At a glance.
- Space systems as critical infrastructure.
- Comment on proposed US SEC cyber risk management and disclosure rules.
Securing the final frontier.
As Via Satellite notes, the White House has been debating for months whether critical infrastructure cyberspace includes, well, literal space. During the Value of Space Summit hosted by Space ISAC and The Aerospace Corporation in October, Lockheed Martin senior fellow Dr. Dawn Beyer stated, “I’m surprised that the United States is still talking about whether or not space should be part of the critical infrastructure — I don’t think our adversaries are struggling with that question,” referencing China’s reported recent testing of a nuclear-capable hypersonic missile. Experts worry that rivals see space as a chink in the US’s cybersecurity armor, a concern made more pressing by the ongoing war in Ukraine, which has officials warning of almost inevitable Russian cyberaggression. Samuel Visner, technical fellow for MITRE, explained, “Our adversaries see space as critical to their national interest. Frankly, I think they see [space] as a vulnerability to our national interest that they can exploit in support of their national interest. While we are considering this issue, our adversaries and potential adversaries are being active.”
The US Cybersecurity and Infrastructure Security Agency recognizes sixteen critical infrastructure sectors, and though space is not on that list, space technology underpins many of those sectors, including communications, the defense industrial base, and food and agriculture. Ironically, the fact that space plays such a large role across critical infrastructure is part of what makes designating it as a sector of its own so challenging. The government must determine how to handle the overlap and make difficult decisions about functional questions, such as which federal agency would serve as the sector’s risk management agency. The Space Infrastructure Act, introduced in the House last year, would officially add space to the list and, as John Galer, assistant vice president of national security space at the Aerospace Industries Association, noted, would pave the way for greater collaboration between the space industry and the Department of Homeland Security.
During last fall’s CyberSatGov conference, Via Satellite reports, National Cyber Director Chris Inglis emphasized that such collaboration is a key component of the country’s cyber strategy, using the 9/11 attacks as an example. “The real story of 9/11 was that we need to lower the barriers to collaboration such that your hunches, my insights, and my partial view will be reconciled to yours so that we can discover something together that we never could have discovered alone, even with ten times the resources,” he stated. Inglis noted that his office is working with government space projects from the Defense Advanced Research Projects Agency (DARPA) and the Space Development Agency, and is cooperating with the Office of Science and Technology Policy and DARPA to ensure that the private sector is investing in space innovation.
Further comment on the Securities and Exchange Commission's proposed disclosure rules.
Michael Borgia of Davis Wright Tremaine sent us some comments on the US Securities and Exchange Commission's (SEC) proposed cybersecurity risk management and disclosure rules:
“Running the notification deadline from the date materiality is determined rather than the date the incident is discovered could cut both ways for registrants. On the one hand, this gives registrants more flexibility as to when (if ever) an incident must be disclosed on a Form 8-K. On the other hand, when it is not immediately clear whether an incident is material, which is frequently the case, companies will need to continually reassess materiality as the investigation progresses. Registrants are advised to carefully document and update the materiality analysis so it is clear when, if ever, the company decided the incident was material.”
“Companies are increasingly likely to find themselves navigating overlapping—and in some cases conflicting—incident notification requirements. It is not difficult to see how these various reporting requirements might clash. For example, as the SEC acknowledges in the proposed rules, a company may be required to disclose an incident in a Form 8-K even though it is delaying reporting under state laws due to a law enforcement delay.”
“The SEC's proposed rules for publicly traded companies do not contain prescriptive requirements for internal cybersecurity safeguards. These proposed rules, for example, do not require companies to institute cyber compliance policies or ensure adequate board and management oversight. But by mandating disclosure of whether a registrant has these mechanisms, the SEC is effectively regulating through transparency.”