SBIR Funding Demonstrates Growing Imperative for ‘Space Cyber’ 

In response to an evolving threat landscape where cyberattacks can manipulate and compromise a satellite’s data, the United States Space Force is heightening its focus on “space cyber,” or the cybersecurity of space systems on-orbit. One emerging solution toward this effort is the Cyber Resilience On-Orbit (CROO) tool, a software program that focuses on not just securing the links between satellites and the terrestrial networks, but on the cybersecurity of the satellite itself. Funded in part by an AFWERX Small Business Innovation Research (SBIR) Direct-to-Phase II contract, the CROO tool will leverage innovative technologies like artificial intelligence (AI), machine learning (ML) and digital twin modeling and simulation in a way that demonstrates how the Space Force is adapting to a more dynamic and contested ‘space cyber’ environment.

“CROO essentially acts as a ‘nervous system’ to indicate that something isn’t right with the satellite,” said Maj Gen (Ret) Kim Crider, the former Chief Technology and Innovation Officer with the Space Force and Founding Partner at Elara Nova. “It starts with building a complete digital model of a satellite, including its subsystems and components to learn the normal behavior of the system. CROO then uses AI and synthetic data to model attacks against one or more subsystems or components. By learning how the digital twin satellite reacts to simulated attacks, the CROO tool can learn to detect or infer real attacks on real satellite systems by knowing what attack indicators to look for. This ultimately will give satellite operators more ways to diagnose when an anomaly is in fact an attack.”  

CROO is being designed to recognize and detect the broad range of current and emerging cyber threats.

“CROO is a next generation cybersecurity tool specifically designed for space systems,” said Brig Gen (Ret) Chad Raduege, the former Chief Information Officer with U.S. European Command and President of Elara Nova’s Cyber, Data and Communications sector. “By using the digital twin model to explore how the satellite might behave under a cyberattack, CROO indicates what may happen when an intrusion or unauthorized access is taking place, where a bad actor is making malicious commands or tampering with the code in a way that results in an abnormal behavior. It’s also looking at its signals for software compromises like the different spoofing techniques an adversary or hacker can employ.”

In doing so, CROO both embodies the convergence of emerging technologies like AI/ML and digital twin modeling and simulation and reinforces the inherently integrated and operationally vital relationship between the space and cyberspace domains. 

Ensuring Cybersecurity Across Domains 

While the United States government has been putting satellites on-orbit for decades, it’s only been in relatively recent history that it’s had to protect those assets from cyberattacks. But protecting satellites from cyberattack isn’t as easy as protecting networks on the ground.  

“Different strategies are required beyond our traditional cybersecurity approaches,” Gen Raduege said. “Cyber defenses for terrestrial networks like firewalls, patching and perimeter defenses, don’t necessarily translate well into space. You can’t just plug and play with different assets like you can on the ground, so cybersecurity defenses have to be designed and built in before the system is even launched. You have to have redundant and resilient systems in space, and that’s why other types of defensive approaches like AI/ML, digital twins and the automation activities of CROO will be important.” 

Further complicating matters is the inherent interconnectedness of space and cyber technologies, which means the Department of War must consider how it will protect its networks across its whole system of systems.  

“We have to keep in mind that when it comes to space cyber, the ground infrastructure and their data links to on-orbit assets create a complex, interconnected ecosystem across domains,” Gen Raduege added. “Terrestrial network defenses can be regularly accessed and updated with patches or fixes, whereas we don’t have direct access to space cyber networks that exist in a hostile and distant space environment. Space cyber is an end-to-end system across a distributed environment that blurs the boundaries of operational and information technologies. That’s a unique challenge to have to protect.” 

It’s also where a cybersecurity tool like CROO will play an outsized role, particularly as satellites function as physical, control-oriented systems that rely heavily on IT for complex software, data processing, communication and data transport. 

“CROO becomes incredibly important when it comes to monitoring a satellite’s behavior because satellites are just one set of endpoints in the entire system of systems,” Gen Crider said. “These satellites are assets we can’t afford to lose, and they’re operating thousands of miles away and traveling at incredibly fast speeds. So we’ve got to think through how we’re going to deal with potential compromises, delays or anomalous behaviors with that satellite and protect the rest of this system it’s connected to.”  

Space Force Investing in Cybersecurity Solutions 

As the nation’s newest military service, the Space Force recognizes its role beyond a facilitator and enabler of joint force operations. Its leaders understand that the service was stood up to protect and defend strategic assets on-orbit in response to a growing counterspace threat environment, which specifically includes cyber threats. 

That’s why the government is creating avenues for companies to cross the “Valley of Death” and bring innovative, dual-use solutions to the fight. CROO is one such example of this emerging public-private investment.

“This example demonstrates the government sees operational value in the CROO concept, because these Direct-to-Phase-II SBIR contracts are intended to transition a credible idea into an operational prototype as quickly as possible,” Gen Raduege said. “The AFWERX SBIRs program, and other innovation contracting approaches in general, are explicitly designed to attract startups with operationally feasible and relevant ideas, even from non-traditional defense contractors. These programs enable researchers to develop solutions that can close an operational gap.”

The influx of funding dollars for capabilities like CROO also reflects the emerging priority that is “space cyber.”

“CROO signals that the Space Force is serious about ‘space cyber’ and is willing to put money behind it,” Gen Crider said. “The Space Force wants a framework for equipping a space system and monitoring it for threats and anomalous behavior. CROO now creates an opportunity that’s not just a one-off capability, but one that can be expanded across the Space Force’s mission areas over time.” 

Leveraging Commercial Innovation and Collaboration 

The successful development of CROO further demonstrates how the government is using the SBIR program to initiate high-level conversations about its needs and its willingness to explore commercial solutions to meet those needs. This can be an innovative break from traditional approaches, when the government oftentimes would receive different capabilities from different industry partners and would ultimately be responsible for integrating them together into a comprehensive solution themselves.  

Instead, the SBIR program is creating an opportunity for industry partners to contribute their own respective strengths to deliver the most advanced capability – already fully integrated – to the warfighter.  

“CROO is an example of the power of collaboration between innovative commercial companies, where Proof Labs, BigBear.ai and Redwire Space all came together to develop a solution,” Gen Crider said. “Proof Labs focuses on cybersecurity testing and analysis, while BigBear.ai delivers modern AI/ML techniques, and Redwire Space understands how satellite systems are developed and integrated into end-to-end systems. This resulted in a capability that incorporates all three of these strengths: cybersecurity, AI/ML technologies and space systems.”

An Evolving ‘Space Cyber’ Threat 

The space environment, and particularly the space cyber environment, will only continue to evolve rapidly as technologies and adversarial threats advance. Therefore, the need to secure and protect space systems, and other systems across operational domains, becomes an increasingly significant imperative.  

That’s why Elara Nova is also evolving to meet this emerging requirement, by standing up its new Cyber, Data and Communications business sector to ensure the cybersecurity resiliency of technologies and systems across operational domains.  

“The Cyber, Data and Communications sector is focused on what our warfighters need across multi-domain operations,” Gen Raduege said. “Data exchanges through communication nodes that connect one domain to another require the right cybersecurity applications. Our objective is to help government and industry alike translate commercial technologies into solutions that meet the government’s needs, and can be integrated into the current operational environment.” 

For Gen Crider, as one of the four Founding Partners at Elara Nova, the new CDC sector demonstrates a natural evolution for the strategic advisory firm.  

“Elara Nova’s core focus from the start has been: ‘How do we help advance the national defense and security capabilities of the United States and its allies?’” Gen Crider said. “This requires a team of experts with deep experience across the specific domains of military, commercial and civil operations that are becoming more and more complex, interconnected and integrated together through data networks. We need the appropriate software and cybersecurity constructs to assure this spectrum of technologies can perform with assured protection across domains. So Elara Nova’s CDC sector is a natural evolution of how we help our industry partners satisfy and meet government requirements for operating in these complex environments and supporting how the government thinks about leveraging the capabilities industry brings forward.” 


Episode 34: Cyber Resilience On-Orbit a ‘Nervous System’ for Detecting Threats

Host: Scott King 

SME: Maj Gen (Ret) Kim Crider, Founding Partner at Elara Nova (KC) 

Brig Gen (Ret) Chad Raduege, President of Cyber, Data & Communications at Elara Nova (CR) 

00:02 – 01:17 

In response to evolving cyber threats that can manipulate and compromise a satellite’s data, the United States Space Force is heightening its focus on “space cyber,” or the cybersecurity of space systems on-orbit. One emerging solution toward this effort is the Cyber Resilience On-Orbit tool, or CROO, a software program that focuses on not just securing the data links between satellites and their terrestrial networks, but on the cybersecurity of the satellite itself. Funded in part by an AFWERX Small Business Innovation Research Direct-to-Phase II contract, the CROO tool will leverage innovative technologies like artificial intelligence, machine learning and digital twin modeling and simulation in a way that altogether demonstrates how the Space Force is adapting to a more dynamic and contested ‘space cyber’ environment.

Welcome to ‘The Elara Edge.’ Our topic today is the Cyber Resilience On-Orbit tool and the broader emergence of the space cyber imperative. We have two guests returning to the show today.

First, we have retired Major General Kim Crider, the first Chief Technology and Innovation Officer with the United States Space Force and a Founding Partner at Elara Nova.  

Ma’am, welcome back to the show.

01:18 – 01:20 

(KC) Thank you, Scott. It’s a pleasure to be here.

01:20 – 01:48 

It’s a pleasure to have you. 

Also returning to the show, albeit in a different capacity than before, is retired Brigadier General Chad Raduege, the former Chief Information Officer at Headquarters U.S. European Command. While General Raduege has been with Elara Nova for several years, he joins us now as the President of Elara Nova’s new Cyber, Data and Communications business sector, which we’ll get into a little more later on in the show. 

Sir, welcome back! 

01:49 – 01:54 

(CR) Yeah. Scott, it’s great to be back and thank you for pulling together this important conversation.  

01:55 – 02:12 

Now, we’ll kick-off today’s discussion with the story at-hand, which is the Space Force has recently contracted with Proof Labs, a national security space startup, and two other industry partners to deliver the Cyber Resilience On-Orbit tool.  

What is this software program and how is it designed to work? 

02:13 – 03:38 

(CR) Yeah. Thanks, Scott.  I’ll jump in and, and take this first question and come out of the chutes. The Cyber Resilience On-Orbit, what we would call CROO. 

It’s really one of those next generation cybersecurity tools specifically built for space systems that integrates in a very meaningful way – advanced AI and machine learning. And essentially what it does is it provides continuous monitoring, the ability to learn to detect cyber threats for the ongoing challenges of the on-orbit environment. 

I think there’s a couple of important aspects associated with CROO. One is the on-orbit monitoring. What CROO does – is it watches the operational behavior of what is going on in the satellites and instead of just protecting the terrestrial networks or those encrypted links that we think about, it actually monitors the actual system in space and so I think that that’s a unique role of CROO.  

It also provides what we would call intrusion detection and anomaly detection. And it does this by comparing what’s normal versus some of those threats that can come in. So you’re going to start hearing terms like digital twin technology. That’s how it does it. It establishes a digital twin model to allow those systems to test how they behave. I think an important note for CROO is while it’s being built for military application, it’s certainly going to have some dual-use.  

03:39 – 05:25 

(KC) It really is, as Chad said, kind of the next generation of what we need to be doing in securing our space assets. 

What’s so powerful about it, is its application and use of artificial intelligence and machine learning and being able to understand and assess how a satellite system is supposed to be working and how it’s supposed to be responding to contacts from the ground and then what some of the anomalous behavior signals might be indicating, some of the potential on-orbit system compromises. If that system is not performing as expected, if the responses to ground contacts and engagement are not as expected, or if there’s an anomaly that occurs on orbit that creates some sort of alert, the system of CROO essentially acts as like a nervous system to provide an indication that something just isn’t right. Something isn’t performing the way it’s supposed to.  

And if we have a digital twin, as Chad described, and we can talk about that a little bit more, we can compare that on-orbit activity, that on-orbit behavior, to what normal behavior would look like and really start to pinpoint where the problem is in a way that is much more comprehensive than what we can do today.  

And as Chad mentioned, the other thing that I think is very powerful about this capability, is its ability to be able to support both military applications, government applications, commercial applications across the board. 

So I think it’s going to be a very powerful capability and it’s very exciting to see the Space Force getting behind this.

05:26 – 05:33 

I’d like to dig further into the idea of a digital twin model. Can you speak a little bit more to what that means and why it presents an advantage? 

05:34 – 06:36 

(KC) The idea of a digital twin is that you would use artificial intelligence to be able to describe a digital version of an asset, whether it’s a static asset where you wanted to create a digital representation of that asset, and you might use different sensors to understand what that asset looks like. 

If there are certain operational parameters that you would expect or behavioral parameters, if you will, that you would expect that specific asset to accomplish and you would create a digital representation of the asset. 

And that specific twin is then continuously updated and maintained to represent how that asset is changing in the environment within which it is operating. 

And then in this case, of the CROO, might be compared to an anomalous activity of that asset that is outside of the norm, outside of the established performance parameters of the digital asset. 

Let me turn it over to Chad for additional thoughts.

06:37 – 07:17 

(CR) Yeah. Kim, I like the word that you used or the phrase that you used about operational parameters. And digital twins are being used to enable the operators to experiment a little bit to see what the art of the possible with the different sensors and tools and technologies and processes really would look like.  

They’re able to learn, they’re able to apply different ideas, different hardware and software configurations to learn and really develop a best practice list of capabilities and how the live operational environment should look and so digital twins, as alluded to, have been around for a while, but I think we’re going to see more and more of this because it’s just such a powerful concept. 

07:18 – 07:29 

Now, the U.S. government has had assets on orbit for decades. But what does the continued development and maturation of artificial intelligence and machine learning technologies enable now that wasn’t possible before? 

07:30 – 09:08 

(KC) With artificial intelligence, we have so much more capability to create an understanding of a system in its environment without actually being there. We can capture data about the real world environment in space, and how a particular asset that we may have created a digital version of is performing, is responding to that environment with real world data. 

But if we want to understand the possible scenarios, the possible attacks, the possible challenges that might impact an asset in the environment, we have to create synthetic data. We have to synthesize what that potential attack might look like, or what that potential reaction might look like in an environment that we might have to emulate through synthetic data and artificial intelligence can allow us to do that.  

It can allow us to envision and establish: here is the asset. Here is the digital version of that asset in its established operational environment, and we would feed that synthetic version with realistic attack data once we have that in a range sort of scenario where it can be compared to what an attack might do to the asset. So it’s a process of using data and models to not just represent what is, but to represent what could be and to represent responses and actions that could be taken if and when an anomalous behavior or an anomalous activity occurs.

09:09 – 09:14 

And Sir, what are some of the anomalous behaviors or cyber attacks that CROO is being designed to detect and prevent? 

09:15 – 10:54 

(CR) I love the way that Kim described the use of data, both with what we currently have [with] the large data models that are out there of what does a normal operation look like, but also that infused with synthetic data of what might an attack look like so that you can look at that data and learn from that and anticipate.

 And so, Scott, to your question specifically of what types of cyber attacks CROO is designed to look at and developed to prevent. There’s a couple of things. 

One would be intrusions and unauthorized access. So detecting when some sort of outside infiltration of the systems are taking place. It could be spotting malicious commands or any tampering or deviations in the code that are part of the normal behavior. 

Kim used the term “the nervous system.” And I think that that’s a very good grab on the type of thing the CROO is designed to prevent. It’s looking at full signals and different spoofing techniques that an adversary or a hacker may be employing. It’s looking for things like software compromise. What is actually on board and what corrupt software states come in. It could be kind of the engine light warning in your car that’s popping up saying, ‘Hey, alert, there’s something going on here.’  

And then finally, I would say that it detects some of those anomalous operational patterns. So things like changes in real time, things that are outside the norm – going back to the data that it has been fed, things that create what a normal environment would look like and what would a simulated attack look like and it can pick up on that. So that’s where I think CROO is going to help us prevent. 

10:55 – 11:09 

Now Charleen Laughlin, the Space Force’s Deputy Chief of Space Operations for Cyber and Data, has noted in the past that there is an inherent difference between defending terrestrial networks and on-orbit networks.  

Can you elaborate on the difference between the two? 

11:10 – 13:57 

(CR) Yeah. Scott, I love that question. And I’d like to start by just acknowledging it’s great to have Char Laughlin, as the first stand alone S6, if you will, for our Space Force. I think her placement on the U.S. Space Force front office staff focused directly on cyber and data is a strong indicator of the type of talented leader she is. 

She comes from a very strong joint and coalition experience in her previous role down in the Joint Staff, J6. And so she comes in and has been able to pinpoint in a very succinct way the difference between what you’re talking about of terrestrial, where we think about focusing on the network and how you physically control it, how you regularly update it.  

Whereas, space cyber defenses, what I’ll call ‘space cyber,’ must protect things that we can’t necessarily touch. Once you put that in orbit, it’s operating in an area that we don’t have direct access to. Often in a hostile environment and it’s very complex given the distance that it is from us. So there’s a couple of things that I think feed into that ‘space cyber’ definition, if you will. 

One is just the complexity and the architecture. Think about this. You know, it’s not just the ground infrastructure and not just the data links that we’re used to on the terrestrial side. But now you add in that orbital asset, and the interconnected ecosystem that that creates. So now you have different endpoints in different domains where you can get one by hand, but you can’t get the other and so that creates complexity.  

It also limits the physical access as you can’t touch that once that’s already been launched. So those satellites and those orbiting systems are really out of our control. It also creates a very distributed environment. There are vast differences. I mean, we’re talking a long way up into space to even have that ability to work with it.  

Final point that I will make is that there is a unique role that this ecosystem creates when you have those ground stations, those uplinks and downlinks and then all of those connections that are taking place. We’re really seeing a real blurring of the terrestrial IT environment. So the things that we can touch. Now, it’s on an asset that’s in space and so that begins blurring in and bringing in the boundary of operational technology and that’s really where the hardware and the software is processing. It’s the control, it’s the physical environment that is operating in space and so a real blurring of IT and OT and so that’s unique as well. So Char Laughlin’s description I think is spot on. It’s different and more complex.

13:56 – 14:13 

And given these differences, the imperative to have the appropriate cybersecurity measures in place remains ubiquitous across operational domains.  

So can you speak to how the government must take different defensive approaches to account for the cyber threat across these different operational domains? 

14:14 – 16:00 

(CR) I think there’s a couple of things that come to mind when you talk about that defensive approach and the way that we’re thinking about space cyber. One is that it’s an imperative to be built in from the start. This is one of those things that cybersecurity is built-in by design, before it is even launched into space and so that’s unique.  

Different strategies are required beyond our traditional IT security. What we talked about with things like firewalls, or patching, or perimeter defense, all of those things that we are very involved in and very deliberate upon on the terrestrial side, once you get up into space that doesn’t necessarily translate well. 

Now you’re having to think about things like remote detection and built-in resiliency. You can no longer just plug and play different assets like you could on the ground. You’re now having to have built-in, redundant systems and resilient systems in the event that something happens.  

You also happen to figure out, even before you deploy what sort of hardening activities, you put on those systems. 

We spent quite a bit of time already talking about AI and ML and I think that that is another example of the types of defensive approaches that the digital twins and automating activities like CROO is doing. And then finally, I would just say that I think that there is a role in this of thinking about the whole of system and what that integration looks like. 

Earlier I used the term the ecosystem, but I think that that is a foot stomp to this whole conversation. It’s not just the exchange of data by way of uplinks and downlinks. It’s the spacecraft, it’s the ground systems. It’s all of that and you can’t treat those all individually. You have to think about the entire data flow, from ground to space and back. 

16:01 – 18:31 

(KC) You really do need to, more than ever, think about the engineering up front, and emphasizing the resilience up front, really working through the architecture of that entire space system as Chad’s talking about not just the on orbit asset, but the links and the connections and the ground system and how it all works together and where and how the resilience is going to be built-in and across that entire entity, that entire end-to-end system.

And this is where something like CROO becomes so important is when you’re thinking about the end-to-end system [and] the monitoring of its behavior. How do you expect this system to behave across the board? And where are you going to be potentially seeing compromises in that system? We’re talking about endpoints, these space satellite systems that are operating at thousands of miles, tens of thousands of miles away, whether they’re in LEO about 1,200 miles away or in GEO 22,000 miles away. These assets are far away. They’re moving around very, very quickly in space and they’re entities that we can’t afford to necessarily lose.  

So we have to be really mindful, even before the asset is launched. How could that system potentially be compromised? And what are we going to do if it is, what’s going to be the playbook on dealing with remediation? How are you going to get to the last normal mode of operation? And roll back in some manner to a level of operation that you can control and command the spacecraft with.  

And so you’ve got to be able to think through how you’re going to deal with potential compromises, potential delays, potential needs to rekey or reconfigure and remediate any potential anomalous behavior in that on-orbit system and the entirety of this system that it’s connected to.  

I’ll add one more point. I mean, oftentimes, as much as we’re concerned about the on-orbit asset and I’m glad that we’re thinking through this and how to be able to understand it better and assess anomalous behavior – we can’t overlook the ground system. The ground system is connected to the terrestrial network and it has so many potential attack vectors associated with it. 

We need to be thinking about the entirety of the network, the entirety of the system, and the entirety of where the ground system could potentially be compromised as well, because quite frankly, that is still a very, very vulnerable point in our overall space end-to-end system.  

18:32 – 18:53 

Now, getting back to CROO. This software tool was partially funded through an AFWERX Small Business Innovation Research or SBIR, Direct-to-Phase II contract. 

What does this demonstrate about SBIR as a contract vehicle for a capability the government is interested in? And further, what does this example signal about the government’s emerging cyber priorities? 

18:54 – 20:37 

(CR) I think what’s unique about the Direct to Phase Two SBIR contract that was put in place: the government doesn’t mess around on this stuff. Often, we’ll have an idea. We’ll get started with research by giving out some funds to allow researchers to go and be curious to look at the types of solutions that we could provide and then really bring it back to the government for us to evaluate. 

I think in this case, when we’re talking about directly to a phase two, what this is signaling is that the government already sees strong operational value and relevance and credibility in this CROO concept. And so that’s a salute to CROO, that we’ve already bought into the idea. Now it’s just bringing it to light.  

From our innovation societies in general – AFWERX, the SBIRs program – those are explicitly designed to attract startups with great ideas, nontraditional defense contractors. We’re looking for agile companies with innovative ideas. Innovation often is more important than anything. Speed matters. We’re trying to close an operational gap that we are seeing.  

In this case, I think the Department of War is probably saying, ‘Hey, we’re willing to take some calculated risks on this.’ There’s enough vulnerability to what we’re seeing in space and down on the ground that we’ve got to get after this right now. 

And so the whole idea about those phase two SBIRs is transitioning to a program of record as quickly as possible. And so for industry this is a real pipeline to real contracts. And so that’s a little bit of the incentive and a little bit to your second question of how industry should look at this.

20:38 – 22:08 

(KC) Yeah, I’ll just add that I think that with what this signals, is that the Space Force in this particular case is very serious about space cyber. It’s willing to put some money behind it. It wants to see what can be done. It really wants to see a real prototype of what can be done in this area of digital twin of a space asset and using artificial intelligence and machine learning as we talked about, to be able to not only build out the digital twin and understand its performance parameters under normal conditions, but be able to detect anomalous behavior and have a framework for doing that.  

 Have a framework for really, tooling the system, monitoring the system, assessing anomalies, and then being able to use that as a basis for: how do you really defend against those challenges? And providing a basis, as I said earlier, for what we might be able to do with any type of mission system. This becomes an opportunity to create a capability that’s not just a one-off. 

We can reuse these methods that are being built out here, to be able to expand and extend into all of the mission areas of the Space Force over time. So I think it’s a very powerful way to use the Small Business Innovative Research program to have a capability developed, to get a real usable prototype that can be extended and expanded across a variety of different mission sets.  

22:09 – 23:06 

(CR) Yeah. Hey, Scott, if I can just piggyback on Kim’s great response. Often the government is put in the role of integrator. We have stovepipe solutions that are delivered to us and then we in the government are forced to try and figure out how to bring those capabilities together. 

In this particular case, with this SBIR, it’s really forcing a higher level conversation about solving the system of systems problem set and being the integrator. And so for the example of CROO, we had three different companies that came together and said, ‘We’re going to take that integrator role off of you, and our engineers are going to tackle this and look at it from end-to-end and figure out how to bring in AI and ML and bring in cybersecurity aspects of things and bring in our engineering design, all of that together in a whole of system approach.’ And so that’s just a real kudo in this case.

23:07 – 24:03 

(KC) It’s so interesting. In this particular case, you’ve got Proof Labs, Big Bear AI, and Redwire, all coming together. Again, the power of that collaboration, the power of that teaming of commercial innovative companies, a company very much focused on the application of AI and ML testing and assessing from a cybersecurity standpoint in Proof Labs. A leading AI company in Big Bear AI that is bringing modern AI techniques and machine learning. 

And then a company that understands the space environment and the space components, and how satellite systems are developed and built out and the end-to-end system and particularly the on-board asset’s space components that Redwire brings to bear. So three really important capabilities coming together: cybersecurity, and the testing and analysis of it.

It’s a very powerful collaboration here.

24:04 – 24:30 

CROO was also a topic of conversation at The Value of Space Summit, an event hosted last fall by the Space ISAC (or Space Information Sharing and Analysis Center).  

 The Space ISAC also recently announced that it’s expanding its watch center operations to the United Kingdom and other Allied countries. We’ve discussed the Space ISAC on the show before, but to briefly reiterate, can you share the role of the Space ISAC and its watch centers, particularly in context of the cyber threat? 

24:31 – 25:41 

(CR) I’ll take a first go at this and I’ll tell you that ISACs in general. So you described it: information sharing and analysis centers. These are stood up all over the environment. There’s sector specific threat sharing organizations that are meant to improve the cyber resilience by indicating when there are compromises, sharing best practices, sharing information between each other, [and] getting stronger as a group. 

Typically these are member-based organizations, as is the case of the Space ISAC, which is one of those again, specific sectors. So our Space ISAC is headquartered in Colorado Springs. It’s a nonprofit industry consortium, but it’s also a membership. And so you can choose to be part of this. And, when you come in, you’re part of the broader space ecosystem that includes space companies, different government partners that are there. There are higher education research institutes and now, as you alluded to, there’s some allied contributions, and it’s all about sharing information about the security threats and vulnerabilities that are out there against our space systems.  

25:42 – 27:25 

(KC) Yeah, the Space ISAC has been around for a while now and I think they’ve really started to figure out ways to expand and grow into the international community with the expansion to the UK and Allied countries. They’ve found that it not only is important to bring those industry partners in, but as Chad mentioned, bring other countries in so that they can be able to leverage the information and insights, threat intelligence that Allied partners can provide around the globe on specific threats to the space domain. 

What the Space ISAC does is it collects threat information. The members share information about vulnerabilities that they are observing to their space assets, threats to their space assets, and incidents occurring in space, whether those be cybersecurity incidents or environmental space anomalies that are impacting their systems. 

And if you expand that to take advantage of the global reach of Allies and partners around the world, now you’re starting to really understand how those assets might be impacted anywhere, from any vantage point of those assets from the globe, and from the perspective of different types of members who have assets operated from their different countries.

It provides a much broader understanding of what’s happening, much more potential threat vectors, against those space assets. And a lot of collaboration and coordination reinforcement between U.S. commercial partners, international commercial partners, and U.S. and Allied government partners that are all interested in and collaborating on the Space ISAC.

27:26 – 28:29 

(CR) You know, Scott, my last duty assignment was with European Command, so I had an opportunity to work quite a bit with our Allies and partners in the NATO environment. 

We used to have a saying called ‘Stronger Together.’ And that was really a foot stomp of what these multinational Ally and partner cooperations look like. And so, thinking back to the Space ISAC and now that they’re going global, I think there’s some very easy takeaways for our audience to understand. Now you have more regions and more time zones that threat intelligence is flowing from and to, you have a ‘follow the sun’ monitoring model. 

And so there may be something that you see happen in one part of the globe and through the interconnectivity of the Space ISAC they’re able to see that and perhaps even get the word out for others to protect themselves. I also think that it helps from an international perspective of dialing in, not only the response for anything that’s been detected, but building in some resiliency through some of the best practice programs that are out there.  

28:30 – 28:46 

Also at around this time, the Department of War announced a new cybersecurity framework, known as the Cyber Security Risk Management Construct, or CSRMC. Can you introduce us to this new construct and what does it aim to do differently from its predecessor: the Risk Management Framework? 

28:47 – 31:13 

(CR) Oh, Scott, you said the bad word of ‘risk management framework.’ RMF has been one of those four letter words that I’ve known most of my career as I was in different senior level jobs, near the end of my career, it was – I won’t say the bane of my existence – but it was a tough environment, as innovative and agile leaders at the Pentagon were trying to drive us to be more cyber secure through RMF, which was just a tough model.

RMF had its role. It was based in industry standards and NIST standards. It provided a framework to get to your authority to operate or your authority to connect. And so it did have an important role. But what I like about this new cybersecurity risk management construct is this is a new framework that’s built on a different set of values. 

They have five different phases associated with this framework where they’re designing, building, testing, on-boarding and then operating. And so what does this look like?  

RMF used to be one that was more of a compliance focus, [whereas] the new model was one of continuous operational risk management. Exactly what our warfighters are looking for, exactly what commanders are looking for when they employ systems. The RMF model used to be one where you have periodic assessments. We used to be on a schedule every year or two years or three years, depending on your authority to connect and authority to operate. 

Now, this new framework, this new construct is built on real-time monitoring and dashboards. So now it’s not a static PowerPoint chart. Now it’s a live operational dashboard that’s showing you the true cybersecurity presence in real time.  

What used to be a snapshot in time is now continuous and dynamic. It allows for real-time risk evaluation. It used to be limited and now there’s a real central emphasis on coming together and thinking about and managing our cyber risk as a community. Those that are responsible for evaluating it and those that are responsible for fielding and operating it. And so, I’m excited to see where this is going to go. I think it’s a real indicator that there is a shift, again, in the cybersecurity culture of our department. And I’m cautiously optimistic – how about that? 

31:14 – 33:46 

(KC) And Chad’s exactly right in terms of everything he described with regards to what’s different about the Cyber Security Risk Management Construct. [It] certainly puts us in a position to emphasize some of the things that we’ve been talking about here all along. The continuous assessment, the monitoring, versus the sort of checking the boxes, paperwork-based approach that we had before.

And I think this is really what industry needs to think about when it comes to this new approach. That it really is about ‘show me the data,’ prove that there is a continuously measured security posture in place for a particular system or asset, and do that through evidence, through providing these digital twins that we talked about before that can really demonstrate how secure a system will be in the face of threats and how that system will be monitored and how that system will react in the face of threats.

It doesn’t call specifically for digital twins, but that is one way to certainly present a continuously measured and secure posture for an asset that can be supported with some evidence, with some data, with some provability. Industry needs to ensure that systems are built for reciprocity, that they are providing information and evidence and controls that show how they’re leveraging established controls and established secure methods for monitoring those systems that will reinforce its posture. 

And then it’s communicating specific risk to mission, not just specific risk from a cyber perspective, from a technology perspective. But what does that risk mean? What is that cybersecure vulnerability that that system is designed to protect against? How is that reinforcing the mission security? The mission posture? And so how does that system design understand, and account for protecting the mission and assuring that the controls that are in place are oriented around a mission focus, versus just a focus on a specific component of the system. 

Those would be some of the things that I think industry should be taking away from this new approach, and be leaning into as it looks to seek to support the Cyber Security Risk Management Construct. Chad, what would you add to that?

33:47 – 34:11 

(CR)  I think mine would just be a footstomp. This is going to become the new norm and industry needs to understand that. I was just reading an article this morning where we now have a confirmed DoD CIO, who is very interested in this new construct and what that will look like for weapons systems across the Department of War. 

So, it’s going to be the norm, get used to the buzzwords and deliver accordingly.  

34:12 – 34:32 

So we’ve covered a lot of recent changes in the “space cyber” realm of national security. But here at Elara Nova, there have also been some recent developments.  

General Raduege, you are now spearheading a new line of business for Elara Nova, the Cyber, Data and Communications sector, as its new president.  

What are some of the goals and objectives of Elara Nova’s new CDC effort? 

34:33 – 37:48 

(CR)  Scott, I’d be happy to. First of all, let me just say I’ve been with the Elara Nova team for several years now. Always been impressed with the way that they operate, the types of people that they have assembled as part of the Elara Nova family. I am just thrilled and honored to now pick up a more expanded role in this.  

So we’re calling it the Cyber, Data and Communications sector. I’m very excited to see how those three things interact.  

First of all, I would tell you that I’m thinking in terms of multi-domain. There is, there’s some real things that our warfighters are in need of, we have the terrestrial environment, we have air, we have space. And how do you tie all those things together to exchange data from one location to another through the communications nodes that we’ve assembled, and then make sure that you’ve got the right cybersecurity applications applied to that? So I mean, really, that’s going to be the focus moving forward. 

We really do have an objective as we initially get started to help industry and government alike cut through the complexity of everything that’s out there. We’ve spent a lot of time today talking about systems of systems and architecture and cutting down on silos. This is a way of getting after that. We’re really thinking in terms of creating a strategic edge for our warfighter.  

We’re focused in this new sector on industry: helping them understand really, what are the government requirements looking for? What are they asking? How do you interpret that? How do you enable your technology toward that? How do you message the capabilities that you have put together? 

You have great tech, but it requires somebody that can help translate that great tech and that great vision into the requirements that the government is looking for. And then it’s figuring out how to engage the right leaders at the right time. Where does the acquisition community fit in this? Where does the Combatant Commander fit into this? How about the services? Where are the authorities? Who are the right people to get visibility and get that capability recognized?  

But we’re also focusing on the government as well. How do we help them in the very demanding environment that they have? It’s just a look across the environment right now to see all of the military operations that are ongoing around the world and those that are in uniform and serving in the Department of War currently have a lot to figure out how to employ the capabilities of today, while trying to envision the future.

And Elara Nova will have a role in that: helping them think about that future construct, aligning the right capabilities, with the right technology and helping figure that out, interpret what industry has out there and how that may plug into the current environment. 

So I’ll stop there, Scott, and just say, I’m really excited to see how this Cyber, Data and Communications play will all come together. You’re going to be amazed at the type of experts that we’ve been able to assemble into this new sector and we’re just really looking forward to making a difference for our nation. 

37:49 – 38:07 

And Ma’am, as one of the Founding Partners at Elara Nova, can you take us behind the scenes on what prompted the decision to stand up the CDC sector? 

And how does expanding Elara Nova’s services in this way reflect the growing imperative to ensure government and commercial systems are cybersecure not only in space, but across operational domains? 

38:08 – 41:14 

(KC) These questions go hand in hand, really. You know, Elara Nova’s core focus from the start, is and continues to be: how do we as a company help advance the national defense and security capabilities of the United States and its Allies? And in doing so, how do we bring our team of experts who have deep and wide backgrounds and experience in and across specific domains of military operations, intelligence community operations, commercial operations, civil operations? How do we bring that expertise to bear so that we can ensure that the United States and her Allies have the absolute best capabilities that industry can bring forward and apply?  

And in doing so, we recognize that those operations that I mentioned across the board are becoming more and more complex. They’re becoming more and more interconnected. They’re becoming more and more integrated. They’re becoming more and more multi-domain across space, air, ground and cyber. And the application of technology has to be able to perform in those very complex environments. And what connects all of those environments is, in fact, software, networks, data, and the cybersecurity constructs that assure protection in and across those domains. 

It’s a natural outcome for us as a company to be thinking about having a sector that’s going to focus on not only advancing space capabilities for our nation and her Allies, but the cybersecurity components that go along with that: the data architectures, the interconnected communication systems in space, from space, to space, and with all domains that goes along with that. 

And the interconnectivity, if you will, across those three assets: cybersecurity, data and communications. It’s only natural for us to think about the air domain and how air and space have to work well together to reinforce and enhance operations for each domain, across each domain, and with all the other domains of operation that our joint warfighting Combatant Commanders need to be able to assess and therefore also the cybersecurity data and network communications that needs to occur in the air, from the air, and between air and the other domains. 

It’s just a natural evolution of what we, as Elara Nova, bring to bear and the expertise that we want to assure can be brought forward to help our industry partners satisfy and meet government demands of operating in those complex environments and help our government think about what kinds of capabilities are needed and how to leverage those capabilities most effectively with and in support of, all the other capabilities that they’re bringing forward.

41:15 – 41:54 

This has been an episode of The Elara Edge. As a strategic advisory firm, Elara Nova is the trusted guiding partner that builds tailored teams to illuminate unseen opportunities and deliver impact across every domain. 

With the trusted insight to deliver your decisive edge, Elara Nova is your source for expertise and guidance in cross-domain security. 

If you liked what you heard today, please subscribe to our channel and leave us a rating. Music for this podcast was created by Patrick Watkins of PW Audio. This episode was edited and produced by Regia Multimedia Services. I’m your host, Scott King, and join us next time at the Elara Edge. 

Episode 5: CMMC 2.0 and The Zero-Trust Strategy: How the DOD is Accelerating Cybersecurity Across the Defense-Industrial Base

The Elara Edge: Expert Insights on Space Security


Host: Scott King

Subject Matter Experts: Lieutenant General (Ret.) Harry Raduege, Senior Partner at Elara Nova; Brigadier General (Ret.) Chad Raduege, Senior Partner at Elara Nova

00:00 – 01:42

In the waning years of the Cold War, the Department of Defense launched its Advanced Research Projects Agency Network, or ARPANET, one of the earliest iterations of the modern day Internet. In the decades since, cyberspace has become essential to streamlining decision-making up and down the kill chain.

Now, the threat landscape in the cyber domain is more malicious than ever. Nation-states, hacktivist groups, and individual actors are launching incessant cyberattacks against our military services, federal agencies, critical infrastructures and even commercial entities. In response, the DOD is implementing its Zero-Trust Strategy by 2027 to secure its cyber operations.

As part of this process, the DOD rolled out the Cybersecurity Maturity Model Certification 2.0 – or CMMC – providing a requirement framework for its defense-industrial base to follow. 

Welcome to “The Elara Edge: Expert Insights on Space Security.” I’m your host – Scott King. And joining us today to discuss how the DOD is securing its cybersecurity practices across its military services and defense-industrial base is Elara Nova Senior Partners Retired Lieutenant General Harry Raduege and his son – recently Retired Brigadier General Chad Raduege. 

Throughout each of their respective military careers, the Radueges have emerged as leaders in ensuring critical DOD information and operations are protected and secure. 

Sirs, thank you for joining me at the Elara Edge today. Can you begin by describing the modern cyber threat the DOD and its defense industry partners face today?

01:42 – 03:08

Yeah, Scott, thanks for the question. I’m going to take lead on this and then let my dad pile on with his perspective. 

There are three words that come to mind. One is constant. We are under constant attack in our DOD systems, the cyber capabilities that our adversaries are employing against us. We’ve had somewhere between, well, about 12,000 different cybersecurity attacks against our DOD systems since 2015. And that’s probably meeting a threshold of big cyber attacks and not just nuisances. 

The second word is complexity. We are seeing our adversaries employ something that we call ‘Advanced Persistent Threats.’ This is them working over not just days and weeks, but really months and years to gain a foothold into our DOD systems and having the capability that they can activate at a time of their choosing. That complexity is what challenges our cybersecurity professionals on a daily basis.

The third word that I would use is one of determination. Our adversaries are determined. Our DOD systems are very elaborate. But where they’re finding the soft underbelly is really in our contract workforces, in our program offices. And so they’re targeting those particular avenues of approach. So they’re very determined to get in and then sit and wait.

03:08 – 03:48

Yeah. Thanks, Chad. Let me add a little bit there to what my son has mentioned. The threats that we’re seeing in the cybersecurity world have just continued to grow in intensity, sophistication and even approaches. 

Successful breaches are conducted every day against all critical infrastructures, that being government, industry, banking and finance institutions, oil and gas companies, health care, retail, supply chain, etc., etc. Bottom line is no one is exempt from cybersecurity attacks these days. 

03:49 – 04:07

Thank you. And so it appears the DOD is laying out two solutions in response to these threats: the Cybersecurity Maturity Model Certification 2.0 – CMMC – and its Zero-Trust Strategy.

Let’s begin with CMMC 2.0. What is the DOD attempting to do with this framework?

04:08 – 04:56

It’s all about establishing baseline security, really some expectations for companies. Anyone that’s part of our defense industrial base that is providing capabilities to our Department of Defense – this gives them the rules of the game.

This began with CMMC 1.0 back in about the 2020 timeline, and this was trying to identify the intersection between military and commercial capabilities and organizations. And so this was really a methodology of trying to get after protecting our supply chain.

We fully expect that the CMMC 2.0 criteria will give those companies, those members of the defense industrial base an idea of what are the rules of the game? What are the expectations in providing baseline security for our systems?

04:57 – 05:25

Yeah, let me just mention one quick thing: This 2.0 really does streamline the requirements from 1.0, which had five levels down to three levels of cybersecurity. And it also aligns the requirements at each of these three levels with well-known and widely accepted National Institute of Science and Technology – or NIST – cybersecurity standards.

05:26 – 05:33

How does CMMC 2.0 factor into the DOD’s approach to establishing its Zero-Trust Strategy by 2027?

05:34 – 06:43

The zero-trust really can be boiled down to ‘Never trust and always verify.’ So DOD requires an enhanced cybersecurity framework that’s built on these zero-trust principles, including the very important aspect of developing a zero-trust mindset among every employee. And so education and training in the cybersecurity area is really key to the success of any organization going forward.

We’re actually having some standardized level one CMMC self-assessments which adds an entry level self-assessment that you can do for gaining higher levels of CMMC performance and certification. 

And this is particularly important I think for the small and medium businesses out there that don’t have the internal resources to either buy the cybersecurity expertise through personnel, or training or even consultants.

06:43 – 08:04

I think that’s a great point – that idea of mindset and education and training. Really, I think, Scott, what we need to remember with really both CMMC 2.0 as well as zero-trust – cybersecurity is a culture and it’s not a product. 

It requires a commitment of building the culture through education and training, through funding, through investment. Cybersecurity is that culture and not just the product.

Just last fall, the Department of Defense released their ‘Zero-Trust Strategy.’ And in that strategy, it acknowledged that each of the services are different in the way that they operate, maintain and fund zero-trust strategies in the way that they’re building their cybersecurity culture.

And so they’re holding each of the services accountable for turning in a review of where you are. What does your zero trust strategy now look like? And DOD plans to review those over the next several months.

But still, what DOD is recognizing and acknowledging is that their timeline is 2027. And so we’ve been on an eight year journey to get zero-trust in not a unified fashion, but by service, implemented into the DOD – that’s optimistic. We’ll remain hopeful that that comes to fruition. But that’s where I think we are right now.  

08:05 – 08:22

Space and cyberspace are inherently interconnected as warfighting domains. This is reflected in the Space Force’s founding as the military’s first fully “digital service.” So what role can the Space Force serve as a cybersecurity leader for the DOD and its defense-industrial base?

08:23 – 09:41

There are three things that come to mind when I think about the role that the Space Force is playing and could play moving forward. One is their size, because of their size, because of the way that they have streamlined their processes. I believe they have the agility to quickly and rapidly field capabilities and shape processes, tools, tactics, techniques and procedures.

The second one is they have unity of action. There is a unique thread that is being pulled through our Space Force right now from young Guardian to senior leader, where there is unity of effort in the way that they’re thinking about their role in the future, their role as a digital service. 

The third thing that comes to mind when I think about the Space Force and their digital service capabilities – their relationships between the U.S. Space Force and industry. There is this collaboration, these relationships that take place between those that have the requirements and those that are delivering upon the requirements. And so if we could figure out some way to harness that relationship, tie together the military and our commercial providers, I believe there’s huge power moving forward.

09:42 – 10:09

I believe that digital services that are provided by the space and cyberspace domains and specifically U.S. Space Force and U.S. Cyber Command. These serve all the other operational domains: land, air, sea and themselves. So these digital services are critical to proper and efficient Department of Defense operations going forward.

10:10 – 10:48

I would just chime in and offer a perspective, as I went through a two year experience in the European theater and got to witness firsthand the initial stages of Russia’s drive into Ukraine.

The Russian attack into Ukraine was started by taking down ViaSat. They attempted to blind the Ukrainian people, Ukrainian command and control military forces and they attacked the ground stations. So that’s a real-world example of the way that kinetic and non-kinetic threats come together by, not only the space front but also on the cybersecurity front.

10:49 – 11:06

Why is it important for the Space Force to collaborate with its industry partners, through a framework like CMMC 2.0, to not only ensure appropriate cybersecurity protections are in place across the defense-industrial base, but also to adapt commercial cybersecurity solutions for the national security mission?

11:06 – 12:09

Yeah, let me start with, if we don’t have this, then we can lose control, forfeit assets and experience manipulation by others, and that is across the space, government, the industry partners in particular. You must establish a comprehensive cybersecurity risk management plan. The CMMC 2.0 is a really great start of government and industry and academia, frankly, working together.

It’s essential that the Space Force and all of our military forces continue to leverage what they see and can gain from commercial cybersecurity measures and practices and innovation. We have the best commercial capabilities available and the capabilities that we have available to us are targets for other nations to gain access to and to leverage themselves.

12:10 – 13:50

We must remember that we’re all part of one big team and our adversaries are looking for the weakest link and so there’s what drives our commitment. The impacts of what space provides not only what my dad referenced before of the impact to every one of the other services and all of the domains – when you start talking about precision, navigation and timing, these are the things that drive all of our military capabilities and robustness.

Scott, I think this is the importance of establishing a relationship. All too often we sometimes in DOD point to the commercial industry in Silicon Valley and say, ‘They’re so much faster and they’re doing it so much better, let’s just adopt everything that they’re doing.’

In their line of business, that may work for them. In reality, as you start raising those risk calculus conversations to the national security level and implementation across our Department of Defense, that’s where I think that it is – at times – a little bit of an apples and oranges comparison. That doesn’t mean that we cannot learn an enormous amount from Silicon Valley in their agility, in their practices, the way that they harness speed to implementation. Those are all great things. 

So what I would offer for the Space Force and learning from the commercial entity is the idea of a relationship, have the conversations, see what works and what doesn’t. But I think it’s a bridge too far to just say we’re going to scrap everything that we have done to maintain national security and implement a process without any further questions. It requires a dialogue.

13:51 – 14:06

Considering the depth and breadth of each of your experiences in cybersecurity and the service of our nation – how can Elara Nova facilitate the adoption of Zero-Trust principles for both the DOD and its industry partners?

14:07 – 14:47

The Elara Nova team has partners with years and years of unequaled experience across the space and cyberspace areas of operation. Chad and myself, we have years of experience working in space operations, network operations, cybersecurity, command and control, communications. Chad, having just short of 30 years. Myself, having over 35 years of military experience. So that’s 65 years experience total between just the two of us.

14:48 – 16:08

I would offer that there are two things that kind of come to mind as I look at the team of experts that Elara Nova has brought together and what we can offer by way of facilitating those stronger relationships and principles and partnerships moving forward. 

One of those is just taking advantage of all of that expertise that my dad referenced. That expertise will translate into identifying best practices across a number of different areas and domains and capabilities and organizations and units. And so you have the opportunity of leveraging all of those best practices that we’ve seen over years of our time together for the benefit of our nation. 

The second is really, I think, the power of Elara Nova and that’s in relationships and really the capability of being an integrator between our military, our commercial capabilities and academia as a whole. That ability to have established relationships over many, many years in uniform, out of uniform, at conferences, on real-world missions, the ability to leverage that relationship and be the integrator and facilitator of great talks is really the power of Elara Nova.

16:08 – 17:00

If you’re interested in learning more about the DOD’s approach to establishing and implementing a Zero-Trust Strategy across its services and defense-industrial base – visit our Insights page at www.elaranova.com.  

This has been an episode of The Elara Edge: Expert Insights on Space Security. As a global consultancy and professional services firm focused on helping businesses and government agencies maximize the strategic advantages of the space domain, Elara Nova is your source for expertise and guidance in space security.

If you liked what you heard today, please subscribe to our channel and leave us a rating. This episode was edited and produced by Regia Multimedia Services. Music for this podcast was created by Patrick Watkins of PW Audio. I’m your host, Scott King, and join us next time at the Elara Edge.