Last Updated on January 19, 2026 by Arnav Sharma
When most people think about cybersecurity threats, they picture hackers targeting banks, hospitals, or power grids. But there’s a massive attack surface floating above our heads right now that doesn’t get nearly enough attention: satellites.
I’ve been tracking the evolution of space cybersecurity for a while now, and honestly, it’s been fascinating watching governments repeatedly try to address this issue. The Satellite Cybersecurity Act just got reintroduced for the third time, which tells you something about both the importance of the problem and how difficult it is to get cybersecurity legislation across the finish line.
Let me walk you through what’s actually happening here and why it matters for anyone working in security or critical infrastructure.
The Viasat Attack Changed Everything
If you want to understand why legislators keep pushing this bill, you need to start with February 24, 2022. Hours before Russian tanks rolled into Ukraine, Russian military hackers launched one of the most significant cyberattacks against space infrastructure we’ve ever seen publicly.
The target was Viasat’s KA-SAT network, and the attack was devastatingly effective.
Here’s how it went down: Attackers first exploited a vulnerability in a Fortinet VPN used by administrators at a ground facility in Italy. From there, they pivoted to management servers controlling satellite modems across Europe. They deployed a custom wiper malware called “AcidRain” that permanently destroyed firmware on somewhere between 40,000 and 45,000 modems. For good measure, they also launched a denial-of-service attack flooding Viasat’s servers with over 100,000 requests in just five minutes, preventing any of those bricked modems from reconnecting.
The collateral damage was extensive. In Germany, 5,800 wind turbines lost their remote monitoring capabilities. Nearly 9,000 subscribers in France lost internet access. Roughly one-third of 40,000 subscribers across multiple European countries were affected. Commercial airlines worldwide experienced disruptions to in-flight connectivity.
Why Satellites Are the New Critical Infrastructure Battleground
Here’s something that catches a lot of security professionals off guard: the sheer scale of our satellite dependency.
The global space economy topped $630 billion in 2023 and is projected to exceed $1.8 trillion by 2035. Nearly 15,000 satellites currently orbit Earth, a 31.5% increase since 2023. Over 3,000 launches are projected for 2025 alone.
And these satellites aren’t just handling communications. They’re woven into the fabric of modern life in ways most people don’t realize.
Financial services rely on GPS timing to synchronize transactions and trading systems. That might sound abstract until you realize that a GPS disruption could throw off high-frequency trading by milliseconds, which in that world is an eternity. Transportation depends on satellites for aviation navigation, maritime shipping, and increasingly, autonomous vehicles. Emergency services use satellite systems for first responder coordination, disaster response, and weather forecasting. The energy sector uses satellites for grid synchronization and remote monitoring of infrastructure. Agriculture leverages precision farming, crop monitoring, and equipment guidance through satellite systems.
The Legislative Journey: Three Tries and Counting
The Satellite Cybersecurity Act has been through the congressional process three times now. Each attempt has advanced but ultimately stalled before reaching a final vote.
The first version, S.3511, was introduced in January 2022 by Senators Gary Peters (D-MI) and John Cornyn (R-TX). It passed out of the Homeland Security and Governmental Affairs Committee but never got a floor vote before the session ended.
The second attempt, S.1425, came in May 2023. It also advanced out of committee, with estimated implementation costs of $14 million over five years. Same result: no floor vote.
Now we have S.3404, introduced in December 2025 as the “Satellite Cybersecurity Act of 2025.” It’s been referred to the Committee on Commerce, Science, and Transportation.
The support is notable. This isn’t a small issue. Both sides recognize the threat. The challenge has been finding time on the legislative calendar and navigating competing priorities.
What’s Actually in the Bill?
The 2025 version contains several provisions worth understanding if you’re in the security space.
A Public Clearinghouse for Cybersecurity Resources
The bill requires the Department of Commerce to establish and maintain a publicly accessible online clearinghouse of cybersecurity resources and recommendations for commercial satellite system operators. This includes materials specifically designed to help small businesses with secure development, operation, and maintenance of their systems.
This matters because a lot of smaller operators simply don’t have the security expertise of the big players. Consolidating best practices into a single, accessible location lowers the barrier to improving security posture across the industry.
Voluntary Cybersecurity Recommendations
The Secretary of Commerce, working with the Secretary of Homeland Security, must consolidate voluntary cybersecurity recommendations covering several key areas. These include risk-based cybersecurity-informed engineering, planning for retention or recovery of positive control during incidents, protection against unauthorized access, physical protection measures, communications jamming and spoofing protection, supply chain risk management, and mitigations against risks posed by foreign entity ownership.
Notice the word “voluntary” there. The bill deliberately avoids imposing mandatory compliance, which addresses industry concerns about regulatory burden while still providing clear guidance.
A National Strategy Within 120 Days
The bill requires the Secretary of Commerce to work with the National Space Council and the Office of the National Cyber Director to submit a comprehensive strategy to Congress within 120 days of enactment. This strategy must address improving commercial satellite system cybersecurity and propose clear roles and responsibilities for relevant agencies.
GAO Study on Federal Efforts
The Comptroller General must conduct a comprehensive study examining federal efforts to support satellite cybersecurity. This includes assessing the extent to which commercial satellites support critical infrastructure, how threats are integrated into risk analyses, federal agency reliance on foreign-owned systems, and recommendations for further action.
The Structure Promotes Collaboration Over Compliance
One thing I find interesting about this legislation is its collaborative approach. Rather than imposing heavy-handed mandates, it promotes a framework where the government provides resources and guidance while industry maintains flexibility in implementation.
The Department of Commerce is responsible for creating and maintaining the clearinghouse within 180 days, offering voluntary resources and recommendations for commercial satellite system owners, including small businesses. They’re also required to produce biennial reports for nine years on engineering practices, recovery procedures, access protection, physical security, jamming and spoofing defenses, supply chain risks, and foreign ownership concerns.
A joint strategy must be developed within 120 days involving Commerce, the National Space Council, and the National Cyber Director. This strategy needs to outline agency roles and integrate threats into critical infrastructure plans.
The GAO conducts an unclassified study within two years covering federal support for commercial satellite cybersecurity, how risks are integrated into infrastructure planning, and issues around foreign ownership. A classified annex can be briefed to committees.
Importantly, the bill clarifies that there’s no new critical infrastructure designation and no expansion of authority for any agency. If a new space sector risk management agency is appointed, existing responsibilities may transfer to it.
This structure involves consultation with private entities and standards organizations, along with coordination with DHS, including CISA, and the FCC. The voluntary nature addresses industry concerns about burdensome mandates, though feedback highlights challenges for resource-constrained operators trying to adopt even voluntary recommendations.
CISA’s Growing Role in Space Security
While Congress debates legislation, CISA has been busy building out practical guidance and collaboration frameworks.
In February 2021, CISA established the Space Systems Critical Infrastructure Working Group (SSCIWG), a public-private body that assesses and manages risks associated with space systems security and resiliency. This group has become the primary mechanism for coordination on strategies to increase space system security.
CISA has also released several important publications. Their 2024 “Recommendations to Space System Operators for Improving Cybersecurity” provides comprehensive guidance addressing common risks across ground segments, space segments, and user segments, with mitigations aligned to NIST frameworks. “Zero Trust in the Space Environment” from June 2024 explores opportunities for applying zero trust principles across space infrastructure, including dynamic policy enforcement based on satellite location and connection status. They’ve also partnered with the FBI on advisories specifically targeting SATCOM network providers and their customers.
The December 2025 release of Cybersecurity Performance Goals 2.0 is particularly relevant for space operators. Aligned with NIST CSF 2.0, it includes a new “Govern” function emphasizing leadership accountability, unified IT/OT goals applicable to satellite ground systems, new goals addressing third-party risks and zero-trust principles, and implementation guidance with cost, impact, and ease ratings.
These updates emphasize practical steps: multi-factor authentication, strong passwords per NIST guidelines, regular account audits, least privilege access, reviewing trust relationships with providers, ingress and egress monitoring, SIEM integration, EDR tools, independent encryption on satellite links per NSA guidance, and patching known vulnerabilities while conducting configuration audits.
The Threat Landscape Is Getting Worse
According to OpsGroup, GPS spoofing attacks grew from 300 affected flights per day in January 2024 to 1,500 flights per day by August 2024. That’s a five-fold increase in seven months. In just one month, 41,000 flights in total experienced spoofing. Between August 2023 and April 2024, approximately 46,000 GPS interference incidents were reported over the Baltic Sea alone.
Hotspots include areas near Russian military facilities, the Middle East (especially during conflicts), Myanmar (associated with drone warfare), and increasingly Southeast Asia including the India-Pakistan border.
State-sponsored threats continue to escalate. Russia maintains GPS jamming operations affecting commercial aviation across Europe and has explicitly stated that commercial satellites supporting military operations are legitimate targets. There are reports of nuclear space-based anti-satellite weapon development. China has demonstrated ASAT capabilities and is launching mega-constellations of over 13,000 satellites. North Korean cyber espionage activities have targeted defense, aerospace, and nuclear sectors.
The Space Information Sharing and Analysis Center reported approximately 25 space-sector organizations were targeted by ransomware groups in 2024. Criminal interest in the sector is growing as attackers recognize the high-value data and potential for operational disruption.
What About Other Regulatory Efforts?
Executive Order 14144 has updated space contract cybersecurity requirements. The proposed EU Space Act imposes extraterritorial obligations on operators serving European customers. Current trends show rising state-sponsored attacks, including GPS jamming, along with 25 space organizations targeted by ransomware in 2024 and AI-enhanced threats affecting 87% of firms. Supply chain risks remain prominent, as incidents like SolarWinds demonstrated, and they are a reason for operators to incorporate cybersecurity requirements into contracts and incident response plans.
The EU NIS2 Directive, effective since October 2024, explicitly includes the space sector as critical infrastructure for the first time. Medium-to-large space companies operating in the EU must implement appropriate cybersecurity risk-management measures, report significant cyber incidents to national authorities, ensure supply chain security, and potentially face fines of up to €10 million or 2% of global annual turnover for non-compliance.
The proposed EU Space Act from June 2025 would establish a unified regulatory framework for space activities, including cybersecurity requirements that apply extraterritorially to non-EU operators offering services into the European Union.
Meanwhile, the Space Infrastructure Act (H.R. 1154) introduced in February 2025 would direct the Secretary of Homeland Security to designate space systems, services, and technology as the 17th critical infrastructure sector. This would trigger stricter regulations, increase federal resources for protecting space assets, streamline decision-making, and establish DHS as the federal interface for space sector security coordination. Critics worry this could create excessive bureaucratic burdens and potentially stifle innovation, particularly since space functions already fall under existing critical infrastructure sectors.
Real-World Consequences
What happens if a satellite compromise cascades into broader failures?
A single satellite compromise could cascade into navigation failures affecting transportation and military operations, communications disruptions impacting emergency services, and financial transaction halts. The 2022 Viasat incident led to outages affecting thousands of users, with economic losses estimated in the millions. By providing consolidated guidance, the Act could foster innovation in secure satellite design, enhancing U.S. competitiveness in the global space economy projected to reach $1 trillion by 2040.
Potential downsides exist too. Increased operational costs for implementation, such as upgrading legacy systems or conducting regular audits, might strain smaller firms. While broader industry feedback is generally supportive, concerns exist about duplication of efforts with existing frameworks like NIST guidelines or CISA advisories. No major criticisms have emerged in space policy discussions, but balanced regulation remains a discussion point to avoid stifling growth.
Looking Ahead
The Satellite Cybersecurity Act’s third introduction reflects growing recognition that our space infrastructure requires dedicated cybersecurity attention. Whether this version finally passes will depend on balancing the urgent need for security with concerns about regulatory burden on a rapidly innovating industry.
What’s clear is that the threat landscape is evolving faster than our protective measures. The Viasat attack demonstrated that sophisticated adversaries can and will target satellite infrastructure with devastating effects. The exponential growth of GPS jamming and spoofing shows that even less sophisticated attacks can cause widespread disruption.
For those of us working in cybersecurity, this represents both a challenge and an opportunity. As space becomes the new frontier of critical infrastructure protection, expertise in securing these systems will become increasingly valuable.
The voluntary framework in the current legislation mitigates concerns about over-regulation, but ongoing monitoring of foreign adversary threats will be crucial to the Act’s effectiveness. For those tracking progress, Congress.gov provides updates on S.3404, and engaging with stakeholders via the SSCIWG offers additional insights.