Open-source Leader Advocates Strong FCC Enforcement of Routing Security


Reply comments to the Federal Communications Commission are now due in 30 days.

The Federal Communications Commission should consider imposing comprehensive tests and fines—after fair warning and guidance—to ensure internet service providers are taking minimal steps to protect the global internet routing system from malicious hackers, according to comments a leader in the open-source security community submitted to the agency.

“Voluntary compliance has failed to ensure compliance with even basic measures; companies have negligently allowed hijacking for decades, even when well-known and practical countermeasures exist,” wrote David Wheeler, director of open source supply-chain security for the Linux Foundation. “The FCC should establish a testing regime to ensure that Internet routing, if depended on by others, strongly resists hijacks using currently practical measures such as [Resource Public Key Infrastructure].”

Comments were due Monday in response to an inquiry the FCC made on the issue in the wake of the Russia-Ukraine conflict. The commission is concerned about hackers’—particularly powerful nation-state actors’—ability to manipulate the Border Gateway Protocol to redirect internet traffic by pretending to offer a more efficient network path. Resource Public Key Infrastructure, or RPKI, refers to a system of certificates and cryptographic attestation that lets stakeholders validate the origin of, and authorize, the route internet traffic should take.

In response to the FCC asking about the extent to which network operators have implemented available security measures, Wheeler pointed to a test established by the content distribution network Cloudflare. The test is a simple red-team exercise that advertises a route known to be spurious. Cloudflare committed to implementing RPKI in the fall of 2018.

“Those US organizations who fail should be notified, provided guidance on how to fix the problem, & given a grace period … to (re)gain compliance,” Wheeler said. “After the grace period there need to be incentives for failing US organizations to change to implement at least minimal efforts … These incentives should include grants if the organization is a not-for-profit, publishing a list of non-compliant entities, and then increasing fines over time … These organizations who negligently continue to leave the Internet so vulnerable, by failing to apply known best practices and existing technologies, are creating a hazard for everyone.”  

USTelecom, the leading trade association for major internet service providers, noted an endorsement of RPKI implementation in its comments to the FCC. But the group said adoption has been increasing without a requirement on the books.

“The majority of routes are still not signed, but the trajectory is good, we are up from less than 10% in 2018 to more than 35% as of this writing,” the group wrote, adding, “Buy-in from broad sets of stakeholders is essential, not just domestically, but also internationally.”

Also in the FCC’s docket on secure internet routing were comments from ETNO, the European Telecommunications Network Operators’ Association. The organization, whose internet service provider members have deployed BGP-specific routers in their networks, shared its system for coordination and noted wide support for RPKI implementation.

“The fr.telecom [Local Internet Registry] – serving the needs of Orange France and [Orange Business Services], for example, has close to 100% of its resources associated with an ROA – Route Origin Authorization,” the group said.