Should space be designated as critical infrastructure?

Episode Overview

Title: Should space be designated as critical infrastructure?
Podcast: T-Minus Space Daily (N2K Networks)
Host: Maria Varmazes
Guest: Jake Braun, Executive Director, Cyber Policy Initiative at the University of Chicago; Former Acting Principal Deputy National Cyber Director, White House
Release Date: November 28, 2025

In this episode, the discussion centers on whether space should be formally designated as critical infrastructure. The conversation dives into U.S. federal cyber policy, the consequences of such a designation, the evolving threat landscape in space, and the practical cybersecurity advice for the space industry. Jake Braun draws on his White House experience to explain both the policy implications and the very real, constantly evolving technical threats facing satellites and space assets today.

Key Discussion Points & Insights

1. The Role and Authority of the Office of the National Cyber Director

Jake Braun outlines the creation and purpose of the White House cyber office:
- The office was established to have White House-level authority to compel government-wide adoption of cyber policy, filling a federal gap.
- "Running a startup is interesting. Running a startup in government is particularly unique. And then running a startup in the White House is something that I have a lot of scars from, but I would have never given up for the world." (03:14)
The office’s first major task was updating the National Cyber Strategy, involving implementation across all federal agencies—including the space domain.

"Space was a key component of it... as well as a whole host of other things." (04:26)

2. Why Consider Space as Critical Infrastructure?

The vast majority (60%+) of active satellites are commercial, and society is increasingly reliant on them for everything from GPS to communications.
Jake explains how the cyber director's office advocated for being part of the space-asset security conversation:
- "We kind of rose our hand as kind of the new kid on the block and said, hey, cyber's kind of a key component of all this. We should really be at the TABLE..." (06:19)

3. The Policy Debate: Pros and Cons of Formal Designation

Pros:
- More resources: Designation triggers government-funded threat intelligence, info sharing, and complimentary security assessments—especially beneficial for small companies.
- Integrated protection: Brings space into the ecosystem of nationally protected sectors, similar to energy and water.
- "The government will often fund... information sharing groups to share threat intelligence. They'll often fund via CISA and other entities, folks that will go out and do free cybersecurity assessments." (08:21)
Cons:
- Potential for more regulation and scrutiny: The industry fears increased bureaucracy.
- "Part of the reason I think the space industry was, was somewhat less excited about it was that it, it can, doesn't always, but can come with increased regulations and scrutiny from government, which of course industry generally doesn't like." (08:21)

4. How Special Are Space-Based Cyber Threats?

Maria questions whether space-sector threats are unique or merely extensions of known terrestrial risks.
Jake emphatically asserts that the space industry (like most others) is not adequately prepared for nation-state level threats:
- "Absolutely not. They don't got it. And that's not their fault. Like no one does." (10:38)
He references the Stuxnet attack to illustrate that sufficiently motivated and resourced attackers can compromise systems believed to be unbreakable:
- "If somebody can get into... infrastructure that's not connected to the Internet, that's buried underground in the desert... then a nation state... could get into your satellite, which by definition is connected to networks all over the planet." (10:38)
Real-World Example: DEF CON hackers demonstrated a software-defined radio signal injection attack on a VSAT satellite modem (Newtek MDM 2200 by iDirect), executed from Earth with modest resources (12:10).
- "These hackers are doing this on a shoestring budget... If they can do it on a shoestring budget, imagine what China, Russia, Iran... could do when they have, you know, millions or billions of dollars to throw at it." (12:10)

5. The Threat Landscape: Techniques and Attacker Profiles

The same types of cyber attacks prevalent on Earth—basic network attacks, SQL injections, zero-day exploits—are all relevant to space technology.
- "Your typical network attacks that are used against other computer systems are normal. Even basic things like SQL injections are applicable here." (16:03)
Zero Days: Nation states (esp. China, Russia, Iran, North Korea) stockpile undisclosed vulnerabilities targeting space-related infrastructure.
- "They spend all day, every day looking for zero days in this infrastructure. A zero day refers to basically a new vulnerability that nobody knew about before." (17:09)

6. What Should Space Companies Do?

Jake offers practical actions:

Join industry information-sharing groups:
"Join the Space ISAC. Even if you're a small company... it's worth it." (18:46)
Hire a CISO (Chief Information Security Officer):
"If you're a startup and you don't have a CISO, hire a CISO. That's really important." (18:46)
Beware of targeted IP theft:
"Attacks from China on IP were directly correlated to press releases of $20 million of investment or more." (19:15)
Think creatively about cybersecurity staffing:
- Not everyone needs elite credentials; upskilling, certifications, and on-the-job training can rapidly expand a company's cyber capability.
- "If you've already got a CISO, you probably don't need people at that level... You could plus up your cyber workforce... bring on people who maybe have less qualifications from a degree perspective, but could quickly gain hands on knowledge..." (20:00)
Leverage the "Hacker's Almanac" (DEF CON + University of Chicago):
Provides educational insights from the hacking community.
- "I encourage everybody to Google and read because it's a fun read." (21:26)

Notable Quotes & Memorable Moments

On the myth of perfect security:
“If somebody can get into your infrastructure that's not connected to the Internet, that'll tell you everything you need to know... Certainly a nation state... could get into your satellite, which by definition is connected to networks all over the planet.”
— Jake Braun, (10:38)
On resource gaps for defenders vs. attackers:
“If they can do it [hack satellites] on a shoestring budget, imagine what China, Russia, Iran or... bad actor could do when they have, you know, millions or billions of dollars...”
— Jake Braun, (12:10)
On the high stakes for every company:
"What companies most recently got major investments... those will be the ones they target. We found several years ago at Homeland Security... attacks from China on IP were directly correlated to press releases of $20 million of investment or more."
— Jake Braun (19:15)
On everyone’s role in global cyber competition:
"We are all players in this new great game, whether you know it or like it or not. And... we're either going to protect our infrastructure to ward off authoritarian states... or not."
— Jake Braun, (22:19)

Important Timestamps

03:14 — Jake’s experience running the White House cyber office
04:26 — National Cyber Strategy update and space as a key pillar
06:19 — Cyber director’s role in the space critical infrastructure debate
08:21 — Practical impacts of critical infrastructure designation: regulation vs. resources
10:38 — The Stuxnet lesson and nation-state threat realities
12:10 — DEF CON’s demonstration: Hacking satellite modems from Earth
16:03 — Parallels between terrestrial and space cybersecurity threats
17:09 — Explanation of zero-day vulnerabilities
18:46 — Concrete advice for the space sector (Space ISAC, hiring, IP threats)
22:19 — Jake’s closing thoughts and the "new great game" metaphor

Final Thoughts & Takeaways

This episode underscores that while the space sector’s digital assets face some unique technical challenges, the real gap is in preparedness and resourcing—especially for small, innovative companies. The formal designation as critical infrastructure would both raise the bar for regulation and bring much-needed government resources and support.

Jake Braun’s main message: The space industry can’t “go it alone”—collaboration, info-sharing, practical cyber hiring, and a recognition of the real nation-state threat environment are urgently necessary, because the new "great game" is playing out not just on land, but in cyberspace and outer space.

For further reading or to expand your understanding, Jake recommends:

Researching the DEF CON Hacker's Almanac
Engaging with Space ISAC
Participating in hands-on learning opportunities like DEF CON

Episode Overview

Key Discussion Points & Insights

1. The Role and Authority of the Office of the National Cyber Director

Jake Braun outlines the creation and purpose of the White House cyber office:
- The office was established to have White House-level authority to compel government-wide adoption of cyber policy, filling a federal gap.
- "Running a startup is interesting. Running a startup in government is particularly unique. And then running a startup in the White House is something that I have a lot of scars from, but I would have never given up for the world." (03:14)
The office’s first major task was updating the National Cyber Strategy, involving implementation across all federal agencies—including the space domain.

"Space was a key component of it... as well as a whole host of other things." (04:26)

2. Why Consider Space as Critical Infrastructure?

The vast majority (60%+) of active satellites are commercial, and society is increasingly reliant on them for everything from GPS to communications.
Jake explains how the cyber director's office advocated for being part of the space-asset security conversation:
- "We kind of rose our hand as kind of the new kid on the block and said, hey, cyber's kind of a key component of all this. We should really be at the TABLE..." (06:19)

3. The Policy Debate: Pros and Cons of Formal Designation

Pros:
- More resources: Designation triggers government-funded threat intelligence, info sharing, and complimentary security assessments—especially beneficial for small companies.
- Integrated protection: Brings space into the ecosystem of nationally protected sectors, similar to energy and water.
- "The government will often fund... information sharing groups to share threat intelligence. They'll often fund via CISA and other entities, folks that will go out and do free cybersecurity assessments." (08:21)
Cons:
- Potential for more regulation and scrutiny: The industry fears increased bureaucracy.
- "Part of the reason I think the space industry was, was somewhat less excited about it was that it, it can, doesn't always, but can come with increased regulations and scrutiny from government, which of course industry generally doesn't like." (08:21)

4. How Special Are Space-Based Cyber Threats?

Maria questions whether space-sector threats are unique or merely extensions of known terrestrial risks.
Jake emphatically asserts that the space industry (like most others) is not adequately prepared for nation-state level threats:
- "Absolutely not. They don't got it. And that's not their fault. Like no one does." (10:38)
He references the Stuxnet attack to illustrate that sufficiently motivated and resourced attackers can compromise systems believed to be unbreakable:
- "If somebody can get into... infrastructure that's not connected to the Internet, that's buried underground in the desert... then a nation state... could get into your satellite, which by definition is connected to networks all over the planet." (10:38)
Real-World Example: DEF CON hackers demonstrated a software-defined radio signal injection attack on a VSAT satellite modem (Newtek MDM 2200 by iDirect), executed from Earth with modest resources (12:10).
- "These hackers are doing this on a shoestring budget... If they can do it on a shoestring budget, imagine what China, Russia, Iran... could do when they have, you know, millions or billions of dollars to throw at it." (12:10)

5. The Threat Landscape: Techniques and Attacker Profiles

The same types of cyber attacks prevalent on Earth—basic network attacks, SQL injections, zero-day exploits—are all relevant to space technology.
- "Your typical network attacks that are used against other computer systems are normal. Even basic things like SQL injections are applicable here." (16:03)
Zero Days: Nation states (esp. China, Russia, Iran, North Korea) stockpile undisclosed vulnerabilities targeting space-related infrastructure.
- "They spend all day, every day looking for zero days in this infrastructure. A zero day refers to basically a new vulnerability that nobody knew about before." (17:09)

6. What Should Space Companies Do?

Jake offers practical actions:

Join industry information-sharing groups:
"Join the Space ISAC. Even if you're a small company... it's worth it." (18:46)
Hire a CISO (Chief Information Security Officer):
"If you're a startup and you don't have a CISO, hire a CISO. That's really important." (18:46)
Beware of targeted IP theft:
"Attacks from China on IP were directly correlated to press releases of $20 million of investment or more." (19:15)
Think creatively about cybersecurity staffing:
- Not everyone needs elite credentials; upskilling, certifications, and on-the-job training can rapidly expand a company's cyber capability.
- "If you've already got a CISO, you probably don't need people at that level... You could plus up your cyber workforce... bring on people who maybe have less qualifications from a degree perspective, but could quickly gain hands on knowledge..." (20:00)
Leverage the "Hacker's Almanac" (DEF CON + University of Chicago):
Provides educational insights from the hacking community.
- "I encourage everybody to Google and read because it's a fun read." (21:26)

Notable Quotes & Memorable Moments

On the myth of perfect security:
“If somebody can get into your infrastructure that's not connected to the Internet, that'll tell you everything you need to know... Certainly a nation state... could get into your satellite, which by definition is connected to networks all over the planet.”
— Jake Braun, (10:38)
On resource gaps for defenders vs. attackers:
“If they can do it [hack satellites] on a shoestring budget, imagine what China, Russia, Iran or... bad actor could do when they have, you know, millions or billions of dollars...”
— Jake Braun, (12:10)
On the high stakes for every company:
"What companies most recently got major investments... those will be the ones they target. We found several years ago at Homeland Security... attacks from China on IP were directly correlated to press releases of $20 million of investment or more."
— Jake Braun (19:15)
On everyone’s role in global cyber competition:
"We are all players in this new great game, whether you know it or like it or not. And... we're either going to protect our infrastructure to ward off authoritarian states... or not."
— Jake Braun, (22:19)

Important Timestamps

03:14 — Jake’s experience running the White House cyber office
04:26 — National Cyber Strategy update and space as a key pillar
06:19 — Cyber director’s role in the space critical infrastructure debate
08:21 — Practical impacts of critical infrastructure designation: regulation vs. resources
10:38 — The Stuxnet lesson and nation-state threat realities
12:10 — DEF CON’s demonstration: Hacking satellite modems from Earth
16:03 — Parallels between terrestrial and space cybersecurity threats
17:09 — Explanation of zero-day vulnerabilities
18:46 — Concrete advice for the space sector (Space ISAC, hiring, IP threats)
22:19 — Jake’s closing thoughts and the "new great game" metaphor

Final Thoughts & Takeaways

For further reading or to expand your understanding, Jake recommends:

Researching the DEF CON Hacker's Almanac
Engaging with Space ISAC
Participating in hands-on learning opportunities like DEF CON

wavePod

Powered by Wave AI

Summary

Episode Overview

Key Discussion Points & Insights

1. The Role and Authority of the Office of the National Cyber Director

2. Why Consider Space as Critical Infrastructure?

3. The Policy Debate: Pros and Cons of Formal Designation

4. How Special Are Space-Based Cyber Threats?

5. The Threat Landscape: Techniques and Attacker Profiles

6. What Should Space Companies Do?

Notable Quotes & Memorable Moments

Important Timestamps

Final Thoughts & Takeaways

Summary

Episode Overview

Key Discussion Points & Insights

1. The Role and Authority of the Office of the National Cyber Director

2. Why Consider Space as Critical Infrastructure?

3. The Policy Debate: Pros and Cons of Formal Designation

4. How Special Are Space-Based Cyber Threats?

5. The Threat Landscape: Techniques and Attacker Profiles

6. What Should Space Companies Do?

Notable Quotes & Memorable Moments

Important Timestamps

Final Thoughts & Takeaways