After Russian military hackers knocked much of Viasat‘s KA-SAT network offline at the start of the invasion of Ukraine, U.S. intelligence officials were so concerned about the threat to other satellite operators that they organized an unprecedented briefing for company executives. Although it was classified, executives without a security clearance were given a temporary one so they could attend.
“It was a milestone moment,” said Erin Miller, executive director of the Space Information Sharing and Analysis Center, which facilitated the briefing. A “significant number” of temporary clearances, known as “one time read-ons,” were issued to members of the Space-ISAC, she told a CyberLEO conference panel on May 13.
“We had people who were not cleared who were invited to the discussion, people who would normally never have had access to that [classified] information,” she said.
The briefing was pulled together under the leadership of Dr. Stacey Dixon, principal deputy director of national intelligence, a U.S. intelligence official confirmed to Via Satellite. The agencies briefing included the FBI and the National Air and Space Intelligence Center, according to Kevin Coggins, a Booz Allen Hamilton vice president and board member of Space ISAC.
“The U.S. government took people that do not have a security clearance, and said, ‘Today, you do,’” Coggins told the panel. “That’s huge, you probably never heard of that being done before.”
Speaking later to Via Satellite, Coggin called the decision to issue the temporary clearances “unprecedented.”
“The intelligence community said, ‘You have a need to know because you operate in the space domain. You might not have government contracts, but you’re part of the space ISAC and the space community, and we need you to know these classified threats and behaviors we’re seeing, because we want you to be able to defend against them.’”
The briefing, Miller told Via Satellite after her panel, followed “a surge of attacks on space systems happening this year” — implying there were other attacks in addition to the known ones against Viasat’s KA-SAT network and Starlink. Miller declined to comment further, citing the classified nature of the information. “There have been multiple attacks on space systems this year, and if I were to detail out any of the specifics, I think that’d be crossing the line,” she said.
Although the briefing demonstrates an unprecedented effort by U.S. intelligence officials to provide access to classified data for private sector owners of vital space infrastructure, it also illustrates a fundamental disconnect between national security satellite operators and the cybersecurity community.
It’s a basic principle of cybersecurity best practice to publicly share details of an attack as quickly as possible. Hacking tools like malware are automated and designed to scale fast, so it’s rare that there is a single victim organization of any particular attack. Sharing technical data, known as indicators of compromise, allows other potential victims to check whether they have also been hit by the same cyberweapons.
In the case of the Viasat hack, researchers at Sentinel Labs analyzed the malware used against the KA-SAT terminals, which they dubbed AcidRain. AcidRain was “generic and reusable” — a general purpose tool for attacking embedded Linux systems.
To cyber practitioners, that shows that the universe of potential victims was very large — much wider than the audience at the Space ISAC briefing.
“If it’s classified, it isn’t sharing, sorry,” Niv Davis, cybersecurity director for Ericsson, told the session from the floor during a lively Q&A with the panelists. “That’s exactly the wrong direction.”
Davis criticized the membership model of the Space-ISAC, and counterparts like the Aviation-ISAC, which restrict the circulation of most of its information-sharing products to members only.
“It’s too close, it’s not public enough, you don’t do enough publications for the public like you do for your members,” Davis said, urging them to take a leaf out of the books of U.S. government agencies like Cybersecurity and Infrastructure Security Agency (CISA), which he said had undergone an “amazing evolution by publishing so much information openly. This is an amazing change of paradigm.”
Miller said that information was shared by the Space-ISAC using the Traffic Light Protocol (TLP), in which Red products are restricted, Amber can be circulated on a limited basis, Green items can be shared with all members, and White is cleared for public release. The member or partner organization contributing the information gets to decide how widely it is shared, which was an essential prerequisite to member’s willingness to share in the first place, she said.
“There’s a trust factor within all these [information-sharing] communities that are being built,” she said. Using the TLP meant that companies could share information about being hacked with confidence that they were helping the rest of the community while reducing any reputational damage. “They have to have the ability to control that information,” she said.
Space-ISAC was issuing three to five alerts a day to its members, she told Via Satellite later. These are bullets that let members know how to protect their systems. The alerts are generated either by the Space ISAC intelligence team, or by CISA, Defense Information Systems Agency (DISA), or other government agencies.
She explained that Space-ISAC used information sharing standards called Structured Threat Information eXpression and Trusted Automated eXchange of Intelligence Information (STIX and TAXII) to produce machine-readable alerts that could be automatically — and almost instantaneously — incorporated into cyber defenses. STIX is a format for recording threat information in a standardized way so it can be easily shared. TAXII standards define how the sharing takes place.
“There’s a theme here,” she said of the discussion at CyberLEO, “which is that we’re finally embracing this idea that you build a community and the community works together and is stronger together, more secure together. At Space-ISAC, we do it in a digital fashion, so we’re able to share information more quickly and use it more efficiently.”
While stressing that classified information is generally classified for good reasons, Coggins acknowledged that classification can be a barrier to information sharing, especially in the cyber domain.
“Imagine if you had a neighborhood watch, but the people with the best ability to watch the neighborhood weren’t allowed to tell all the neighbors what they were seeing.” He said that in such situations, the government can issue advice, without necessarily explaining why. “You have to figure out, what can I tell them? I can tell them they ought to put a deadlock on their front door, but I can’t tell them why, I can’t tell them about the threat.”
Acknowledging the disconnect, panelist Bruce Chesley, a former Boeing executive, said that a cultural shift is needed, but not necessarily a large one.
“The space culture and the space enterprise grew up in parallel with the cyber culture and the cyber enterprise. Figuring out ways to bridge that gap, giving space and cyber and software people the ability to talk together and build those relationships is a key way to build that collaboration.”
Read more coverage of CyberLEO:
Space Development Agency Director Tasks Industry for Cyber Solutions
LEO Operators and Manufacturers Wrestle with Supply Chain Cybersecurity
Space Force Offers Free Cyber Scanning to Commercial Satellite Vendors
NASA Official Speaks to Cybersecurity ‘Language Gap’ in the Agency