DoD, DoJ press FCC for industry-wide BGP security standard

The U.S. Departments of Defense and Justice (DoD and DoJ) urged the Federal Communications Commission (FCC) to boost internet routing security through the implementation of unified technical standards and transparency requirements, despite insistence from ISPs that regulators in one country can’t solve the problem alone.

Back in February, the FCC asked interested parties for input on what measures might help prevent or mitigate attacks that exploit vulnerabilities in the Border Gateway Protocol (BGP). In a nutshell, BGP is the foundation of the internet and is responsible for routing essentially all of the world’s traffic. However, as experts previously told Fierce, BGP isn’t inherently secure and the implementation of safeguards – including route validation systems like Resource Public Key Infrastructure (RPKI) – has been voluntary.

As Google put it in an April filing with the Commission, “BGP routing remains one of the top vulnerabilities in the global Internet infrastructure due to slow industry adoption of more secure methods” of routing.

ISPs were quick to weigh in on the matter, telling the FCC that it would be basically impossible for the agency to solve the problem on its own. In April, Comcast warned “there remain important financial, technical, and legal obstacles to the widespread deployment of a comprehensive solution… And some of the solutions, like RPKI, tackle only part of the issue.”

The following month, Verizon piled on, arguing the U.S. “cannot unilaterally solve its inherent security vulnerabilities, and that mandating adoption of any particular set of technologies or standards would be counterproductive or even harmful.” On the whole, Verizon, Comcast and Google said the FCC should adopt a more advisory stance that is aimed at promoting BGP security research and adoption.

But the DoD and DoJ disagreed. In a filing this week, the pair backed an earlier recommendation from the Cybersecurity and Infrastructure Security Agency (CISA) that the FCC look for solutions beyond the status quo. According to the agencies, vulnerabilities in BGP present a significant risk to national security. They cited specific incidents in which China Telecom Americas provided erroneous route information, resulting in traffic from Verizon (2015-2017) and an Italian bank (2016) being rerouted through China, and in Google’s enterprise services going offline for more than an hour in 2018.

Though RPKI has been around for nearly a decade, the agencies pointed out that it is only used for about 40% of routes across the Internet today.

“Even where broad consensus exists around the threat, the vulnerabilities, and the solution, industry can struggle to achieve broad adoption,” they wrote. “Many uncovered routes are likely to belong to smaller networks such as regional and local Internet Service Providers. These organizations are unlikely to implement BGP security measures without significant prodding, given the cost and lack of clear incentives to do so.”

“We believe that it is time to consider tackling this with comprehensive, industry-wide solutions rather than on a case-by-case basis,” they concluded.