EL SEGUNDO, Calif. -- Countering cyber threats from China and Russia, protecting the supply chain, the roles and risks of artificial intelligence, and developing the next generation of cyber experts in the workforce were just some of the topics covered at the 7th annual SSC Cyber Expo hosted by USSF’s Space Systems Command (SSC).
More than 400 people from SSC, Space Operations Command (SpOC), Space Training and Readiness Command (STARCOM) as well as commercial space industry representatives attended the two-day event April 22-23 held at Los Angeles Air Force Base.
“Every person here, every satellite on orbit, and every network is a viable target,” said Col. Michelle Idle, deputy commander of SSC, as she welcomed participants to the event. “Our call to action is to close kill chains with next-generation space capabilities and to finish the pivot to a more resilient on-orbit posture.”
“Cyber Expo gets industry and government partners together in one forum to talk about what the challenges are and possible solutions,” said Col. Craig Frank, SSC S6 (cyber) director, who also gave a presentation on supply chain risk management.
John Garstka, director for cyber warfare within the office of the Deputy Assistant Secretary of Defense, gave the keynote speech on the first day, describing space as the fourth warfighting domain and cyberspace as the fifth.
“This is something that’s really hard for people to understand, because most people can’t go to a war game or exercise where they’re getting the impact of a real-world cyber-attack,” Garstka said. “This is a significant threat that we have to prepare the joint force to deal with.”
Sometimes it’s hard for people to grasp when new technology has become a critical threat, Garstka said. He cited a key example from history: just days before the Pearl Harbor attack on Dec. 7, 1941, that sank the USS Arizona, the Army-Navy football game program included a photo of the ship with the caption, "It is significant that despite the claims of air enthusiasts no battleship has yet been sunk by bombs."
In a similar fashion, most space systems on orbit today were not developed in an era where cybersecurity was even a consideration, Garstka said.
When it comes to space systems, the risks aren’t limited to the operations and sustainment phase but run across the entire life cycle, Garstka said. If you’re considering cybersecurity for space systems, it needs to cover the entire mission stack, including critical installation and commercial infrastructure.
“If you shut down the water or the power or the fuel and you can’t provide a space system ground segment with power, then you have a static display,” Garstka said.
He added that it’s critical to understand that the Defense Industrial Base (DIB) is a key mission partner. The military needs to give them the requirements they will need to meet but also understand that most of them are smaller businesses and may find it difficult from an economic standpoint to meet those cybersecurity standards.
“If you want the designs of our next generation space systems to not be the victims of adversary espionage campaigns in cyberspace, we’ve got to figure out how to close the cost equation to make that a reality,” Garstka said.
“If you want to do something about enhancing the cybersecurity posture of space systems, the most important thing you can bring to the fight is motivation – the ability to identify the type of requirements that these space systems need to meet, and you’ve got to be able to move the Benjamins (money),” Garstka said.
Mike Schripsema, a cyber intelligence analyst for SSC, gave an intelligence threat perspective on the race to resilient space systems, describing specific threats from China, Russia, North Korea and Iran. Of those, China is the most active and persistent cyberthreat to U.S. government, private sector and critical infrastructure networks, but both China and Russia have weaponized space to deter and counter possible U.S. intervention during a regional conflict.
Cyber threats have inherent qualities that make them attractive to both state and non-state actors, Schripsema said. They have a lower barrier of entry than other kinds of attacks; the effects can range from temporary denial-of-service attacks to more permanent and destructive ones; attackers can conceal warning indications as well as who committed the attack; there are many attack surfaces; and they are available in all facets of a conflict, including before the conflict.
Space systems rely on information systems and networks from design and conceptualization through launch and flight operations, Schripsema said. Command-and-control transmissions between space vehicles and ground networks rely on the use of radio-frequency-dependent wireless communication channels. These systems can be vulnerable to malicious activities that can deny, degrade or disrupt space operations or even destroy satellites.
In addition, adversaries are looking to access key U.S. supply chains, at multiple points, from concept to design, manufacture, integration, deployment and maintenance, Schripsema said.
In a roundtable discussion featuring panelists from SSC’s S6 and the Space Systems Integration Office, Col. Brian Mihalko, SSC S6 chief of staff, said one of the reasons SSC recently developed its Cyber CONOPS plan was to eliminate some of the confusion surrounding cyber.
“If someone asks me, ‘How are we handling cyber at SSC?’ my first question is going to be, ‘Well, what do you mean by cyber?’” Mihalko said. “Do you mean the cybersecurity of our space segment, the cybersecurity of our ground segments that control our satellites? How we’re implementing the risk management framework? How we’re implementing Zero Trust architectures?”
“Cyber” also could refer to defensive cyber operations in cyber warfare and how SpOC is posturing Guardians in the cyber ops squadron to hunt for anomalies and clear adversaries out of networks, Mihalko said. It could refer to the IT infrastructure and everything from the long-haul communications systems Space Force uses to traverse the globe to weapons systems. Or, it could refer to the data generated by space systems and how SSC stores that data, makes it available and curates it to feed into artificial intelligence and machine-learning efforts.
Alex Stamos, SentinelOne chief information and security officer, gave the keynote address on the second day, outlining the magnitude of the threat from dedicated state actor adversaries, and noting, “The size of Chinese capabilities is unprecedented.”
China has more than 150,000 people working on offensive cyber operations – both those directly working for the Chinese government and those working for private organizations, Stamos said. Russia is less organized, but both countries have large numbers of hackers who get constant practice, which gives them an advantage against their U.S. counterparts.
“You should not overestimate the capabilities of these (Chinese) actors, but it does mean that effectively any organization that has any relation to the defense industrial base, that has any relation to any of the industries the PRC (People’s Republic of China) considers critical – biotech, semiconductors … any of the things that the Chinese want to be competitive in, you have a dedicated team working on you,” Stamos said.
“These hackers are working every single day,” Stamos said. “They’re hacking on behalf of Chinese companies, they get real practice in real scenarios, without the Chinese government having to pay them to do that. They don’t have to build artificial cyber-ranges; they don’t have to pay for them to keep their skills sharp.”
“These guys are professionals,” Stamos said. “They show up every day. If you ruin their day, it’s not like they quit. These guys have a mission – they don’t get their bonus unless they succeed, and they will come back, over and over again.”
Complex supply chains mean there are numerous ways for adversaries to attack, often with the target only finding out at the last minute because the attack started within a third-party vendor, Stamos said. A few of the common techniques among Chinese hackers include credential theft; Living Off the Land (LOTL) attacks, or using legitimate tools to avoid detection; and lateral movement to escalate privileges.
Ways cyber defenders can counteract these hackers include having very aggressive cyber “purple teams,” incorporating layers of defense and maintaining network diversity.
“What’s happened is we’ve pushed people onto fewer and fewer platforms and pushed more into the cloud, and that’s great in lots of ways, but what it’s done has meant that one vulnerability allows you to pop more and more machines,” Stamos said. “I had a breach that I worked on where the company survived only because their system of record was AS/400. That was almost certainly older than the Russian attackers that tried to take out the company.”
In the future, Stamos predicted cyber professionals will see more AI versus AI conflicts, with various actors using AI proxies. Adversaries who are motivated by financial gain will be more likely to use AI to speed up their work, versus state actors, who have a greater interest in remaining undetected and less tolerance for the kinds of mistakes AI can make. Stamos also said there will likely be an increase in “vibe” coding, or using AI to generate pieces of malware that can be assembled for an attack.
CHIRP (Cyber Halo Innovation Research Program) interns also were on hand to discuss their cyber research at the event. The CHIRP program is a collaboration between SSC and universities and industry partners to provide college and university students with a direct pathway into a cybersecurity career.
Other speakers included Chandra Donelson, USSF chief data and AI officer, who gave a data and artificial intelligence fireside chat; Roman Brozyna, MITRE incident responder, who talked about how MITRE handled the 2024 infiltration of its NERVE research network by a Chinese state actor; and Seth Whitworth, USSF S6 Deputy Director, who spoke about the risk management framework.
In addition to the keynote speeches and panel discussions, participants could visit a “Cyber Petting Zoo” to see, touch and try out new cyber and IT technology and capabilities and visit more than 25 industry partner and DoD booths for information and networking opportunities. Aerospace Corporation also hosted a “Capture the Flag” event in which individuals or teams were given 90 minutes to solve a series of challenges involving a ground system attack on a simulated space vehicle.