Over the last several years, the Federal Communications Commission (FCC) has been taking a more active role both in anticipating the need for ever greater communications network security measures necessary to counter threats as well as potentially forging a new role in protecting the integrity of data that flows through the Internet. The latest evidence of this security consciousness is a recent Notice of Inquiry (“Notice”) adopted by the FCC seeking information to better understand the scope of Border Gateway Protocol (BGP) routing system security vulnerabilities, and the means to address them.
While the FCC acts in tandem with federal partners — National Institute of Standards and Technology (NIST), the Department of Homeland Security, and the National Telecommunications and Information Administration — and consistently urges the communications sector to defend against cyber threats, the private ownership of U.S. communications networks means this sector often must rely upon the diligence of private parties to strengthen the cybersecurity of vital communications services and critical infrastructure. This Notice seeks comment on vulnerabilities threatening the security and integrity of the BGP, which is central to the Internet’s global routing system. The FCC also wants to understand these vulnerabilities’ effects on the trustworthiness of transmission of data from email, e-commerce, and bank transactions to interconnected Voice-over-Internet-Protocol (VoIP) and 9-1-1 calls, as well as how best to address them.
BGP is the routing protocol used to exchange reachability information among independently managed networks on the Internet. BGP was not initially designed to include security features to ensure trust in the information that it is used to exchange. As a result, a bad network actor can deliberately falsify BGP reachability information to redirect traffic to itself or through a specific third-party network and prevent that traffic from reaching its intended recipient. Such “BGP hijacks” can expose U.S. citizens’ personal information, enable theft, extortion and state-level espionage, as well as can disrupt otherwise-secure transactions.
The Notice seeks comment on steps that the FCC might take to help protect and strengthen the nation’s communications network and other critical infrastructure from these vulnerabilities. The FCC seeks to learn the extent to which Internet Service Providers, public Internet Exchange Providers and providers of interconnected VoIP service have deployed BGP routers in their networks. In order to understand the scope of the issue, the FCC seeks comments to elicit, for example, whether providers of cloud services operate BGP routers in their networks and what other types of entities operate BGP routers.
There are several regional, national and local Internet registries that manage the allocation and registration of Internet number resources. For example, the Internet Corporation for Assigned Names and Numbers (ICANN), through its affiliate, Internet Assigned Numbers Authority (IANA), has responsibility for coordinating the Internet’s unique identifiers. The FCC seeks to understand what role ICANN or other entities, including vendors of BGP routers or other networking equipment, have in supporting the development and implementation of BGP security practices.
The Notice also asks about the use of available tools, such as NIST’s RPKI Monitor, Automatic and Real-Time dEtection and MItigation System (ARTEMIS), BGPstream, BGPMon, Kentik and Traceroute, to timely and accurately detect BGP hijacks or router misconfigurations as well as whether these tools are able to distinguish malicious routing changes from accidental ones. The Notice also notes the existence of security measures developed and deployed by the industry to secure BGP and asks how broadly industry standards or best practices have been implemented as well as whether there are available means to assess, measure, demonstrate or increase the effectiveness of these security measures.
While the specification for the BGPsec extension to BGP — a specification that addresses malicious misrouting issues — became available in 2017, the FCC notes that BGPsec has not been widely deployed. The Notice asks why network operators have not taken more aggressive steps to adopt BGPsec, including whether there are cost, comparability, performance or other obstacles or concerns about BGPsec that have slowed its adoption.
Finally, the Notice seeks comment on steps the FCC, in coordination with other federal agencies, could take to prevent BGP hijacking or promote more secure Internet routing. The FCC seeks comment on its legal authority to promote the security of Internet routing through regulations as well as to apply these regulations to wireless and wireline Internet Service Providers, Internet Exchange Providers, interconnected VoIP providers, operators of content delivery networks, cloud service providers, and other enterprise and organizational stakeholders.
Comments are due at the FCC on the Notice 30 days after the Notice is published in the Federal Register, which has not yet occurred as of the date when this post is published. Reply Comments due within 60 days of that publication date.
