Cybersecurity firm SpiderOak has launched encryption-based zero-trust software for securing code in space systems and announced that it will be an open-source project. The project, called Aranya, is based on SpiderOak’s OrbitSecure platform, which is used by the Department of Defense and was demonstrated on the International Space Station last year. It is designed for systems using distributed-ledger technology for managing encryption keys. Aranya allows developers to embed zero-trust cybersecurity features into their systems and is designed to harden systems against AI-assisted cyberattacks. By making the encryption software open-source, SpiderOak is enabling third parties to improve Aranya, leading to faster resolution of issues while ensuring customer-specific code remains safe and confidential. The target market is satellite software manufacturers in the defense and commercial sectors who seek to harden critical systems and potentially embed protections across entire networks. Third-party contributions to the project are analyzed by malware scanning services and reviewed by security-trained developers.
The zero-trust model assumes no implicit trust in any entity, including networks or individual users. This model strengthens defense against potential cyberattacks, including those assisted by AI, which is the primary goal of the Aranya project. Under this model, authenticated access to systems is always required, reducing the likelihood of breaches. In the context of satellite systems, this approach can be especially beneficial given that maintaining secure communications and data integrity is critical. Making a project open-source has benefits and drawbacks. SpiderOak has claimed that the project is protected by malware scans and security reviews for any third-party contributions. Even assuming that these controls are effective, open-sourcing the project still presents the risk of espionage, where bad actors can make GitHub accounts to view and download the project and perform research on its features, functions, and design. This could provide attackers with the reconnaissance needed to plan and implement an attack against the system, even if the open-source code is not directly tampered with. Proactive monitoring and thorough vulnerability management would be necessary to prevent the possibility of vulnerabilities being discovered and leveraged by attackers.
Erwin, Sandra. “SpiderOak Announces Open-Source Initiative for Zero-Trust Cybersecurity.” SpaceNews, 17 Oct. 2024, https://spacenews.com/spideroak-announces-open-source-initiative-for-zero-trust-cybersecurity/.