Zero-Trust 4 Zero-Gravity

This week Dave discusses cyber risks in space with MIT scientist, Johns Hopkins professor and author of the book “Confronting Cyber Risk” Gregory Falco. From governments to the private sector, what is happening when it comes to cybersecurity in space? What is the future of cybersecurity in space?

Music Credits to Paweł Feszczuk - Sunny Walk
Created with LMMS


What is Zero-Trust 4 Zero-Gravity?

Cybersecurity in space! Join us as we talk about protecting assets in space, hardening existing assets, and models for the new space ecosystem. Hosted by Dave Pearah, CEO of SpiderOak and SpiderOak Mission Systems.

Dave Pearah (00:04):
Welcome everyone to another exciting episode of the Zero Trust 4 Zero Gravity Podcast. I'm your host, Dave Pearah, CEO of SpiderOak, providers of BlockChain and Zero Trust Security 4 Space. And every week we try to focus on someone who is on that crazy journey of space cyber, either from a research standpoint, technology or thought leadership side. And it gives me great pleasure to welcome our latest guest, Professor Gregory Falco, who I've had the pleasure of knowing for almost two years now. When we were just first thinking at SpiderOak about exploring space cyber, it was, and frankly still is, a really small group and community of folks, but Greg was one of the few people that was loud and proud about space cyber, and really focusing on that as a research area. And he is coming out with a book just published called Confronting Cyber Risk: Endurance Cybersecurity, and we're glad to have you on the show. Greg, why don't you tell us a little bit about yourself?

Professor Gregory Falco (01:15):
Yeah. Thanks David. Thanks for having me here today. So, as you mentioned, I'm a professor in the Civil Systems Engineering Department at Johns Hopkins University. I'm also joined with this place called the Institute for Assured Autonomy, which is a collaboration between our engineering school and the Applied Physics Lab at Johns Hopkins. And the Applied Physics Lab is a unique place because it is a trusted agent to the US government. And that means that if there is some cool R&D work that the US government needs in some capacity, they will call on the Applied Physics Lab to go do that work.
So, it offers a translation zone for my research that I might do here in my lab with my students, to actual military projects or space projects. So, it's a fun opportunity to engage with the real world, in addition to my pie in the sky ideas with regards to space cyber. And yeah, so I've been doing space cyber work for a number of years now, and some of my early work in the space, I think it helped to inspire and was used in part for the first space cyber policies, SPD-5, Space Policy Directive 5, on cybersecurity principles for space systems. So, I have a good amount of exposure to both the technical community, as well as the policy community on this topic. But thanks again for having me, Dave.

Dave Pearah (02:40):
Absolutely. So, let's dive right in. So, what's gotten better and what hasn't gotten better when it comes to space cyber? Because you've been following this topic longer than I have, and we have at SpiderOak. So, what makes you smile? What makes you cry?

Professor Gregory Falco (02:59):
Yes. Let's start with the good stuff. What's gotten a lot better is just people now know that this may be a problem or something that they should even think about. This spans the gamut from both government officials who may take this problem more seriously, to also just public knowledge. So, it may sound ridiculous, but the Netflix show Space Force just really got people thinking about what does space security look like? And even in that show, they talk about like, "Oh, China's hacking us," or something. That really helps to raise public opinion or interest in this topic.
So, I think things like that matter when it comes to these fringe research areas that need to be brought to the fore. So, I think that's something that's definitely making me happy, that more people are talking about it. Something that's really frustrating though, is that we still don't have the funding lines or the priorities from a contracting standpoint to actually build these systems out to make them secure. There's a lot of good talk right now, but talk is pretty cheap. And one thing that is slowly progressing is that there's a number of bills in progress in the US to make space a more critical infrastructure sector, but also to require certain commercial space sector partners to do more with regards to cyber. There's a bill on the floor right now, it was introduced two days ago on this topic. So, there's public attention here, but we need to have the contract vehicles to actually go do work in this space. So, it's a lot different to actually go do stuff than to just keep thinking about it.

Dave Pearah (04:44):
I was at a conference on Friday, where I was asked the question, "What would really help advance space cyber?" And I said, "Actually asking for it in your contracts." Because right now, the way that everything's worded is like, "I would like a satellite that has this sensor with this bandwidth. And make it secure, please."
And that sends a very clear message to the community that security is 10th on the list of requirements, and therefore companies like SpiderOak, we're coming in with an exquisite level of hardened security and there's a shoulder shrug of, "Well, no one's asking for that. Why are you trying to give me this level of security when we don't want it?"

Professor Gregory Falco (05:34):
Yeah, I hear you. It definitely stinks that you guys are feeling it in that way, but it's been the same story for the past five or so years since we've been trying to bang the drum. So hopefully people are starting to listen. I had some feedback the other day from a contact at the Air Force saying that if you thought last year was good for space cyber investment, this year is going to be blowing your mind. So who knows, maybe there is actually something to that statement and they'll really begin major investments in this area, or specific requests in this area. I hope so.

Dave Pearah (06:10):
Absolutely. I see it a little bit. I don't follow this as closely as you do, but I felt that the whole DIU, Air Force, Space Force hybrid space architecture initiative, with variable trust as one of the three pillars of the program, was the first time where security got in the top three. It's an actual requirement, not just an "and also secure it" kind of approach. So I thought that was nice. Zero Trust, talk about how that has changed... Because you don't just focus on space cyber, but obviously that's what we're focused on here. There's a lot of executive orders coming out on Zero Trust in general. Notably space was missing from a lot of that. How is Zero Trust in space happening or not happening?

Professor Gregory Falco (07:03):
Well, it's definitely not happening right now. Space systems are inherently promiscuous, meaning that they talk to anyone they possibly can, they shout their broadcasts out in order to be able to be heard. And doing that reliably is very important, so you don't want to mute their signal or encrypt their signal in case someone can't decrypt it if they need it. So there's a whole bunch of legacy issues as well that pepper that area. So when it comes to Zero Trust in space, it's a kind of a joke right now in terms of a practical side of things. However, there's a lot of good research and also products that can be applied to these space systems to help enable this relatively quickly. And I feel pretty confident that a lot of the answer is in applying BlockChain technologies and Distributed Ledger Technologies to enabling that distributed coordination and that trustless ecosystem that's needed to actually enable the Zero Trust architectures.
And I don't think that there's been a lot of people taking this seriously until very recently, because often BlockChain is thought of as a buzzword and something that maybe hackers have used to sell ransomware or get money from ransomware. But it's definitely not the case. There are amazing use cases here for Zero Trust architectures, something that my lab is working on really closely right now, thinking about and building out proposals for the likes of the Air Force and DARPA. So we have a lot of confidence in that type of technology. It's just going to take a while to get over the hump of people realizing that this is a core purpose or reason why we should engage with Distributed Ledger Technology. So I have a lot of hope in that area.

Dave Pearah (08:46):
Yeah. As you know, the SpiderOak platform is built to run a permissioned distributed ledger. And we often struggle with: does that open or close the door for us? Obviously what a ledger can do, it doesn't solve all the world's problems, but it provides fantastic, credible, provable benefits. But at the same time you get that eye roll of like, "Oh, you put a BlockChain in space." And there's that really just limited knowledge of it out there. So I feel it's very much a double-edged sword, but one that we look forward to working with you on as well, if we get in your lab and you take a look at what we're doing. When did you first start looking at distributed ledger as one of the potential solutions for space cyber?

Professor Gregory Falco (09:41):
I started looking at distributed ledgers a number of years ago, way before I was interested in the space domain actually. We started a company that we recently exited that did industrial control security over the Bitcoin network as essentially an ultra secure communication protocol. And it worked really interestingly for these industrial systems where failure is not an option for the integrity of communications that are sent over with regards to security updates. And so I had some great success there in applying this technology to that domain space. And it became an open question after we exited the company, how do we take this to the next level beyond some of the very obvious use cases for BlockChain technology. And that's where my group started to think more about okay, well maybe it's actually about designing architectures that facilitate BlockChain protocols.
And that's what we are looking at in our lab right now. And just for reference, when I say our lab, we have about 700 square feet of lab space where we have a bunch of hardware. We have a CubeSat there, it's flight grade. We also have a bunch of UAVs, a whole bunch of space radios, a lot of fun stuff for students to play with, and we call it a breaker space. So our goal is to build these things up just so we can break them down and figure out how they fail. And so this is something that we spend some time with, and by building out these distributed ledger cases for our space architectures, we're really trying to stress test them and determine how these are going to work for us or how they're not going to work for us. And so that way we have just a very realistic picture of what the reality is going to look like in the future as we use this technology.

Dave Pearah (11:36):
So tell me a little bit about your book that just came out. Once again, it's Confronting Cyber Risk: An Embedded Endurance Strategy for Cybersecurity. I have not read it, but I can tell you having been a chief technology officer myself at a number of companies, I love this word endurance because there's often from an investor standpoint, or even when I reported to the CEO, this idea of, "Did you do it? Did you take care of the cybersecurity?" "Yep. I bought the firewall. I did it." It's like, if you do it, then you're done with it and endurance embodies the absolute opposite of that. So can you comment on that?

Professor Gregory Falco (12:18):
Yeah, totally. I wrote this book with my colleague, Eric Rosenbach, he's the co-director of the Belfer Center at Harvard, and he was also the former chief of staff for Secretary of Defense Ash Carter under the Obama administration. So he has a lot of government and military background, I have a lot of industry background, having spent nearly a decade in the consulting world before I did my PhD. And so together, we created a class at Harvard for executives for the most part on how do you actually deal with some of these cyber risks that exist? The course is called Information Risk in the Digital Age, or Digital Risk in the Information Age, something like that. So I'm phasing out the actual name of the course right now, but basically the book was really about how do we help these executives to think through how do you actually approach this as a systemic strategy that your organization needs to adopt, in order for cyber to not just be the fly by night?
Or what kit should I buy today, and I should go talk to this vendor because they're bugging me constantly. Like that's not the approach that executives need to take. The other problem that we started confronting and we wanted to address with the book is that we have a lot of executives, especially board members, who know cyber is a problem, but they never really thought about it. And maybe then they get a bad call one day and they're like, "Oh, you have to come to a board meeting to go discuss this topic." And they don't know where to start. So this book was to try and help them: pick it up on the plane, it's a really short book, go read it, and you might have a good understanding of stuff by the time you get off that plane. That's kind of why we wrote it.
And then answering your question on the endurance bit, it really just was a reality that we were sick of hearing that you can solve the cyber problem overnight or with one piece of technology. It's just not accurate. And so we were really trying to think about how do you embed cyber in everything you do in your organization and just plan for that and over the long haul. You're going to get hit, just a reality. You're going to get attacked, you're going to go down, but you need to be resilient and you need to plan for this as an endurance exercise. And that's the reason why we created this embedded endurance strategy for cyber risk.

Dave Pearah (14:41):
And how does that intersect with space, if at all? Because I feel like the book may be more toward like an exec at a terrestrial traditional company that is in its space. But how do you combine these two ideas?

Professor Gregory Falco (14:56):
Yeah, I think that it's not necessarily for space, but I think the space sector has a lot more growing to do before they can begin thinking about cyber as an endurance strategy. Now, one of the examples though, that I have in the book that I write about is when I spent some time at NASA's Jet Propulsion Laboratory in Pasadena, California. The team there I worked with, really passionate group, who cares a lot about cyber. They had this game called Donuts. And Donuts was where if you left your computer on and it was not password protected, someone was able to go on your computer in your group and send an email out from that person's email address that said, "Donuts." And that person who was the offending party that didn't lock their laptop had to buy the group donuts the next day.
And I thought that was just a cool example of like how, even a team that doesn't know and maybe all of JPL doesn't really care about space cyber, now they do, but this was a number of years ago. That was a little tiny way that they were able to embed cyber thinking in what they were doing. And those little examples, they really grow on you. Now JPL is trying to be a leader in space cyber as an agency or as a group. So a lot of kudos to them, but that was just a cool little example of how even someone who doesn't ever think about cyber as an organization, they can do something in some way.

Dave Pearah (16:28):
I love that example. Speaking of some of the experiences that you've had, tell us about Iceland.

Professor Gregory Falco (16:36):
Yeah. So I had the opportunity to go hang out in Iceland for a year or nine months, thanks to the pandemic. And the reason why I was there, I was a Fulbright scholar in critical infrastructure cybersecurity. Specifically, I was an NSF Fulbright scholar there. So basically my job was to go over and help to do some research on how the country is adopting cybersecurity practices and help improve relationships between the US government and Iceland from a cyber cooperation standpoint. And one of the things that I did when I was there was I had the opportunity to work with the emergent space sector. And it was a really cool dynamic because there wasn't a formal body in the government that does space in Iceland. However, Iceland happens to be a great location for polar orbit launches. And so countries have taken notice of that. Also because of its proximity to the Arctic Circle, there's a lot of contested area around there and it's kind of a geopolitical power play that's going on in this region.
And so we see an incredible amount of investment from the likes of China and Russia in Iceland, specifically in space. And so the question became, "If they're putting a lot of money into making the space sector a real sector in Iceland, what does that mean for the security of it?" And so working with the Icelandic counterparts there, a little bit with the government there, as well as with academic researchers there, we were trying to figure out, okay, well, what are the steps that we need to take so that it doesn't feel like this is just a China game, because they're putting a lot of money in Iceland's sector right now? And how do we make this a level playing field for everyone when it comes to a security standpoint? So it was interesting to see a very emergent space sector that doesn't have a lot of infrastructure, has a bunch of interest, but is also getting a lot of foreign money that could be concerning for more domestic US-based or Europe-based players.

Dave Pearah (18:41):
Most surprising and delightful fact about Iceland that you'd like to share with people who haven't been there.

Professor Gregory Falco (18:48):
Well, little kids sleep outside in the winter when they take their naps. It's really refreshing. It's kind of a weird quirk that you think in America, you might say, "Oh, let's call Child Protection Services."

Dave Pearah (19:05):
Yeah, it sounds like a DCSF problem.

Professor Gregory Falco (19:07):
It's a really interesting thing. And actually my wife grew up in Iceland and I remember when my first kid was born, she put him outside and I was like, "What the heck are you doing?" But it's a thing. There are strollers all over outside in Iceland, the kids are bundled up and they're sleeping in their strollers in the middle of snowstorms. So kind of a really delightful quirk there.

Dave Pearah (19:27):
I love it. Any parting comments on space cyber, because we just found out that we are both going to be presenting at CyberLEO, which is one of the very few events where there's that intersection of space and cyber. And it's not all about LEO, but LEO's the one that gets a lot of the attention given the proliferation as well as the number of shared resources in LEO. So any parting shots?

Professor Gregory Falco (19:56):
Yeah. So it's interesting that you brought that up, because the panel that I'm running at CyberLEO is on the ransomware threat to space cyber, especially in the LEO context. And when I got this topic, I was like, "Well, this is an interesting topic, but it's not really exclusive to space as a conversation point," but then it became more realistic that space may have a whole bunch more challenges than other sectors dealing with ransomware, given the timing elements of things when it comes to launch and when it comes to service delivery. And so ransomware is an astronomical threat to the sector in different ways than it may be to other sectors.
So kind of just as a parting thought: you don't often always see space cyber as being the biggest priority in the world at first look, but then if you think harder about it, about how much space permeates everything that we do, and how all of our space systems are entirely digital at this point, or at least all of our future space systems are planned to be entirely digital at this point, we have a big threat on our hands and we need to start pouring money into it in order to actually take action on all of the vision that our government is putting forth in the idea of space supremacy.
So I think that's just some parting thoughts on that and, it was a really good conversation, Dave, thanks again for having me.

Dave Pearah (21:16):
Well thank you for joining. And we like to get a variety of perspectives and opinions, so stay tuned for our next episode of the Zero Trust 4 Zero Gravity podcast. Thank you very much.