Subscribe
Share
Share
Embed
On today’s episode Vice Chair of the National Cybersecurity Research and Development Center, Sam Visnor, joins Dave Pearah to discuss Zero Trust infrastructure in our space networks. What needs to happen to make space secure?
Cybersecurity in space! Join us as we talk about protecting assets in space, hardening existing assets, and models for the new space ecosystem. Hosted by Dave Pearah, CEO of SpiderOak and SpiderOak Mission Systems.
Dave Pearah (00:13):
Hey, everyone. This is Dave Pearah, CEO of SpiderOak, with another installment of our ongoing podcast series on the intersection of cyber security and space, called Zero Trust 4 Zero Gravity. And as with a great pleasure, that I welcome our newest guest, Sam Visnor, who I had the pleasure of meeting through a connection at the SmallSat Alliance.
Dave Pearah (00:40):
I remember one of his colleagues asked a question about, "Yes, this space stuff sounds great, but what are we doing about cyber?" I said, "Finally, someone I can talk to," because as you know, guests and frequent listeners of the podcast know we're always on the hunt for folks that have something unique or interesting to say on the topic of space cyber. And when I finally got the opportunity to meet Sam, it was like a brother from another mother. We finally found someone on that journey. And I've had many wonderful discussions with Sam and want to welcome him to the podcast. Welcome, Sam.
Sam Visnor (01:15):
Thank you very much, Dave. It's a pleasure to be here.
Dave Pearah (01:19):
For those who don't know, you tell us a little bit about your background, which is all over the place, by the way.
Sam Visnor (01:25):
Yes, I guess that's true. I think my late mother of blessed memory, was concerned rightly that I would never be able to hold a job. I think she was right. After going to University of Georgetown, I spent the earlier part of my career as an intelligence officer, largely overseas. Came back, joined the private sector, took a master's degree in telecom. Was working in the private sector, teaching as an adjunct at Georgetown. And then all of a sudden, in 2001, I found myself back in government at the National Security Agency, as chief of signals intelligence programs. Did that for about two and a half years, coinciding with 911, giving you a sense of my perfect timing in life.
Sam Visnor (02:13):
Went back out into the private sector, ran a couple of cybersecurity businesses. Became an adjunct again at Georgetown, teaching cybersecurity policy operations and technologies, served on a few boards. And now I am a tech fellow at The MITRE Corporation and served as director of the National Cybersecurity Federally Funded Research and Development Center. And perhaps just as exciting I've been elected as vice chair.
Dave Pearah (03:39):
... just federal and just commercial, but the intersection of the two, to providing secure, trusted comms, over what I like to call the great Zero Trust infrastructure of our space networks. Just wanted to really dive into that topic, in terms of, what do you think about Zero Trust and that intersection of federal and commercial?
Sam Visnor (04:05):
Well, Dave, I've been in Washington a long time. So, I know a great trick and it's called thanking the person who's asked you the question for their excellent question, going off and answering the question you intended to answer anyway, and then going back and thanking them again for asking that question.
Dave Pearah (04:20):
It's a skill.
Sam Visnor (04:21):
Let me thank you for that question and I am going to answer it but I want to preface it with something. I don't see that large a distinction at this point between our government and our commercial space systems. And here's the reason that I don't. If you're an adversary and you want to hurt this country, you take a look at what would hurt us and you say, "Well, the United States security is both economic and national security. And if I can hurt their national security or their economic security, I'm still hurting their national security." If you take a look at our national critical functions, that list maintained at the Department of Homeland Security, all of them depend on space systems. And increasingly, if you take a look at how space systems are being used, both government and commercial, for communications under a wartime situation which is happening right now, with SpaceX, or the use of commercial imagery as a source of intelligence, what really is the difference in terms of our national interest between our commercial and our government space systems?
Sam Visnor (05:28):
And increasingly, although they may have been built and operated by different people, they're all part of the same complex of things that we call national security and economic security. And that leads me to your question and that is, the security of all these systems is absolutely vital. Now, as we move to a proliferation, particularly of lower orbiting satellites, where we now have somewhat over 4,000 coming up on 5,000 satellites, where SpaceX is talking about 12,000 and eventually 40,000 satellites and over 7,000 satellites for Blue Origin in their hyper constellation and other mega constellations being put up there. Planet Labs, having up something 200 imagers and Maxar with an impressive capability. It seems that we cannot defer the question of securing these of securing these infrastructures. Since both our industry and our national security will depend on how are we going to get this done?
Sam Visnor (06:32):
These are going to be systems that have very, very broad attack surfaces. Lots of people are going to have access to them and saying that, "Well, once you have access to the network, you're trusted to have access to every resource in the network is probably not the smartest thing to do." That's where Zero Trust comes in. Zero Trust and I'm sure most of our listeners know mean that we have to mediate access, but for every user to every resource individually. Now, there are a number of techniques for doing that, including machine learning and artificial intelligence to make the process more efficient. But given the enormous attack surface that these complex networks are going to have 12,000 satellites connected to a global cloud environment, connected through billions of IOT devices, it makes sense to secure these infrastructures using Zero Trust. And that's one of the reasons I'm so interested in the application of this kind of architecture to the cybersecurity challenges space systems, Dave.
Dave Pearah (07:35):
Well, you've hit on topic that's near and dear to my heart, how to implement Zero Trust in an industry that thinks it's already secure because they have type one encryptors. And I spent a lot of time having to explain, I'm not anti-tech one encryptor. I love me an encryptor, but that we're talking about securing each link of the chain when you really need to think about securing access to each resource end to end. I use the analogy of yes, your armored vehicle bringing the cash to the bank is secure, but the bank itself is secure but for a period of time, you have sacks of cash in the streets. This is a problem, but I feel that's the current state of cyber in space. So, talk us your view, where do you think our posture is now and how much are you getting pulled in the direction of supporting the industry where it wants to go versus pushing them in that direction?
Sam Visnor (08:34):
So, it's interesting that you ask the question in that way. First, I would say industry wants to do the right thing. I'm vice chair of the board of directors of the Space ISAC. And I would encourage people on this call to look up the Space Information Sharing and Analysis Center and ISAC, and you'll see that it really is an industry led organization and we have many of the leading companies in the space industry are part of it. We look at this cybersecurity challenge well beyond what's going to happen with the type one encryptor, there are the command and control systems. The TT & T systems that manage these satellites, that manage these platforms. There are the systems that manage the ground stations and there's been ransomware attacks against them. There are the systems associated with the payloads themselves, and oh, by the way, there is the supply chain issue of the hardware and software associated with these systems.
Sam Visnor (09:45):
All of that needs to be secured. If you take a look at what's happening with Sp0m, right, with the software build materials movement. It's designed to secure the software supply chain. Well, can you tell me of an industry that's more software dependent than the space industry? Think about what it takes to launch a rocket or even more interesting to land that rocket on a platform at sea so that it can be reused. This is a highly software intensive environment. So, it's the security of the command and control and the TT & C, it's the security of the payload systems. It's the security of the ground stations and the ground systems. And it's the security of the hardware and the software supply lines, supply basis.
Sam Visnor (10:30):
Space ISAC, by the way, has both an analyst working group and an information sharing, working group, our watch center, when it stood up later this year will look at everything from RF and appearance to space weather, to telemetry data, to unclassified threat data. It's going to look at all of that, but we've also stood up a supply chain risk management group to help our members achieve better visibility into their supply chain so that they can secure it particularly on the software side. So, I think as you said, it's a much broader question. It's not just the money is secure in the bank fault, right? Who's going to use that money? How are they going to use it? Is somebody going to get control of that money or control of the account that money secures? That would be an issue. The money is collateral for some transaction. How secure is the transaction for which the money is collateral?
Dave Pearah (11:30):
Exactly.
Sam Visnor (11:30):
Accrued but maybe useful analogy.
Dave Pearah (11:35):
By the way, the two most frequent vectors for the attack surface, if you will, for a bank is money on the street and the person driving the truck. Because they have the freaking key to the truck, right?
Sam Visnor (11:50):
That's right. And that by the way, even in Zero Trust, making sure that you have a Zero Trust architecture so that whatever channel you are using to mediate access that channel is also secure. The thing about cybersecurity is people throw terms around like, "Well, we've got this, we've got this covered." Make sure that when you choose a partner that the partner really understands all the aspects to security associated with the architecture that they're peddling. This is something that actually requires due diligence. This is not just, I've outsourced this problem and so somebody else is responsible. If something goes wrong, it's still your business that gets hurt and it's still your stakeholders who will hold you responsible. So, yeah, the fact that you've got a truck driver doesn't leave you of relieve your responsibility for doing a good background check, or in this case if you have a Zero Trust architecture for understanding the security of the process by which access is mediated.
Dave Pearah (12:59):
For us at SpiderOak, we've talked a lot about this. We use distributed ledger check to do decentralized key management so that you have true end to end storage and movement of info. So, really big into the end to end aspects of Zero Trust, which is not everything. Zero Trust is now one technology or even practice as you know. But I find it interesting when we're talking with ground station companies, they're like, "We're trying to break into the US market. We want to sell to the federal government. We want to show that we can be trusted, that we hire good people, that we secure our ground stations."
Dave Pearah (13:37):
And I just say, "Why don't you just prove you don't have to be trusted? Why would the ground station need to know what anything is happening on the satellite?" Or certainly not everything that's happening on the satellite. We really have to move away from this. Hire good people. We secure things too. We can't hire always good people and always secure things so now what. But moving that discussion forward has proven really challenging. The old ways of securing things still very prevalent in the space industry at least.
Sam Visnor (14:11):
Oh, well sure. David, look this isn't a question of blame. Let's let's think about where the space industry originated. It originated in the public sector with a small number of launchers, a small number of platforms that got launched, and each one was bespoke, right? Each one was custom made with its own team. Take a look at the teams that are operating around. For example, our Mars rover, which is among the most marvelous pieces of engineering. To land a rover on Mars, have it go and dig up samples, prepare samples for mission, for sample return. And oh, by the way, fly a little helicopter around the surface of Mars. That's fantastic. But the team of people associated with doing it and the systems are all dedicated. Some of those are people who have been on these programs for decades and the systems associated with it are unique to that system. That's where we were.
Sam Visnor (15:14):
There's an old and maybe apocryphal story about NASA, which talked about the supply chain. I'm putting this part into my booster. Okay. Where did you get this part? All right. Tell me about the factory that made that part. Well, that factory gets this bolt. Where's this bolt made? Show me the factory that makes this bolt. Well, it's made in this factory. Where'd they get the steel? What's the steel mill that made the steel, right?" Let me go there. All right. You guys got the steel. What is the mine from which the iron ore was mine, which went into the steel, which went into this bolt, which went into this part, which went into this booster. That's a kind of maybe apocryphal, but that gives you the sense of the dedication of resources associated with these purpose built systems. Now, we're trying to build space essentially as a commodity for communication, certainly, but remote sensing and for GPS and for observation and for travel and for perhaps mining and manufacturing in space, all of this is happening or coming.
Sam Visnor (16:18):
In fact, the first entirely commercial crew is about to be visiting the space station is about to come back, I think today or this week, if memory serves. We need a shift in our thinking from how to secure an entirely dedicated system to secure systems that are used by thousands, eventually millions of people that are based essentially on commodity hardware and software, and that are going to have commodity use. Buying ground station as a service, for example. So, that's going to require a change in our thinking. We can't secure these things the way we used to, because the way we used to was a few systems, each of which was purpose built as opposed to many systems, which are serving many users and many purposes essentially on a commodity basis. That represents a change in the environment to which we have to adapt our thinking.
Dave Pearah (17:19):
So, in your numerous roles and not limited to the work that you do at MITRE. You're advising and I'm assuming, helping to direct this future. And two things that have, as a small company navigating the defense and intelligence space, always fun and challenging and interesting, by the way. Two things that we keep noticing is space considered critical infrastructure.
Dave Pearah (17:45):
We saw all those executive orders coming out on Zero Trust, which was great. But then when we look at those orders as how they align to space, the questions come up as is space, critical infrastructure, not just spiritually, but actually. And what would that mean if it were. And two, one of those Zero Trust requirements be feeding into the solicitations because money talks and so when these agencies continue to put out initiatives that, "Hey, I want a constellation." And make it secure while you're at it somehow. It sends a message to everyone bidding on these things like, "Well, I guess cybersecurity is 12 on the list. So let's not put anything in there to lower the P win on this one." So, we're still seems to be finding a really uphill battle. So, I'm asking the question in terms of space is critical infrastructure and requirements. How are we going to get Zero Trust into those requirements for the new initiatives?
Sam Visnor (18:47):
Yeah. So, let me unpack that question. First, the last point first. I don't know when these requirements actually will show up in federal acquisition regulations of the defense, federal acquisition regulations. I just don't know. I do know that over time we're seeing requirements in the defense industrial base for a better cybersecurity large that's showing up in things like the CMMC, the Cybersecurity Maturity Model Certification and the requirement to use NIST 800-171, which doesn't answer your question but it does say that over time these requirements are showing up at least for sensitive and unclassified information in the defense industrial base writ large. So first in my mind, and I think for most people, space systems are critical, whether or not it gets a critical infrastructure designation, or it's considered to be one of the systematically important critical infrastructures, the new term that some people are using. I don't know, but I think most of us agree that space systems are critical.
Sam Visnor (20:03):
A mapping of the 55 national critical functions list at DHS shows that everything on that list depends on space. There's even talk and I would call this apocryphal information as opposed to empirical data, that the laws of our space systems on which we depend for food, we'd lose some 20% of our food supply. We use it to move tractor, GPS to move tractors around the field, to move trucks to the store, to communicate remote sensing, to even figure out where we're going to plant, we call this field today, precision agriculture. A designation would put in place a Sector Risk Management Agency, which would be responsible for coordinating requirement policy and eventually requirements could bring federal research and development dollars into this could begin to drive requirements at least for federal acquisition that I think would be useful. And it's also a signal to ourselves and to other countries. Very important right now that we have made a formal designation that our space systems are critical to our national and economic security. And we will defend them as such that I think would happen.
Sam Visnor (21:21):
If this will happen, I don't know. Something I think in this regard is likely what I would say is that what will take a longer period of time is the translation of such a designation into the requirements into requests for proposal. On the other hand, there's an increasing recognition that these systems, even commercial systems are important and that government systems can no longer all be one offs and best spoke and some are going to be shared with industry or built by industry or in the cases of company like Planet Labs and Maxar are commercial companies whose products are being sold to the government. So, it wouldn't surprise me if following such a designation. We tried to get some low hanging fruit by putting these requirements into federal acquisition. But that's a guess. I actually don't have any special knowledge on this and changes in the federal acquisition process can take some time. So, your guess on that is as good as mine. You're going to have to be patient
Dave Pearah (22:30):
And it's a virtue. So, I know-
Sam Visnor (22:35):
And I know patience is your strong suit.
Dave Pearah (22:37):
Exactly. Every startup has that long viewed slow pace. That's what we do. MITRE is one of those interesting organizations, at least from an outside perspective where you are really at that intersection of commercial and federal, and especially from a red team cybersecurity testing perspective, we actually had the opportunity to be tested by moderates an event last year. And I've recently heard about efforts to get a space equivalent of that going to help test solutions for face. Is that something that you're able to talk about?
Sam Visnor (23:19):
I'm not directly involved in that, but I will tell you this, that one of the things that MITRE has been doing and will continue to do is to develop reference architectures that take commercial technologies and show that they can be used for either specific industry verticals or crosscutting solutions. And I think that some of the work that we're doing in the space lab represents that effort. In addition, I think you are aware that NIST and with MITRE support, NIST has developed a draft framework for space systems based on the NIST Cybersecurity Framework. So, you are beginning to see, and perhaps even more than beginning to see an emphasis on the security of space systems and I'm trying to provide an actual architectural approach as opposed to just saying, "Well, it's important that space systems be secure." Instead, you're beginning to see examples of reference architectures and attempts to map space system security controls to the cybersecurity framework. And I would expect that MITRE will continue to be involved in that work as well.
Dave Pearah (24:36):
Yeah, it's interesting. I ran into a couple companies at space imposing recently where they just musing about space cyber and they brought up CMMC and I'm familiar with CMMC. A very small business in the defense industrial base, but also just we sell products to help companies satisfy parts of CMMC, but not in space. So, they were asking, "Well, is the satellite part of what needs to be in the CMMC framework, or are we just talking about corporate down on the planet?" Well, that's a good question.
Sam Visnor (25:10):
I think it's a great question. I'll give you my personal opinion on this. If in fact a company is using space systems for its corporate data for its controlled on class and to process to transmit controlled unclassified information, then those space systems need to be part of the architecture that's subject to CMMC, whether or not that's actually going to happen, I don't know. But I would say the prevalence of space systems and the likelihood that these systems are going to be part of corporate systems means that I would see this as a likely development. Now, a lot of space systems are being built for low demand density environments, right, where you don't have terrestrial carriers. But for example, in more rural areas or areas in this country where you don't have enough demand density for some of the terrestrial carriers, I think you're going to see more space systems in use.
Sam Visnor (26:14):
So, particularly in those areas, I would say space systems to the extent that they're part of the environment a company uses to transmit and process CUI are almost certainly should be subject to CMMC requirements. Assuming the program continues to develop, which I-
Dave Pearah (26:34):
You'll see, Sam. It'll be a program. You'll see. How many years has this been in the making for CMMC?
Sam Visnor (26:42):
Well, and I think they have made progress and making a change in something as broad and deep as the defense industrial basis substantial. You have huge companies that are enormous systems integrators, mid sized companies that are providing subsystems and thousands of smaller companies that do everything from providing very specialized expertise to specialized manufacturing of very high spec parts. So, it's perhaps the most complex industrial base in the world. The fact that it's taking time, the fact that it's hard shouldn't surprise anybody. The one thing that I think it requires is persistence and determination. We can't just decide that this is too hard to do or that it's taking too long. You're trying to secure the most complex, interdependent industrial based on the planet. This is simply going to be hard to do.
Dave Pearah (27:48):
You were serving NCS before and you were recently reelected. Tell us more about that in your new cyber set initiative.
Sam Visnor (28:01):
So, there are several things at which we're looking. I'm on the FC as cyber committee. This is the cyber committee of the Armed Forces Communications and Electronics Association. And I've served for a number of years on this committee and I had to stand down for a year when my term ended and then I stood for reelection and was brought back. We have underway a number of projects. One of them is taking a look at the question of a Bureau of Cyber Statistics. And this actually bears on the work that a number of companies including yours will do indirectly, but in an important way. As you may recall, congress constituted in recent years, a solarium commission to build out parts of our national cyber strategy. One of the recommendations of that commission was the development of a Bureau of Cyber Statistics. The principle reason is that empirical information about cybersecurity is frankly just not meant as good as it needs to be.
Sam Visnor (29:03):
And coming up with a way of accruing and analyzing information on an empirical basis that can be used by government CISOs and CISOs in industry, to understand their risks, to quantify and in some cases monetize their risk and figure out how to invest and what to invest in building their cybersecurity profiles is very important. It's a way of, for example, I think of elevating the question of cybersecurity to the C-suite. It's one thing to say, I hired a CISO I've delegated that responsibility. You might be able to do that, but accountability for its consequences in your business remains in the C-suite, right? You know, you might ask a CISO to put in place that controls, but if there's a successful attack or exploit against your company, and it has a material result on your balance sheet, you as the CEO and your team, your CFO and others are accountable to shareholders, you're accountable to employees, you're accountable to customers and you may be accountable to government regulators depending on the in the industry in which you're in which you're functioning.
Sam Visnor (30:13):
So, this is another way of making sure that there's good information that can be used by the C-suite to understand the risk to their enterprise and understand how they should be investing to mitigate that risk. This is one of the issues on which we're working, and there are a number of tough problems. Should the accrual of these statistics be mandatory, if not, what's the best way to encourage their use, their collection and by the private sector and giving them to a federal Bureau of Cyber Statistics for their analysis. And this is a project on which we've been working for the last few months. We have other projects upcoming, including a look at whether or not we think the nation's cybersecurity profile is adequate given the current international geopolitical situation.
Sam Visnor (31:04):
I really can't say more about that right now, but I would say that right now that in the interim, the question of cyber statistics and better cybersecurity data is a vital problem, so that we can take this national debate about discussion about improving our cybersecurity, both at the national level and at the level of individual enterprises and government and industry, and actually inform it with better data than we've had in the past. That's one of the big issues on which we're working. I'm also by the way, a member of the Cyber Council at the Intelligence and National Security Alliance, we're working on a broad range of issues there, but that council, by the way, has endorsed the idea that space systems should be declared a sector of critical infrastructure and they've published a white paper on the insaonline.org site, if anyone is interested in reading it.
Dave Pearah (31:59):
Any other topics we didn't touch on that you wanted to discuss here?
Sam Visnor (32:03):
Well, I think the one last topic is one that with which we started, and I think Dave, we can close with this and that is we're undergoing a fundamental change in our global information technology infrastructure. That's going to require new, better, more distributed and more efficient cybersecurity solutions. In the course of a human working lifetime, I moved from the first technology on which I was formally trained, which was Morse code to the use of an iPhone. From Morse code to an iPhone in the span of a single career. Think about the change in the information technology environment that that represents. The next change of that environment is emerging around us. Thousands of low Earth orbiting satellites, forming the backbone of global 5G networks connected to global cloud networks, connected to smart cities with machine learning to habituate themselves to data and learn patterns and artificial intelligence to take the data from millions of eventually- ... or maybe even a billion IOT devices.
Sam Visnor (34:14):
We're talking about, as many as the million IOT devices per square kilometer. And I think we're going to hit that number pretty soon. How do we secure that? We're going to see a fundamental change in the infrastructures that we have. So, that is the other issue that is consuming me. And you can see the smart cities problem as a subset of an increasingly smart global IT infrastructure where AI mediates the use of resources. How we're going to secure that, I think is the next great challenge and one in which I think Zero Trust will play a role.
Dave Pearah (34:49):
You know, this is not just academic for you or for me. And the topic you just brought up was this is playing out in real time. So, you look at SDA's amazing work in terms of rapid deployment of satellites for tranche, tier one, tranche one layer, transport, and tracking, right? You're following that closely.
Sam Visnor (35:11):
I am.
Dave Pearah (35:11):
So you have the current players, three different constellations of satellites and you see a different solicitation out for who's going to operate that meta constellation or all things together. Who's responsibility is it, to have secure comes storage and movement of data across these mixed interconnected networks?
Sam Visnor (35:38):
That's going to be-
Dave Pearah (35:39):
Everyone wants to do the right thing, but it's not obvious because the people bidding I know and I was, "Well, I assume they built that into the satellites, right?" And the people built the satellites, listen, security ends at the boundary of our constellation. I don't know what those other folks are up to, right? So everyone's correct. It's not a finger pointing in the sense of not wanting to own it. It's just a lack of clarity of how does one do end to end security in AI build this one thing world.
Sam Visnor (36:09):
I don't have a perfectly good answer. I think this is a question that the architects of those systems are going to have to answer as the procurement takes place. On the one hand, there's some anxiety associated with taking this approach because these are intermix systems in which you're going to have diffuse responsibility. On the other hand, Dave, I'm pretty optimistic. I'm glad to see that the Space Development Agency is taking this somewhat more agile and rather greatly more agile and innovative approach.
Sam Visnor (36:47):
One good thing about these systems is that they're so highly diverse and they have enough system diversity and redundant in them that it's pretty hard to bring them down. One of the things we're seeing with some of the commercial networks is that you can push a patch out to these modems very quickly, which is not all that easy to do with older hardwired systems. So, what I guess I would say is that without answering your question directly is some of the approaches that are being developed for securing highly distributed systems should be considered by the architects at SDA and I'm hoping that's what they'll do. I think they probably will.
Dave Pearah (37:27):
So, when you're not solving all the world's problems on space cyber, what else are you doing?
Sam Visnor (37:34):
Well, I am as I said, looking at the issue of cyber security of complex interconnected systems, when working with the Next G Alliance on how do we build an industrial strategy to ensure US leadership for 6G, that's a big issue for me. I think we need a national R&D strategy for 6G that includes, by the way, ways of making manufacturing of 6G gear more efficient so that we don't end up creating a 6G technology, the manufacturing and deployment of which gets outsourced to our competitors and adversaries, that's an issue on which we're working. And then, when I'm not thinking about that as the world reopens, we're hoping to do more travel. We started to go to the symphony, we're starting to go back to live performances and I'm looking forward to being able to do more of that as life begins slowly but surely to return to normal.
Dave Pearah (38:34):
And outside of work?
Sam Visnor (38:36):
Well, that is outside of work. That and playing with a new dog. That is a major focus right now. We've adopted a four-year-old hound mix, looks like a beagle foxhound, and we are just spending with her and she's consuming a lot of our attention.