CISA Urges FCC to Prioritize National Security in Internet Routing Probe


CISA Director Jen Easterly said industry concerns shouldn’t preclude use of the commission’s regulatory authority to mitigate exploitation of the Border Gateway Protocol. 

The Federal Communications Commission should put national security concerns ahead of those internet service providers have expressed regarding measures to address vulnerabilities in the internet’s routing protocol, according to the director of the Cybersecurity and Infrastructure Security Agency.  

In comments delivered to the FCC on July 7, CISA Director Jen Easterly summarized the concerns of internet service providers—including lack of a sufficient return on the investment that would be necessary—noting they shouldn’t stop the commission from considering a regulatory approach. 

“While the obstacles discussed are valid to various degrees, they must be viewed in the context of the national security risk posed by insecure [Border Gateway Protocol],” Easterly wrote. “The Commission should keep a variety of tools available to respond to BGP threats, including regulatory and non-regulatory responses.”

CISA’s comments assert the agency’s position as the sector risk management agency for the information technology and communications sectors. But CISA, under the Department of Homeland Security, is not a regulatory agency. Regulatory authority for the security of information and communications technology, particularly for cloud service providers, is still a contested space.

“It's not clear who would be setting the standards for this industry, and that's why CISA is going to have to have outreach with regulatory organizations like the FCC,” Mark Montgomery, the former executive director of the Cyberspace Solarium Commission, who is now a senior fellow at the Foundation for Defense of Democracies, told Nextgov.

The FCC’s February notice of inquiry for securing the Border Gateway Protocol—issued in the context of the conflict with Ukraine—cited Russian attempts to reroute internet traffic, including in ways that could be used to take control of robot armies online. CISA noted examples where nation-state actors from China could also exploit weaknesses in the protocol.

But that kind of high-level activity makes it hard to justify the cost of implementing a more secure protocol, Juniper Networks suggested in comments to the FCC. 

“The return on investment for businesses isn’t readily apparent because customers may not appreciate nor be aware of the security benefits,” Easterly wrote, characterizing the concern.

But, she said: “The FCC should determine which authorities it could use domestically to address the gaps left unfilled by voluntary approaches.” She specifically noted the Government Accountability Office’s recommendation that the commission could use its regulatory authority to drive transparency by requiring the collection of data on cyber incidents.