Should space be designated as critical infrastructure? - T-Minus: Space-Cyber Briefing

Summary6 min read

Episode Overview

Title: Should space be designated as critical infrastructure?
Podcast: T-Minus Space Daily (N2K Networks)
Host: Maria Varmazes
Guest: Jake Braun, Executive Director, Cyber Policy Initiative at the University of Chicago; Former Acting Principal Deputy National Cyber Director, White House
Release Date: November 28, 2025

In this episode, the discussion centers on whether space should be formally designated as critical infrastructure. The conversation dives into U.S. federal cyber policy, the consequences of such a designation, the evolving threat landscape in space, and the practical cybersecurity advice for the space industry. Jake Braun draws on his White House experience to explain both the policy implications and the very real, constantly evolving technical threats facing satellites and space assets today.

Key Discussion Points & Insights

1. The Role and Authority of the Office of the National Cyber Director

Jake Braun outlines the creation and purpose of the White House cyber office:
- The office was established to have White House-level authority to compel government-wide adoption of cyber policy, filling a federal gap.
- "Running a startup is interesting. Running a startup in government is particularly unique. And then running a startup in the White House is something that I have a lot of scars from, but I would have never given up for the world." (03:14)
The office’s first major task was updating the National Cyber Strategy, involving implementation across all federal agencies—including the space domain.

"Space was a key component of it... as well as a whole host of other things." (04:26)

2. Why Consider Space as Critical Infrastructure?

The vast majority (60%+) of active satellites are commercial, and society is increasingly reliant on them for everything from GPS to communications.
Jake explains how the cyber director's office advocated for being part of the space-asset security conversation:
- "We kind of rose our hand as kind of the new kid on the block and said, hey, cyber's kind of a key component of all this. We should really be at the TABLE..." (06:19)

3. The Policy Debate: Pros and Cons of Formal Designation

Pros:
- More resources: Designation triggers government-funded threat intelligence, info sharing, and complimentary security assessments—especially beneficial for small companies.
- Integrated protection: Brings space into the ecosystem of nationally protected sectors, similar to energy and water.
- "The government will often fund... information sharing groups to share threat intelligence. They'll often fund via CISA and other entities, folks that will go out and do free cybersecurity assessments." (08:21)
Cons:
- Potential for more regulation and scrutiny: The industry fears increased bureaucracy.
- "Part of the reason I think the space industry was, was somewhat less excited about it was that it, it can, doesn't always, but can come with increased regulations and scrutiny from government, which of course industry generally doesn't like." (08:21)

4. How Special Are Space-Based Cyber Threats?

Maria questions whether space-sector threats are unique or merely extensions of known terrestrial risks.
Jake emphatically asserts that the space industry (like most others) is not adequately prepared for nation-state level threats:
- "Absolutely not. They don't got it. And that's not their fault. Like no one does." (10:38)
He references the Stuxnet attack to illustrate that sufficiently motivated and resourced attackers can compromise systems believed to be unbreakable:
- "If somebody can get into... infrastructure that's not connected to the Internet, that's buried underground in the desert... then a nation state... could get into your satellite, which by definition is connected to networks all over the planet." (10:38)
Real-World Example: DEF CON hackers demonstrated a software-defined radio signal injection attack on a VSAT satellite modem (Newtek MDM 2200 by iDirect), executed from Earth with modest resources (12:10).
- "These hackers are doing this on a shoestring budget... If they can do it on a shoestring budget, imagine what China, Russia, Iran... could do when they have, you know, millions or billions of dollars to throw at it." (12:10)

5. The Threat Landscape: Techniques and Attacker Profiles

The same types of cyber attacks prevalent on Earth—basic network attacks, SQL injections, zero-day exploits—are all relevant to space technology.
- "Your typical network attacks that are used against other computer systems are normal. Even basic things like SQL injections are applicable here." (16:03)
Zero Days: Nation states (esp. China, Russia, Iran, North Korea) stockpile undisclosed vulnerabilities targeting space-related infrastructure.
- "They spend all day, every day looking for zero days in this infrastructure. A zero day refers to basically a new vulnerability that nobody knew about before." (17:09)

6. What Should Space Companies Do?

Jake offers practical actions:

Join industry information-sharing groups:
"Join the Space ISAC. Even if you're a small company... it's worth it." (18:46)
Hire a CISO (Chief Information Security Officer):
"If you're a startup and you don't have a CISO, hire a CISO. That's really important." (18:46)
Beware of targeted IP theft:
"Attacks from China on IP were directly correlated to press releases of $20 million of investment or more." (19:15)
Think creatively about cybersecurity staffing:
- Not everyone needs elite credentials; upskilling, certifications, and on-the-job training can rapidly expand a company's cyber capability.
- "If you've already got a CISO, you probably don't need people at that level... You could plus up your cyber workforce... bring on people who maybe have less qualifications from a degree perspective, but could quickly gain hands on knowledge..." (20:00)
Leverage the "Hacker's Almanac" (DEF CON + University of Chicago):
Provides educational insights from the hacking community.
- "I encourage everybody to Google and read because it's a fun read." (21:26)

Notable Quotes & Memorable Moments

On the myth of perfect security:
“If somebody can get into your infrastructure that's not connected to the Internet, that'll tell you everything you need to know... Certainly a nation state... could get into your satellite, which by definition is connected to networks all over the planet.”
— Jake Braun, (10:38)
On resource gaps for defenders vs. attackers:
“If they can do it [hack satellites] on a shoestring budget, imagine what China, Russia, Iran or... bad actor could do when they have, you know, millions or billions of dollars...”
— Jake Braun, (12:10)
On the high stakes for every company:
"What companies most recently got major investments... those will be the ones they target. We found several years ago at Homeland Security... attacks from China on IP were directly correlated to press releases of $20 million of investment or more."
— Jake Braun (19:15)
On everyone’s role in global cyber competition:
"We are all players in this new great game, whether you know it or like it or not. And... we're either going to protect our infrastructure to ward off authoritarian states... or not."
— Jake Braun, (22:19)

Important Timestamps

03:14 — Jake’s experience running the White House cyber office
04:26 — National Cyber Strategy update and space as a key pillar
06:19 — Cyber director’s role in the space critical infrastructure debate
08:21 — Practical impacts of critical infrastructure designation: regulation vs. resources
10:38 — The Stuxnet lesson and nation-state threat realities
12:10 — DEF CON’s demonstration: Hacking satellite modems from Earth
16:03 — Parallels between terrestrial and space cybersecurity threats
17:09 — Explanation of zero-day vulnerabilities
18:46 — Concrete advice for the space sector (Space ISAC, hiring, IP threats)
22:19 — Jake’s closing thoughts and the "new great game" metaphor

Final Thoughts & Takeaways

This episode underscores that while the space sector’s digital assets face some unique technical challenges, the real gap is in preparedness and resourcing—especially for small, innovative companies. The formal designation as critical infrastructure would both raise the bar for regulation and bring much-needed government resources and support.

Jake Braun’s main message: The space industry can’t “go it alone”—collaboration, info-sharing, practical cyber hiring, and a recognition of the real nation-state threat environment are urgently necessary, because the new "great game" is playing out not just on land, but in cyberspace and outer space.

For further reading or to expand your understanding, Jake recommends:

Researching the DEF CON Hacker's Almanac
Engaging with Space ISAC
Participating in hands-on learning opportunities like DEF CON

Loading summary

Transcript34 lines

[00:02]
Maria Varmazes
You're listening to the N2K space network. AI agents are now reading sensitive data, executing actions and making decisions across our environments. But are we managing their access safely? Join Dave Buettner and Barak Shalef from Oasis security on Wednesday, December 3rd at 1pm Eastern 4 for a live discussion on agentic access management and how to secure non human identities without slowing innovation can't make it live. Register now to get on demand access after the event, visit events.thecyberwire.com that's events with an s.thecyberwire.com to save your spot.
[01:01]
Sponsor/Advertisement Voice
From phishing to ransomware Cyber threats are constant. But with Nordlayer your defense can be too. Nordlayer brings together secure access and advanced threat protection in a single seamless platform. It helps your team spot suspicious activity before it becomes a problem by blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to deploy, easy to scale, and built on zero trust principles so only the right people get access to the right resources. Get 28% off on a yearly plan at nordlayer.com cyberwire daily with code CYBERWIRE28 that's nordlayer.com CyberWire Daily Code CYBERWIRE28 that's valid through December 10, 2025.
[01:58]
Maria Varmazes
As of March 5, 2025 using the satellite tracking website orbiting now there are 11,833 active satellites in various earth orbits. Over 60% of them are commercial spacecraft and increasingly we're becoming reliant on their support for everyday occurrences. Given that reliance, should space be designated as critical infrastructure? Are we doing enough to protect our space based assets? Welcome to T minus deep space from N2K Networks. Maria I'm Maria Ramazos. Our guest today is Jake Braun, Executive Director of the Cyber Policy Initiative at the University of Chicago. And Jake is the former White House Principal Deputy National Cyber Director and Chairman of defcon. Franklin and I wanted to ask his opinion on designating space as critical infrastructure and get an overview of its attack surface.
[03:14]
Jake Braun
My name is Jake Braun. I am currently the Executive Director of the Cyber Policy Initiative at the University of Chicago. But maybe more relevant for this conversation, I was most recently, as of about six months ago, eight months ago, the Acting Principal Deputy National Cyber Director in the White House, which essentially means I was the COO of this new cyber office they set up in the White House that was actually created in the Trump administration, but it was so new they hadn't hired any people into the office until Biden. And the first employee I think was hired in 21. And by the time I left, we were up to about 100 people. So running a startup is interesting. Running a startup in government is particularly unique. And then running a startup in the White House is something that I have a lot of scars from, but I would have never given up for the world. Wow.
[04:15]
Maria Varmazes
Yeah. So I want to hear more about that. Not the scars up to you obviously, but the work that you were doing in the White House. Please tell me a bit more about the efforts that you are working on.
[04:27]
Jake Braun
Sure. So Congress created this office essentially because there were, while there's a bunch of offices around the federal government that do cyber, there wasn't one that was at a level, meaning White House level, that could kind of compel other agencies to implement government wide policies and programs in cyber. And so this group in Congress, the Cyberspace Solarium Commission, created this. And our first task that was assigned to us by the President was to write or really update the National Cyber Strategy, which the first one was written in Bush, the second term of W. Bush, and then it's been updated, we did the fourth iteration of it. So our office rewrote or updated the National Cyber Strategy and then I was brought in to oversee implementation across the federal government of that strategy. And space was a key component of it and as well as a whole host of other things, including AI and mundane things like workforce and sexy things like cybercrime and cartels and stuff like that. But it ran the gamut.
[05:47]
Maria Varmazes
Yeah. Given what I often focus on, I'm clearly biased. I really want to hear more about the space side of things because as I mentioned before we started recording, I have a number of conversations with people in various parts of the space industry where we talk about space as critical infrastructure, what that means and what that would affect. And I don't think this is a very well understood thing. So I'd love to hear a bit more about your thoughts on that and sort of why the effort to get space designated as critical infrastructure is so important.
[06:20]
Jake Braun
Sure. So actually our role in that conversation, the role of my office in the White House, the Office of National Cyber Director, was actually not kind of a foregone conclusion. Initially, the Space Council and the National Security Council were going to work to decide how things should unfold as it relates to space as critical infrastructure, and kind of key recommendations on security of space infrastructure and so on. However, we kind of rose our hand as kind of the new kid on the block and said, hey, cyber's kind of a key component of all this. We should really be at the TABLE and after some hemming and hawing and typical government turf battles and everything else, folks agreed that not having the cyber office involved in this conversation was a big missed opportunity. And so we had a great team of folks who worked on this for me and the director. And it kind of boiled down to the fact that so much of our lives are governed by the satellites that are up in space. And the obvious example is gps, but also a million other things. Over time we made a strong push, as did others, to designate space as critical infrastructure officially. I know that there's been some disagreement on that designation, but I think in practice people have largely kind of come to agree that that space is critical infrastructure, regardless of its formal designation by the government as such.
[08:04]
Maria Varmazes
Yeah, that's a really good point. I think you're right that I think unofficially a lot of people are thinking of it that way. Would there be a really super big material difference if it was more officially designated? I mean, I know there is, but how, how big a difference would that really make at this point?
[08:22]
Jake Braun
Well, part of the reason I think the space industry was, was somewhat less excited about it was that it, it can, doesn't always, but can come with increased regulations and scrutiny from government, which of course industry generally doesn't like. And for obvious reasons. That being said, also, more resources often come with it. So the government will often fund the way it does with other industries, information sharing groups to share threat intelligence. They'll often fund via CISA and other entities, folks that will go out and do free cybersecurity assessments. CISA does this on a whole host of entities like state and local governments in the energy sector and water and so on other parts of critical infrastructure. And so those types of resources would be available. Generally we try not to subsidize major corporations who have the financial wherewithal to do it themselves. Like CIS is not out there doing free cyber assessments for JP Morgan or Bank of America, which are also critical infrastructure designated formally as such. But you know, you could certainly envision that being applicable to many of the smaller companies in space. And so, you know, there's a little bit of a yin and a yang here. You may get more regulation, but you also get more resources and so on. So that's kind of the push and pull as to why, you know, industry may want or not want something designated officially as, as critical infrastructure.
[10:05]
Maria Varmazes
Absolutely, yeah. I think some of the tenor of the conversations I've had also have been we're fine, we're good, we've got this. But my question is often the follow up. Do you actually have it? Are you actually fine? Is the nature of the threat really fully understood? I'm not an expert here, I don't know. I often wonder though, do people quite understand what threats look like in the realm of space? Is it even all that special and all that different from the threats that we see terrestrially? I'm just so curious your thoughts on sort of the nature of what's going on in the space domain.
[10:39]
Jake Braun
So first off, just to answer your question, absolutely not. They don't got it. And that's not their fault. Like no one does. I mean, if you've got a nation state actor after you just remember stuxnet, right? Stuxnet was the US and Israeli attacks on the Iranian nuclear program. The Iranians put their centrifuges in concrete vaults in the desert, buried underground, zero connection to the Internet or anything else. And we were still able to hack into those centrifuges and shut them down and make them break in a whole bunch of creative ways and so on and so forth. And so if somebody can get into your, your infrastructure that's not connected to the Internet, that's buried underground in the desert in a concrete vault, then they absolutely. A nation state of similar capability like China or Russia or Iran or whoever could get into your satellite, which by definition is connected to networks all over the planet. And by the way, in fact, I'll give you an example. So in my current capacity at the University of Chicago, we've partnered with defcon, the largest and longest running hacker conference in the world, to put out an annual report on the top findings at defcon. One of those findings this year was Around Space. And since this is a little bit more technical than I am, I'm just going to kind of read it off to you. So a group of hackers figured out that they could reverse engineer efforts to exploit VSAT satellite modems from Earth. And they focused on the Newtek MDM 2200 from iDirect. So as far as they could tell, this was the first successful demonstration of a signal injection attack on a VSAT modem using software defined radios from Earth. And so essentially they were able to attack VSAC modems from Earth with these software defined radios. That's pretty. I mean, these hackers are doing this on a shoestring budget. I mean, they're spending, you know, hundreds or single digit thousands of dollars just messing around. Now granted, these are brilliant people, so they're messing around is a lot more advanced than most people's messing around. But nonetheless, if they can do it on a shoestring budget, imagine what China, Russia, Iran or some other bad actor could do when they have, you know, millions or billions of dollars to throw at it. And considering that, you know, China itself has said that we're going to be at war over Taiwan in 2027, which hopefully none of us, hopefully that doesn't happen, and hopefully that's all bluster and everything. But as we know from the Ukraine war, the first shot across the bow was against satellites. And we would presume the first shot fired in a war with China would be in space at our satellite infrastructure.
[13:53]
Maria Varmazes
We'll be right back.
[13:58]
Jake Braun
At Talas.
[13:59]
Maria Varmazes
They secure what matters most the most.
[14:02]
Jake Braun
Trusted companies and organizations utilize Thales cybersecurity products to protect critical applications, sensitive data.
[14:10]
Maria Varmazes
And identities anywhere at scale.
[14:12]
Jake Braun
Through their innovative services and integrated platforms, Thales provides customers a greater visibility of risks, the ability to defend against cyber threats, close compliance gaps, and deliver trusted digital experiences for billions of consumers every day. That's Talas.
[14:31]
Maria Varmazes
T H A L E S learn more@cpltalusgroup.com.
[14:47]
Sponsor/Advertisement Voice
What's your 2am Security worry? Is it, do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows. Using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber.
[15:55]
Maria Varmazes
I'm just curious, can you give me a sense of what kind of attacks are sort of typical for the space domain?
[16:04]
Jake Braun
Sure. I think that it is. To your point you made earlier, it's nothing new. You know, you know, folks are even doing, you know, very basic attacks. You know, what these guys did against the modems is. Is pretty standard, I think. You look at, you know, your typical network attacks that are used against other computer systems are normal. I mean, you know, even basic things like SQL injections and so on depending on the, depending on the attack surface that we're talking about are even applicable here. And that's like the most mundane, lowest grade attack. But folks should know that the folks in China and Iran and Russia and so on, and I guess North Korea for that matter, they spend all day, every day looking for zero days in this infrastructure. I don't know how much your listeners are familiar with this type of stuff, but would they know what a zero day is? Do I need to explain that?
[17:07]
Maria Varmazes
Yeah, if you want to explain a zero day, that would be great. Yeah.
[17:09]
Jake Braun
Okay, so a zero day refers to basically a new vulnerability that nobody knew about before. Often when they talk about patches, they'll say, oh well, this was seven days since we was patched, seven days since we found the vulnerability. In this case they're saying, well, there's no patch, no one knows about this vulnerability. So it's a zero day. Like where this is, you know, we may have found it six months ago, but nobody knows about it. And so once we use it or release it, that'll be kind of the first time it was ever used and thus a zero day. And so, you know, these nation states stockpile these zero days and we can all be sure that they are absolutely doing that for space infrastructure.
[18:02]
Maria Varmazes
So if I'm a space company, large or small, I'm sure if I'm a large company, I have a good, I would hope a good understanding of some of the things that I would need to do. But I mean, no company can deal with this alone. I mean nobody can deal with it in a vacuum. Collaboration is key. Threat information sharing is key. What is what needs to be done? I mean, what I know there are some efforts underway. I'm thinking of the Space ISAC is one of them in terms of sharing threat intel in the space industry and the space domain. But you know, if there, if there's something going on, if there's a threat that's, you know, if something is underway, how do, how do, how do people in this space domain share that information with each other in a meaningful way?
[18:46]
Jake Braun
Right. So first off, you know, your initial point is the exact right one. Join the Space isac. Even if you're a small company, I forget exactly what their fee structure is like, but usually the little guys and gals get a joint for free or very reduced rate and it's worth it. Secondly, particularly if you're a startup and you don't have a ciso, hire a ciso. That's really important.
[19:14]
Maria Varmazes
Chief Information Security Officer.
[19:15]
Jake Braun
Yeah, Chief Information Security Officer. Yes, and look, that's important not just for your security, but it's also important for your valuations. And so on. I mean, a lot of these folks in China and elsewhere will look at what companies most recently got major investments from private equity firms or venture capital firms or whoever else, and then those will be the ones they target. In fact, we found several years ago at Homeland Security or Homeland Security found several years ago that attacks from China on IP were directly correlated to press releases of $20 million of investment or more. And so, yeah, like we could see that within weeks or, or whatever after press release saying they got 20 million in investment, they were getting hacked and their IP was getting, you know, pulled out the back door. So it's not just that you should do this for the good of the security of our space infrastructure, it's also for the good of the security of your company's ip. So number one, join the space isac. Number two, if you don't have a ciso, hire a ciso. And then number three, if you have a ciso, they're going to know most of the things that you need to the basics that you need to do. But a huge challenge in cyber that often prohibits folks from hiring cyber staff is how expensive they are. And if you want somebody with a master's or even a bachelor's in computer science with a focus on cyber, they're incredibly expensive. However, if you've already got a ciso, you probably don't need people at that level. And one of the things we really pushed for in the national cyber strategy was for companies to think about how they could bring on folks that are maybe not super duper cyber Experts with a PhD in cyber or whatever, but somebody who they can do on the job training, there's a lot of certifications, online classes and so on where you could, where you could plus up your cyber workforce, meaning you could do more cyber security if you were to bring on people who maybe have less qualifications from a degree perspective, but could quickly gain hands on knowledge they would need from working with your ciso, taking some online classes, getting a certification here or there, or by the way, attending defcon, who we partner with on the Hackers Almanac that again, I encourage everybody to Google and read because it's a fun read.
[21:49]
Maria Varmazes
I will definitely be doing that because I've gone to DEF CON a bunch of times and I'm hoping to go again this year. I have always learned a ton and I'm very much not a technical expert, but I learn a great deal just from going. And I think it's a very, as you said, it's a very educational in ways you May not expect very educational place to be.
[22:08]
Jake Braun
Yes.
[22:09]
Maria Varmazes
Well, Jake, I've learned a ton from you and I really appreciate you taking the time. So thank you for joining me today. If there's anything you want to leave the audience with, please, the floor is yours.
[22:20]
Jake Braun
I'll go back to my shameless plug of the Hacker's Almanac and the intro, which I wrote. I talk about the fact that we're in the middle of a new great game. And so what you may remember from your History 101 in college class, the great game was a struggle between Russia and the British over Central Asia. Many of us believe that we're in a similar struggle today, but instead of a conflict over Central Asia, it's over the Internet and, and really it's between authoritarian countries like Russia, China, Iran, North Korea and so on, and democracies. And, you know, space is clearly one of the main kind of parts of the terrain or so on that we're dealing with here. And everybody who's listening to this call or reading about this should know that they are, they are all players in this new great game, whether you know it or like it or not. And we're either going to protect our infrastructure to, to ward off authoritarian states and so on, who are trying to make the Internet and our lives not free, fair and secure. And, and that's kind of where we're going to find ourselves for probably the next 20 years is, is in the middle of this, this conflict between authoritarian states and the democracies of the world over cyberspace, to include cyberspace and outer space.
[24:02]
Maria Varmazes
That's it for T minus deep space. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. You can email us@spacen2k.com or submit the survey in the show notes. Your feedback ensures that we deliver the information that keeps you a step ahead in the rapidly changing space industry. N2K Senior Producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I am your host, Maria Varmazes. Thanks for listening. See you next time.
[25:02]
Sponsor/Advertisement Voice
Foreign. Most environments trust far more than they should and attackers know it. Threat Locker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold with with ring fencing, you control how trusted applications behave. And with ThreatLocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.