Information Sharing in the Space Industry
On April 8, 2019, it was announced at the 35th Space Symposium in Colorado Springs, Colorado that the space industry was getting an Information Sharing and Analysis Center (ISAC). Kratos Defense & Security Solutions, “as a service to the industry and with the support of the U.S. Government,” was the first founding member of the Space-ISAC (S-ISAC).
“[ISACs] help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.”
National Council of ISACs
ISACs, first introduced in Presidential Decision Directive-63 (PDD-63) in 1998, were intended to be one aspect of the United States’ development of “measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.” PDD-63 requested “each critical infrastructure sector to establish sector-specific organizations to share information about threats and vulnerabilities.” In 2003, Homeland Security Presidential Directive 7 (HSPD-7) reaffirmed the relationship between the public and private sectors of critical infrastructure in the development of ISACs.
Today, there are ISACs in place for a number of subsectors within the sixteen critical infrastructure sectors, for specific geographic regions, and for different levels of government.
However, the S-ISAC, while undoubtedly a good call, has left me with a few questions.
Why so much government involvement?
From what I’ve read, the Federal government’s role is to “collaborate with appropriate private sector entities and continue to encourage the development of information sharing and analysis mechanisms.” For example, the Aviation-ISAC (A-ISAC) was formed when “[t]here was consensus that the community needed an Aviation ISAC”; the Automotive-ISAC (Auto-ISAC) came into being when “[fourteen] light-duty vehicle [Original Equipment Manufacturers] decided to come together to charter the formation of Auto-ISAC”; and the Information Technology-ISAC (IT-ISAC) “was established by leading Information Technology Companies in 2000.”
Reportedly, it was not the private actors within the space industry that recognized or felt the need for the S-ISAC, but an interagency body designed to keep an eye on and occasionally guide or direct efforts across space agencies. The Science and Technology Partnership Forum has three principal partner agencies: U.S. Air Force (USAF) Space Command, the National Aeronautics and Space Administration (NASA), and the National Reconnaissance Office (NRO).
Additionally, it appears as though Kratos, a contractor for the Department of Defense and other agencies, was the only private actor involved in the development and formation of the S-ISAC.
These are just things to keep in mind. The S-ISAC’s perhaps unique characteristics must be considered in light of the clear national security and defense interests that these agencies and others have in the information sharing mechanism. Also, since the announcement of the S-ISAC, Kratos has been joined by Booz Allen Hamilton, Mitre Corporation, Lockheed Martin, and SES as founding members.
Why an ISAC?
Again, ISACs are typically the domain of the private owners, operators, and actors within an industry or sector. As new vulnerabilities and threats related to the United States’ space activities have rapidly manifested in recent years and are quickly emerging today, it would seem to make sense for the Federal government to push for the development of an Information Sharing and Analysis Organization (ISAO). ISAOs, formed in response to Executive Order 13691 (EO 13691) in 2015, are designed to enable private companies and federal agencies “to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.”
While ISAOs and ISACs share the same goals, there appear to be a number of differences between the two information-sharing mechanisms. ISACs can have high membership fees, which individual members are responsible for and which often work to fund the sector’s ISAC, potentially blocking smaller organizations or new actors from joining; however, grants from the Department of Homeland Security (DHS) are available to provide additional funding for the establishment and continued operation of ISAOs. ISACs – for example, the A-ISAC – seem to monitor and control the flow of member-provided information available to the Federal government more closely than ISAOs.
Also, ISACs – such as those recognized by the National Council of ISACs (NCI) – are typically limited to sectors that have been designated as Critical Infrastructure and the associated sub-sectors. Despite obvious reasons why it should, space has not been recognized as a critical infrastructure sector.
For now, this seems like a good place to end. This introductory look into ISACs generally and the S-ISAC has left me with many questions about the organization itself and its developing relationship with the private space industry as a whole. Hopefully, these questions and more will be answered in the coming days as the S-ISAC and the private space industry continue to develop and grow.
Here are some of my unaddressed questions to consider while exploring the new S-ISAC: Why develop the S-ISAC now? What types of companies are welcome to become members: only defense contractors or, for example, commercial satellite constellation companies and small rocket launchers? As the commercial space industry continues to grow in areas such as space tourism, will the S-ISAC welcome these actors as well, or will we see the establishment of a nearly identical organization with a different name?