INTRODUCTION
The space sector comprises a wide range of activities encompassing exploring space which includes sending space crafts, satellites, and astronauts mainly for studying & understanding the cosmic phenomena and their moments. Satellite technology also plays a vital role in communication, weather forecasting, navigation of the Global Positioning System (hereinafter referred to as ‘GPS’), earth observation, and scientific research. They orbit the Earth and provide valuable data for various applications.
Space-based applications consist of satellite-based services such as telecommunication, remote sensing, climate monitoring, and disaster management. For example, weather satellites help to predict storms, while earth observation satellites watch & monitor deforestation and urban city growth.
National Aeronautics and Space Administration (hereinafter referred to as ‘NASA’), European Space Agency (hereinafter referred to as ‘ESA’), India Space Research Organization (hereinafter referred to as ‘ISRO’), China National Space Agency (hereinafter referred to as ‘CNSA’), and Japan Aerospace Exploration (hereinafter referred to as ‘JAXA’) are all Governments organizations while there are also private companies such as SpaceX, Pixxel, Blue Origin, Agnikul Cosmos, Virgin Galactic, etc. These organizations are the major stakeholders in the space sector across the globe.
The sole purpose of these organizations are to push the boundaries of human knowledge, expand our understanding of the cosmos, and drive technological advancements that have far-reaching benefits for society. Additionally, private companies bring innovation, competition, and commercialization to the space industry. They contribute to reducing the cost of space access, developing reusable launch systems, providing Earth observation data for various applications, and making space travel more accessible to individuals and researchers, resulting in fostering a dynamic and diverse ecosystem in space exploration and technology development.
The reliance on space-based sector has come to the forefront as it is been growing rapidly, and it becomes critical for ensuring their security from cyber-attacks. There is evidence that cyber-attacks have existed on every platform, and such data is further exposed on the dark web. Surprisingly, these attacks are not only targeted to the traditional digital platforms but also exist in the space sector.
REASONS FOR PROTECTING THE SPACE DATA
Cyber-attacks mainly disrupt satellite communication, navigation systems, and even compromise sensitive data. Space images captured by telescopes, satellites, and rovers provide valuable scientific insights. They help astronomers study distant galaxies, monitor Earth’s climate, track natural disasters, and explore other planets. High-resolution images reveal details about planetary surfaces, atmospheric conditions, and celestial events.
Firstly, the focus areas and objectives of space cybersecurity revolve around safeguarding space assets, infrastructure, and operations from cyber threats. This includes protecting satellites, spacecraft, ground stations, and communication networks from unauthorized access, data breaches, and malicious attacks. Ensuring the integrity, confidentiality, and availability of space data is essential to maintaining the functionality and reliability of space-based systems and services.
Secondly, the need to protect space data and information stems from its critical importance in various domains. Space data is utilized for communication, navigation, weather forecasting, Earth observation, scientific research, and national security purposes. It contains valuable insights, sensitive information, and proprietary technologies that, if compromised, can have far-reaching consequences. For instance, a cyber-attack targeting satellite communication systems can disrupt global communication networks, impacting businesses, Governments, and individuals worldwide. Similarly, the loss or manipulation of Earth observation data can hinder disaster response efforts, environmental monitoring, and climate studies.
Thirdly, space data protection is vital for preserving scientific integrity and innovation. Space agencies and research institutions collect vast amounts of data from space missions, telescopes, satellites, and rovers. This data is used for scientific research, exploration of celestial bodies, studying cosmic phenomena, and advancing our understanding of the universe. Protecting this data from unauthorized access, tampering, or exploitation is crucial for maintaining the credibility of scientific findings, promoting innovation, and encouraging further exploration and discovery in space science and astronomy.
Therefore, protecting space data is not only essential for ensuring the operational continuity and functionality of space systems but also for safeguarding national interests, economic activities, and societal well-being that rely on space-based technologies and services.
RISKS AND THREATS
The digital expansion into space has heralded a new era fraught with emerging cyber threats, presenting unprecedented challenges that demand attention.
As per NASA’s published data from 2021, spanning the period from 2017 to 2021, the esteemed space agency encountered a staggering number of cyber incidents, totalling over 6,000 cyberattacks. This significant figure underscores the escalating challenges posed by cyber threats within the realm of space exploration, satellite operations, and space-based services. The growing reliance on digital technologies in these domains has markedly increased the vulnerability of organizations like NASA to malicious cyber activities, necessitating robust cybersecurity measures to safeguard critical space assets and operations.
In the year 2022, an American space company Viasat fell victim to a cyberattack of notable sophistication. This cyber assault specifically targeted its KA-SAT network, bringing to light the immediate vulnerability not only of satellites but also of their interconnected systems. The repercussions of this disruptive attack were felt across Europe, causing widespread disruption and raising concerns about potential state-sponsored involvement. This incident underscores the urgent imperative for implementing robust cybersecurity measures within the space sector to mitigate such threats and safeguard critical space assets and operations.
In 2023, Boeing, a prominent American space company renowned as one of the world’s largest and most significant aerospace and defense contractors, encountered a severe cyberattack designed by the Lockbit cybergang. The attackers issued a dire threat, stating that unless Boeing met their ransom demands, they would proceed to release all the sensitive data they had illicitly acquired from the esteemed U.S. plane maker.
These are the recent events where the space companies’ scandalous cyber assault and having robust cybersecurity measures are essential not only for safeguarding the reliability and functionality of space-based infrastructure but also for upholding the integrity and security of interconnected global communications.
ISRO AND CYBERSECURITY THREATS
In the year 2023, during the 16th C0C0N cyber-conference, the Chairman of the esteemed ISRO, revealed alarming statistics indicating that ISRO’s intricate networks face a staggering influx of over 100 cyber-attacks daily. These persistent attacks predominantly target the domain of rocket technology, an area heavily reliant on state-of-the-art software solutions and sophisticated chip-based hardware architectures.
In response to these escalating threats, ISRO has diligently fortified its defences with a resilient cybersecurity infrastructure designed to shield its invaluable assets. This comprehensive approach encompasses meticulous examinations of software components and meticulous verification processes ensuring the utmost safety and security of hardware chips integrated within their cutting-edge rockets.
In the year 2019, ISRO confirmed alarming reports regarding a significant malware attack. The National Cyber Coordination Centre received intelligence indicating a severe breach of master “domain controllers” at both the Kudankulam nuclear plant and ISRO by an elusive and malicious “threat actor.” The malware responsible for this breach was identified as Dtrack, a highly sophisticated cyber tool attributed to a North Korean hacker group.
Despite recognizing the persistent threat posed by cyber-attacks, ISRO asserts that their systems have remained uncompromised thus far. The CASI report sheds light on China’s array of counter-space technologies, encompassing direct-ascent kinetic-kill vehicles (anti-satellite missiles), co-orbital satellites, directed-energy weapons, jammers, and cyber capabilities. These technologies are strategically aimed at challenging adversary space systems across various altitudes, from ground level to geosynchronous orbit (hereinafter referred to as ‘GEO’).
CYBERSECURITY STRATEGIES AND SOLUTIONS
1. Technical Measures
This includes implementing encryption protocols to secure data transmissions, deploying firewalls and intrusion detection/prevention systems to monitor and block unauthorized access attempts, using secure boot processes and firmware validation to prevent tampering, and employing secure coding practices to minimize vulnerabilities in software.
2. Cyber-Hardened Design
Designing satellites with cybersecurity in mind from the outset involves integrating security features at the hardware and software levels. This may include hardware-based security modules, secure communication protocols, and tamper-resistant components.
3. Défense-in-Depth Approach
Layered security measures, known as defines-in-depth, involve multiple security controls at different layers of the system. For example, combining network segmentation, access controls, encryption, and monitoring creates a defence against various cyber threats.
4. Quantum Computing Countermeasures
Developing a quantum secure verification platform to counter the threat posed by quantum computing, ensuring the ongoing security of space systems against evolving technological challenges.
ROLE OF DATA PRIVACY IN SPACE SECTOR
1. Foundation for Future Technologies
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDP Act’) lays the foundation for various other laws and acts cornerstone for future technological developments in India. It aims for the adoption of emerging technologies such as Artificial Intelligence (hereinafter referred to as ‘AI’) while safeguarding personal data. Not only does it provide a framework for Digital India, but it also paves the way for industry-specific regulations concerning privacy and data protection.
This legislation is designed to enable India’s embrace of cutting-edge technologies like AI while simultaneously ensuring the protection of personal data. It reflects a crucial balance between technological advancement and safeguarding individual’s privacy rights.
2. Data Privacy in Space Operations
Applying principles of the DPDP Act involves sensitive data like satellite communication and remote sensing, requiring strict privacy measures to prevent unauthorized access. Organizations in space activities must comply with the DPDP Act’s and its subsequent rules on data collection, processing, and storage, ensuring data integrity and confidentiality.
3. Mandatory Reporting Data Breaches
The DPDP Act mandates data fiduciaries, responsible for collecting and processing personal data, to report data breaches promptly to the Data Protection Board. This reporting requirement encompasses all types of cyber incidents, irrespective of their material impact, aiming for swift response and effective mitigation measures in the event of breaches.
4. Cybersecurity Collaboration
Collaborating with cybersecurity experts and agencies is crucial in the space sector. This partnership involves assessing and mitigating cybersecurity risks, implementing proactive measures, and responding effectively to threats and incidents. By working together, organizations can enhance their cyber resilience and protect sensitive data and space assets more effectively.
REGULATORY COMPLIANCE IN INDIA AND OUTSIDE
A. INDIA
i. Indian Space Policy 2023
The Indian Space Policy 2023 is a comprehensive framework aimed at unlocking India’s potential in the space sector by encouraging increased private participation. Its key objectives include enhancing space capabilities, fostering commercial presence, driving technology development, and promoting international collaboration. Compliance with this policy is crucial for all stakeholders, including government entities, private companies, and startups, to align with India’s strategic goals and leverage opportunities in the evolving space landscape.
ii. Indian National Space Promotion & Authorisation Centre (‘IN-SPACe’)
IN-SPACe plays a pivotal role in the space sector by granting authorizations to entities. Compliance with IN-SPACe entails obtaining essential permissions for a wide range of space-related activities, ensuring adherence to regulatory requirements, and fostering responsible engagement in India’s space endeavours.
iii. Foreign Direct Investment in Space Sector
The Union Cabinet in 2024 approved amendments to the Foreign Direct Investment (hereinafter referred to as “FDI”) policy for the space sector, allowing 100% FDI through an automatic route. Specific sub-sectors like satellite manufacturing, operation, data products, and ground segments have liberalized entry routes, with up to 74% FDI under the automatic route and government approval required beyond that. Launch vehicles and associated systems or subsystems allow up to 49% FDI under the automatic route. The creation of spaceports also falls under this liberalized FDI policy.
iv. Data Sharing Agreements
Under the DPDP Act, businesses must obtain consent before collecting or using personal data, including data associated with space activities, highlighting the importance of data-sharing agreements in ensuring compliance and protecting individual’s privacy rights.
B. BEYOND INDIA
i. Europe
The General Data Protection Regulation (hereinafter referred to as ‘GDPR’) which applies within both the European Union (hereinafter referred to as “EU”) and the European Economic Area (‘EEA’), establishes rigorous guidelines for data protection. It affects all entities involved in managing the personal data of residents from the EU/EEA, extending its reach to encompass activities in the space sector as well.
ii. United States
In the United States, data privacy laws exhibit variability across states. Space companies may find themselves subject to regulations such as the California Consumer Privacy Act, 2018 (hereinafter referred to as ‘CCPA’) and other state-specific statutes based on their operational scope.
AMLEGALS REMARKS
It is critical and imperative to have robust and protective software tools that prevent cyber-attacks. Safeguarding space systems against cyber threats necessitates a multi-faceted approach encompassing technical measures, cyber-hardened design, defense-in-depth strategies, and quantum computing countermeasures.
Implementing encryption protocols, firewalls, intrusion detection systems, and secure boot processes fortify data security and prevent unauthorized access. Designing satellites with built-in cybersecurity features, employing layered security controls, and integrating quantum computing countermeasures ensure robust protection against evolving technological challenges. A comprehensive and proactive security framework would be maintaining the integrity, confidentiality, and availability of space systems in an increasingly complex and interconnected digital landscape era.
In the Indian context, the DPDP Act plays a crucial role in regulating data handling and ensuring privacy protection within the space sector. Simultaneously, the liberalization of the space sector, allowing 100% FDI through the automatic route, marks a significant step forward.
To effectively safeguard sensitive data and space assets, it is imperative to prioritize the implementation of advanced encryption protocols, intrusion detection systems, and strict access controls through timely laws and policies. Collaborative efforts among space agencies, private entities, and regulatory bodies are essential to establish standardized cybersecurity protocols while aligning with the provisions of the DPDP Act. This proactive approach is vital for maintaining the integrity, confidentiality, and availability of space systems amidst the complexities of an interconnected digital landscape.
– Team AMLEGALS assisted by Mr. Sahid Sadik (Intern)
For any queries or feedback, feel free to reach out to mridusha.guha@amlegals.com or liza.vanjani@amlegals.com