As cyberspace and outer space become more integrated and interdependent, the security of space infrastructure is only growing more critical to national security. Although space cybersecurity is not a new topic, the cyberattack on Viasat’s satellite network in Ukraine on 24 February 2022 highlights the importance of adopting a whole-of-nation cybersecurity posture. The cyberattack is also the first real world example of a ‘cyberwar’ targeting commercial space sector in an armed conflict.
In our previous space cybersecurity series, we discussed the range of security obligations under the Security of Critical Infrastructure Act 2018 (Cth) and Telecommunications Act 1997 (Cth). A link to that article is available here. In this article, we look at the cybersecurity requirements in applying for a permit, authorisation, or licence under the Space (Launches and Returns) Act 2018 (Cth) (Act).
Licences, Permits and Authorisations
The Act establishes different classes of approval for space launches and related activities. The criteria for each of those classes are more specifically regulated by the Space (Launches and Returns) (General) Rules 2019 (Cth) (General Rules) and Space (Launches and Returns) (High Power Rocket) Rules 2019 (Cth) (High Power Rocket Rules) (together, the Rules).
Depending on the type of approval sought, the applicant must submit certain plans. For example, the application for an Australian launch permit must include a debris mitigation plan and flight safety plan, and an emergency plan is required for an application for a launch facility licence. In addition to the more specific plans based on the type of activity, the Rules generally require an applicant for any of the approvals (other than an applicant for an overseas payload permit) to include in its application a ‘technology security plan’.
Technology Security Plans
A technology security plan is a plan that set out the arrangements and procedures for safeguarding the technology to be used:
- in the case of a launch facility – in operating the launch facility;
- in the case of an Australian launch permit – in conducting the launch (or launches) and any connected return and in operating the launch vehicle;
- in the case of a return authorisation – in conducting the return (or returns);
- in the case of a high power rocket – in operating the high power rocket.
The technology security plan must also include:
- the procedures to prevent unauthorised people from having access to the technology;
- a proposed ‘cybersecurity strategy’; and
- where there is in force an agreement of any kind between Australia and another country that relates to safeguarding all or part of the technology (or otherwise also known as protected technology), information on how the plan ensures that Australia gives effect to its obligations under the agreement.
In relation to the last point, in support of Australia’s launch future capabilities, earlier this year Australia and the United States reached an in-principle agreement on a Technology Safeguards Agreement (TSA) to ‘allow for the controlled transfer of sensitive US launch technology and data’.1 The terms of the TSA are yet to be finalised and ‘final domestic authorisations’ are needed before the TSA becomes binding, but once in force the obligations in the TSA will need to be addressed, where relevant, in a technology security plan.
The term ‘cybersecurity strategy’ is not defined in the General Rules or High Power Rocket Rules. The Rules also do not prescribe a specific cybersecurity standard or framework; they merely mandate the applicant to include a cybersecurity strategy in its application. This approach accommodates the evolving nature of cybersecurity risks and allows industry leaders to make their own assessment and develop a plan according to the level of risks, without being too prescriptive. The explanatory memorandum for the Rules envisages the cybersecurity strategy to include defensive measures that the applicant would take to protect networks that are critical and prevent unauthorised access to those technologies, both physically and digitally.
As part of the application process, the Rules also require a ‘person with suitable qualifications and experience’ to conduct a written assessment of the adequacy of the cybersecurity strategy. Up until recently, the person conducting such assessments was required to be an ‘independent person’ or a person who is ‘not a related party’ to the applicant. However, following a consultation with stakeholders last year, the Australian Government has removed the requirement that the person conducting such assessments must be an ‘independent person’ or a person who is ‘not a related party’ to the applicant.
These amendments came into effect on 17 August 2023. This effectively eases the application process by permitting in-house experts to carry out assessments on the adequacy of the cybersecurity strategy in the technology security plan, without having to involve an independent third party in the process. According to the Department of Industry, Science and Resources, these amendments are intended to remove barriers to participation in the space launch industry, while still maintaining the safety of Australian space activities, as the Australian Space Agency is still ultimately responsible for assessing the application material and granting approvals.
To participate in the commercial space sector, businesses in Australia must have an appropriate cybersecurity strategy. Such strategy should include both preventative and responsive measures to respond to the range of threats in the cyberspace.
How can HWL Ebsworth help?
HWL Ebsworth’s Space and Technology team has extensive experience in advising businesses on regulatory and intellectual property issues. If you have any queries about space or intellectual property law, please do not hesitate to contact us for further information on how we can assist you.
This article was written by Daniel Kiley, Partner, Nikki Macor Heath, Special Counsel, and Veronica Mignone, Special Counsel.
1 Joint Statement issued by the Prime Minister of Australia and the President of the United States on 20 May 2023, https://www.pm.gov.au/media/alliance-our-times