(Originally appearing in Space Quarterly Magazine, Mar.15th, 2013)
(click here for PDF version)
CYBERSPACE AND OUTER space are merging to become the primary battlefield for global power in the 21st century. Both space and cyberspace systems are critical in enabling modern warfare—for strike precision, navigation, communication, information gathering—and it therefore makes sense to speak of a new, combined space-cyberspace military high-ground. This article will discuss the similarities, key differences, and potential consequences of this.
From the moment Sputnik was launched in 1957, and everyone’s head turned skyward, space has occupied the military high-ground, defining much of the next fifty years of global geopolitics. Space-based systems, for the first time, broke the link between a nation’s physical territory and its global ability to gather information, communicate, navigate, and project power.
In the 1980’s, the rise of advanced ICT—information and communications technology—enabled the creation of the internet and what we’ve come to call cyberspace, a loosely-defined term that encompasses the global patchwork collection of civilian, government and military computer systems and networks. For the same reasons that space came to occupy the military high-ground—information gathering, navigation, communication—cyberspace is now taking center stage.
From a terrestrial point of view, space-based systems operate in a distant realm, but from a cyber point of view, space systems are no different than terrestrial ones. In the last decade, there has been a seamless integration of the internet into space systems, and communications satellites are increasingly internet-based. One can make the case that that space systems are now a part of cyberspace, and thus that space doctrine in the future will be heavily dependent upon cyber doctrine.
The argument can also be made, however, that cyberspace, in part, exists and rests upon space-based systems. Cyberspace is still based in the physical world, in the data processing and communications systems that make it possible. In the military domain, cyberspace is heavily reliant on the physical infrastructure of space-based systems, and is therefore subject to some of the same threats.
Space and cyberspace have several similarities. Both are entirely technological domains that only exist due to advanced technology. They are new domains of human activity created by, and uniquely accessible through, sophisticated technology. Both are vigorous arenas for international competition, the outcomes of which will affect the global distribution of power. It is no coincidence that aspiring powers are building space programs at the same time as they are building advanced cyber programs.
Space and cyberspace are both seen as a global commons, domains that are shared between all nations. For most of human history, the ability of one group of humans to influence another was largely tied to control of physical territory. Space and cyberspace both break this constraint, and while there is a general common interest to work cooperatively in peace, there has inevitably been a militarization in both domains. As with any commons, over time they will become congested, and new rules will have to be implemented to deal with this.
Congestion and disruption are problems in both space and cyberspace. Ninety percent of email is spam, and a large proportion of traffic over any network is from malware, which clogs up and endangers cyberspace. Cyberattacks are now moving from email as the primary vector, to using customized web applications using tools such as the Blackhole automated attack toolkit. Cyberattack by nation-states is now joining the criminal use of spam, viruses, Trojans and worms as deliberate attempts to attack and disrupt cyberspace.
The congestion analogy in space is that entire orbital regions can become clogged with debris. Tens of thousands of objects, from satellites and booster rockets to smaller items as nuts and bolts, now clog the orbital space around Earth. The danger of this was dramatically illustrated when an Iridium satellite was destroyed when it was hit by a discarded Russian booster in February of 2009. The situation can be made dramatically worse by purposely creating debris fields, as the Chinese did when they conducted an anti-satellite test in 2007 using a kinetic kill. Over time, entire orbital regions could become unusable.
Another similarity is that while traditional the air-sea-land domains are covered under the UN—Law of the Sea, Arctic, Climate Change, Biodiversity—outer space and cyberspace still operate under ad-hoc agreements mostly outside of UN frameworks. They both expand the range of human activity far in advance of laws and rules to cover the new areas being used and explored. Because space can be viewed as a sub-domain of cyberspace, any new rules brought into effect to govern cyberspace, will also affect outer space.
If there are many similarities between space and cyberspace, there are some critical differences, the most important being that space-based systems require massive capital outlays, while in comparison, cyberspace requires very little. As James Oberg points out in his book Space Power Theory, the most obvious limitation on the exercise of space power is cost, with the astronomical cost of launch first among these.
Cyberspace, on the other hand, has a low threshold for entry, giving rise to the reality that governance of an extremely high-cost domain, space systems, will be dictated by rules derived from the comparatively low-cost domain of cyberspace. Space power resides on assumption of exceptionalism, that it is difficult to achieve, giving nations possessing it a privileged role in determining the balance of global power. In contrast, cyberspace, and the ability to conduct cyberwar, is accessible to any nation, or even private organizations or individuals, which have the intent.
Another important defining characteristic of cyberwarfare is the difficulty with attribution. Deterrence is only effective as a military strategy if you can know, with certainty, who it was that attacked you, but in a cyberattack, there is purposeful obfuscation that makes attribution very difficult.
To most people, the term cyberwar still has a metaphorical quality, like the War on Obesity, probably because there hasn’t yet been a cyberattack that directly resulted in a large loss of life. In many analysts’ opinions, this is just a matter of time, especially given internet-centric reliance of a modern nations’ critical infrastructure. Cyberwar has already started, and is beginning to gain in frequency and intensity.
The first cyberattack can be traced back to the alleged 1982 sabotage of the Soviet Urengoy–Surgut–Chelyabinsk natural gas pipeline by the CIA—as a part of a policy to counter Soviet theft of Canadian technology—that resulted in a three-kiloton explosion, comparable to a small nuclear device. Titan Rain is the name the US government gave a series of coordinated cyberattacks against it over a three-year period from 2003 to 2006, and in 2007 Estonia was subject to an intense cyberattack that swamped the information systems of its parliament, banks, ministries, newspapers and broadcasters.
In 2011, the McAfee security company revealed a series of cyberattacks, that it dubbed Night Dragon, against Western critical infrastructure companies, most specifically against the energy grid. This is significant because of the Aurora Test conducted by Idaho National Laboratory in conjunction with the Department of Energy in early 2007. In this test, a 21-line package of software code, delivered remotely, caused a large commercial electrical generator to self-destruct by rapidly recycling its circuit breakers, demonstrating that cyberattack can destroy physical infrastructure.
A new breed of sophisticated cyberweapon was revealed when the Stuxnet worm attacked Iran’s Natanz uranium enrichment facilities in June of 2010. It was not the first time that hackers targeted industrial systems, but it was the first discovered malware that subverted industrial systems. A recent game-changer was the August, 2012 Shamoon virus that knocked out 50,000 computers at Saudi Aramco, forcing that company to spend a week restoring global services. Shamoon was significant because it was specifically design to inflict damage, and was one of the first examples of a military cyberweapon being used against a civilian target. It is only a matter of time before a cyberweapon targeting space-based systems is unleashed, if it already hasn’t happened.
It is worth it to back up and explore the core issues surrounding internet security. The internet was originally designed as a redundant, self-healing network, the sort of thing that is purposely hard to centrally control. In the late 80’s it evolved into an information-sharing tool for universities and researchers, and in the 90’s it morphed into America’s shopping mall. Now it has become something that is hard, even impossible, to define—so we just call it cyberspace, and leave it at that.
First and foremost, there is the issue that while everyone runs the internet, nobody is really in charge of it. ICANN— The Internet Corporation for Assigned Names and Numbers—exerts some control, but the World Summit on the Information Society (WSIS), convened by UN in 2001, was created because nations around world have become increasingly uneasy that their critical infrastructures, and economies, are dependent on the internet, a medium that they had little control over and no governance oversight. The issue has still not been resolved. To the libertarian-minded creators of the internet, decentralized control is a feature, but to governments trying to secure nuclear power stations and space-based assets, it is a serious flaw.
A large part of the problem is that we are trying to use the same internet-based technology for social networking and digital scrap-booking, and use this same technology to control power stations and satellites. Not that long ago, critical systems—space systems, power grid, water systems, nuclear power plants, dams—had their own proprietary technologies that were used to control them, but many of these have been replaced these with internet-based technologies as a cost-savings measure. The consequence is that as a result, now nearly everything can be attacked via the internet.
Another problem is that a truly secure internet is not in the common interest of freedom, nor in the interest of software producers—a curious statement, but one that is true. As more of our lives move into the cyber realm, for everything from banking to dating, a truly secure internet would be the same as installing CCTV cameras on every street and inside every home. Privacy is one of the cornerstones of freedom and civil liberty, and a truly secure internet would bring about an end to privacy, and thus an end to freedom—at least in the sense that we understand it today.
When it comes to software producers, while they would like their products to be secure from hackers, they have a competing interest in wanting to able to access their software installed on customers’ machines. They want to be able to collect as much information as possible, to sell to third parties or use in their own marketing, and also to want to update new features into their software remotely. Often, this is to install patches to discovered security vulnerabilities, precisely because code is poorly written to begin with, because they realize they can update it later. This backdoor into software is a huge security flaw—one that companies purposely build into their products—and is one that has been regularly exploited by hackers.
There are many consequences to all this.
The first is that, because we use the same internet-based technology to support both the private lives of individuals and operate critical infrastructure, there will be a perpetual balancing act between these two competing interests when it comes to security. Another is that until the general public really sees cybersecurity as a threat, many of the fixable problems will not be addressed, such as setting international prohibitions on cyberespionage—making them comparable in severity to physical incursions into the physical sovereign space of a nation-state—or forcing software companies to get serious about secure coding practices and eliminating backdoors into their products.
Because of the extremely high value of space-based assets, and because they are already a seamless part of cyberspace, when a major cyber conflict does emerge, space systems will be primary targets for cyberattack. Even if space systems are not directly attacked, they may be affected. There can be no known blast radius to a cyberweapon when it is unleashed. Even the Stuxnet worm, which was highly targeted in several ways, still infected other industrial control systems around the world, causing untold collateral damage.
A more difficult threat to consider than simply denying access or service to a space system through cyberattack is the problem of integrity. In the cybersecurity world, the three things to protect are confidentiality (keeping something secret, and being able to verify this), availability, and integrity of data. Integrity is by far the hardest to protect and ensure. If a cyberattacker, for example, decided on a slow (over time) modification of data in a critical space junk database, they could influence moving satellites into harm’s way.
Over the last fifty years, a comprehensive strategy based around deterrence was developed in conjunction with the idea of space power theory. In the future, a comparable framework and space-cyberspace power theory will need to be developed. Many questions need to be answered, most especially regarding how the international community will establish rules for cyberspace, the definition of rules for cyberwar, proportionality of response, and how to deal with the problem of attribution. Exactly how the developing cyberwar doctrine will affect the way outer space is governed remains to be seen.
About the author
Matthew Mather is the best-selling author of the new cyberwar techno-thriller CyberStorm, and has been a leading member of the international cybersecurity community for many years as the Director of Security Strategies for SecureOps.