
ESA Space CyberSecurity Call for Ideas - crowcat
https://ideas.esa.int/servlet/hype/IMT?documentTableId=45087581261201651&userAction=Browse&templateName=&documentId=783b8cb6a2548ffe797c6ac7e6086e23
======
motohagiography
Interesting effort. I do think their Expected Ideas perpetuate the
presumptions that cause security issues in the first place.

"Data and link security, Ground and space equipment security, Protection of
classified information, Keys management through full life cycle, Monitoring,
situational awareness and forensic analysis of cyber-attacks, Technological
enablers and transversal building blocks."

The most interesting thing I've found over the last 18 months is how few CISOs
and secdevops people actually know what they are protecting, and from whom.
Their worldview seems to end at, "the business!" which is a black box to them.

Often, the sophistication and complexity of security technologies subtly moves
risk out of the domain of business owners, and onto operations staff who
aren't equipped to hold or meaningfully mitigate it, and the effect is that
we're left with transferring risk to empty compliance rituals, or a company
security troll who can be periodically scapegoated.

I've got a horse in this race, but the solution is not for techs to educate
business partners on security, but for owners to align their teams around the
business risks that actually matter and let techs do what they do best, which
is solve problems.

ESA would benefit most from a tool that educated all their engineers and
product owners on the things the agency and projects value, and the risks to
them it perceives.

~~~
youdontknowtho
Wow. That is the most well informed security comment I think I have ever read
on this site.

There are multiple ways that business will push risk onto tech employees. This
seems to be really prevalent in highly decentralized businesses where tech
can't push back on decisions and the business unit can't really judge overall
risk to the entire enterprise.

It goes beyond security or, maybe more accurately, security and risk are more
expansive than just technical security measures.

------
jcims
One use case that I've long thought might be interesting is an orbital
certificate authority/notary that is accessible directly via RF. Hard to beat
the physical security and it would democratize access to a fairly mature and
useful encryption ecosystem.

~~~
marsRoverDev
Currently I believe that comms are E2E encrypted.

------
skullum
> The Campaign is open for submissions from academia, research institutes and
> economic operators registered in any of the GSTP participating states:
> Austria, Belgium, Czech Republic, Denmark, Estonia, Finland, France,
> Germany, Greece, Hungary, Ireland, Italy, Luxembourg, Netherlands, Norway,
> Poland, Portugal, Romania, Slovenia, Spain, Sweden, Switzerland, United
> Kingdom, Canada.

Not open for submissions from the USA in case anyone else from there was
getting excited :(

~~~
JetSpiegel
I would happily pass through any ideas, with attribution!

------
duked
Interesting but I wonder about the volume of submissions they will receive.
Since the outcome is very vague in terms of potential business: "Ideas that
meet the evaluation criteria of this call - in consultation with the proposers
of the ideas - will be considered for the preparation of technology
development activity proposals."

If you are in this line of work, I think people would rather spend their time
to respond to an RFP.

