) What is most concerning is that the attack indiscriminately affected neighboring countries which shows that potential North Atlantic Treaty Organization (NATO) countries could have been collateral. (Id.)
Another regressive consequence of the current geopolitical situation is that satellite operators are reluctant to field test their security systems on satellites currently. The European Space Agency (ESA) has postponed their stress test of satellites due to the Russian invasion due to the risk of unintentionally exposing vulnerabilities. (ESA). One can imagine that this will further slow the development of satellite technology.
In the light of the KA-SAT incident the question arises if hacking a satellite might constitute an “armed attack” and what could the consequences of that be. The UN charter allows for both collective and individual self-defense in the event a country faces an armed attack. (UN Charter Art. 51). The definition of an armed attack is a disputed concept, and the UN countries have different views on what one may be. The term has been heavily argued in the case law from the International Court of Justice, however the terminology is still developing. (Trapp, ICLQ).
There are several arguments as to why a cyberattack against satellites may constitute and armed attack. The NATO glossary of terms defines the meaning of Computer Network Attack as an “action taken to disrupt, deny, degrade or destroy information resident in a computer and/or computer network, or the computer and/or computer network itself.” (AAP-06 Edition 2021, NATO). Given satellite technology is becoming more software based, satellites could be considered a computer connected to a network. (Torrieri, ViaSatellite). This would mean that an attack on a satellite could constitute a cyberattack under NATO’s definition. (Id.) The UN adopted resolution 73/266 on “Advancing responsible State behavior in cyberspace in the context of international security” in relation to which the U.S made a voluntary statement in 2021 which Germany, Norway and Estonia adhered to. (Resolution 73/266, UN). The U.S held that cyberattacks from state or non-state actors that have the same physical effects as “dropping a bomb or firing a missile would” and should allow for self-defense under article 51 of the UN charter (A/76/136, NATO).
Not all countries agree with the U.S statement. For example, Brazil holds that an armed attack needs to be at least attributable to a state. (Resolution 73/266, UN). Brazil also held that cyberattacks performed by non-state actors with “serious consequences” is a concern of criminal liability (Id.) Russia's comment is an interesting one and an anomaly. Russia uses the word “information space” and discusses countermeasures in relation to “internationally wrongful acts”, which does not entail right to self-defense. (Id.) Russia’s use of different words is important to recognize because International customary law can be established via opinio juris. (Cornell Law School). Opinio juris is established when a state “acts as if it was bound” by the international obligation. (Id.) From the commentary one gets the sense that Russia is not willing to adhere to the language or concepts used by the other UN states in relation to cyberattacks. This is most likely because Russia wishes not to be bound by the obligations that cyberattacks can constitute an armed attack, and with the KA-SAT incident in mind, thus making themselves a target. It should be no surprise that Russia continues to play with words, as the devil reads the bible, to try to fall beyond the scope of international obligations. Ultimately, Russia calls for “an in-depth study” of all controversial issues in the realm of “information space.” (Resolution 73/266, UN). The rest of the class just needs to figure out what that means.
Acknowledging that these statements are made within the context of “cyberspace” does not not necessarily entail satellites even though the word space is mentioned. However, these statements illustrate the massive consequences on political stability that a cyberattack against a satellite might have.
Because of the fast development of private satellite operators, the market is becoming more competitive, and companies are looking at how to spend their money more efficiently. Manufacturers are using off-the-shelf components and outsourcing maintenance and software development to cut costs. Some of the technology is also based on open source technology which enables hackers to open back doors in the software. (Akoto, The Conversation).
The saying that too many cooks spoil the soup comes to mind as it will be harder to pinpoint potential security issues and to establish liability when disaster strikes. These issues are interesting in the light of establishing regulation that ensures supply chain liability and enables agreements that deal with minimum quality standards as set by law. In the field of cyberspace, the Tallinn Manual 2.0 is a non-legally-binding scholarly work that provides objective restatements of international law applicable to cyber operations. (CCDCOE). The manual has in Article 60 set an embryo for the future progress of setting guidelines that cover satellites as well. Unfortunately Article 60 only regulates liability, which has long been the main theme for space regulation (Verco, Anu Jolt).
It’s clear how mankind will benefit greatly from the services that satellites provide, and we have yet to explore all the possibilities. Because we both as individuals and as a collective are relying on these critical services that satellites provide, a loss of these services - health, environment and life can be at stake. Given the gravity of these potential consequences, there needs to be more stringent and clear provisions on the operators and the satellites we propel into orbit. It’s also a question of peacekeeping because if we continue down the path of rapid expansion and profit seeking without due regard to cybersecurity requirements, we might end up having a vulnerable critical infrastructure in orbit that, in the event of an attack, might further worsen the geopolitical situation we are already facing. Without clear and predictable legislation, the satellites might as well be regarded as bees in the sky whom, if attacked, stings back.