Two members of the House have brought forth legislation that would press federal agencies to revisit what policies and programs are in place to help U.S. satellite owners and operators defend against hacks to their systems and assets.
The bill, introduced Friday, would charge the U.S. comptroller general to spend the next two years studying the federal government’s existing cybersecurity support to satellite owners and operators, as well as what more can be done.
That includes looking at where federally owned or operated IT infrastructure may intersect with or depend on commercial satellite networks (like the Global Positioning System) remaining operational and what plans or programs agencies have in place to prevent those hacks or help satellite owners recover quickly. Under the bill, the comptroller general would coordinate the study with the departments of Homeland Security and Defense, the National Institute for Standards and Technology, the Federal Communications Commission, the National Oceanic and Atmospheric Administration and the Federal Aviation Administration.
“We depend on satellites for everything from driving to work to defending our country, yet our space systems are vulnerable to cyberattack, and the commercial satellite industry has been asking for help to protect Americans against this threat.” said Rep. Tom Malinowski, D-N.J. “Our bill directs the U.S. government's primary cyber-defense agency to provide that help."
While satellite cybersecurity has long been a concern in some quarters, it’s receiving heightened attention in Washington after hackers believed to be working for Russia knocked out Ukrainian satellite operations earlier this year by targeting a provider, ViaSat, which also serves U.S. customers.
It also comes on the heels of a Government Accountability Office audit earlier this year that found it was less than clear whether the cybersecurity programs and resources CISA offers critical infrastructure entities in the communications sector (which includes satellites) are effective, and urged the agency to reevaluate its suite of offerings.
In addition to the study, the legislation would also require the director of the Cybersecurity and Infrastructure Security Agency to develop voluntary cybersecurity standards and recommendations for protecting commercial U.S. satellite networks. The bill includes a list of issues lawmakers want to see specific guidance on, including risk-based engineering with continuous monitoring, plans to retain or recover control of satellite operations in the event of a cyberattack, robust physical and digital access controls and supply chain vulnerabilities.
“Last month, reports indicated Russia was likely responsible for a cyberattack on a U.S. satellite communications provider that disrupted Ukraine’s military communications during a pivotal time in the war. As is the case with most U.S. critical infrastructure, the majority of satellites in orbit are operated by the private sector,” said Rep. Andrew Garbarino, R-N.Y. “The Satellite Cybersecurity Act will enable CISA to fulfill its duty as the Sector Risk Management Agency for the Communications Sector and work with private sector owners and operators to mitigate threats to U.S., Ukraine, and other international satellite communication networks.”
The legislation now has sponsors in both houses of Congress. Sens. Gary Peters, D-Mich., and John Cornyn, R-Texas, leaders on the Senate Homeland Security and Governmental Affairs Committee, introduce their own version last month.
