Cybersecurity continues to be a central topic in the space sector, from both a civilian and military perspective, not the least as a result of recent challenges, including the new risks and threats arising from the war in Europe.
At the international level, the UN Group of Governmental Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security issued its most recent report in July 2021 containing a set of norms, rules and principles for the responsible behaviour of States to ensure ICT security and prevent threats. On its turn, in March 2021, the Open-ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security issued its report containing a set of recommendations for responsible State behaviour in the use of ICTs, including with respect to the integrity of the supply chain, prevention of the proliferation of malicious ICT tools and techniques, and responsible reporting of vulnerabilities. UNGA recognised the adoption of the OEWG report and of the GGE report in 2021 and called upon States to be guided, in their use of ICT, by these reports. In December 2020, UNGA adopted Resolution 75/240 establishing an Open-ended Working Group on security of and in the use of information and communications technologies for 2021-2025.
From a military perspective, NATO had already recognised cyberspace as a domain of operations in 2016 and had endorsed a Comprehensive Cyber Defence Policy in 2021. Additionally, NATO’s 2022 Strategic Concept affirms NATO’s efforts in “maintaining secure use of and unfettered access to space and cyberspace”, which are “key to effective deterrence and defence”. The Strategy foresees the enhancement of the ability to “operate effectively in space and cyberspace to prevent, detect, counter and respond to the full spectrum of threats, using all available tools”, as well as the enhancement of the “resilience of the space and cyber capabilities upon which we depend for our collective defence and security”.
In this respect, guidance for the application of international law to cyber conflicts and cyber warfare has been issued to assist in dealing with cyber issues: namely, the Tallinn Manual, which is currently under revision for the period 2021-2025.
At the EU level, the Strategic Compass notes the increasing number and sophistication of cyber threats, and indicates, among others, the development of the EU Cyber Defence Policy to better prepare and respond to cyber-attacks, and the strengthening of the EU Cyber Diplomacy Toolbox. The document also highlights, in the cyber domain, the goal of intensifying efforts “to develop and connect our capabilities to provide the necessary resilience and ability to act in all domains, particularly focusing on the Enhanced Military Mobility, which is an essential enabler”. The Action Plan on synergies between civil, defence and space industries already addressed cybersecurity and cyber defence, as well as synergies between cyber work in the civilian, defence and space spheres.
Following the above (and other cyber military documents, such as the 2021 “Military Vision and Strategy on Cyberspace as a Domain of Operations”), in November 2022 the EU published its Policy on Cyber Defence and an Action Plan on Military Mobility 2.0 to address the deteriorating security environment following Russia's aggression against Ukraine and to boost the EU's capacity to protect its citizens and infrastructure. The Policy on Cyber Defence expressly mentions the need to further increase the protection of critical infrastructure against large-scale cyber-attacks, with a focus, in the first instance, on energy, telecoms, transport, and space. The Action Plan on Military Mobility, in its turn, refers to the role of space-based solutions for military mobility.
In May 2022, the EU issued the Fourth Progress Report on the implementation of the EU Security Union Strategy, noting, among other points, the increased cyber challenges and required measures arising from the war in Ukraine.
Beyond military aspects, the EU recently put forward a Proposal for a Cyber Resilience Act, which addresses the vulnerabilities of digital products and ancillary services, seeing as the more everything is connected, the easier it is for a cybersecurity incident to affect a device or system and thus impact economic activities. This Proposal is part of a new EU approach to cybersecurity following the 2020 Cybersecurity Strategy, which also comprises the Cybersecurity Act and two proposals that, for the first time, will apply to the space sector: the Proposal for the NIS 2 Directive, which was approved at the European Parliament on 10 November 2022, and the Proposal for the CER Directive, which was approved at the Parliament on 22 November 2022.
In March 2022, new rules to establish common cybersecurity and information security measures across the EU Institutions, Bodies and Agencies (EUIBA) were also put forward: the Proposal for a Cybersecurity Regulation for EUIBAs and the Proposal for an Information Security Regulation creating a minimum set of information security rules and standards for the secure handling and exchange of information for all EUIBAs.
And, in November 2022, ENISA issued its 10th edition of ENISA Threat Landscape.
Bearing in mind the development of cybersecurity capabilities for the use of outer space, the EU has also been developing quantum technology capabilities for, among other ends, secure communication in space, particularly in the context of the EuroQCI Initiative. The Union Secure Connectivity Programme for the period 2023-2027 was also put forward with the aim of establishing a secure and autonomous space-based connectivity system for the provision of guaranteed and resilient satellite communication services, taking into account the existing and future assets of the Member States used in the frame of the GOVSATCOM component of the Union Space Programme established by Regulation (EU) 2021/696. In November 2022, the Council and European Parliament reached a provisional agreement on the Programme, with its constellation to be called IRIS2 (Infrastructure for Resilience, Interconnectivity and Security by Satellite).
At the national level, some countries have also addressed cybersecurity in space. For instance, in addition to the UK (Space Industry Regulation 2021 and Cyber Security Toolkit by the UK Space Agency) and the US (Space Policy Directive 5), the German Federal Office for Information Security recently issued a model for space-industry cybersecurity standards.
In Portugal, the Council of Ministers has also approved the National Cyber Defence Strategy, which expressly refers to the use of cyberspace as a domain of operations (land, sea, air, space and cyberspace).