Debris with telemetry: the cyber pathway to Kessler
by Daniel Morgan
The on-call engineer assumes a software regression and begins a rollback. The rollback fails. The propulsion controller on each affected satellite is no longer accepting authenticated commands. Telemetry continues to flow. Position reports continue to arrive. The actuators are inert. A senior systems architect, woken at home, is the first person in the building to use the word “intrusion.”
The intrusion did not begin that Tuesday. It began 13 weeks earlier, when a contractor working on ground segment integration opened a spear-phishing email purporting to come from a regulatory body. The credentials harvested from that single compromise gave the attacker a foothold on a development network. From there, the path to a production telemetry, tracking, and command gateway took patience rather than brilliance. By the time the dormant payload triggered, it had already been signed by the satellites’ own update infrastructure. It overwrote the firmware governing the propulsion subsystem on each compromised spacecraft with a near-identical image that altered the cryptographic checks performed before a thrust command would execute. Every command from the legitimate operator would now be received, logged, and silently rejected.
By 17:00 UTC on the same day, the first conjunction warning involving two of the affected spacecraft was issued. The predicted miss distance was 412 meters. Under normal circumstances, a small avoidance burn would have resolved it. On this Tuesday, the operator could only watch.
In the language of orbital mechanics, 200 satellites had ceased to be operational and had become, in a single coordinated instant, debris with telemetry.
The scenario above is not a forecast. It is a plausible composition of vulnerabilities that already exist, joined together by orbital geometry. None of its steps requires a technological capability that does not currently exist. None of its dynamics are novel. What distinguishes it from the dozens of cascade scenarios in the technical literature is the trigger. In the canonical scenarios, the trigger is an accidental collision, a botched anti-satellite test, or a battery explosion. Here, the trigger is a line of code.
A modern small satellite is, in functional terms, a flight-qualified data center with thrusters. Software updates, telemetry retrieval, and command uplinks are managed through ground stations that, in the commercial sector, increasingly operate under a “ground station as a service” model. The economic logic is sound, but the security implications are less so. The literature on space system cybersecurity has identified the same set of weaknesses for over a decade: weak or absent encryption on uplinks, single-factor authentication for command authority, unsigned firmware updates, and a general absence of redundant command paths that would allow an operator to override a compromised primary channel.
A cyberattack against a satellite need not seize control of it. It need only deny control to the legitimate operator. That is the critical distinction. Hijacking a spacecraft requires either valid cryptographic credentials or the ability to forge them. Denying control requires only the ability to interfere with the legitimate command path. The threshold of capability is significantly lower, and the resulting failure mode is the one that matters for debris generation. A satellite that cannot maneuver is a non-maneuvering object in a maneuvering environment. It does not need to fail catastrophically. It only needs to fail to respond.
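The distinction above, between losing a spacecraft and losing the ability to command it, has a practical consequence for the operator: the two states look different in telemetry only if someone checks. The following Python, added here as an illustration and not taken from the article or from any operator's ground software, shows a ground-side check that correlates what was uplinked with the spacecraft's own command counters and its propulsion on-time. The frame layout, counter names and sample values are constructed for the example; a real mission would map them onto its own telemetry dictionary. Note the caveat the scenario itself implies: these counters are produced by the very firmware that may have been replaced, so the only evidence that does not pass through the spacecraft is independent orbit determination after a commanded burn.

```python
"""Ground-side classification of a command path that may be silently failing.

Added example. Assumes (constructed) telemetry fields: a counter of command
frames received onboard, a counter of commands that passed authentication
and executed, and cumulative propulsion on-time.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TelemetryFrame:
    t: int              # frame time, seconds (constructed epoch)
    cmd_received: int   # onboard counter: command frames received
    cmd_accepted: int   # onboard counter: commands authenticated and executed
    thruster_on_ms: int # cumulative propulsion on-time, milliseconds


@dataclass(frozen=True)
class Uplink:
    t: int
    name: str           # e.g. "BURN", "NOOP"


def assess_command_path(uplinks: List[Uplink], frames: List[TelemetryFrame],
                        t_now: int, window_s: int = 600) -> Tuple[str, str]:
    """Classify the command path over the last window_s seconds.

    Returns (status, detail), status being one of:
      'telemetry_loss'    no frames in the window, nothing can be concluded
      'uplink_loss'       commands sent, onboard received counter unchanged
      'silent_rejection'  commands received onboard, none accepted
      'actuator_inert'    a burn was accepted, propulsion on-time unchanged
      'ok'                nothing anomalous, or no commands sent
    """
    start = t_now - window_s
    sent = [u for u in uplinks if start <= u.t <= t_now]
    seen = sorted((f for f in frames if start <= f.t <= t_now), key=lambda f: f.t)
    if not seen:
        return "telemetry_loss", "no telemetry frames in window"
    first, last = seen[0], seen[-1]
    d_received = last.cmd_received - first.cmd_received
    d_accepted = last.cmd_accepted - first.cmd_accepted
    d_thrust = last.thruster_on_ms - first.thruster_on_ms
    if not sent:
        return "ok", "no commands sent in window"
    if d_received == 0:
        # The spacecraft never saw the frames: an RF or ground-path problem.
        return "uplink_loss", f"{len(sent)} sent, 0 received onboard"
    if d_accepted == 0:
        # Frames arrived and were logged onboard but nothing executed: the
        # signature of a tampered authentication check rather than a bad link.
        return "silent_rejection", f"{d_received} received onboard, 0 accepted"
    burns = [u for u in sent if u.name == "BURN"]
    if burns and d_thrust == 0:
        return "actuator_inert", f"{len(burns)} burn(s) accepted, propulsion on-time unchanged"
    return "ok", f"{d_received} received, {d_accepted} accepted"


# Constructed sample: four commands uplinked, including one burn. The
# received counter advances with each frame; the accepted counter does not.
SAMPLE_UPLINKS = [Uplink(100, "NOOP"), Uplink(200, "NOOP"),
                  Uplink(300, "BURN"), Uplink(400, "NOOP")]
REJECTING_FRAMES = [
    TelemetryFrame(0, 1200, 1200, 54000),
    TelemetryFrame(150, 1201, 1200, 54000),
    TelemetryFrame(350, 1203, 1200, 54000),
    TelemetryFrame(450, 1204, 1200, 54000),
]
# Same uplinks against a healthy spacecraft: accepted counter and on-time move.
HEALTHY_FRAMES = [
    TelemetryFrame(0, 1200, 1200, 54000),
    TelemetryFrame(150, 1201, 1201, 54000),
    TelemetryFrame(350, 1203, 1203, 56500),
    TelemetryFrame(450, 1204, 1204, 56500),
]

if __name__ == "__main__":
    for label, frames in (("rejecting", REJECTING_FRAMES), ("healthy", HEALTHY_FRAMES)):
        status, detail = assess_command_path(SAMPLE_UPLINKS, frames, t_now=500)
        print(f"{label}: {status} ({detail})")
```

The three non-'ok' classes map onto different responders: an uplink loss goes to the RF and ground-network team, a silent rejection or inert actuator is a security incident until shown otherwise. Running the check continuously, rather than only when a conjunction warning forces the question, is what turns "telemetry continues to flow" from a false reassurance into a detection opportunity.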
Three structural features of the contemporary orbital regime turn an old class of vulnerability into a present systemic risk.
The first is automation at scale. A constellation of several thousand satellites must rely on highly automated command and control. Manual oversight of each spacecraft is impossible. The same automation that allows an operator to manage a fleet of 5,000 spacecraft with a small team also allows a single compromise of the command pipeline to propagate to the entire fleet. The very property that makes megaconstellations commercially viable, namely homogeneity at scale, is the property that makes them attractive targets.
The second is ground segment exposure. Each ground station is a terrestrial network endpoint, often connected through vendor, cloud, or operator infrastructure. Each spacecraft authenticates commands using cryptographic keys that must be provisioned, rotated, and stored somewhere, and the somewhere is rarely as well protected as the spacecraft itself. The Viasat KA-SAT incident of February 2022 demonstrated, in operational rather than academic terms, that the ground segment of a satellite system can be attacked at scale, with effects that propagate beyond the targeted assets. KA-SAT did not produce orbital debris because the targeted assets were modems. The lesson generalizes.
The third is orbital density. Parts of the region from 800 to 1,000 kilometers are already among the most debris-sensitive orbital bands even in the absence of any deliberate event. The system is closer to the edge than the public conversation reflects. A correlated loss of maneuvering capability across a substantial fraction of an orbital shell is not the only way to push it over. It is, however, among the more plausible.
The temporal evolution of a cascade triggered by simultaneous loss of maneuvering across a substantial fraction of an orbital shell has been examined in recent modelling work, with collision-to-cascade timelines on the order of days under plausible LEO debris densities. The qualitative dynamics are robust across modelling assumptions, even where the precise timeline is contested.
At T+0, the payload executes. Operators retain telemetry. Public catalogues continue to list the objects as active. Conjunction warnings begin to flag predicted close approaches involving the affected spacecraft, but the warnings are addressed to operators who can no longer act on them.
Within the first day, the first collision occurs. Two non-maneuvering satellites of several hundred kilograms converge at a relative velocity on the order of 14 kilometers per second. The kinetic energy is sufficient to fragment both spacecraft entirely, producing hundreds of trackable fragments and tens of thousands of smaller, lethal, but untrackable ones. Within two days, the expanding fragment cloud has intersected the orbital paths of additional spacecraft. Within three days, the local debris flux in the most contested band crosses into a regime where the collision rate exceeds the natural decay rate. The cascade, in the technical sense Donald Kessler and Burton Cour-Palais defined in 1978, has begun.
The orbital environment does not care whether the cascade was started by a missile, a meteoroid, or a software update. Once it is running, the cause becomes a footnote.
The existing regulatory architecture is the product of a different era and a different threat model. National licensing regimes have made meaningful progress on debris mitigation. The US Federal Communications Commission tightened its post-mission disposal rule in 2022. European agencies and regulators have moved in the same direction, including through ESA’s updated debris mitigation requirements and the Zero Debris Charter. The general direction of travel is toward shorter disposal timelines and more rigorous demonstration of disposal capability at the licensing stage.
What these regimes do not, in general, contain is any mandatory cybersecurity standard for the satellites being licensed. The contrast with terrestrial critical infrastructure regulation is striking. Operators of electricity transmission networks, water utilities, and financial services infrastructure are subject in most developed jurisdictions to detailed cybersecurity obligations, including incident reporting, penetration testing, and supply chain security requirements. Operators of megaconstellations, whose failure modes include the contamination of the orbital environment for decades, are subject to almost none.
The voluntary architecture is more developed than the binding one, which is both a strength and a weakness. The UNCOPUOS Long-Term Sustainability Guidelines, the European Space Agency’s Zero Debris Charter, and the Inter-Agency Space Debris Coordination Committee’s mitigation guidelines together form a credible body of best practice. However, they have no penalty for non-compliance. They are, in a phrase that has begun to circulate among space lawyers, handshake agreements in a gunfight. The architecture assumes that the parties who matter will comply. In a scenario where the relevant actor is a state-sponsored adversary deliberately seeking to create debris, the assumption does not hold.
A further problem sits underneath the regulatory one. Even if the framework were adequate, its activation depends on attribution. A cyber-induced collision, viewed from the outside, is initially indistinguishable from an accidental conjunction failure. Forensic confirmation that a precipitating event was caused by a deliberate intrusion takes months, and the entities best placed to establish the cyber character of the event are often those with the strongest commercial reasons to characterize it as an anomaly. Anomalies trigger insurance payouts. Attacks may trigger exclusions. Attacks invite questions about the operator’s security posture that may threaten its license. By the time attribution is publicly established, the cascade is mature and the strategic moment for a calibrated response has passed.
The prevention architecture is not technically difficult to design. It is politically and bureaucratically deferred. Four measures, in combination, would materially reduce the probability of the scenario described above. None requires a new treaty. None requires a technological breakthrough.
The first is mandatory cybersecurity baselines for licensed satellite operations. National licensing authorities should condition the grant of a commercial satellite license on demonstrated implementation of cryptographically signed firmware updates, multi-factor authentication for command authority with at least one factor held by the operator and not by any third-party ground-station provider, and default-safe behavior in the event of loss of command authority. These measures are common practice in adjacent industries. They are not novel. Their absence reflects a regulatory choice rather than a technical constraint.
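Two of the three baselines named above, an operator-held authentication factor and default-safe behaviour on loss of command authority, can be shown in a few dozen lines. The Python below is an added example, not code from the article or from any spacecraft vendor. It models the onboard command handler: every command must carry two independent authentication tags, one computed with a key held by the ground-station provider and one with a key that only the operator holds, so a compromise of the ground-station path alone cannot produce an acceptable command. The handler also tracks a sequence number against replay and, if no valid command authority is seen within a timeout, enters a safe mode in which autonomous collision avoidance runs without waiting for the ground. HMAC-SHA256 stands in here for the asymmetric signatures a flight system would use, so that the example runs on the standard library alone; the keys, command fields and timeout are constructed values.

```python
"""Onboard command authority with an operator-held factor and a fail-safe mode.

Added example. HMAC with two independently held keys is an illustrative
substitute for two independent signatures; all keys and values are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demo keys. The operator key would live in operator-controlled
# hardware and never on the ground-station provider's systems.
OPERATOR_KEY = b"operator-demo-key-not-real"
GROUNDSTATION_KEY = b"gs-provider-demo-key-not-real"


def canonical(cmd: Dict) -> bytes:
    """Stable byte encoding so both parties authenticate the identical payload."""
    return json.dumps(cmd, sort_keys=True, separators=(",", ":")).encode()


def tag(key: bytes, cmd: Dict) -> str:
    return hmac.new(key, canonical(cmd), hashlib.sha256).hexdigest()


def sign_command(cmd: Dict) -> Dict:
    """Legitimate path: ground station and operator each add their own tag."""
    return {"cmd": cmd, "gs_tag": tag(GROUNDSTATION_KEY, cmd), "op_tag": tag(OPERATOR_KEY, cmd)}


def groundstation_only_envelope(cmd: Dict) -> Dict:
    """What a compromised ground-station path can produce: one factor, not two."""
    return {"cmd": cmd, "gs_tag": tag(GROUNDSTATION_KEY, cmd), "op_tag": ""}


class CommandAuthority:
    def __init__(self, authority_timeout_s: int = 3600):
        self.timeout = authority_timeout_s
        self.seq = 0              # last accepted sequence number (replay guard)
        self.last_valid_t = 0     # time of the last accepted command
        self.mode = "NOMINAL"     # or "SAFE": autonomous avoidance enabled
        self.auth_failures = 0    # reportable as command authentication failures
        self.log: List[Tuple[int, str, str]] = []

    def tick(self, t_now: int) -> str:
        """Scheduler hook: losing valid command authority is itself a failure.
        Rather than drifting, the spacecraft enters SAFE and avoids on its own."""
        if self.mode == "NOMINAL" and t_now - self.last_valid_t > self.timeout:
            self.mode = "SAFE"
            self.log.append((t_now, "enter_safe", "command authority timeout"))
        return self.mode

    def handle(self, env: Dict, t_now: int) -> str:
        cmd = env.get("cmd", {})
        ok_gs = hmac.compare_digest(str(env.get("gs_tag", "")), tag(GROUNDSTATION_KEY, cmd))
        ok_op = hmac.compare_digest(str(env.get("op_tag", "")), tag(OPERATOR_KEY, cmd))
        if not (ok_gs and ok_op):
            # Both factors are required; a single valid tag is never enough.
            self.auth_failures += 1
            self.log.append((t_now, "auth_fail", f"gs={ok_gs} op={ok_op}"))
            return "rejected"
        if cmd.get("seq", -1) <= self.seq:
            self.log.append((t_now, "replay", str(cmd.get("seq"))))
            return "rejected"
        self.seq = cmd["seq"]
        self.last_valid_t = t_now
        if self.mode == "SAFE":
            self.mode = "NOMINAL"
            self.log.append((t_now, "exit_safe", "valid command authority restored"))
        self.log.append((t_now, "accepted", cmd.get("name", "?")))
        return "accepted"


if __name__ == "__main__":
    ca = CommandAuthority(authority_timeout_s=3600)
    print(ca.handle(sign_command({"seq": 1, "name": "BURN", "dv_mps": 0.3}), 100))        # accepted
    print(ca.handle(groundstation_only_envelope({"seq": 2, "name": "BURN"}), 300))        # rejected
    print(ca.tick(3800), ca.log[-1])                                                      # SAFE
```

The property worth noticing is that the ground-station provider's key is necessary but not sufficient: the attacker in the scenario, who reached the production gateway, holds exactly that factor and no more. The same dual-control pattern applies to firmware images, where the update infrastructure's signature should be one of two, not the only one.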
The second is mandatory redundancy in maneuvering capability for spacecraft above a defined mass threshold. A satellite whose collision avoidance depends on a single propulsion subsystem and a single command path is a satellite whose continued safe operation can be defeated by a single failure, accidental or adversarial. A requirement that satellites above a sensible mass threshold carry two independent propulsion subsystems with independent command authentication, and that they be capable of executing autonomous collision avoidance in the absence of ground command, would substantially raise the threshold for the kind of mass disablement the scenario contemplates.
The third is a defined incident-reporting obligation. Operators should be required to report maneuver anomalies, command authentication failures, and confirmed or suspected intrusions to the licensing authority within timelines short enough to be operationally useful. The current reliance on voluntary disclosure produces an attribution architecture in which the entities best placed to identify the cyber character of an event are those with the strongest reasons to obscure it. Mandatory reporting, with credible verification, corrects the asymmetry.
The fourth is parallel investment in active debris removal (ADR) as insurance against the failure of the preventive measures, not as a substitute for them. Active debris removal is technically credible, with key rendezvous, capture, and proximity operations demonstrated in precursor missions, but operational removal of large debris objects remains limited and expensive. The legal complications, particularly the jurisdictional rule that a debris object remains under the jurisdiction of its registering state indefinitely, are real. They are not insurmountable. They mean only that ADR cannot be the primary tool of cascade prevention and must be developed alongside the regulatory measures, not in place of them.
Three of these measures could be implemented unilaterally by major spacefaring states without waiting for any international process. The FCC could initiate a rulemaking on mandatory firmware signing, building on the precedent of its disposal rule. The European Union could clarify the application of NIS2 to spacecraft as well as to ground-based service delivery. The UK Space Agency, the French space agency CNES, and their peers could each adopt licensing conditions requiring redundant command authentication and incident reporting. None requires international agreement. Each, on its own, would close one of the principal vectors in the scenario.
The case for these measures does not depend on assigning a high probability to the specific cascade described above. It depends only on assigning a non-trivial probability, multiplied by the magnitude of the consequences, and comparing the result to the modest costs of prevention. By that calculation, the case is overwhelming. By the calculations that have actually governed regulatory practice over the past decade, the case has been deferred.
The technology to reduce this risk already exists. What is missing is not basic capability, but enforceable standards. The treaties are not the immediate constraint. The license conditions are. They can be changed at any time. They have not been. The next cascade may not begin with an explosion. It may begin with a login.