US Cybersecurity Efforts for Spacecraft Are Up in the AirUS Cybersecurity Efforts for Spacecraft Are Up in the Air

The cybersecurity of satellites, spacecraft, and other space-based systems continues to lag behind current threats, despite efforts by the National Aeronautics and Space Administration (NASA) to require that contractors shore up electronic protections for the hardware and software provided to the US space program.

The cybersecurity gaps will likely only grow worse as the Trump administration's efforts to deregulate private industry accelerates, and as Elon Musk — the CEO of the largest private space company, SpaceX —  pushes for less stringent requirements for spacecraft and launch-system manufacturers, experts say. The company's lobbyists have already reportedly pushed to disband the National Space Council (NSpC), a group of experts established during the George H.W. Bush administration that develops policies and guidelines for US space programs.

Meanwhile, the United States and its commercial contractors must keep up with an accelerating threat landscape, says Samuel Sanders Visner, a technical fellow at the Aerospace Corporation, a federally funded research and development center, who also serves as chairman of the board of the Space Information Sharing and Analysis Center (Space ISAC).

"Our potential adversaries understand the critical nature of our space systems to our national and economic security, [so] we can expect they will continue to develop the means to hold at risk these systems," he says. "We must redouble our own efforts to stay ahead of adversaries' capabilities."

Related:Credential Theft Becomes Cybercriminals' Favorite Target

And indeed, threats to space-based systems have increased. Russia-linked hackers disrupted satellite communications in Ukraine during the opening months of its invasion, and researchers are concerned about the potential satellite-hacking capabilities of China and Iran.

Because so much of the US space infrastructure now relies on private manufacturers, those organizations need to make sure they meet stringent levels of cybersecurity, says Josh Taylor, lead cybersecurity analyst at Fortra, an automated cybersecurity provider. In July 2024, two Democratic US representatives, Maxwell Alejandro Frost (Fla.-10) and Don Beyer (Va.-8) introduced a bill, the Spacecraft Cybersecurity Act, that would require manufacturers to adopt cybersecurity requirements to supply NASA with spacecraft. No actions have been taken on the bill.

"Spacecraft manufacturers are not proactively doing enough to ensure cybersecurity best practices, as evidenced by the original need for the Spacecraft Cybersecurity Act and the lack of progress in adopting large-scale changes since its proposal," Taylor says. "The delay is particularly concerning in today's heightened threat environment, given the recent renewed attention on supply chain breaches targeting government systems."

Related:Ferret Malware Added to 'Contagious Interview' Campaign

Trump & Policy: Not Politics as Usual

Such legislation may not get much attention in the current political climate. The Trump administration's off-the-cuff approach to setting policy has made the future of the space program — never mind its cybersecurity — a large question mark. While Trump has focused on space-based initiatives in the past — such as establishing the US Space Command in his first administration, and pledging last month to support programs to land Americans on Mars (a Musk pet project) — cybersecurity-focused regulatory efforts will likely face significant hurdles.

The Biden administration made some progress in cybersecurity but failed to require private contractors to commit to cybersecurity plans. In a flurry of eleventh-hour executive orders in January, the Biden administration issued a wide-ranging mandate to boost cybersecurity using contract requirements and the federal government's purchasing power. Among the provisions are stipulations that NASA and other civilian agencies create cybersecurity requirements for government-contracted systems, and inventory the existing cybersecurity protections of the ground systems that support space missions.

Related:Cybercriminals Court Traitorous Insiders via Ransom Notes

Yet the Trump administration has already reversed several of the previous administration's executive orders and regulations in general, and the threat to undo the National Space Council remains real.

"How important is outer space to the new administration? That's still an open question," says Patrick Lin, director of the Ethics + Emerging Sciences Group at California Polytechnic State University (Cal Poly), and a member of the NSpC's User Advisory Group. "Without [the NSpC], we might see a single point of failure, if it's just the White House trying to tackle space policy alone — which already seems low on their agenda and thus may likely be under-staffed."

Regulation Remains in Orbit

Musk, meanwhile, has pushed back on regulations for commercial providers, including SpaceX, the dominant maker of private launch systems and spacecraft. The company accounted for more than half (52%) of 259 worldwide launches in 2024. Before attaching himself to the Trump administration, Musk — and SpaceX — had fallen afoul of environmental regulators and federal reporting standards for handling sensitive information.

A single private citizen has seldom, if ever, wielded as much influence over the US government as SpaceX's Musk, who has been designated a "special government employee" and whose team — the Department of Government Efficiency, or DOGE — has moved to cut specific programs and agencies.

But even without the threat of a private citizen with conflicts of interest cutting NASA's regulatory efforts, boosting cybersecurity for spacecraft is not an easy task.

NASA, a historically popular target of hackers, has focused on organizational and terrestrial cybersecurity, but the focus on cyber protection for space-based systems and communications is relatively recent. In 2019 and 2023, NASA issued its first guidelines to secure spacecraft, such as the Orion Multi-Purpose Crew Vehicle, but has not incorporated the requirements into its acquisition policies, according to a 2024 report by the US Government Accounting Office.

In addition, NASA needs trusted suppliers that also know the provenance of their hardware and software, says Space ISAC's Visner.

"Particular attention should be paid to the increasingly global and commoditized supply chain of hardware and software that comprises our space systems," he says. "Industry should recognize — and it appears many industry leaders do recognize — that the systems they produce for the public and private sectors are potential adversary targets."

Hope Remains for Cybersecurity Moonshot

A few weeks into the second Trump administration, experts are split on whether cybersecurity will be a focus in the push to ramp up the United States' efforts in space.

On one hand, the Trump administration has not stated a policy for current space efforts nor announced initiatives to secure space-based systems, but then NASA already issued a best-practices guide for securing space systems in 2023.

"It's worth noting that Space Policy Directive 5 (SPD-5), which described the principles for the cybersecurity of space systems, was promulgated by President Trump's first administration, while the subsequent Biden administration pursued implementation of this directive," Visner explains. "So, we can expect additional, and perhaps increased emphasis, as the new administration shapes its efforts."

CalPoly's Lin, however, is a bit more pessimistic about the chances for more stringent cybersecurity requirements for space-based infrastructure and the commercial contractors that manufacture components for those devices and vehicles.

"It's really anyone's guess how all this will play out, and that uncertainty doesn't give much confidence that space cybersecurity will be strengthened," he says. "[It] takes real work and coordination — discipline, competence, safety cultures, [and] international and industry cooperation. In the absence of governmental leadership, it may be up to the space industry to watch their own cyber-backs, which unfortunately doesn't bode well for national security."