India’s space cybersecurity mesh: Criticality and call of purple revolution

Introduction

Cybersecurity has audaciously engrafted itself into the traditional war theatres of land, air, sea, and more recently, space. A breach of this war penta-theatre, L-A-S-S-Cy challenges India’s territorial integrity, strategic autonomy, and sustained growth. Any infiltration, incursion, or incapacitation of space systems can temporarily paralyse or permanently cripple and cause irreversible damage to increasingly space-dependent food, water, communications, dams, defence, energy, financial, healthcare, nuclear, transportation, and other critical networks. The unhindered proliferation of technology, techniques, and tactics have improved access to attack methods of common spacecraft bus architectures, to successfully bypass air-gapped systems, to mature remote proximity operations and on-orbit docking attacks, to slither into software/ hardware of supply chains, or to escalate space systems’ privileges.

While Russia, the United States (US), China, Iran, North Korea, and Israel keep their military space cybersecurity capabilities flexed, Japan, France, South Korea, and the United Kingdom (UK) are steadily picking up pace. Interestingly, the Strategic Support Force of China’s People’s Liberation Army has centralised space, cyber, electronic, and psychological warfare capabilities.

The unhindered proliferation of technology, techniques, and tactics have improved access to attack methods of common spacecraft bus architectures, to successfully bypass air-gapped systems, to mature remote proximity operations and on-orbit docking attacks, to slither into software/ hardware of supply chains, or to escalate space systems’ privileges.

Besides surreptitious state actors, possible space cyberattack adversaries include terrorist organisations, subversives, political criminals, curious computer hackers, commercial competitors, dishonest insiders, disgruntled staff, trusted but careless business partners, or rogue astronauts. All of the above can launch asymmetric attacks and are immune to the natural dynamics of ‘credible deterrence’ and the fragile notion of stability from the condition of ‘Mutually Assured Destruction’. There are efforts underway to counter these threats. For instance, Aerospace Corporation’s SPARTA (Space Attack Research & Tactic Analysis), an extension of MITRE ATT&CK adversary tactics and techniques, presents a cyber threat-oriented approach and risks covering all stages of a cyberattack from reconnaissance and attack-resource development, initial access of vulnerable systems and attack execution, existing cyber-defence evasion, lateral movement to other systems, exfiltration of critical data and/or other impacts. This helps scaffold threats to space systems during early phase development (supply chain entities’ design, supply, procurement, assembly, integration, and complete system tests), ground control (launch, payload control, mission control, space traffic management), and space segment (platform, payload, formations, and users).

India’s space and cybersecurity: Recent trail markers and lacunae

On 28 September 2018, Prime Minister Narendra Modi approved the creation of the Defence Cyber Agency (DCA) and Defence Space Agency (DSA). DCA is fully functional and DSA integration with the land, air, sea, and cyber theatres is a work in progress. The long-pending National Security Strategy must integrate L-A-S-S-Cy war penta-theatre and articulate an integrated warfare doctrine to produce purple [which combines the offence (red) and defence (blue)] capability characterised by swiftness, precision, and effectiveness.

Sectors like oil and gas, telecommunications, power, disaster management, manufacturing, logistics, delivery services, public transportation, eCommerce, insurance, law enforcement, defence verticals and their supply chains depend on global positioning, navigation, and timing. World over, there are only four Global Navigation Satellite Systems (GNSS): US’s GPS (Global Positioning System), Russia’s GLONASS, China’s BeiDou Navigation Satellite System, or Europe’s Galileo. To streamline time synchronisation, reduce dependency on foreign GNSS, and enhance national security, India has been developing the NavIC (Navigation with Indian Constellation) systems under Indian Regional Navigation Satellite System. It provides absolute position accuracy of fewer than 10 meters on the Indian landmass and less than 20 meters on the Indian Ocean with nanosecond preciseness.

Constructive watchful intervention has catapulted India to the 10th rank globally in the latest 2020 United Nations’ International Telecommunication Union Global Cybersecurity Index.

The Government of India has taken numerous steps to improve India’s cybersecurity posture. Constructive watchful intervention has catapulted India to the 10th rank globally in the latest 2020 United Nations’ International Telecommunication Union Global Cybersecurity Index.

With National Cyber Security Coordinator, the National Security Council Secretariat (NSCS) is trying to integrate the Indian cybersecurity architecture and policies. It has also formulated a draft National Cyber Security Strategy which is under consideration of the Prime Minister’s Office. But in this, the space element is missing. Interestingly, the Data Security Council of India, in its submission in 2020 on the draft National Cyber Security Strategy, had noted attacks targeting India’s critical infrastructure sectors including nuclear plants and space agencies but had provided no discourse on space cybersecurity.

This needs to change. As an integral part of the National Cyber Security Strategy, it’s imperative to integrate the L-A-S-S-Cy war penta-theatre into national critical infrastructure. Security and military functions and communications depend on critical space infrastructure. While India’s definition of “Critical Information Infrastructure”, includes “incapacitation” leading to a “debilitating impact” on “national security”, somehow space and its operations don’t figure prominently under the National Critical Information Infrastructure Protection Centre or the Computer Emergency Response Team-India.

With more than 100 start-ups, 22 MoUs, and five authorisations, space ecosystem is expanding. As more players enter this field, the attack surface is also widening. Intense collaboration among a large number of involved parties with varied expertise, risk portfolios, and information security attack-surfaces can lead to sabotage and disruption through adversarial supply-chain malware injection, malicious systems’ poisoning and unauthorised identity masquerades, and manipulative breach of confidentiality, integrity, & availability. Therefore, it is time India focuses on space cybersecurity.

India’s urgent to-do list

India’s space cybersecurity mesh needs relentless governance thrust, vigilant all-round resilience, and hawk-eyed techno-diplomatic engagement. What could be India’s urgent top five to-do?

One, on express mode, release version 1.0 of India’s comprehensive national space policy and interweave into it comprehensive critical national infrastructure level cybersecurity guardrails through National Cyber Security Strategy and finally, dove-tailing them into National Security Strategy.

Two, build rigour for a Purple Revolution- cybersecurity red-teaming (offense) and blue-teaming (defence) exercises to create a unified Purple. Ministry of Defence and Home Affairs must institute a rigorous programme and curriculum requirements covering four components: (a) Cyber Defence (Red Team), (b) Cyber Offense (Blue Team), (c) Cyber Operations and Services, and (d) Cyber Research.

The purple revolution will accelerate the rhythm of strategic and tactical Indian foreign policy, build internal critical mass to neutralise threats to India, and help create credible deterrence.

Three, adopt a whole-of-nation approach. Like corporate social responsibility policy, Chief Information Security Officers and information security researchers from public and private sector must allocate 2 percent of their productivity towards National Critical Infrastructure and space cybersecurity.

Four, increase space budget allocation from 0.04 percent to at least 0.5 percent of Gross Domestic Product (GDP). The Union Budget for 2023-24 allots only US$ 1.5 billion to the Department of Space, a nanoscopic 0.04 percent of GDP. More capital will boost creation of self-sufficient centrally-funded research and development centers, enhance Information Sharing and Analysis Centre–Space (ISAC-Space), and augment the creation of influential national and international space standards.

And five, integrate space supply-chain resilience and security into QUAD’s space-related applications and technologies cooperation. As part of an inter-governmental collaboration among the QUAD countries, a central Indian space resilience agency must analyse and map each sub-component with suppliers and suppliers of suppliers, their supply chain risk and attack-surfaces on design, build, delivery, and maintenance, and for mutual watchfulness, periodically conduct joint-monitoring and incident response exercises.

Conclusion

L-A-S-S-Cy war penta-theatre demands swift, precise, and effective purple interventions. In the face of progressively intensifying adversary attacks rapidly evolving on obfuscated pivots, to accurately adapt, respond, and recover, the purple revolution in India’s space cybersecurity mesh is at a critical point of convergence. The purple revolution will accelerate the rhythm of strategic and tactical Indian foreign policy, build internal critical mass to neutralise threats to India, and help create credible deterrence. It’s a critical time to integrate the entire country’s innovative perspectives, technical intelligence, and engineering abilities and apply thought and research to each entity in securing India’s space journey.