Standards exist for network operators to implement, but there is no rule forcing them to do so.
The Federal Communications Commission cited Russia’s aggression against Ukraine in announcing its unanimous approval of a notice of inquiry for secure use of the Border Gateway Protocol, the internet’s routing system.
“Last week, the Department of Homeland Security warned U.S. organizations at all levels that they could face cyber threats stemming from the Russia-Ukraine conflict,” reads a Monday press release from the FCC. “This notice will begin an inquiry into the vulnerabilities of the internet’s global routing system. The inquiry will also examine the impact of these vulnerabilities on the transmission of data through email, e-commerce, bank transactions, interconnected Voice-over Internet Protocol and 911 calls—and how best to address these challenges.”
Used in conjunction with a botnet—an army of devices that is under remote control after being infected with malware—BGP can be manipulated to execute distributed denial of service attacks like those recently experienced in Ukraine. The U.S. has attributed those DDoS attacks to Russia. The FCC’s notice explains how adversaries can also exploit vulnerabilities in BGP to redirect traffic and steal data. The agency referenced reports in 2017 of traffic to and from major U.S. tech and financial-sector companies suspiciously taking an out-of-the-way path through telecommunications companies in Russia.
The notice lists various efforts over the years, from both within and outside the commission, to establish secure use of BGP. The National Institute of Standards and Technology, the Internet Engineering Task Force, the Internet Society and the FCC’s own Communications Security, Reliability, and Interoperability Council have all documented best practices to address the security risks associated with the protocol. But those practices have not been comprehensively implemented by internet service providers.
“Notwithstanding this work, available information suggests that the voluntary adoption and deployment of such measures has been such that many of the independently managed networks that comprise the Internet remain vulnerable because they have not taken advantage of these measures,” the FCC wrote.
Among other things, the security measures include encryption and the use of certain routers.
“We seek comment on whether and to what extent network operators anticipate integrating BGPsec-capable routers into their networks,” the notice reads. “The specification for the BGPsec extension to BGP became available in 2017, but it appears that BGPsec has not been widely deployed despite BGP’s known vulnerabilities. Why have network operators not taken more aggressive steps to adopt BGPsec? What particular obstacles or concerns about BGPsec have slowed their adoption? To what extent does the introduction of BGPsec routers potentially introduce compatibility issues among managed networks or introduce delays?”
The commission is also seeking comments on its authority to regulate secure internet routing, not just through wireline and wireless ISPs, but also “Internet Exchange Providers, interconnected VoIP providers, operators of content delivery networks, cloud service providers and other enterprise and organizational stakeholders.”
“We seek comment on whether regulatory clarity could help network operators prioritize investments in the security of their networks,” the FCC wrote.
Comments are due within 30 days of the notice being entered into the Federal Register, with reply comments due within the succeeding 30 days.