There are currently 14,904 satellites in orbit — a 31.5 percent increase since 2023. More than seventy percent of NATO’s satellite communications are provided by commercial operators. Five documented advanced persistent threat groups are actively targeting satellite infrastructure. The governance framework that coordinates the protection of this architecture was designed for an era in which space was a government domain, cyber was a separate discipline, and commercial operators were not part of the security calculus. None of those conditions holds today.
By Vladimir Tsakanyan, PhD · Center for Cyber Diplomacy and International Security · cybercenter.space
In the early hours of February 24, 2022, a cyberattack against a commercial satellite communications provider’s network terminated the broadband access of tens of thousands of modems across Europe. The disruption affected not only the immediate communications network but emergency services, wind farm operations, and the early-stage command and control infrastructure of a military conflict that had just begun. The attack was attributed to Russian military intelligence. It was not directed at a military satellite. It was directed at a commercial network — because that commercial network was providing services that had become operationally indistinguishable from military infrastructure.
The Viasat attack established the defining precedent of the current space security environment: that the boundary between commercial and military space assets, which had been assumed to provide a degree of protection to commercial operators, does not exist in the operational planning of sophisticated adversaries. A satellite that provides positioning, navigation, and timing data to military units is a military asset regardless of the corporate structure that owns it. A satellite network providing communications to a government operating in a conflict zone is a military communications network regardless of the procurement mechanism that contracted it. The target set is defined by operational function, not by ownership category — and the majority of the operationally critical space infrastructure in the current environment is owned, operated, and maintained by the commercial sector.
This is the strategic triangle at the centre of contemporary space security: military requirements, commercial infrastructure, and cyber vulnerability, intersecting in an architecture whose governance has not kept pace with its strategic significance.
The Attack Surface in Its Full Dimensions
The conventional framing of satellite security focuses on the space segment — the satellites themselves, operating at altitudes ranging from low Earth orbit to geostationary, beyond the physical reach of most adversaries. This framing is analytically inadequate, as the documented attack patterns of the past decade consistently demonstrate.
The actual attack surface of a satellite system comprises three interdependent layers, each with distinct vulnerabilities and each capable of being exploited to achieve effects that compromise the system’s operational integrity without physically damaging any orbiting asset.
The ground segment — the network of ground stations, control centres, uplink facilities, and terrestrial communications infrastructure that commands and communicates with the space segment — is the layer most accessible to conventional cyber attack and the one whose compromise has the most immediate operational consequences. Ground stations connect to terrestrial networks. Control systems run on software with known vulnerability classes. Administrative interfaces have authentication mechanisms that can be targeted. The supply chain for ground segment hardware and software spans thousands of vendors — rockets, ground support infrastructure, and satellites are assembled from digital components from vendors whose individual security postures are rarely assessed in aggregate. Compromising the ground segment can grant an adversary the ability to issue commands to the satellite, alter its operational parameters, or deny its operators visibility into its status — achieving effects equivalent to physical attack without leaving the terrestrial domain.
The link segment — the radio frequency communications between the ground and space segments, and between satellites in constellation architectures — presents the vulnerability most visibly documented in current operations. GPS jamming and spoofing, which Fortinet assessed would become commonplace cyber warfare strategies by 2026, have achieved exactly that status. Jamming saturates the receiver with noise, preventing it from acquiring a legitimate signal. Spoofing transmits counterfeit signals that mimic legitimate satellites, causing receivers to calculate false positions with high confidence. The consequences extend from maritime navigation anomalies to the disruption of precision munitions guidance, from the misdirection of commercial aircraft to the degradation of the time synchronisation infrastructure on which financial settlement systems depend. A successful spoofing operation against positioning, navigation, and timing infrastructure does not require physical access to any space asset. It requires only a sufficiently powerful ground-based transmitter and the operational freedom to deploy it.
The space segment itself is increasingly vulnerable to software-based attack as the industry moves toward software-defined satellites — architectures in which the satellite’s operational characteristics can be reconfigured through software updates transmitted from the ground. This flexibility, which provides significant operational advantages, simultaneously introduces the attack surface of remotely updateable software into an environment where physical remediation is impossible and detection capabilities are constrained by communication latency and limited telemetry bandwidth.
Analyst note
The insider threat dimension of space cybersecurity has received substantially less attention than external attack vectors, despite its potential to be the most consequential category of vulnerability. Space systems involve extensive and variegated supply chains. Satellites are assembled from hardware and software provided by thousands of vendors, many of whom have no direct relationship with the ultimate operator and whose individual security postures are assessed, if at all, through contractual representations rather than technical verification. A malicious insider at any point in a satellite’s supply chain — from component manufacturing through software development to ground segment operation — has access to the system’s architecture, its communication protocols, and the authentication mechanisms that protect it. The NIST Cybersecurity Framework Profile for Hybrid Satellite Networks addresses ground station and communication link security in detail. It addresses the insider threat through the supply chain with less specificity than the documented risk warrants.
The Commercial Dependency Paradox
The privatisation of space access over the past decade has produced one of the most strategically consequential governance paradoxes in contemporary security: the military capabilities of the world’s most powerful alliances have become operationally dependent on commercial infrastructure that was not designed, procured, or regulated to military security standards.
More than seventy percent of NATO’s satellite communications are now provided by the commercial sector. The positioning, navigation, and timing services that coordinate military operations, guide precision munitions, and synchronise the communications of allied forces flow primarily through constellations owned and operated by private companies. The intelligence, surveillance, and reconnaissance capabilities that inform strategic decision-making are increasingly supplemented by commercial earth observation services whose data is purchased through commercial contracts rather than operated through dedicated military assets. The Chatham House assessment of NATO’s space security posture is direct: the private space industry plays a critical role in NATO’s operational readiness, and ensuring that commercial assets align with NATO’s security requirements is essential to sustaining collective deterrence.
The operational consequences of this dependency were demonstrated with unusual clarity in the context of the Ukraine conflict. A single company’s commercial satellite network became the primary communications infrastructure for a military conducting operations across a front of more than a thousand kilometres. When portions of that network were disrupted — through jamming, through service limitation decisions made by the network’s owner, and through attempted spoofing of ground terminals — the operational consequences were immediate and direct. The same commercial network that demonstrated the enabling power of private satellite infrastructure also demonstrated its governing characteristic: decisions about its availability, scope, and operational parameters were made by a private actor whose obligations to the government depending on it were defined by commercial contract rather than by security law, alliance treaty, or operational necessity.
The commercial dependency paradox has a second dimension that the procurement relationship does not capture. Commercial satellite operators make investments, design decisions, and security architecture choices on commercial timescales and with commercial cost structures. Military-grade encryption, hardened communications links, and the security monitoring architecture appropriate to a system serving as critical military infrastructure represent costs that commercial operators have generally not been required to bear because they have not been formally designated as critical military infrastructure. The security posture of the commercial satellites on which military operations depend reflects the security standards of the commercial market, not the requirements of the missions they are effectively performing.
Five Threat Actors and the Documented Campaign Pattern
Security researchers tracking the satellite threat landscape have documented five advanced persistent threat groups as active in targeting satellite communications technology, using a consistent set of methods applied across the three-layer attack surface with increasing sophistication.
The attack methods documented across these campaigns include exploitation of legacy protocols embedded in satellite ground system software that were designed for interoperability rather than security and that have not been updated to address known vulnerability classes. Insecure firmware in satellite terminals — the user-facing equipment through which end users access satellite services — provides entry points that are accessible without the technical sophistication required to attack the space segment directly. Unpatched software across ground system components creates the vulnerability windows that patient adversaries exploit following the publication of security advisories, taking advantage of the gap between disclosure and deployment, which is wider in space system operations than in most enterprise IT environments.
The intelligence assessment published jointly by the Australian Signals Directorate, the NSA, and allied intelligence agencies in March 2026 identified the specific characteristics of the LEO constellation threat: the distributed architecture of large satellite constellations increases the attack surface in proportion to the number of satellites, ground stations, and user terminals in the system; the radio frequency links inherent to satellite communication are susceptible to jamming, spoofing, and interception in ways that terrestrial communications links are not; and the limited physical access to space-based assets makes remediation of compromised satellites significantly more difficult than remediation in terrestrial infrastructure environments.
The prediction made by multiple security researchers — that offensive AI systems fighting defensive AI systems over satellite networks would become a reality in 2026 — is moving from forecast toward documented incident. The first malware known to use AI dynamically during execution to change its form and evade detection, designated PromptLock, was identified in 2025. Its application to satellite systems has not yet been publicly documented. The technical preconditions for its application exist in the same satellite infrastructure that the five documented threat actor groups are actively targeting.
The Governance Architecture and Its Gaps
The international framework governing space security was designed for an era of government-operated space assets, Cold War strategic competition between two primary actors, and a clear conceptual separation between the physical domain of space and the digital domain of cyber operations. None of these design parameters accurately describes the current environment.
The Outer Space Treaty of 1967 prohibits the placement of weapons of mass destruction in space and establishes principles of peaceful use and state responsibility for national space activities. It does not address cyber operations targeting space assets, does not create standards for the security of satellite communications infrastructure, and does not establish any mechanism for attributing or responding to attacks that achieve their effects through digital rather than kinetic means.
NATO’s recognition at the 2021 Brussels Summit that attacks to, from, or within space can trigger an Article 5 collective defence response is a significant normative development. It does not resolve the core governance challenge: the threshold, attribution requirements, and response mechanisms applicable to space-targeted cyber attacks are as undefined as they are for terrestrial cyber operations — and the commercial ownership of most of the targeted infrastructure adds a layer of complexity to the attribution and response architecture that the Article 5 framework does not address.
The Space Force’s establishment of two new cyber squadrons specifically to defend against attacks during satellite launches, announced in early 2026, represents an institutional response to the operational threat that the governance framework has not matched. Protecting a launch is a defined military operation with a defined scope. Protecting the ongoing operations of thousands of commercial satellites providing services that have become indistinguishable from military infrastructure is an enterprise whose governance architecture is distributed across commercial operators with varying security standards, national regulatory frameworks with varying requirements, and alliance structures with varying commitments — and whose coherence, assessed against the threat, is insufficient.
Analyst note
The NATO Space Centre of Excellence in Toulouse, targeted to be fully operational by 2026, and the NATO Space Centre at Allied Air Command in Ramstein provide the institutional infrastructure for alliance-level space security coordination. Their effectiveness is constrained by the same factor that constrains most NATO cyber governance efforts: the alliance operates by consensus among member states whose individual security investments, commercial space relationships, and threat assessments vary significantly. The Chatham House three-tier framework — mitigation through technical hardening, adaptation through redundancy and resilience architecture, and resilience through the capacity to sustain operations under degraded conditions — provides a conceptually sound approach to the challenge. Its implementation requires the kind of sustained, coordinated investment across military and commercial actors that consensus-based alliance governance has historically found difficult to mandate.
What Protection Actually Requires
A security architecture adequate to the current threat environment requires addressing the strategic triangle — military requirements, commercial infrastructure, and cyber vulnerability — as an integrated governance challenge rather than as three separate domains managed by three separate institutional frameworks.
At the technical level, the foundational requirement is the adoption of security-by-design standards across the satellite system stack, from the space segment through the link segment to the ground segment, that reflect the current threat environment rather than the security posture of the commercial market at the time of system design. The NIST Cybersecurity Framework Profile for Hybrid Satellite Networks provides the most developed publicly available framework for this purpose. Its adoption by commercial operators providing services that function as critical military infrastructure should be a condition of the commercial contracts through which those services are procured, not an aspiration in published guidance.
Layered encryption for satellite communications — addressing both the link between satellites and ground stations and the link between ground stations and user terminals — is the specific technical measure most directly responsive to the jamming and spoofing threat that is documented as the most operationally disruptive current attack vector. The von der Leyen spoofing incident, in which the GPS signal affecting the aircraft carrying a senior European official was manipulated, illustrated both the accessibility of the attack and the absence of systematic countermeasures in commercial aviation satellite navigation.
At the institutional level, the commercial dependency paradox requires a governance response that creates security requirements commensurate with operational function rather than ownership category. A commercial satellite network providing services that are operationally equivalent to military infrastructure should be subject to security standards equivalent to military infrastructure — not as a commercial burden, but as a condition of the operational role the network is performing. The mechanism for establishing and enforcing these standards — through procurement requirements, regulatory designation, or alliance-level certification — requires the kind of public-private governance architecture that neither the commercial space industry nor the alliance security framework has yet developed at the required scale.
At the international level, the extension of existing cyber governance frameworks to specifically address satellite infrastructure — establishing norms against attacks on commercial space assets providing critical services, creating attribution and response mechanisms adapted to the three-layer attack surface of satellite systems, and developing confidence-building measures that reduce the risk of miscalculation in a domain where the consequences of escalation are global — represents the governance gap whose closure is most consequential and most difficult to achieve. The UN Global Mechanism’s mandate encompasses the full range of ICT security challenges. The space-cyber intersection has not yet received the sustained multilateral attention that its strategic significance warrants.
Bottom Line Assessment
The strategic triangle of space, cyber, and commercial dependency defines the most consequential ungoverned security frontier of 2026. Its three vertices are each individually significant — space as an enabling layer for military and civilian infrastructure, cyber as the primary attack vector for reaching that layer, and commercial operators as the majority providers of both — and their intersection creates governance challenges that no existing framework was designed to address in combination.
The 14,904 satellites currently in orbit represent a $421 billion economy and an attack surface that grows with every launch. The five documented threat actor groups targeting satellite infrastructure represent the vanguard of a campaign pattern whose sophistication is increasing at a rate that outpaces the security architecture of the systems being targeted. The seventy percent commercial dependency of NATO’s satellite communications represents a structural condition whose security implications the alliance’s governance framework has identified but not resolved.
The Viasat attack was the demonstration. The sustained GPS spoofing campaigns across maritime and aviation domains are the normalisation. The AI-enabled attack capabilities that security researchers assess will be operationally deployed against satellite constellations are the horizon. The governance architecture that should be managing this progression is operating at the speed of committee deliberation in a threat environment that is advancing at the speed of technological development.
Space is not above the fray. It is the fray’s enabling infrastructure — and it is the most consequential domain in which the gap between the capability of the threat and the adequacy of the governance has the furthest still to close.

