Earlier this month, Sen Peters (D,MI) introduced S 1425, the Satellite Cybersecurity Act. The bill would require the GAO to publish a report on government actions to support cybersecurity of commercial satellite systems. It also outlines new responsibilities for CISA on satellite cybersecurity. No new funding is authorized by this legislation.
This bill is very similar to S 3511 introduced in the last session by Peters. That bill passed in Committee but was not taken up by the Senate.
Definitions
Section 2 of the bill provides definitions for seven key terms. Four of the terms are defined by reference to existing statutes. The one key technical term defined in this section is ‘commercial satellite system’. That term includes the actual satellite, ground support systems, and communications between the two.
GAO Report
Section 3 of the bill would require the GAO, within 2 years, to prepare a report to Congress on the actions the Federal Government has taken to support the cybersecurity of commercial satellite systems. The report would include information on:
The resources made available to the public by Federal agencies to address cybersecurity risks and threats to commercial satellite systems, including resources made available through the clearinghouse,
The extent to which commercial satellite systems are reliant on, or relied on by, critical infrastructure,
The extent to which Federal agencies are reliant on commercial satellite systems and how Federal agencies mitigate cybersecurity risks associated with those systems,
The extent to which Federal agencies are reliant on commercial satellite systems that are owned wholly or in part or controlled by foreign entities, or that have infrastructure in foreign countries, and how Federal agencies mitigate associated cybersecurity risks, and
The extent to which Federal agencies coordinate or duplicate authorities and take other actions focused on the cybersecurity of commercial satellite systems.
CISA Responsibilities
Section 4(b) would require CISA to establish a commercial satellite system cybersecurity clearinghouse. The clearinghouse would:
Be publicly available online,
Contain publicly available commercial satellite system cybersecurity resources,
Contain appropriate materials for reference by entities that develop, operate, or maintain commercial satellite systems, and
Contain materials specifically aimed at assisting small business concerns with the secure development, operation, and maintenance of commercial satellite systems.
CISA would be allowed to establish a process by which controlled unclassified information could be shared with commercial entities.
In conjunction with the Clearinghouse, §4(c) requires CISA to consolidate voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems. Those recommendations would address:
Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency.
Planning for retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident.
Protection against unauthorized access to vital commercial satellite system functions.
Physical protection measures designed to reduce the vulnerabilities of a commercial satellite system’s command, control, and telemetry receiver systems.
Protection against jamming, eavesdropping, hijacking, computer network exploitation, spoofing, threats to optical satellite communications, and electromagnetic pulse.
Security against threats throughout a commercial satellite system’s mission lifetime.
Management of supply chain risks that affect the cybersecurity of commercial satellite systems.
Protection against vulnerabilities posed by ownership of commercial satellite systems or commercial satellite system companies by foreign entities.
Protection against vulnerabilities posed by locating physical infrastructure, such as satellite ground control systems, in foreign countries.
Moving Forward
As I mentioned earlier, the Senate Homeland Security and Governmental Affairs Committee will take up S 1425 (along with 14 other bills) in a business meeting on Wednesday. This typically means that there is at least some bipartisan support for the measure, though amendments may be offered to improve the bill. I suspect that there will be substantial bipartisan support for the bill.
It is unlikely that the bill would be considered in the Senate under regular order; that process is just too time-consuming. There is a chance that it could be considered under the unanimous consent process, but that is just too fraught with potential for unrelated political concerns to interfere with the process. I suspect that this is a prime candidate to be included in some must-pass spending or authorization bill.
Commentary
I have been asked on several occasions why I place emphasis in these legislative reviews on the definitions included in the text. This bill provides a good example. The definition of the term ‘commercial satellite system’ specifically includes “any ground support infrastructure for each satellite in the system”, and the transmissions between the satellite and that ‘ground support infrastructure’. Unfortunately, the ‘ground support infrastructure’ term is not defined. While it would certainly include systems responsible for sending satellite control system information to and from the satellite, it is not clear that systems for sending and receiving information transiting communications satellites would be covered.
Practically speaking, in a bill like this (with no regulatory provisions) this means relatively little. Simply put, CISA is not required to address security of information transiting communications satellites. I fully expect that they would include this important satellite use in both their clearinghouse operation and in their cybersecurity recommendations.
If there were regulatory provisions in this legislation, operators of satellite communications ground stations would argue in court that their systems were not covered by any regulations based upon the definition of ‘commercial satellite system’, since they do not control or affect the operations of the satellites. Whether or not a court would agree with that argument, of course, remains to be seen. But it would certainly be a stumbling block in the regulatory process.