[0:23] Exploring Cyber Satellite Threat with Mark Montgomery

Audrey: Hello and welcome to the Point Podcast with today's guest, speaker Mark Montgomery. Mark, welcome.

Mark: Well, thank you very much for having me

Audrey: It's great to have you here. I'm actually really excited about this discussion today because we get to talk about two of my favorite things, one cybersecurity and two outer space to kick off these discussions. Mark, do you wanna introduce yourself to our audience and give a bit of background on your career and the kind of work you do in the cybersecurity space?

Mark: Yes, thanks. So not your standard career to get here. I spent 33 years in the United States Navy commanding destroyers destroyer squadrons, and carrier strike groups. And then I was eventually the J three or head of operations for the US, Indo-Pacific Comm all our joint forces in the Pacific. And there, the cyber teams work for me. I came out of that, went, and worked. 

I retired from the Navy and went immediately to work for Senator John McCain for two years as his policy director. And near the end of that time, I had to become a cyber professional staff member just because of changes in staffing and everything. And so got pretty experienced in how the legislation of cyber. From there, after Senator McCain passed away. 

Senator King, who is a member of the Armed Services Committee, hired me along with Representative Mike Gallagher, who was the Republican chairman. Senator King was a Democratic chairman of the Cyberspace Solarium Commission, and I was executive director of that for three years.

And what we did was study cybersecurity, figure out what were the challenges to it, and come up with 80 plus recommendations on getting the legislature. 

Addressing the Cyber Satellite Threat with CSC 2.0

Mark: But also the executive branch is in a better position to secure our national critical infrastructure in cyberspace. That just wound down coming out of it, Senator King, Representative Gallagher, and I set up a nonprofit called CSC 2.0. And we exist inside the foundation for defensive democracies.

A non-partisan nonprofit think tank in DC that takes no foreign money and no corporate money. So it was easy for us to put the nonprofit there. And so as a result we can continue to work on these issues. 

And space particularly became one of Senator King's real concerns that, we weren't treating it like critical infrastructure. So he had me and Frank Cilluffo, another commissioner from the Cyberspace Solarium Commission, take a look at this issue. We studied it for about four months with some of the professionals on each of our staff. He runs a think tank at Auburn University. The two of us produced a product that kind of makes the argument for why space systems should be a national critical infrastructure and why we should do that now. 

Many of our recommendations have been taken up. And you'd see there's a cybersecurity space cybersecurity act on the floor of the Senate. And I'm hoping and have been, some of our things have already been adopted into last year's NDA.

A National Defense Authorization Act as we were working on it. We expect to see more in the next two years because it wasn't an epiphany for us to say it was a critical structure. I think a lot of people held that opinion already. We just made some very specific arguments for how to set it up and where to set it up. 

Unveiling the Cyber Satellite Threat and Safeguarding Space Assets

Mark: So we're excited about this, as an area for where we can improve even through organizational changes, we can improve our cybersecurity posture in space. But don't be surprised. It is a high-threat environment.

Audrey: I agree with you in that, I think one of the things about kind of developing solutions to go out into space. People are generally thinking that there aren't a lot of other people out there to cause issues in the environment. A bit like the kind of people delivering the internet of things.

Yes, you can have all these really cool bits of equipment like Alexa and stuff like that, that'll do things for you. But not thinking about the security side of it because they didn't think about why would anyone want to hack your Alexa. 

So if we focus down on a kind of let's throw a spotlight on satellite cybersecurity. Because, after all, they're effectively purpose-built computers, and as such, they're as vulnerable to the same cybersecurity threats that we face on earth.

So if you could kind of shine a bit of light on that, on kind of what are the threats that we're facing in space with these items and what can we do about it? What are we doing about it?

Mark: Well, thanks. And, you're right. There's a lot in that. I'd break it up into two different types of threats. One, there is a physical threat. I'll talk about that in a moment. But second, there is a cyber or non-kinetic threat. And that threat's interesting. 

Beyond the Skies: Unraveling the Cyber Satellite Threat

Mark: If I were to go to 50 hackers and say, try to take down this low-worth orbit satellite network, I think 49 outta 50 would start with the ground control stations. So when you ask what's the threat? The threat is first and foremost traditional hacking which means, phishing and exploiting human frailties to gain access to the ground control network. 

And therefore pass inappropriate or destabilizing orders up to the satellites themselves, or ones that either disrupt, disable, or destroy the satellite. So that ground control station is typical normal hacking. We'll talk a little bit about Russia and Ukraine, but that's where they had some success. The second part of that is attacks on the satellites themselves. Now here, this is a little harder.

Audrey: IT's are talking like hammers, like people who go and bounce radio waves off planets. What are we talking about here?

Mark: I think here it would be through what would appear to be normal discourse, a normal communication through the satellite. Enabling the satellite was bought with almost all Leo satellites based on commercial office self-technology that is exploitable. You can install the physical malware on the ground and when it gets up in space, you can determine there's an open-source software flaw. 

And it's an interesting thing when we'll talk about updating if you think patching is poor on the ground, on terrestrial networks, absolutely. Patching on space networks is complicated because even if you want to do the right thing, it's sometimes hard to do the right thing. So a really interesting conundrum there. 

[7:00] Analyzing the Cyber Satellite Threat

Mark: So two different ways to go at it. Either go at the ground control web network, or go at the satellite in space, and in both cases, you could exploit existing malware. Because it was procured commercially off the shelf. And believe me, with the pace at which we're putting these satellites up, there is no capability or capacity here for unique purpose-built technology. Then the second way there is a physical attack capacity. And in that regard, there are both anti-satellite weapons. 

Both Russia and China have tested these. China more recently tested one that I think created about 2000 pieces of space debris. It was quite the core judgment by them. But they put quite a bit of debris in space. But the second one is that we've certainly seen the Chinese begin to develop this that is putting up attack satellites in space. And I know that sounds like a 1950s movie. It does but it's the idea and you said hammer earlier. I mean, it's like, it could be a mechanical claw or physical, striking object or such.

Or it could be radiation and radiation exposure that can be created by one satellite passing in front of another. I mean, there's a number of ways there's even a way to capture it and to knock it out of its orbit. So there are a number of different ways that we think the Chinese and others are beginning to develop anti-satellite technology based on other satellites in space. And in fact, recently I think when kind of out of a little bit of displeasure with how Starlink had helped the Ukrainians against Russia. 

Assessing the Cyber Satellite Threat and Its Impact on Critical Infrastructure

Mark: China announced that it would consider a Chinese academic. It would be appropriate to launch 13,000 attack satellites to shadow the Starlink satellites that were in theory gonna go up over the next decade or two.

That would probably be the least efficient way, I think, to get a Starlink, I think I'd look at the ground control networks probably. But, in any case, this is what I've just given you both, attacks on satellites, themselves or attacks on the ground stations, cyber or kinetic. It's there.

There's a lot out there. So that's how I, I look at it. This is an apparent existing threat and it's growing.

Audrey: Can I ask, 'cause a lot of reviewers may not actually consider the knock-on effect if satellites get taken out or taken down for a period of time. What could be the impact on businesses or infrastructure, and how do things run on the ground?

Mark: So I think a better question to ask is what's not impacted? I mean, look, first of all, position navigation and timing satellites are just critical to everything. They're how our agricultural systems work. They're how port systems you'll get, they're how our highly automated equipment gets their timing signals and their location signals.

So this really, as I mentioned, impacts agriculture. There are a lot of tractors out there that are operating off of PNT satellites to run the map that the farm has set for them for that field that day. There's the position navigation, timing is critical to how our ports operate, how our rail systems operate, how our air transport systems operate. 

Critical Dependencies in Peril

Mark: If you think of a port system, it tells the crane where it's at. It tells it where the Sierra land container they're supposed to pick up is. It tells where the place on the ship is. And it all works in an automated system, if you were to remove that position, navigation, and timing, we'd be back to like 1930 Steve doors.

And our ability to move shipping would drop, volumetrically, 70, 80, 90% as you go all manual. 

So, I mean, really, you can think about a trade, you can think about in the timing signals for trains. You can think about it in our air traffic control systems. All elements of our global and domestic trade are impacted by this. In addition, there's the monitoring of trucks, for the timing and sequencing of trucks as they come into distribution points and wholesale warehouses.

That's all based on a position, navigation, and timing signal. How you get driven to dinner tomorrow night is driven by that PNT signal.

Audra: I have to admit, I've kind of given up a lot and tried to learn the roads myself. Because I'm a bit old-fashioned and I still have maps in my car.

Mark: I would put you in the 5% category. And the other 95% of us, and I say this as Navy officers where we still do use paper charts on occasion in the Navy, but broadly we use electronic systems. Our weapon systems rely on this position, navigation, timing, and other satellite things. How we target our weapon systems is highly resilient, reliant on satellite systems. So our military national security is tied to this, as our economic productivity, and our public health and safety. 

Addressing the Cyber Satellite Threat and Establishing Sector Risk Management

Mark: These are all tied to this system. We like to say, I think the common terminology is that energy is kind of like the infrastructure that drives all the other infrastructures. I'm certainly not gonna take away from that, but I'm gonna say equally speaking, if you don't have space, you're gonna revert to 1930s America really quickly with all that implies for economic productivity.

So it would be pretty significant. So space systems, to me, are critical infrastructure, despite the fact that the US government doesn't call it one. And that was one of our big recommendations.

Audrey: But I'd say, considering what you've just said, it absolutely is part of our critical infrastructure. But the question is, how do you actually influence, or is this part of what has been put together in the Satellites Cybersecurity Act, how do we actually influence end-to-end the supply chain? That is what ends up creating satellites. How do we actually end up being able to control that?

Mark: Our recommendation there is first you have to appoint a sector risk management agency. Which is someone who is responsible for organizing the government for building the public-private partnership for determining what are the right standards to use. Not necessarily regulatory, I'm not arguing for that just yet, but I will say space is one of the places where most industry says we need regulation. 

We can talk about that in a second. But setting that aside, you need a federal agency that's in charge. Without that, you get way too much help. If you're in the private sector trying to organize things becomes much too disparate, whether it's inside the Department of Commerce, there's NOA which does some of the satellite certification licensing. 

[13:59] NASA: Leading the Charge Against the Cyber Satellite Threat

Mark: You have NASA you have the military, you have the federal communications commission, which is deeply involved in this. I'll cut to the chase and say, we recommended that the Sector Risk Management Agency, the agency that is the forward-facing piece with the industry is NASA.

And it's an independent federal agency. Our feeling with that was underneath it, you can have some sub-sectors that are about DOD and the very highly classified defense industrial-based work. 

And then another one on communications where there's already a heavily regulated environment run by the Federal Communications Commission. Those would be sub-sectors under a broad sector run by NAS and then NASA would be that forward-facing thing. And the absence of this, the Trump administration created and the Biden administration has maintained a national Space council.

But this thing just doesn't have the ability to get things done of a federal agency because it's a standalone small group inside the White House.

Almost everybody on it has a secondary or tertiary job besides this. And there's a very small staff to support it, a kind of executive secretary to support it. The reality is you need a federal agency running this and leading this.

The management of the sector, building the determining where we need regulation, where we need incentivization, where we need collaboration with the private sector. 

And then working with our international partners. Because this is not one of those areas where the United States gets to make a determination of what we have to work with international partners on this as well. So from my point of view, that is a missing element right now.

Empowering NASA as the Cyber Satellite Threat Sector Risk Management Agency

Mark: And interestingly, the Biden administration is rewriting a document called PP D 21, which is how you do sector risk management agencies in the government. And they're overdue on it, but I think they'll get it done next spring. One of my first recommendations on that is to namespace as a sector risk management agency and assign it to NASA.

And if they were smart, they'd get a head start on it, just start doing it and make sure NASA's budgeting for it and get moving. Because we need to make hay while the sun shines right now. And, we need the government to be better organized.

Audra: No, that's a hundred percent. But the question in terms of in order to actually get this legislation out there and view satellites as a critical infrastructure, like all branches of the government, needs to be involved. Does this actually bring it together? Or is it putting it all under NASA that then NASA brings everyone together? It's bringing that whole picture into one frame.

Mark: So listen, this act is written really well. And I could say that because I saw it while it was being written. And I agree with it. But what it says right now is, hey, look, do a study of the threat. Get the CIA responsible for cis the cybersecurity infrastructure security agency responsible for it. And then it says at the bottom, look if somebody gets designated SRMA load it on their shoulders, and that's exactly the right thing to do. That allows us to get this bill easier to get passed, people. Congress may not wanna determine who the SRMA is. 

The Key to Addressing the Cyber Satellite Threat

Mark: And if you wrote in there, NASA does this, you're kind of determining it by giving it to SRMA. You're giving it to the catchall fielder. CIA and then it says right in there, though, look, if the executive branch makes a determination. And this is inherently an executive branch responsibility to determine sector risk management agencies, it says that in law, then give it to that, as I said, hopefully, you give to NASA and they're off to the races. 

I'm a little worried if you give to the Department of Defense, DOD'S fantastic at DOD stuff. And they're fantastically unexcited about handling the non-DOD things. And FCC is way too small and focused on just the comms. So again, NASA would do it. So the way I think this act would go down is you pass the act, the PPD 21 designates, NASA's, and SSRM the responsibilities in the ACT fall on NASA. And they become the one that comes up with the plan for how you deal with the threat.

That's the front end of the act. The front end of the ACT says, do a study of the threat, the back end of the act says, tell me how you're gonna fix it and address it. So I think this is a perfect bill piece of legislation. It's what the legislators should do, which is say, I see a problem that you're not tackling, I'm going, I'm authorizing you to tackle it, and I'm telling you to get started with the agency just to get the ball rolling. 

Project Managing Space Security

Mark: So I'm excited that if that passes I'd be really excited if it got added in the NDA the National Defense Authorization Act. So I'll pass soon but we'll have to see what happens over the next two to three months.

Audrey: So what is your expectation for this act? We'll be able to both address the threat of satellites that are already in space and already kind of cruising around the earth and helping us with all of our supply chains working and that kind of thing. But also address the supply chain of building new satellites.

Mark: It gets right at that. It talks about current risk and it talks about potential risk. So I think it gets at both of them. And certainly, anyone doing a study would do both sides of this. I'm confident that this act can be done without this act. But by just saying you're the SRMA, the ACT kind of gives them the authority to kind of work better with other federal agencies to get this in. 

NASA doesn't hold the answers to all the questions in the threat study. They hold a small percentage, 10% prior to the answers. DOD has some, the Intelligence Committee has some commerce department has some, FCC has some, so the answer spread throughout the federal agency.

When you have that kind of issue, it's kind of good for the legislative branch to go do this, get it done by this date, and you're responsible.

Audrey: So project managing everyone.

Mark: Yes.

[26:11] Space Governance and the Cyber Satellite Threat

Audrey: Excellent. So in terms of kind of talking about space generally the rules for ownership over space entities and territories seem to remain pretty unaddressed. So how do countries handle space ownership today? And what kind of risks does that pose? Generally speaking, we have a level of entities of satellites and things that are up in space. How does this control that kind of interaction? Because as you said, China kind of going out and experimenting with prototypes to do, attract attack satellites. What are the rules around that?

Mark: So, right now, the governing treaty, I think is called the Outer Space Treaty. And it's at least, I think it's 55 years old. Maybe more. It's old. And it has some basic truths upfront. Like it prohibits nuclear weapons in space. It limits the use of the moon or, planets for anything other than peaceful purposes. It says that space should be explorable by all, and used by all it prevents claiming sovereignty okay.

 On any outer space body. It forbids bases like military bases. And I mean, this is 1967, and Star Trek was thick. I mean, absolutely. And they thought we're probably gonna be a little further along than we are now. But in theory, it prevents putting conventional weapons in space, obviously, how people define it, that's changed a little bit. 

And there are some very specific rules for, it had like some codicils on what you do if an astronaut, like a dead body, comes back into Earth. Or if there's damage caused by a spacecraft that falls to earth or a satellite or some very specific things to do with moon proper, sovereignty on the moon. So it's not without it, it has some thickness to it. 

Navigating the Cyber Satellite Threat Amidst Space Expansion

Mark: So, the question is to what degree it doesn't really address, some of the more interesting things that are gonna happen over the next two or three decades. This is when we begin to be able to harvest minerals and materials from space to bring back ownership of that. So when I say things like regulation, first of all, space is one of these highly safety-conscious things. In those small air errors of millimeters can lead to death, right? And we know that we've experienced that with several shuttles and an Apollo explosion. 

The Russians have experienced the same. So the time the Soviet Union experienced the same so regulations about how you put things in space, where they go, and what kind of safety they have to have around them. I think the industry is interested in that kind of regulation, just so it doesn't turn into the Wild West. You then have to make that internationally relevant. See if you can work that with your international partners. The control is, as Leo goes up right now, we're at like, maybe 4,000 LEO satellites. 

So we're fourth yes, we're at 4,000 now. I'll bet we're at 50,000 in 2035. So a tenfold increase, that's a lot more space up there, a lot more opportunity for collisions, a lot more opportunity for space debris. And a lot more opportunity for failed launches where something doesn't go exactly where you want and then begins to slightly warble out of control. So that's a lot the tracking of this, there's a lot of work that needs to be done. 

Balancing Space Regulation and International Cooperation

Mark: And it's not being done because we and the Chinese who are two of the largest purport placers of these systems in there are not working well together in international organizations. And then finally the use of weapons in space they've been used by several countries, and certainly the United States is beginning to think that, Hey. If you're gonna go ahead and do it in an unacknowledged way, then maybe we have to follow suit.

Okay, we're not gonna unilaterally disarm ourselves in a domain because we're adhering to a treaty to which you don't feel obliged. So I mean, I think this is a serious issue. It applies more to China than to Russia. Because I think for the Chinese particularly space is seen as a way of competing with the United States.

So in any case I think there are treaties out there. Let me give one more regulatory thing.

Audrey: I had regulatory one more question on that too. So you go for it.

Mark: Sorry about this. So, you go, let's say you're gonna make a big investment in going to get minerals from a meteorite or something. And this is a complex event, that takes hundreds of millions of dollars to execute maybe more, but with incredible opportunity in the bring back.

So you go up there, and you harvest that and you're bringing it back and you're gonna do a water landing with it so you can recover it without any harm to people. And a Chinese ship shows up and says, well, no we claim the space. 

The Need for Clear Regulation and Leadership in Tackling Cyber Satellite Threat

Mark: If you have not worked out a regulation about the rules of exploratory and resource extraction you're going to have, it is going to create a lot of risk for the private sector doing this work. So I think that we're going to need some sort of regulation both about the safety I talked about with launch and placement. And then the extraction, the future incredibly high potential economic windfall that the space economy offers us.

Audrey: Excellent. Because we're beginning to kind of run out of time, but in terms of your key thoughts, what are your biggest concerns that you hope to be addressed? And what are the most positive things that you see coming out of this?

Mark: Well, the first thing is one, I'll beat the drum again. Name put an agency in charge. The US government does not do well when no one's in charge. We have a long track record of not doing well.

Audrey: No one does. Well, when no one's in charge.

Mark: We sometimes don't do well with someone in charge, but at least I wanna put someone in charge, and I think it should be NASA. I think we need to get clear we need to explain to the private sector what the clear kind of like value proposition is in space. We need to show that look, if we can build security and resilience in our space system sector, it's gonna allow us to mitigate the kind of unique cybersecurity challenges. 

[27:12] Safeguarding the Space System Sector from the Cyber Satellite Threat

Mark: And I think it's gonna allow for substantial investment. Investment by the private sector and investment by the government and developing a healthy and robust space system sector. Look, I think that money is there, people are pushing and it's coming, but it's, the brakes will get applied if you start having Leo satellite collisions. If we don't get absolutely ourselves fully organized on this, understand who everybody's role is. 

And begin to work with our international partners to at least a non-confrontational, non-war-like set of rules with the Chinese and others. And then maybe the war-like ones have a set of rules with our like-minded partners. We're gonna be in a lot of trouble. So get ourselves organized, and start working on the rule sets fully integrate the private sector because look, 40 years ago this wasn't true. But today, if a satellite's launched today, it is much more likely than not that the private sector put it up and not the government.

Audrey: The supply chain's gonna be a private sector supply chain.

Mark: Yes. The final thing I'd say is, domestically putting out good rules on cybersecurity, on how to protect, on the need to protect the supply chain. Pre-installation in the satellite, the need to have a protected, I don't wanna say backdoor, but access point to provide patches to the satellite. And then most of all high levels of cybersecurity around your ground control networks. That's the first place I think the hacker's gonna head. If you make it a tough nut to crack, they'll move on to another target.

Understanding the Impact of Cyber Satellite Threats on Critical Infrastructure

Audrey: Absolutely. And so I think certainly if your act gets passed, then we'll start talking about space and satellites as critical infrastructure, which I think is amazing. Especially, I don't think a lot of people know how much dependency just in our daily lives we have on satellites at all.

Mark: Yes. There've been, lastly, I say that there have been a couple of studies that show measurable degradations in G D P within days. Mega significant depression level impacts if it were gone for months or a year. That's how significant the loss of space is to the current economy because we've gotten rid of the backup, right? You have a map in your car.

Audrey: Yes, I do. That's 'cause I forgot to throw it out.

Mark: The analog equivalent's gone at these companies and I get it the networking of all our systems has made us an affluent, successful entrepreneurial co-company country. And it increases of course all that networking is also a vulnerability. So if you don't provide the cybersecurity you'll be in trouble and all that networking is dependent on space. So if you don't protect yourself in space, I'm not gonna say it all comes crashing down, but it definitely reverts to a significantly more laborious non-space-based solution. 

Safeguarding Our Orbital Backbone in the Cyber Age

Mark: In fact, I'll tell you some of the non-space-based position navigation, and timing networks that we had in the sixties and seventies, and eighties. Because We assumed the Russians would do an EMP blast or something and get rid of everything. Those systems are gone now. Those backups are gone. We decided not to keep investing in them.

Audrey: So we uninstalled in and sent 'em off to the scrap heap

Mark: Correct systems called Loran which was a radio network that provided a timing signal gone. So just over time, we've made ourselves dependent on space, both to our great advantage, but also to our great risk.

Audrey: Excellent. Well, Mark, I really appreciate you joining today. This has been great and fascinating and admittedly I'm a child of the seventies and I absolutely love sci-fi and Star Trek and all of that. So any excuse to talk about space and cybersecurity, really enjoyed this. This is brilliant.

Thank you very much. And hopefully, people will be more concerned about space now and what's going on there and how we are looking after it.

About Our Guest

Mark Montgomery serves as senior director of the Center on Cyber and Technology Innovation, where he leads FDD’s efforts to advance U.S. prosperity and security through technology innovation while countering cyber threats that seek to diminish them. He also directs CSC 2.0, an initiative that works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he served as executive director. Previously, Mark served as policy director for the Senate Armed Services Committee under the leadership of Senator John S. McCain, coordinating policy efforts on national security strategy, capabilities and requirements, and cyber policy.

Mark served for 32 years in the U.S. Navy as a nuclear-trained surface warfare officer, retiring as a rear admiral in 2017. He was assigned to the National Security Council from 1998 to 2000, serving as director for transnational threats. Mark has graduate degrees from the University of Pennsylvania and the University of Oxford and completed the U.S. Navy’s nuclear power training program.