Legal Framework of the Space Activity Cybersecurity in the USA: Experience for Ukraine

Keywords: cybersecurity, incident, cyber risk, cyber threat, critical infrastructure, space activities

Abstract

The article depicts the timeline of the development of cybersecurity legislation in the USA, which is divided into two stages. The
first arose as a response to the large-scale terrorist threats of 2001 and lasted until 2014. The second starts with the massive
and multisectoral cyber incidents and cyber-attacks the US faced in the last five years. In addition, the article analyzes the changes in the
institutional structure aimed at supporting cybersecurity in the US and its branched connections with public and private actors. The main
attention is paid to the content of the Memorandum on Space Policy Directive-5 “Cybersecurity Principles for Space Systems”, which
could be an example of best law-making practice not only for space actors within the US, but also for law-making actors of all
space-faring nations.
The chronology of the elaboration of cybersecurity legislation and the institutional structure supporting it in Ukraine are analyzed
in the second part of this article. On this ground, we observed some weak aspects of national cyber legislation. The first is duplication and
inconsistency of basic terms, such as “cyberattack” and “critical infrastructure”. The second is the absence of an approved list of
critical infrastructure facilities and clear requirements for conducting an independent information security audit. The third is that by-laws
are aimed primarily at protecting public information resources and do not take into account the requirements for cooperation between
the public and private sectors in the protection of critical infrastructure, regardless of its form of ownership.
Analysis of the draft law on critical infrastructure permits the conclusion that cyber legislation in Ukraine is coming to the second stage
of its development, which will enhance the development of particular legislation within each sector of critical
infrastructure. In this regard, it is necessary to elaborate a legal background for the cybersecurity of space activity. To this end, we consider
it necessary to designate the State Space Agency of Ukraine as the responsible entity in the field of space activities for the specified
sector of critical infrastructure. Furthermore, the article suggests prescribing plans to protect against cyber threats (cyber attacks or
cyber incidents) as one of the necessary documents for obtaining a permit to conduct certain types of space activities.

Published
2020-11-10
How to Cite
Malysheva, N., & Hurova, A. (2020). Legal Framework of the Space Activity Cybersecurity in the USA: Experience for Ukraine. Law Review of Kyiv University of Law, 1(3), 325-335. https://doi.org/10.36695/2219-5521.3.2020.59
Section
The legal system of Ukraine and international law, comparative legal studies