top

TBJ JULY/AUGUST 2022 [OPINION]

Space Hackers

The need for updates in national and
international cybersecurity laws.

Written by Guillermo “Will” S. Trevino


Law and sci-fi nerds unite. In comic book shops across America, mentioning one space opera (subgenre of science fiction that deals with space adventures) over another spurs debates as to whether Star Wars or Star Trek is the better sci-fi enterprise (pun intended for those Trekkers who caught that). Star Wars: Episode IV—A New Hope was released on May 25, 1977,1 while the television series Star Trek debuted on September 8, 1966.2 Yet, the internet as we know it today did not become available until the early 1990s.3 Audiences then did not realize they were witnessing the first instances of failed cybersecurity as R2-D2 famously saved the protagonists of the movie franchise from the garbage smashers or when Captain Kirk was able to lower Khan’s shields and take over his spaceship remotely in Star Trek 2: The Wrath of Khan.


Sci-fi is often credited for inspiring technology that we have today. And much like the fictional Galactic Empire or United Federation of Planets, governments on Earth, specifically within the United States, provide various services to the public, which often includes police, fire, water, sewer and electrical utilities, and mass transit services. Federal, state, and local governments are also in the business of data collection as they maintain the personal identifiable information of the customers who utilize these services.4


As an employer, these governmental bodies maintain confidential personnel information on their employees as well.5 The federal government alone has approximately 4 million federal employees whose information was leaked from a cyberattack on the Federal Office of Personnel Management in June 2015.6 This equates to approximately 25.7 million records.7 Nationwide, it is estimated that more than 293 million records held by government agencies have been breached.8 And each breach comes with a hefty price tag as data breaches are estimated to cost approximately $8.64 million, or an average of $146 per record, and these numbers are climbing.9


The data keep pouring in as government bodies are also one of the largest consumers, as these entities purchase various commodities and services that allow them to then provide the services to the public. In receiving responses to requests for proposals or bids, governmental bodies tend to house a wide array of proprietary and financial information belonging to third-party vendors that they deem confidential.10 Many times, when a request for information is made under the Texas Public Information Act, the state’s right to information laws, upon request for a ruling from a governmental body, the attorney general will issue a ruling that such confidential and proprietary information may be withheld from public disclosure.


Moreover, much of the nation’s critical infrastructure systems that control traffic—airports, dispatch, water, sewer and electrical plants, and a wide range of vital infrastructure—is controlled by state and local governments. On February 5, 2021, residents of Oldsmar, Florida, learned what could happen to their water supply when a cybercriminal infiltrated the water treatment plant and started to increase lye, a dangerous and poisonous chemical that is comparable to drain cleaner.11 More recently, the website of Bradley International Airport, in Windsor Locks, Connecticut, was attacked by cybercriminals who left a message related to the United States’ supply of arms to Ukraine: “When the supply of weapons to Ukraine stops, attacks on the information structure of your country will instantly stop. America, no one is afraid of you.”12 These are just a few examples of how cybercriminals can threaten the public.


Confidential records and critical infrastructure systems maintained by governmental bodies are at risk of a breach from cybercriminals.13 Quite simply put, they are easy targets. Yet, when it comes to expenditures on cybersecurity training or infrastructure, corporations far outpace governmental bodies.14 Governments have seen an uptick in ransomware attacks.15 Once a computer or system is infiltrated, cybercriminals seek ransom payment in exchange for the information they took—a form of modern-day blackmail.16 Many cities have paid the ransom out of the taxpayers’ coffers, while others have relied on cyber insurance to pay the ransom.17 Legislation was introduced in the 87th Texas legislative regular session that would have prohibited cities, and other political subdivisions, from paying a ransom,18 but it never made it out of committee.


Unfortunately, only 38% of federal and state government employees have been trained in cybersecurity.19And consider that 90% of new skills are generally lost after training.20 These are clear recipes for disaster. Simply put, a cybersecurity breach is a manmade disaster.


But what about critical infrastructure in space? At the time of this writing, Ukraine is in the midst of defending against an aggressor that has infiltrated the boundaries of its nation. Much of the success of the Ukraine defense has been information received from allies using geospatial intelligence from satellites orbiting the Earth.21 Moreover, public-private partnership and laws such as the Spurring Private Aerospace Competitiveness and Entrepreneurship, or SPACE Act of 2015, have once again inspired a new space race as commercial companies such as SpaceX, Blue Origin, and Virgin Galactic are competing for the uncharted territory of space transit.


The Union of Concerned Scientists, a nonprofit organization founded by scientists and students at the Massachusetts Institute of Technology that advocates for a safer and healthier world, estimates that there are approximately 4,852 satellites orbiting Earth.22 Of this number, the United States has 2,944 satellites with 85%, or 2,516, being commercial.23 On February 25, 2022, the National Institute of Standards and Technology, or NIST, published draft Interagency/Internal Report 8270, or NISTIR 8270, that states: “Space is an emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities.24 Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space—including those affecting commercial satellite vehicles—need to be understood and managed alongside other types of risks to ensure safe and successful operations.”25 This second rendition of NISTIR 8270 aims at providing a “specific method for applying the Cybersecurity Framework (CSF) to commercial space business and describes an abstracted set of cybersecurity outcomes, requirements, and suggested controls.”26


Russia recently conducted an anti-satellite test and launched a missile at one of its old spy satellites hurling debris through space requiring the crew of the International Space Station to take shelter in a spacecraft.27 Arguably, this act was not a violation of the Outer Space Treaty of 1967 since no nuclear weapon was used. But sending deadly debris into space like a scene from the 2013 film Gravity is the least of our worries.


Gen. David Thompson of the United States Space Force, a military service that serves to protect United States and allied interests in space and to provide space capabilities to the joint force,28 was quoted in The Washington Post: “The threats are really growing and expanding every single day. And it’s really an evolution of activity that’s been happening for a long time. We’re really at a point now where there’s a whole host of ways that our space systems can be threatened.”29 But space has yet to be declared a critical infrastructure sector.30 That may change as the U.S. House of Representatives introduced HR 3713—the Space Infrastructure Act—that would designate space systems, services, and technology as critical infrastructure.31


With the advent of World War II, which spanned from September 1, 1939, to September 2, 1945, international laws have made great strides with several treatises being entered into or ratified by members of the United Nations.32 Collectively, these international laws define the legal responsibilities of states in their relations with each other, human rights, disarmament, international crime, environment and sustainable development, international waters, outer space, global communications, and world trade.33 Worldwide, the Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies, or simply the Outer Space Treaty, signed in 1967 through the United Nations and made official, or ratified, by 105 countries, governs the activities of spacefaring nations or states as used in the treaty.34 The Outer Space Treaty provides that:

  • the exploration and use of outer space shall be carried out for the benefit and in the interests of all countries and shall be the province of all mankind;

  • outer space shall be free for exploration and use by all States;

  • outer space is not subject to national appropriation by claim of sovereignty, by means of use or occupation, or by any other means;

  • States shall not place nuclear weapons or other weapons of mass destruction in orbit or on celestial bodies or station them in outer space in any other manner;

  • the Moon and other celestial bodies shall be used exclusively for peaceful purposes;

  • astronauts shall be regarded as the envoys of mankind;

  • States shall be responsible for national space activities whether carried out by governmental or non-governmental entities;

  • States shall be liable for damage caused by their space objects; and

  • States shall avoid harmful contamination of space and celestial bodies.35

Shortly after the Outer Space Treaty was adopted, the United Nations created several other treaties related to space activitiest:

  • Rescue Agreement (1968)

  • Space Liability Convention (1972)

  • Registration Convention (1976)

  • Moon Treaty (1979).36

However, none of these treaties address cybersecurity. Then in 2015, the United States passed the Space Act to address the commercial exploration and exploitation of extraterrestrial resources with several other countries following suit: Luxembourg, Japan, China, India, and Russia.37


But none of these laws address cybersecurity on a worldwide or outer space scope. Therefore, not surprisingly, the United Nations adopted Resolution 74/247 creating an ad hoc committee charged with drafting a “Cybercrime Treaty” in May 2021.38 The Cybercrime Ad Hoc Committee is an “intergovernmental committee of experts, representatives of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.”39 This ad hoc committee is tasked with “taking into full consideration existing international instruments and efforts at the national, regional and international levels on combating the use of information and communications technologies for criminal purposes, in particular the work and outcomes of the open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime.”40 It is unclear at this time whether the ad hoc committee will include outer space in the regulations of the Cybercrime Treaty.


One would hope that national and international laws are changed and updated to include cybersecurity of cyberspace and outer space critical infrastructure. Since the dawn of time when man first experienced conflict with neighbors, conflicts have been fought over land, sea, and then air. In modern times, conflict is being fought over cyberspace as cybercriminals and aggressor nations infiltrate private and public computer and network systems. Conflict between nations is also involving critical infrastructure in outer space.


Attorneys are advocates for their clients. But there is a reason why William Shakespeare so famously wrote, “The first thing we do, let’s kill all the lawyers” in Henry VI, Part 2, Act 4, Scene 2. This often-quoted line is used as a joke regarding lawyers, or worse, misinterpreted. We may never truly know what Shakespeare meant, but it is clear that lawyers in his time had an impact, whether for better or worse.41 R2-D2 and Captain Kirk are protagonists of their fictional worlds and yet used cyberspace infiltration for good. But in the hands of a cybercriminal, cyberattacks can lead to nothing short of a Death Star attack. It is incumbent upon our profession to be aware and advise our clients and the public of the importance of cybersecurity as our eyes turn to outer space and interactions in cyberspace.TBJ

 



Guillermo TrevinoGUILLERMO “WILL” S. TREVINO
is a member of the State Bar of Texas Computer and Technology Section and serves as a member of its council. He is a graduate of Texas A&M University (B.S. 2004), Texas Southern University Thurgood Marshall School of Law (J.D. 2007), Western New England School of Law (LL.M. 2011), and Baylor University (MBA 2021) and is enrolled in Baylor University’s doctoral program in Learning and Organizational Change. Trevino is a deputy city attorney for the city of Brownsville.


{Back to top}

We use cookies to analyze our traffic and enhance functionality. More Information agree