Cyber Has Become the Centre of Gravity in Counterspace

The Secure World Foundation published its Global Counterspace Capabilities 2026 report in April, and the cyber chapter deserves more attention than it will probably get. For nine years, SWF has produced one of the best open source assessments of how states are developing the tools to disrupt, deny, degrade, or destroy space systems. The 2026 edition is the first in which the cyber section feels like the most consequential part of the volume.

Senior US military figures are now saying so in public. SWF quotes a Space Force commander calling cyber "the soft underbelly" of space operations, another describing it as his "number one concern", and a third going as far as to identify it as the top counterspace threat. That is a meaningful shift from earlier editions, where the centre of attention sat firmly with Chinese direct-ascent ASATs and Russian rendezvous activity.

The evidence base has shifted with the rhetoric. Researchers at UC San Diego and the University of Maryland published work in October 2025 showing that a surprising proportion of GEO traffic is sent in the clear. They pointed a low-cost dish at geostationary orbit and pulled down unencrypted cellular backhaul, VOIP, government and military communications, in-flight Wi-Fi, retail networks, aviation data, banking traffic, and critical infrastructure telemetry. Their finding, in plain terms, was that operators have been treating satellite links as though they were internal corporate wiring rather than broadcast channels that anyone with cheap kit can listen to.

A December 2024 paper at IEEE CyberRCI went further. The authors demonstrated, in an emulated LEO satellite environment using NASA’s Core Flight System, a widely used open-source flight software package, that a ransomware infection could be delivered via command injection over the radio uplink. No supply-chain compromise. No stolen credentials. Other commonly used mission-control packages, including Yamcs and OpenC3 Cosmos, have shown similar weaknesses. Reporting in 2025 also pointed to malware activity targeting satellite command-and-control environments, although the public evidence base remains thinner than that for the GEO encryption and open-source flight software cases.

The operational picture is equally stark. Research by Clémence Poirier, cited in the SWF report, documents 161 cyber operations against the space sector in the Russo-Ukrainian war alone, between February 2022 and March 2025, targeting 72 entities on both sides. The Dozor-Teleport attack in June 2023 took a Russian military satcom provider offline for fourteen hours. Russian operators hijacked a telecoms satellite on Victory Day in May 2025 and broadcast military imagery to Ukrainian viewers. A mass AIS interference event swept through the Baltic in November 2024. The line between civilian, commercial, and military targets has collapsed, and Russia's submission to the ITU declaring that Western commercial satellites supporting Ukraine are "legitimate targets" puts that on the record.

Kinetic counterspace threats still matter, of course. They are also rare, expensive, and politically costly to use. Cyber operations are none of those things. They are cheap, deniable, already operating in active conflicts, and they exploit weaknesses that most operators have never assessed within their own estates. The ransomware research showed that an attacker no longer needs a supply chain foothold to reach a spacecraft. The encryption research showed that for a meaningful number of operators, an attacker may not need to compromise anything at all.

The practical implication for satellite operators, ground segment providers, and the institutions that depend on them is uncomfortable but straightforward. Operators best positioned to weather a sustained campaign will be those who have already done the work to understand where they sit. The state of patching for mission control software. Link-layer encryption on uplinks and downlinks. Command authentication. Segmentation between ground networks and corporate networks. Supply chain visibility into the defence industrial base. Tested incident response that includes the space segment rather than treating it as someone else's problem. None of that is novel from a cybersecurity perspective. What has changed is that open-source evidence has finally caught up with the threat model.

The capabilities to do this work exist, even if the market for them has been thin until very recently. That is starting to change. The question for operators is whether they get ahead of it or wait for a Viasat-scale incident to force the issue.

A separate observation from this edition is worth its own piece. For a report landing in 2026, AI receives remarkably little attention. It amounts to a single paragraph in the cyber chapter and a passing reference in the Russian SSA section. That is a notable gap given how much of the current defence conversation centres on AI in threat detection, autonomous rendezvous, machine learning in SSA fusion, and AI-enabled cyber operations on both sides of the wire. I will return to what the report does not say about AI and why it matters in a follow-up post shortly.