The ODNI’s Counterintelligence Center (the National Counterintelligence and Security Center (NCSC) and the FBI and USAF have issued a joint bulletin designed to raise awareness of threats to the U.S. space industry.

This bulletin conveys important information that should be read and acted upon by any in the U.S. space industry. The government is doing us all a huge service by providing this warning.

We note, however, that the government recommendations on what to do about the threat fall short. There are some big recommendations the government should have made but didn’t, perhaps because they don’t really know how business works or perhaps they are hamstrung by bureaucracy. We discuss this more in our recommendations at the bottom of this post.

Before getting to recommendations, review the text from the bulletin here:

The Threat

According to US financial sector estimates, the global space economy is projected to grow from $469 billion in 2021 to more than $1 trillion by 2030. The United States is the main driver of this growth through its role as a global leader in space investment, research, innovation, and production. Space is fundamental to every aspect of our society, including emergency services, energy, financial services, telecommunications, transportation, and food and agriculture. All rely on space services to operate.

Foreign intelligence entities (FIEs) recognize the importance of the commercial space industry to the US economy and national security, including the growing dependence of critical infrastructure on space-based assets. They see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise. FIEs use cyberattacks, strategic investment (including joint ventures and acquisitions), the targeting of key supply chain nodes, and other techniques to gain access to the US space industry.

FIE efforts to target and exploit the US space industry can harm US commercial firms and broader US national and economic security in several ways:

Global Competition

• Siphoning intellectual property and other proprietary data from US space firms for the benefit of foreign powers’ national security programs.
• Leapfrogging innovation that costs US space firms substantial time and resources to generate.
• Using state-backed resources and unfair business practices to disadvantage US space firms.
• Harming US corporate reputations by proliferating counterfeit products or falsely authenticated reproductions.

National Security

• Collecting sensitive data related to satellite payloads.
• Disrupting and degrading US satellite communications, remote sensing, and imaging capabilities.
• Degrading the United States’ ability to provide critical services during emergencies.
• Identifying vulnerabilities and targeting US commercial space infrastructure during conflict.

Economic Security

• Harming the US commercial space sector by causing losses of revenue and global market competitiveness.
• Exploiting critical resources and supply chain dependencies.
• Influencing international laws, norms, and host country business regulations governing space to disadvantage US space firms.

Indicators

Your employees, contractors, and suppliers are vital to protecting your organization. Be aware of the following indicators and other potential signs of FIEs targeting you.

• Unusually high cyberactivity targeting your company from unknown parties.
• Requests to visit your company facilities from unknown or foreign entities.
• Specific and probing questions about sensitive, internal, and proprietary information.
• Elicitation at conferences or online fora.
• Unsolicited offers to establish joint ventures with companies tied to foreign governments or state-owned enterprises.
• Attempts to recruit your company’s technical experts, including through invitations to travel to a foreign country, offers of employment (such as consultancy work), and provision of financial incentives in exchange for proprietary information.
• Acquisition or investment efforts by foreign companies via wholly-owned subsidiaries registered in third countries that are designed to obscure the parent company’s connections.

Mitigations:

You are not helpless in the face of FIE threats to your organization.

• Develop an “anomaly” log to track peculiar incidents to potentially spot malicious trends against your organization.
• Establish an insider threat program within your organization. Consider appropriate vetting and oversight for those with sensitive positions or access.
• Foster an enterprise-wide security posture at your company, ensuring security, cyber, IT, insider threat, legal, human resources, and procurement offices all collaborate on security efforts.
• Identify your “crown jewels” that are key to your company’s competitiveness and develop strategies to prevent or mitigate their loss.
• Conduct robust due diligence on suppliers, understand their security practices, and set and enforce minimum standards for them.
• Incorporate security requirements, such as incident reporting, into third-party contracts and monitor compliance throughout the lifecycle of a product or service.
• Ensure your business is familiar with host country laws and regulations that require the sharing of company data.
• Conduct appropriate due diligence on your investors.
• Build resilience and redundancy into your operations to minimize harm from FIE targeting.

Reporting Incidents:

If you believe your company’s intellectual property has been targeted or is at risk of compromise, contact the Private Sector Coordinator at your local FBI Field Office:
https://www.fbi.gov/contact-us/field-offices

You can also submit a tip to the Department of the Air Force Office of Special Investigations at:
https://www.osi.af.mil/Submit-a-Tip/

More Recommendations From OODA:

We love this report for what it does that no one else can. It gives insights from the perspective of our nation’s intelligence and law enforcement professionals and makes it clear this is a serious threat. And it provides general recommendations relevant to almost any firm in the US Space Industry.

But some major recommendations were left out. We assume this is because the government is in a hard position and cannot take action that might make it seem like they are making business recommendations or endorsing work with any particular group. We are not handcuffed by those problems so will tell you what we think.

Besides the smart recommendations provided by the government we strongly recommend and U.S. space firms:

• Understand that defense against hostile nations (the government says Foreign Intelligence Entities or FIE) cannot be done alone. You should team with others in your industry and the security industry. One recommendation we have for every member of the U.S. Space industry: Join the Space ISAC. Really. It is a no brainer. The Space ISAC is focused on cybersecurity but there will be benefits to helping you consider and work to mitigate other threats as well. It is really our biggest single recommendation.
• Ensure your physical and cybersecurity programs are independently verified by external experts (contact OODA for an assessment).
• Depending on your needs, you may also want to forge a relationship with external security providers. A managed security services provider (MSSP) can add talent and technology to your cybersecurity effort. We can help you find the right one if you do not have one already.
• You need to understand that governance starts at the top. No matter what your business size, it is the leadership team that is responsible f0r protecting your intellectual property and maintaining your ability to deliver long term value as a going concern. Ensure all your internal processes are developed in a way that give senior leadership control so their responsibilities can be appropriately executed.

Additional Resources

OODA Best Practices for Agile Cybersecurity

Members of the OODA expert network continuously track best practices for policy, procedures, technology and governance related to cyber defense.  We work directly defending enterprises in cyber defense and maintain an always up to date list of actions in a form designed to help any organization stay as agile as possible in the face of dynamic adversaries.

---

The New Enterprise Architecture Is Zero Trust

Enterprise technologists use the term “Zero Trust” to describe an evolving set of cybersecurity approaches that move defenses from static attempts to block adversaries to more comprehensive measures that improve enterprise performance while improving security. When the approaches of Zero Trust are applied to an enterprise infrastructure and workflows, the cost of security can be better managed and the delivery of functionality to end users increased. Security resources are matched to risk. Functionality, security and productivity all go up.

---

Zero Trust Will Yield Zero Results Without A Risk Analysis

Over the past four years there has been an avalanche of new Zero Trust products. However during the same period there has been no measurable reduction in cyber breaches. Zero Trust is a concept where an organization has Zero Trust in a specific individual, supplier or technology that is the source of their cyber risk. One needs to have Zero Trust in something and then act to neutralize that risk. Thus buying a Zero Trust product makes no sense unless it is deployed as a countermeasure to specific cyber risk. Buying products should be the last step taken not the first. To help enterprises benefit from Zero Trust concepts here is a modified OODA loop type process to guide your strategy development and execution.