The departments cited comments from the Cybersecurity and Infrastructure Security Agency and said a regulatory approach would have a greater impact “industry-wide” than dealing with entities case-by-case.
A well-crafted rule would be the best way to increase industry adoption of measures that can effectively mitigate security vulnerabilities in the internet’s routing protocol, the departments of Defense and Justice told the Federal Communications Commission, highlighting a rift within the administration.
The Border Gateway Protocol, or BGP, is analogous to a postal service. Finding the most efficient ways to route information across the internet, it allows users to access websites hosted on servers from across the globe in an instant. But according to a notice of inquiry the FCC issued in the wake of Russia’s invasion of Ukraine, it can be, and has been, tricked by malicious actors who are able to misdirect and exfiltrate network traffic.
“The nation’s longstanding reliance upon voluntary measures to secure sensitive U.S. data may no longer be sufficient to address this vulnerability,” DOD and DOJ wrote in a press release flagging their response to the FCC’s inquiry. “As a result, the Justice Department and DOD support FCC’s initiation of a process to better secure BGP, including through technical security and transparency measures that will help safeguard the data and communications that are so central to U.S. national security interests.”
The departments specified support for "carefully constructed rules, issued in concert with other government actions," in comments to the FCC Wednesday. Their position conflicts with that of the National Telecommunications and Information Administration—a Commerce Department agency—which in May advised the FCC against a regulatory approach.
“BGP security solutions are … complex and incomplete, and as a result, may even introduce new vulnerabilities. Some BGP security solutions are computationally resource demanding and become increasingly more demanding as implementation scales. Security requires costly investments, placing significant demands on limited budgets,” the NTIA wrote, summarizing comments from Cisco and Juniper Networks. “NTIA notes commenters and relevant literature suggest that regulations to address BGP security would be ineffective and that regulatory mandates could inadvertently impede security efforts.”
But other commenters in the FCC’s docket said existing mitigation measures such as Resource Public Key Infrastructure—a cryptographic mechanism that essentially functions the same as requiring the correct recipient’s signature when a package is delivered—are effective, and they highlighted the much greater degree to which it is implemented in Europe.
DOD and DOJ cited those commenters and their own experience in arguing for the FCC to take more comprehensive action than the U.S. has taken thus far through individual removal orders for entities like China Unicom and Pacific Networks, which can take more than a year to process.
“Our experience suggests that existing routing security measures, like Resource Public Key Infrastructure, can help mitigate this risk,” the departments wrote in their comments, adding, “additional transparency measures, such as requirements to report peering and interconnection partners and to monitor and periodically audit traffic routing to ensure traffic is not being misrouted over untrusted networks, may also be necessary and appropriate.”
In July, Cybersecurity and Infrastructure Security Agency Director Jen Easterly also weighed in on the issue. Taking more of a middle road between the departments’ and NTIA’s contrasting views, she acknowledged the cost concerns of some in industry but said the FCC should remain open to regulatory and non-regulatory actions to protect national security.
“From a national security perspective,” DOJ and DOD wrote, referencing CISA’s comment, “we believe that establishing an industry-wide baseline of BGP security measures would go a long way towards protecting the transmission of U.S.-person data and communications in a constantly changing threat environment. The status quo has not achieved—and cannot achieve—that objective.”