“Typically, they find a flaw, then notify the vendor. And at that point they get a cease and desist or threatening letter…” Last week, the Cybersecurity Advisors Network (CyAN)’s International VP Peter Coroneos spoke to The Register, a leading British technology news site, about the launch of our inclusive …
“At a time of unprecedented scale and seriousness of cyber attacks threatening our personal information, the continuity of our businesses and the systems and infrastructure that support our societies, we find the very people we rely on to protect us remain under threat.” On Tuesday, …
Yesterday, the Australian Financial Review, one of Australia’s most respected business-focused newspapers, covered the launch of the Cybersecurity Advisors Network (CyAN)’s inclusive global coalition to work towards securing internationally consistent legal immunities for bona fide zero day researchers.
CyAN member Edward Farrell is one such researcher; he discussed with the AFR his experience of being silenced by legal threats after responsibly disclosing serious security flaws in Australia.
Edward is not alone in his experience, however. Bona fide zero day researchers face similar legal threats the world over for trying to improve the health of our digital environment.
If you or your organisation are willing to join our efforts, please contact us.
The Cybersecurity Advisors Network (CyAN) is joining 81 individual cybersecurity experts and organisations in signing the Global Encryption Coalition’s open letter against Belgium’s Data Retention Legislation. The Data Retention Legislation requires encrypted systems operators to allow law enforcement access to content from specific users upon …
The Cybersecurity Advisors Network (CyAN) is committed to making our digital environment safe from crime through cooperation and the rule of law. For this reason, CyAN is a signatory to the Multistakeholder Manifesto on the proposed UN Cybercrime Treaty led by the CyberPeace Institute and …
On September 9th 2021, CyAN hosted a webinar on how space infrastructure and satellites are vulnerable to cyberattack. CyAN International VP Peter Coroneos hosted the event and was joined by an extraordinary panel: Prof. Steven Freeland, international space law authority and Vice-Chair of a 5-year Working Group on the “exploration, exploitation and utilisation of space resources”; Edward Farrell, highly regarded cybersecurity expert and researcher, and Dr Samuli Haataja, legal academic and author of “Cyber Attacks and International Law on the Use of Force: The Turn to Information Ethics”.
You can watch the entire webinar here at:
Due to time constraints, not all audience questions could be answered. However, the panellists took the time afterwards to answer some of the webinar chat and email questions which we have provided below. The answers are unattributed as per the panellists’ request:
Q: To the panel: Bezos, Branson and Musk have all breached the atmosphere in the past few months. Is there danger in this activity, and what are the implications?
A: More of a legal question, but on a personal note, I think this is awesome; we’re in a place to motivate and inspire others.
Q: I am curious as to how the Tallinn Manual 2.0 applies to Space Law and specifically to Australia?
A: Chapter 10 of the Tallinn Manual already covers off on a chapter of space law. However, I would also add in the protection of the natural environment as a rule in the manual, noting the Kessler effect, as well as protection of objects indispensable to survival, which given the roles mentioned previously of technologies such as GPS and its role in logistics/human supply chains could mean that everything has to be considered protected in space. I am not a lawyer, but another issue that will come out is using civil technology for military purposes, and the contention that the technology is then a legitimate target for war, i.e. use of Iridium sat phones: does this make these a target?
Whilst the Tallinn Manual 2.0 does cover some aspects regarding space activities (and their interaction with cyber), it is intentionally not comprehensive. Moreover, whilst a useful starting point, there are many points where States appear to disagree with some of the assertions made in the Manual.
Q: On the topic of attribution of state-sponsored attacks, how do we call out specific countries for attacks in educational media?
A: The same strategy we have long applied; disclose, publish and point out fault.
Q: So Australia is legally on the hook if an Australian-owned satellite causes physical problems in space. Are we similarly on the hook if one of our satellites gets hacked, or if a hack on someone else’s satellite originated from inside Australia?
A: Space law liability covers in space collisions and damage on Earth / to aircraft caused by falling debris.
Like everything, it will depend on the circumstances. If, for example, the hacking leads to loss of control of a satellite resulting in a collision in space with someone else’s satellite, the space law liability regime provides for a ‘fault’ basis to determine who is liable and to what extent.
Q: Are micro-satellites more vulnerable?
A: I would say they’re no less vulnerable, but the open availability of their tech stacks through open sourcing means that weaknesses are readily identifiable; however, the disclosure process is also more achievable, which, over a prolonged period, will see a reduction in vulnerabilities.
Q: Does the battle for the arctic reflect the ownership disputes we can anticipate in the future for space?
A: The Arctic raises different legal issues than outer space – outer space is akin to a ‘global commons’ (though some do not like that expression) with no sovereign territorial claims possible, whereas rights to utilise the Arctic may, under the relevant Law of the Sea treaty regime, ultimately be at least in part dependent on claims based on a country’s continental shelf reach.
Q: To the panel – if automated orbital weapons platforms eventuate, is there a chance that they could be ‘spoofed’ or fooled by false inputs by bad actors into incorrectly activating/firing? I’m thinking of a comparison to Tesla cars mistaking a very bright full moon as a yellow light and braking on a highway incorrectly.
A: Perhaps less focus on orbital weapons and look at space’s current military applications with GPS. Short answer: yes, and this question of targeting sensor systems is a wider issue with other mission systems. I’d encourage looking at Zoz Brooks’ work in this space, specifically relying on multiple sensors in the process of making a decision.
In any set of rules for any activity, bad actors may still attempt to act irresponsibly and it is impossible to stop that possibility entirely.
Q: Thank you all for such an interesting discussion. If I may, I would like to ask whether you see the most effective mitigations in security against threats to be created by commercial or government actors?
A: This is quite an expansive question- there is never a silver bullet in cyber security, and mitigation will be dependent on context, which is ever-changing.
We are very happy to announce that, for another year, CyAN will be a partner of the FIC. Many of our members will be attending with some of them hosting roundtables and happy to meet. Our member Sándor Fehér, who will speak at a roundtable on …
This year again, CyAN supports ICT Spring and its side event, the European Security Forum – a full day event gathering cybersecurity professionals to discuss the latest trends in a field that is evolving at a faster pace than ever, with the number of (sophisticated) cyberattacks …
The Observatoire FIC* is organising a videoconference on Tuesday 22 June 2021, from 8:30 to 10:00 a.m., on the theme “Electronic waste and data security: a common goal?”. The event will be moderated by Jean-Christophe Le Toquin, President of the Cybersecurity Advisors Network (CyAN).
According to the UN’s Global E-waste Monitor 2020, published in July 2020 and cited by the World Health Organization in its report Children and Digital Dumpsites, published on 15 June 2021, a record 53.6 million metric tonnes of electronic waste was generated worldwide in 2019, an increase of 21% in just five years.
Electronic waste is now a major health and environmental challenge, one that is pushing customers and investors alike to attach particular importance to environmental sustainability. But electronic waste also poses a real data security problem. There can be no reuse and no extension of the lifespan of this equipment without a guarantee of secure erasure.
What are the current trends in electronic waste management, and what outlook can be drawn for the coming years? How are the major industrial players handling this issue?
What are the different practices and policies for destroying IT hardware? Have they been affected by the current health crisis, and if so, how?
How can the unnecessary destruction of IT equipment be avoided, and how can its reuse be encouraged?
How can data security be ensured when equipment is reused or resold?
How do corporate social responsibility (CSR) policies address the destruction of IT hardware and good practice for electronic waste (WEEE)?
During this session, Yves Gheeraert, Director for Benelux, France and Southern Europe at Blancco, will present the main findings of their new study, “La Vague Montante des Déchets Électroniques”.
Yves will address the data security problems associated with reusing IT equipment. He will share advice on implementing sustainable IT practices within organisations.
He will debate these issues with:
Laetitia Vasseur, Managing Director and co-founder of HOP // Halte à l’Obsolescence Programmée
The Cybersecurity Advisors Network (CyAN) and the Observatoire FIC* are organising a videoconference on Thursday 10 June 2021, from 8:30 to 10:00 a.m., on the theme “Zero-day researchers: time for rehabilitation?”. Among the most impressive cyberattacks that were made possible by the exploitation of flaws …