Pentagon Backs Call for Internet Routing Security FixesUS Communications Regulator Seeks to Manage Border Gateway Protocol Vulnerabilities
With concerns mounting over the risks posed by poor internet traffic routing security, there's growing momentum in the Biden administration to make internet service providers do more.
See Also: Preparing for New Cybersecurity Reporting Requirements
The departments of Justice and Defense on Wednesday called on the Federal Communications Commission to manage internet routing security vulnerabilities by requiring ISPs to implement technical security standards to lock down internet traffic routing as well as require "increased transparency" into real-world traffic flows.
Until that happens, they say, all internet users remain at risk from theft, extortion, espionage and sabotage.
The Pentagon and DOJ's recommendations voice support for the Cybersecurity and Infrastructure Security Agency's call for the FCC to take a more active role in securing the Border Gateway Protocol after the agency earlier this year asked for public comment about whether it should do so (see: Regulator Announces Border Gateway Protocol Security Review).
BGP is designed to get internet traffic where it needs to go by enabling the exchange of routing information between autonomous systems. By distributing routing information, the protocol enables routers to connect users with specific IP address prefixes.
The protocol was never designed with security in mind. Instead, it relies on a system of mutual trust, and it has been regularly abused both by nation-state attackers as well as criminals. In the hours before Russia invaded Ukraine, Ukrainian cyber defenders reported seeing BGP hijacking attempts, including against a Ukrainian bank.
The BGPStream open-source framework for analyzing BGP data reported that in the first half of 2020, there were more than over 3,400 outages, of which 23% were "potential" hijacking attempts.
"BGP is totally based upon trust at present, and if that is broken - by mistake or deliberately - then routing can be subverted," says Alan Woodward, a professor of computer science at the University of Surrey. "There are initiatives to try to secure BGP, such as Secure Inter-Domain Routing, but they will take a long time to be universal."
FCC Eyes More Active Role
Would the involvement of government regulators speed industry response?
That's one of the questions underlying the FCC's inquiry into internet global routing system vulnerabilities, which was launched by Chairwoman Jessica Rosenworcel the day after the Russia-Ukraine war began.
In her response to the FCC's call for comment, CISA Director Jen Easterly said that "industry and academics have identified costs, latency issues, lack of widespread commitment to implement measures, and liability concerns as reasons for not implementing solutions."
The time is right for the FCC to lead the charge - in coordination not just with private and public organizations, but also international partners - and push for more rapid improvements, she wrote.
"The threat to BGP security is high, and the current progress in adopting measures to mitigate vulnerabilities lacks the urgency needed to prevent consequences of disruption that could compromise our national security," Easterly said.
University of Surrey's Woodward says the recent moves by the U.S. to accelerate BGP security, including by mandating improvements, "comes as the global geopolitical situation shifts and a wholly trust-based system just is not going to cut the mustard anymore."
Industry Advocates for Voluntary Approach
Broadly, industry groups in their responses to the FCC argue against anything mandatory. Content delivery network provider Cloudflare said adoption of Resource Public Key Infrastructure, or RPKI, by large providers has already reached a point where it's serving as "an effective firewall against spreading BGP incidents," and that "most BGP incidents impact just a handful of networks."
RPKI is one of a number of add-ons that could help better secure BPG. "RPKI provides a secure way to connect internet number resource information, such as IP addresses, to a trust anchor, and it ensures that updates are secure and authentic," Jonathan Sullivan, CTO of NS1, an intelligent DNS and internet traffic management technology company based in New York, has told Information Security Media Group.
Also being implemented: BGP Security, or BGPsec, which "extends the RPKI by adding an additional BGPsec router certificate that binds public and corresponding private keys to validate and protect the routing path," Sullivan said.
BGPsec was first introduced in 2017, but not every organization that routes traffic has adopted it. To be effective, BGPsec must be adopted by a critical mass of global network providers.
Another initiative is the Internet Engineering Task Force's Secure Inter-Domain Routing. It's designed to create infrastructure that would allow an entity "to verifiably assert that it is the legitimate holder of a set of IP addresses or a set of Autonomous System (AS) numbers."
The Internet2 nonprofit computer networking consortium, which counts strong participation from the academic and research community, says in its response to the FCC that there are a number of legal and logistical challenges to implementing improvements such as BGPsec. It also warns that "mandates are unlikely to be helpful in securing more networks and more likely to 'freeze' aspects of an evolving security ecosystem in unhelpful states."
Networking equipment manufacturer Juniper, meanwhile, said that BGPsec deployment costs could be "many millions of dollars" for a large Tier 1 ISP, and that customers might not see such spending as a worthwhile investment.
Instead, the industry tends to favor approaches such as its Mutually Agreed Norms for Routing Security, or MANRS, which is voluntary. Backers include the Internet Society, or ISOC, which is a U.S. nonprofit organization focused on internet standards. In its response to the FCC, ISOC notes that "the BGPsec protocol is unlikely to see wide deployment" and that "existing and emerging technologies show great promise."
Needed: Awareness, Action
Beyond security extensions and protocols, what's also required, Internet2 says, is raising awareness of the importance of internet routing security and developing better tools to help and better transparency - beyond what commercial backbone providers currently offer - to allow users "to fully inspect all of the routing and performance parameters of individual backbone routers." It has also called for the creation of a new service provider framework, akin to the Cloud Security Alliance's Cloud Controls Matrix, "for assessing the routing integrity and security of an organization's network."
CISA's Easterly acknowledged there are hurdles to getting BGP security improvements in place and says there is no one, single solution. But she says there's never been a greater need to coordinate the nation's response and to identify and then pursue needed approaches - potentially including regulation - "to mitigate this critical risk."