Securing Cyberspace in Space Systems -The Value of Information Security in Space Power
Securing Cyberspace in Space Systems: The Value of Information Security in Space Power
Securing Cyberspace in Space Systems: The Value of Information Security in Space Power
Securing communications via cryptography has been around far longer than the computer has been, in fact most of the earliest documentation on ciphers and encryption are dated back to ancient history, most prominently the Caesar Cipher (Holden, 2017). The Caesar Cipher worked by shifting a letter a number of spaces in the alphabet (Military Dispatches Editorial, 2024). So a Caesar Cipher with an offset of 3 made the letter ‘A’ become the letter ‘D’, therefor ‘Apple’ became ‘Dssoh’. While this was effective in the ancient world, better techniques became required. A more modern example is during WWII where the German Enigma machines instituted a complex electro-mechanical device to encrypt their messages and made them nearly unbreakable (Military Dispatches Editorial, 2024). Assuming the historical necessity is carried forward to modern day, we would expect one of the backbones of military communications, space systems, would require the same level of secure communication.
Background
Clausewitz had come up with the theory around the “fog” and “friction” that is found in war (von Clausewitz, 2008). An important factor in the friction of war was the lack of information surrounding the enemy, the elements that cannot be easily measured when in the planning phase. It is what distinguishes what Clausewitz considered “real” war versus that of war “on paper”. Reducing the friction in war reduced the possibility of Clausewitz’s version of “chance” playing a part and allowing for operations to go as closed to planned as possible. To this end, Clausewitz stated that “accurate recognition” was one of the biggest frictions in war and that accurate intelligence is what increases accurate recognition (von Clausewitz, 2008).
While the “logic” of strategy used to define national power may be pointed out as a “Delta” configuration consisting of the Military, Economic, and Political points, the Pentagon has routinely used DIME (Diplomatic, Information, Military, and Economic) as a way to describe the core elements of national power (Ziarnick, 2015). Space power theorists have used DIME to extend their definition of Space Power Theory (SPT). It would be hard to find a situation in which the Military, Diplomatic, or Economic instruments of national power could exist without the Information instrument. Our modern world has made sure that the overwhelming majority of information is processed digitally, and nefarious actors look to exploit cyberspace. The complexity of cyberspace cannot be understated, the Pentagon has had 13 separate definitions (as of 2014) of cyberspace and this will likely increase as the landscape becomes ever more complex and developed (Singer, 2014). Another issue compounding this problem is the leaders responsible for creating laws and regulations around cyberspace did not grow up using computers, many don’t understand that if you have access to the internet, then it also has access to you. Adding in the complexity that is space systems on the already complex topic of cyberspace further exponentiates this problem of fundamentally grasping the various computer, electrical, physics, astronomy, engineering, mathematical, and cryptographic fundamentals needed to understand the system they are responsible for protecting.
The Gulf War in 1991 was widely believed to be the first “Space War” due to the advantages gained and the power projected through space in a foreign territory (Ahumada & Del Canto Viterale, 2024). At the time, satellite communications was little understood by the Iraqi forces and thus there was no effort to intercept any communications, regardless, the going concern of satellite communications was the complexity in the system was the security, prioritizing function of the satellite instead (Ahumada & Del Canto Viterale, 2024). This had drastically changed and by the time U.S. Forces had returned to Iraq, the remnants of the Iraqi Republican guard were spoofing American guided missiles to miss their targets with a decoy device built in China for only $25 (Pillsbury, 2016). One of the 5 major areas of Space Hybrid Operations is Cyber Operations (the rest being; Directed Energy Operations, Orbital Operations, Electronic Operations, and Economic Operations (Ahumada & Del Canto Viterale, 2024)), yet as has been pointed out by Satellite Cybersecurity researchers, little attention is paid to the topic (Schalk et al., 2022). This has led smaller, less developed countries like Iran and North Korea have the means to attack our space systems via antagonistic cyber operations.
Adversarial Threats to Space Systems
Space systems as defined by space cybersecurity researcher, Gregory Falco, are “the assets that exists in suborbital or outer space or ground control systems, including launch facilities for these assets” (Falco, 2019). Space systems are the backbone of Command, Control, Communications, Computer, Intelligence, Surveillance, and Reconnaissance (C4ISR) capabilities for the military. Adversaries aiming to “level the playing field” against great powers have strong incentives to undermine these capabilities by damaging space systems (Pavur, 2021, p. 20). China has already implemented this strategy in their People’s Liberation Army (PLA) Strategic Support Forces (SSF) and have single responsibility for both counter-space weapons and offensive cyber operations (Pavur, 2021, p. 21). This is rather telling of the belief the Chinese have. This can only be interpreted as space and cyber being so necessarily interlinked that a single responsibility of command for both needs to be granted to a single authority within their military apparatus. China knows that America is highly dependent on its space systems and it is viewed as a critical system to attack to remove American power (Pillsbury, 2016). Without space systems America loses its GPS, surveillance, guided missiles, unmanned drones, and a lot more. China has even invented parasitic drone satellites that can attach to American satellites to either disable them or steal its information (Pillsbury, 2016).
Table 1. Types of Counterspace Capabilities (Fanning et al., 2024)
It could be stated that a cyber threat is no greater than a kinetic, non-kinetic, or electronic attack, but there is quite a large difference in the ends which leads one to believe that cyber will always be the first means of attack on a space system as viewed in Table 1. Firstly, kinetic attacks will require physical actions with known states or organizations that would be responsible for (or easily deduced as responsible) the attack and couldn’t be considered anything short of an act of war (especially when targeting a ground station). The cost to carry out these attacks would be very high, either in lives attacking ground stations, or monetarily in launch costs and space weapons development. There is also the cascade effect in which the destruction and resulting space debris from an attack could set off a chain reaction, also destroying the attackers satellites in space and even potentially making it impossible to travel to space. Secondly, Non-Kinetic attacks suffer from a lot of limitations of kinetic attacks, in which the cost is very high, especially in regards to nuclear attacks, and the cost of Directed Energy weapons is immense. Thirdly, the Electronic means while potentially harder to attribute, are not necessarily impossible, like in the case of Russia and spoofing GPS information in the Black Sea in 2017 (Falco 2019). Electronic attacks are non-permanent means of attacking a space system. This leaves the final form of attack that is arguably both quantitatively and qualitatively the best option to attacks a space system. The reason being, it is cheap, requires no domain knowledge, its very difficult to attribute the attack to a specific attacker, and you can choose how damaging the attack is. If you just need to get some information from the downlink of the satellite, the operator of the space system would be non the wiser (Pavur, 2021). Or if the space system is viewed as a threat that needs to be destroyed, you can brick the satellite to turn it into nothing more than a piece of useless space junk (Schalk et al., 2022).
With the establishment of cyber operations as the most approachable form of space systems attack and the evidence backed up in the form of PLA organizing their cyber-ops and space-ops under the SSF, it is prudent to look at the current state of the development of cyber operations in regards to developing national power in America. In fact, China disproportionately targets the cyber infrastructure of America precisely because of its reliance on critical infrastructure that depends on weakly secured cyber-physical systems (Pillsbury, 2016). China calls this their “Assassin’s Mace” and link naval power directly to space power and in the future plan on exploiting weaknesses in space systems to exploit naval operations (Pillsbury, 2016).
Current State of Cyberspace in Space Systems
The lack of value placed on cybersecurity for space systems is concerning considering the world is increasingly dependent on satellite communications for communication, banking, infrastructure, and much more day-to-day critical operations. The U.S. Department of Homeland Security has defined critical infrastructure across 16 different sectors, and most of this critical infrastructure relies on Space Systems. There are over 2,000 operational satellites that have a market worth of $150 billion annually, that include nearly 10 Tb/s of global internet capacity that will grow to 100 Tb/s by 2035 (Pavur, 2021). In our increasingly interconnected world, we place more and more trust into the hands of infrastructure that is facing drastically increased threats to its operations. Satellite cybersecurity doesn’t just affect the military and government, they only account for 30% of satellite operations, commercial operations account for 40% of operations and account for everything as mundane as getting the weather to broadcasting important news to over 100 million satellite TV subscribers to validating banking operations and combating fraud (Pavur, 2021). A simple way to ensure that satellite operations operate safely from a information security (InfoSec) perspective is to implement strong encryption in its communication.
Traditionally, satellites have been a closed source and proprietary system that has allowed for very little research to be conducted into the inner workings of the technology. As an example, when the Iridium satellite constellation was deployed it provided services to the Pentagon, but no cybersecurity was implemented in the system because it was believed that it was too complex to hack (Falco, 2019). While Iridium allows their users to encrypt their traffic, White Hat German hackers were able to prove that users trying to encrypt their own traffic isn’t enough and were able to get very sensitive texts and location data for high ranking DoD officials (Tereza Pultarova, 2025). There has been a rapid change with the reduced cost of space launches and increases in CubeSat manufacturing, allowing for even the most budget conscious commercial, educational, and government institutions to launch satellites into space and develop their own space systems (Pavur, 2021, p.19).
With this increase in space systems, NASA has found it amenable to create an open source software (OSS) tooling that helps users to create software for their space systems called core Flight System (cFS) (NASA’s Goddard Space Flight Center, 2017/2025). This software is a framework written in C that has been used on flagship spacecraft, human flight systems, cubesats and Raspberry PIs. While NASA does state that out of the box it is not flight ready and needs some additional programming, they also mention nothing about the cybersecurity of the framework, and it has been documented that many that use this framework do not actually implement cybersecurity (Schalk et al., 2022) and that space systems that implement this framework can easily be taken down with a couple lines of Python code, opening up major space systems attacks to “script kiddies”. At most, users were implementing simplistic encryption schemes that were easily broken and had no fallback encryption key (Oakley, 2020).
Analyzing many of the cyber attacks on space systems, researchers such as Gregory Falco at the Aerospace Adversary at Cornell University, James Pavur at Oxford, and many industry leaders that attended the Aerospace Village at DEF CON 32 (DEF CON 32, 2024) have pointed to unencrypted satellite networks that can be accessed via equipment you can buy on Amazon for a couple hundred dollars. The USSF CSO General Chance B. Saltzman is warning that the Unite States needs to prepare for a cyber conflict in space (Ahumada & Del Canto Viterale, 2024). His belief is that space and cyber are inextricably linked and if data integrity is not ensure then all of the USSF’s systems are worthless. The major idea being pushed is that the USSF needs more cybersecurity training directed at their guardians, but humans are always prone to err and while training is beneficial, the focus should be on implementing industry standards that are already in place. Like 2 Factor Authentication (2FA), strong passwords, etc… but it is also important to build robust infrastructure and utilize modern network protocols like QUIC and Performance Enhancing Proxies (PEP) across Virtual Private Networks (VPN)
Securing Communications in Satellite Operations
Virtual Private Networks (VPN) make transferring data from a host machine to a server secure across the internet by creating an encrypted tunnel between the two (How Does a VPN Work?, 2025). The VPN ensures that only the users who are suppose to have access to the data or systems within a companies (or users) network do so. While describing the varying details such as protocol selections, firewall setup, NATs, OSI, and encryption schemes are out of the scope of this paper, it is necessary to define some elements in order to solidify a model to work from for this topic. Firstly, we will only be discussing UDP (User datagram Protocol) which is generally defined as an unreliable, unordered, but blazingly fast transport protocol and TCP/IP (Transmission Control Protocol/Internet Protocol) protocol. TCP requires a “3-Way Handshake” between a host and server, which given latencies in satellite communications, this would turn a https request that takes 0.5 seconds to reach the satellite 1.5 seconds in order to start the request, UDP does not require this handshake (Davies, 2020). Secondly, a Performance Enhancing Proxy (PEP), is a proxy server (essentially a computer that handles your https request for you) that allows to avoid some of the time consuming sitting and waiting for request by automatically maintaining a connection with a server and already in use by many satellite providers today. QUIC (Quick UDP Internet Connection) is a relatively new transport protocol that uses UDP, 0-RTT (Zero RoundTrip Time), TLS by default, and HTTP/3 which allows for faster connections via multiplexing.
Earlier was discussed the ability to eavesdrop on sensitive information from Iridium satellites that were managing and handling DoD data. This issue still hasn’t been fixed in a significant amount of satellite communications. The main reason for this being is because to deploy applications that encrypt data and communications requires additional CPU power and will increase latency on already latency burdened satellite data connections. This is where a novel approach has been invented by James Pavur out of Oxford University. He has combined the safety and reliability of VPN connectivity with the performance enhancing properties of PEP via a QUIC Session called QPEP (QUIC PEP). This allows for end to end secure and encrypted data to be transferred via satellite without all of the latency and insecurity.
FiguRE 1: QPEP (Pavur, 2021)
When engaging in this research Mr. Pavur had to alert the FBI to his findings due to the amount of encrypted traffic from the 4 largest VSAT providers. He accidentally gathered information that jeopardized national security, for example in one transmission he received the manifest of a ship that was carrying hydrogen sulfide, which the Islamic State does their best to manufacture for the development of chemical weapons (Pavur, 2021). Extremely private information was also transferred unencrypted, being of both a financial and personal nature. He was also able to access data from services that typically cost thousands a month to use, all for a couple hundred dollars in commercial off the shelf (COTS) equipment.
Without disparaging the hard work that Mr. Pavur has done to design and implement this new protocol for satellite communications, this work also highlights how far behind the United States is on taking cybersecurity seriously whilst also claiming that it is developing national space power. The reason being the code base that has been developed for QPEP is rather small and barring the research going into it, the amount of code written would be expected to be completed by a mid-level network software engineer to write over a couple of sprints (sprints are anywhere from 2-4 week cycles) (Ssloxford/Qpep, 2019/2025). An advantage of this code being opened source is that it allows users to look at the code and make an informed decision on whether or not they want to implement the protocol, versus proprietary black-boxes that operate as a take it or leave it situation. Also, one of the security flaws in proprietary tooling that was highlighted by the Salt Typhoon attacks from China (Segal, 2025), is that they have built in backdoors that are supposed to be used by law enforcement, but lead to exploits by nefarious actors.
What this provides based on benchmarking data is a much faster and secure satellite network experience. Running 100 connections to the Alexa Top 20 internet domains resulted in 54% faster load times for QPEP than the proprietary competitor, averaging 13.77 seconds to the competition’s 30.5 seconds (Pavur, 2021).
If the United States wants to continue to count itself among the space powers and prevent certain nefarious state(s) from becoming a hegemon in space, it needs to start moving towards the less focused on aspects of maintaining the infrastructure of a great space power in its cybersecurity and more explicitly investing in technologies and a workforce that develop the most advanced communications and cyber systems in the world.
Works Cited
Ahumada, A., & Del Canto Viterale, F. (2024). Securing the Final Frontier: United States Space Force Cybersecurity Capabilities. Astropolitics, 22(3), 145–169. https://doi.org/10.1080/14777622.2024.2439802
Davies, G. (Ed.). (2020). Networking fundamentals: Develop the networking skills required to pass the microsoft MTA networking fundamentals exam 98-366. Packt Publishing.
DEF CON 32. (2024, August 11). Aerospace Village. https://www.aerospacevillage.org/defcon-32
Falco, G. (2019). Cybersecurity Principles for Space Systems. Journal of Aerospace Information Systems, 16(2), 61–70. https://doi.org/10.2514/1.I010693
Fanning, E., Swope, C., Young, M., Chang, M., Songer, S., & Tammelleo, J. (2024). Space Threat Assessment 2024.
Holden, J. (2017). Introduction to Ciphers and Substitution. In The Mathematics of Secrets (NED-New edition, pp. 1–28). Princeton University Press. https://doi.org/10.2307/j.ctvc775xv.5
Military Dispatches Editorial. (2024, June 12). Exploring Historical Cryptographic Devices in Military History—Military Dispatches. https://militarydispatches.com/historical-cryptographic-devices/
NASA’s Goddard Space Flight Center. (2025). Core Flight System (cFS) [CMake]. https://github.com/nasa/cFS (Original work published 2017)
Oakley, J. G. (2020). Cybersecurity for Space: Protecting the Final Frontier. Apress L. P.
How Does a VPN Work? (2025). Palo Alto Networks. https://www.paloaltonetworks.com/cyberpedia/how-does-a-vpn-work
Pavur, J. (2021). Securing New Space: On Satellite Cyber-Security [Oxford University]. https://www.proquest.com/docview/2647158963?pq-origsite=primo
Pillsbury, M. (2016). The Hundred-Year Marathon: China’s Secret Strategy to Replace America as the Global Superpower. St. Martins Griffin.
Pultarova, Tereza. (2025, February 12). Hackers Expose Iridium Satellite Security Issues—IEEE Spectrum. https://spectrum.ieee.org/iridium-satellite
Schalk, A., Brodnik, L., & Brown, D. (2022). Analysis of Vulnerabilities in Satellite Software Bus Network Architecture. MILCOM 2022 - 2022 IEEE Military Communications Conference (MILCOM), 350–355. https://doi.org/10.1109/MILCOM55135.2022.10017967
Segal, A. (2025, January 21). China Has Raised the Cyber Stakes. Foreign Affairs. https://www.foreignaffairs.com/united-states/china-has-raised-cyber-stakes
Singer, P. W. (2014). Cybersecurity and Cyberwar: What Everyone Needs to Know. Oxford University Press.
Ssloxford/qpep. (2025). [Python]. SSL Oxford. https://github.com/ssloxford/qpep (Original work published 2019)
von Clausewitz, C. (2008). On War (M. E. Howard & P. Paret, Eds.). Princeton University Press. https://doi.org/10.1515/9781400837403
Ziarnick, B. D. (2015). Developing national power in space: A theoretical model. McFarland & Company, Inc., Publishers.
