The Satellite Encryption Gap: Why Everyday Citizens’ Communications Are at Risk

Commentary by Lauryn Williams and Kuhu Badgi

Published March 6, 2026

Demand for high-speed, ubiquitous communications is skyrocketing globally, including in rural and hard-to-reach areas. Commercial satellite constellations-alongside terrestrial technologies-are an increasingly important element of global digital infrastructure to sustain this runaway demand. Yet, this digital infrastructure has, in many cases, been built on insecure foundations.

Until recent years, few satellite developers considered that nefarious actors might exploit governments' and everyday consumers' dependence on satellites for all aspects of daily life. This failure of imagination produced arguably the greatest blind spot in satellite design: command links allowing communication between the ground terminal on Earth and satellites in orbit have historically been unencrypted. A 2025 academic study from researchers in California and Maryland illuminated in stark detail how this built-in vulnerability has left many satellite owners and operators' data susceptible to interception at a scale directly impacting U.S. (and global) economic and national security. Despite their physical distance, satellites are critical technologies that are more intertwined with U.S. economic and national security today than ever before.

The Satellite Cybersecurity Landscape

Today, satellites are essential enablers of modern life on Earth. Commercially, satellites allow passengers to access in-flight Wi-Fi, facilitate remote cellular backhaul, connect mobile network sites, and enable data transmission across communication and industrial systems. In the national security environment, satellites enable maritime operations and military and government communications.

These systems transmit large volumes of often sensitive information between space-based systems and ground terminals and users. Low Earth orbit satellites support essential services like broadband access in rural and remote areas, video conferencing and financial trading services, remote sensing, and even enable interconnected space-based and terrestrial-based networks. Medium Earth Orbit constellations, including the U.S. Global Positioning System (GPS) and others, provide critical positioning, navigation, and timing services. Higher up, satellites in geostationary orbit (GEO) provide continuous coverage for broadcasting, telecommunications, weather monitoring, and intelligence collection.

Across these orbits, satellites are highly attractive targets for adversaries seeking to compromise the integrity, confidentiality, and availability of those communications. Many satellites, particularly legacy systems operating long past their design life, rely on unencrypted or weakly protected command-and-control links, making them especially vulnerable to cyber exploitation. Regardless of orbit, mission-type, or payload, the security lesson remains the same: When sensitive data is transmitted over unsecured links, interception becomes a cheap, passive, and scalable tactic for adversaries.

While cyber threats to terrestrial infrastructure are well-documented-with IBM reporting that 70 percent of all observed cyberattacks in 2024 targeted critical infrastructure-the threat landscape for space systems is unique and less understood. Once in orbit, vulnerabilities are extremely challenging to patch, bugs are harder to fix, and intrusion-response is often slow or impossible. There is also the challenge of legacy satellites-those that have already completed missions or have outlived their expected lifespans. These satellites were often launched years or decades ago with little consideration for, or understanding of, modern cyber threats. If cybersecurity is not prioritized and embedded in system design before launch, space systems will lack the modern, advanced security capabilities needed to address cyber threats in real-time.

Exposing Satellite Cyber Vulnerabilities

Satellites' vulnerabilities to cyber threats are not just hypothetical; they have already been demonstrated in the real world.

In a 2025 study conducted by the University of California, San Diego (UCSD), and the University of Maryland (UMD), researchers developed and used an off-the-shelf $800 satellite receiver in La Jolla, California, to pick up communications from GEO satellites near their receiver. In just months of data collection and interpretation, they obtained an alarming swath of private data broadcast "in the clear," or, without using encrypted communications links; they found 50 percent of observed links lacking encryption.

The researchers collected everything from calls and text messages on T-Mobile's satellite cellular network, data from in-flight Wi-Fi users passing overhead, and communications with critical infrastructure operators, including electric utilities and oil and gas platforms. However, the data did not stop at seemingly innocuous civilian communications. The receiver also picked up extremely sensitive communications involving U.S. and Mexican military and law enforcement, which revealed the location of their personnel and facilities.

Taken together, this data exposes not only the vulnerability of unencrypted private communications passing through satellites but also sensitive metadata, such as location, movement patterns, and operational relationships, that can be exploited for surveillance, targeting, or physical harm. This vulnerability does not affect all users equally. Satellite links that broadcast in the clear disproportionately endanger users who rely on satellite connectivity as a primary telecommunications lifeline, such as the 24 million Americans who lack access to fixed terrestrial broadband.

This study starkly demonstrates the present and substantial threat posed by unencrypted satellite signals. If a commercially available, inexpensive receiver operated by academics can intercept such communications, satellite operators must assume well-resourced adversaries, such as the People's Republic of China (PRC) or Russia, can likely collect the same information at scale-and they have a clear interest in doing so.

These nation-state adversaries have demonstrated keen interest in expanding their cyber warfare strategies to target vulnerable space systems. In 2022, Viasat, a U.S. satellite communications company, was attacked by Russia immediately prior to its ground invasion of Ukraine. In 2024, Russia broadly indicated that U.S. satellites, such as those deployed by SpaceX, would be a legitimate target for military retaliation. Chinese military writings frame U.S. space systems as central to warfighting capability, emphasizing their role in accelerating U.S. decision making. Given this perceived U.S. reliance, China would likely target on-orbit and ground systems early in a conflict to downgrade military capabilities. Further, the PRC's Volt Typhoon cyber campaign-designed to pre-position inside, and eventually disrupt, U.S. terrestrial critical infrastructure early in a conflict-should not be ignored by space operators. Together, these developments underscore a growing consensus among U.S. adversaries that space systems are not merely support infrastructure, but viable and effective targets for disruption in modern conflict, including through cyber means.

The Case for Encryption

The UCSD/UMD study's findings demonstrate the broad vulnerability of unencrypted satellites in the United States and globally. While the researchers utilized the fixed position of GEO satellites to facilitate their data collection, this vulnerability is not orbit-specific; it is a fundamental flaw in any space system that transmits data "in the clear." The most direct path to reducing this exposure is straightforward: encryption should be the default for satellite design.

Encrypting satellite communications protects the confidentiality of space systems by making the contents of communications unreadable to unintended recipients, maintains the integrity of the data by preventing adversaries from altering it in transit, and assures the availability of satellite communications to the intended receiver. Additionally, it ensures the authentication of satellite systems by ensuring only legitimate entities can send valid commands or access confidential data traffic.

The authentication component of encryption is particularly important for satellite systems that rely on remote command-and-control links. These links serve as communication channels that use radio frequencies to send commands to space systems and receive data back. When signals are broadcast in the clear, adversaries gain easy options for interference. If commands are intercepted, the threat to these systems is no longer passive and could allow adversaries to actively manipulate or disrupt satellite operations.

The United States has spent years urging a "secure-by-design" cybersecurity approach for everything from consumer software to industrial control systems. Agencies have simultaneously called for implementing a "zero trust architecture" approach. Satellite systems underpinning terrestrial critical infrastructure should not be an exception.

Why Operators Do Not Encrypt Today

If encryption is an obvious solution, why has it not become a universal standard for satellite operators worldwide?

While some companies, including SpaceX, have prioritized cybersecurity in constellation design, there are a variety of issues that dissuade companies from automatically encrypting their communications today.

The UCSD and UMD researchers cited legacy systems, costs, overhead bandwidth, and lack of accountability across service providers as reasons satellites remain unencrypted. Further, in 2023 and 2024, the White House convened discussions on space cyber challenges with 125 U.S. and multinational space companies and government entities. During these engagements, industry representatives gave consistent feedback that retroactively adding cybersecurity and encryption requirements to satellite systems was incredibly difficult, emphasizing the "legacy" problem. These conversations also revealed a thorny challenge: While there is growing consensus around embedding encryption and cybersecurity into future space architectures, there is deep skepticism about the feasibility, cost, and operational viability of imposing modern security requirements on legacy systems already in orbit and for new systems going forward. At the end of the day, space operators' main priority in a competitive market is launching satellites fast, and cybersecurity has been considered a drag on cost and speed to orbit.

While none of these factors justify leaving space systems exposed, they explain why market incentives alone have not produced more secure outcomes in space. Optional, rather than mandatory, federal cybersecurity requirements often motivate operators to choose the cheapest solution or bypass them altogether, even at the cost of systemic exposure across networks that carry vast amounts of sensitive traffic.

Existing, but Incomplete, Policy Momentum

The U.S. government has warned for years that satellite communications remain a prime target for cyber adversaries. In 2022, the National Security Agency released guidance urging organizations to encrypt communications prior to transmission and to implement basic security hygiene, with the Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation also sounding alarms. Particularly since the start of the conflict in Ukraine, the U.S. government has started to move to proactively protect federal space systems. The Biden administration's January 2025 Executive Order 14144 began to address this enormous gap in cyber procurement requirements across civil space systems operated by key government agencies. Specifically, Section 3 (e)(i)(A)(1) requires the federal government to address the protection of civil space systems through, among other actions, adopting a requirement for "encrypting commands to protect the confidentiality of communications." Also in recent years, the National Institute of Standards and Technology has released detailed, if voluntary, cyber guidelines to secure space system segments.

These steps are meaningful progress and demonstrate recognition at the highest levels of government that encryption is foundational to the baseline resiliency of space system cybersecurity. However, there is much more work to do.

Federal momentum in recent years has not yet addressed vulnerabilities within the commercial space ecosystem. Commercial providers, rather than the U.S. government, now account for most global space activity, about 71 percent of the world's space business, meaning the satellites carrying everyday civilian data are overwhelmingly privately owned and operated. Indeed, the UCSD and UMD findings implicated data from satellites that support backhaul, aviation connectivity, maritime operations, and industrial systems. In these sectors, encryption is often not required or standardized.

Cyber Policy Recommendations for Commercial Space Systems

To expand cyber protections to commercial space systems, which federal cybersecurity policy does not yet reach, the United States should adopt a targeted, risk-based framework that makes encryption the baseline for satellite communications traffic.

1. Set baseline encryption requirements for high-risk satellite traffic.
   
   Policymakers should require end-to-end command link and data encryption for commercial satellites that carry sensitive personal data, regulated critical infrastructure traffic, or safety of life communications. Encrypted communications are the standard practice across terrestrial networks, and satellite systems should meet the same cybersecurity threshold.
2. Require encrypt-by-default for new terminals and managed services.
   
   Encryption that is optional is often disabled. Policymakers should require satellite vendors to design systems where encryption is implemented by default.
3. Improve public-private information-sharing on cyber threats in space.
   
   Currently, information-sharing between federal government agencies and private sector space operators on adversary space cyber threats is limited and ad hoc. A greater shared threat picture awareness could drive private sector urgency to adopt cybersecurity best practices, including standards, and even post-quantum encryption.
4. Use federal procurement to drive commercial adoption.
   
   In January 2025, the Biden administration initiated the process of amending the Federal Acquisition Regulation for civil space systems, including the requirement of robust command-and-control link encryption. While not yet fully implemented, this action could help shape commercial market dynamics in favor of strong cybersecurity practices.
5. Build a public-private mitigation pathway.
   
   The UCSD and UMD study demonstrates that academic research can identify vulnerabilities that space operators may not immediately recognize. The U.S. government should support structures for reporting and mitigating satellite command link vulnerabilities, very similar to disclosure frameworks for software and critical infrastructure.
   

Federal policy in the United States is beginning to acknowledge and respond to space system cyber risks. But today, many commercial satellites carrying everyday citizens' sensitive traffic are, on average, still broadcasting in the clear. The UCSD and UMD study findings demonstrate that this vulnerability creates a low-cost, high-reward opportunity for adversaries to exploit societies' reliance on space and tacit assumptions that their data is secure. The time to incentivize stronger commercial space cybersecurity practices is now, starting with encryption, the most common-sense mitigation of all.

Lauryn Williams is the deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Kuhu Badgi is the program coordinator and research assistant for the Strategic Technologies Program at CSIS.

Programs & Projects