The Federal Communications Commission (FCC) has unveiled a proposal aimed at bolstering the security of America’s networks against cyberattacks by improving internet routing security.
The new initiative mandates that ISPs produce confidential reports detailing their efforts and plans to address vulnerabilities in the Border Gateway Protocol (BGP), a fundamental technical protocol used for routing information across the internet.
Under the proposal, the largest broadband providers in the US would be required to submit quarterly public data showcasing their progress in mitigating BGP risks. This move aims to enhance internet routing security and furnish the FCC and its national security partners with current information on this critical matter.
In a statement, FCC Chairwoman Jessica Rosenworcel highlighted the significance of securing internet traffic, referencing a recent conversation with Vint Cerf, often described as the “Father of the Internet.”
Reflecting on the origins and open architecture of the internet, Cerf remarked that he wished he had known the internet would need more security. Rosenworcel agreed, noting the critical reliance on BGP for various everyday activities—from small business operations and online banking, to telemedicine and emergency services.
BGP, which has been in use for decades, was not originally designed with intrinsic security features to ensure trust in the information exchanged among independently managed networks on the internet.
National security experts have voiced concerns that malicious actors could exploit BGP by falsifying reachability information, a tactic known as “BGP hijacking.” Such attacks could expose personal data, facilitate theft and extortion, enable state-level espionage, and disrupt essential services.
FCC Commissioner Geoffrey Starks underscored the importance of BGP security, having focused on this issue since 2022.
In a statement, Starks pointed out that accidental or malicious actions can make networks unavailable or redirect traffic for cyberattacks, data theft, or espionage. Starks cited notable incidents such as the 2008 YouTube blackout caused by Pakistan’s attempt to block access within its borders and Russia’s exploitation of BGP vulnerabilities to limit access to Twitter during its invasion of Ukraine. He also highlighted China Telecom’s hijacking of BGP to misdirect 15% of the world’s internet traffic through China.
Starks emphasised that tools like the Resource Public Key Infrastructure (RPKI), developed by the Mutually Agreed Norms for Routing Security (MANRS), are critical for enhancing BGP security. RPKI acts as a public database of authenticated BGP routes and is considered the gold standard for protecting internet routing.
To address these concerns, the FCC has adopted a Notice of Proposed Rulemaking, which includes the following key measures:
- Annual BGP security risk management plans: Broadband internet access service providers would be required to prepare and update confidential BGP security risk management plans at least annually. These plans should detail the providers’ progress and strategies for implementing BGP security measures using RPKI.
- Reporting by major broadband providers: The nine largest broadband providers would need to file their BGP plans confidentially with the FCC. Additionally, they would submit quarterly public data to allow the Commission to track the implementation of RPKI-based security measures and evaluate the adequacy of the BGP plans. Providers that meet a certain security threshold would be exempt from filing subsequent detailed plans.
- Smaller broadband providers: These providers would not be required to file their plans with the FCC but must make them available upon request.
Starks added that the proposed rules would prompt ISPs that have not yet started deploying BGP mitigations to do so and that measuring RPKI deployment would help both the private and public sectors understand what more needs to be done to secure networks. This initiative aligns with the National Cybersecurity Strategy Implementation Plan, specifically Initiative 4.1.5, which aims to increase the adoption of secure internet routing techniques.
Rosenworcel recounted the humble origins of BGP, often referred to as the “three napkin protocol.” Created in 1989 by engineers at an Internet Engineering Task Force meeting, BGP was a short-term solution that evolved to support the burgeoning internet. Despite its foundational role in network growth, BGP was not designed with explicit security features, making it vulnerable to exploitation.
The FCC’s proposed rules come in response to documented incidents of BGP hijacking. Rosenworcel thanked the Cybersecurity and Infrastructure Security Agency, the Department of Defense, and the Department of Justice for their collaboration and disclosure of BGP vulnerabilities exploited by China Telecom to misroute US internet traffic. These hijacks not only compromise personal information but also disrupt critical financial transactions and other sensitive operations.
The FCC is soliciting public comments on these proposals and other measures related to the implementation of RPKI-based security. In announcing this initiative, the FCC acknowledged the significant efforts by various stakeholders over the past two decades to address BGP vulnerabilities. However, it emphasised that more work is needed to secure internet routing for public safety and national security.
(Image Credit: FCC)
See also: NATO launches hub to safeguard critical undersea infrastructure
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
👇Follow more 👇
👉 bdphone.com
👉 ultraactivation.com
👉 trainingreferral.com
👉 shaplafood.com
👉 bangladeshi.help
👉 www.forexdhaka.com
👉 uncommunication.com
👉 ultra-sim.com
👉 forexdhaka.com
👉 ultrafxfund.com