A bipartisan group of lawmakers recently introduced the Space Infrastructure Act, which pursues a recommendation made by the Cyberspace Solarium Commission 2.0 to designate space as the 17th U.S. critical infrastructure sector. While it’s encouraging to see Congress considering this issue seriously, designating space as a critical infrastructure sector puts form over substance and would not actually address the risk posed by adversaries like China and Russia or from natural phenomena such as space weather. This legislation would only harm the rapidly evolving space industry and further dilute the limited government resources directed at ensuring the security and resilience of our nation’s critical infrastructure.
It is indisputable that the space domain is both increasingly contested by our adversaries and relied upon for commercial and national security activities. In fact, infrastructure applications that utilize services from space are now nearly ubiquitous, with space systems—such as satellites and ground stations—providing essential communications and positioning, navigation, and timing.
Despite their importance and prevalence, space systems do not and should not comprise their own critical infrastructure sector. To put it simply, there is no critical infrastructure function or service performed in space that does not already exist within one of the 16 extant critical infrastructure sectors, such as communications, transportation, information technology, and government facilities.
That said, the increased visibility of threats to space systems, especially those posed by cyber operations, should spur Congress to pay closer attention to America’s space infrastructure. As the Cyberspace Solarium Commission 2.0 rightly made clear, space systems represent a logical collection of assets, systems, or networks, the disruption of which would have debilitating effects on the nation.
Unfortunately, the Commission’s proposed legislation, the Space Infrastructure Act, ignores existing policies and frameworks that prioritize and address the risks to space systems: from Presidential Policy Directive-21 (PPD-21) and Critical Infrastructure Security and Resilience (February 2013) to Space Policy Directive-5 Cybersecurity Principles for Space Systems (SPD-5) and the National Space Policy (September 2020).
PPD-21 is the foundational executive branch policy for critical infrastructure. It identifies the 16 different critical infrastructure sectors and guides the government’s approach to the security and resilience of those sectors. It aims to promote a more coordinated and holistic approach to managing both physical and cyber threats to critical infrastructure and to provide a process to mitigate risks.
SPD-5 defines space systems and establishes principles for the U.S. government’s approach to the cyber protection of space systems. In addition to cybersecurity-informed engineering, SPD-5 highlights the need for space system owners and operators to establish cybersecurity plans that incorporate capabilities to ensure they can retain or recover positive control of space vehicles.
Lastly, the National Space Policy establishes the framework for the protection of space systems and countermeasures for any deliberate interference with U.S. space systems. Indeed, the policy even goes so far as to explicitly include space systems that provide infrastructure services.
On this broad policy basis, the U.S. government has already established a critical infrastructure cross-sector working group for space systems and a space-focused Information Sharing and Analysis Center (ISAC). This cross-sector working group includes existing sectors relevant to space, including Commercial Facilities, Communications, Critical Manufacturing, Defense Industrial Base, government Facilities, Information Technology, and Transportation Systems.
Those calling for space systems to be designated as the 17th critical infrastructure sector are hoping that the designation will compel a growing private industry of satellite operators to better protect their networks and stimulate policy, legislation, and stakeholder attention, resulting in more resources to secure space systems.
But these views are misguided about what such a designation would enable. Instead of placing a higher prioritization on space systems and opening the door for new pots of federal funding, the designation would only serve to further dilute policy prioritization and resources. Creating a 17th sector does not guarantee Congress will appropriate more funds or that DHS will prioritize infrastructure any differently from how it operates today—making everything a priority simply means nothing is a priority. Indeed, the designation would effectively silo support for space systems, thus hindering the essential coordination and interplay that typically takes place between domains to achieve effective results.
A Better Approach
From a resilience perspective, the United States would be better served by ensuring the performance and delivery of the goods, services, and functions provided by critical infrastructure rather than attempting to protect the infrastructure itself. Take the critical infrastructure for communications, for instance. Focusing on a singular domain, technology, or location—say, space—of communications capabilities inherently carries more risk because it leads directly to the fracturing of our security systems and creates precisely the sort of gaps in coverage that our enemies are seeking to exploit. Rather than distinguishing space as its own sector and thus dividing it from communications, a better solution would be to let the risks to space systems that provide communications capabilities be addressed by the communications sector itself.
In short, rather than adding another critical infrastructure sector, a better approach is rooted in the implementation of existing policy, thus minimizing the expansion of our enormous bureaucracy and preventing the addition of yet another institutional burden for taxpayers.
Congress could take the first step in following this approach by introducing meaningful legislation to shore up the security and resilience of the goods, services, and functions critical infrastructure provides. For example, Congress could compel the Department of Homeland Security (DHS) to reformulate its initial, poor attempt to shift the paradigm from critical infrastructure sectors to critical functions into something more functional and useful. Congress could also propose legislation governing the development and use of a national risk register to identify the most significant risks to critical functions, thus enabling DHS to prioritize and update its efforts. This could be used to justify appropriations requests and allow DHS to address vulnerabilities in collaboration with the private sector.
Lastly, Congress should push DHS to become more than an information redistributor for infrastructure security breaches. Their operational role and relationship to the private sector must be clearly defined, and performance objectives and goals must be explicitly identified and assessed for achievement. Congress has, by and large, already granted DHS the authority to act and provided more than sufficient funding to improve the security and resilience of our nation’s critical infrastructure. The next step is to hold the Cybersecurity and Infrastructure Security Agency accountable by tying funding to specific outcomes and conducting meaningful oversight. In doing so, Congress can help DHS and—and especially CISA—to get out of their own way and advance critical infrastructure security and resilience.
In sum, the federal government must figure out how to drive innovation and spur private-sector competition in space. Specifically, Congress should push the private sector to provide new and additional capabilities that deliver critical goods and perform key services. The private sector, in turn, should attempt to serve consumers by improving security, resilience, and efficiency—a win for the businesses, the taxpayers, and the nation.
This piece originally appeared in Space News