The Federal Communications Commission is considering requiring broadband providers to improve the cybersecurity of the networks that route traffic around the internet, an issue the FCC and other government agencies have been working on for more than a year.

The proposal would require ISPs to generate confidential reports that would outline what they have done – or plan to do – to strengthen the security of the Border Gateway Protocol (BGP), which are rules that determine the best network routes for transmitting data around the internet.

The problem is that the initial designed for BGP was developed decades ago and doesn’t include what the FCC calls “intrinsic security features” needed to instill trust in the information that is running over the independently managed communications networks. A bad actor could hack into a network and falsely claim ownership of IP addresses or redirect traffic that can then be intercepted or manipulated.

They also could alter the BGP in ways to prevent traffic from reaching the intended target, create false routes or disable valid ones, or divert the traffic through a malicious network. Such schemes can lead to the theft of personal information, extortion, state-level espionage, or the disruption of services, according to the FCC.

Chairwoman Jessica Rosenworcel said it’s taking steps to strengthen the security of networks carrying the internet traffic, noting in a statement that the BGP initially was meant to be short-term solution but has become a lynchpin for worldwide internet communications.

“While BGP has allowed network operators to grow and evolve the modern internet, it was not designed with explicit security features to ensure trust in exchanged information,” Rosenworcel said in statement. “That means bad actors can use this protocol to maliciously misdirect and exploit internet traffic.”

She also said that China Telecom has used BGP vulnerabilities at least six times to misroute U.S. internet traffic.

Little-Known but Critical

In a blog post last year, Rosenworcel and CISA Director Jen Easterly wrote that few people know how much they depend on the BGP, even given its foundational nature for everything from online banking and remote working to telehealth and ecommerce. They said making BGP – and thus communications networks – more secure will require work by both the public and private sectors, pointing to the government’s Security by Design push to have software developers integrating security into their offerings rather than bolting it on a finished product.

“These same principles apply to networking infrastructure and protocols,” Rosenworcel and Easterly wrote. “But here’s the catch: Everyone needs to agree on the networking design elements and implement them correctly and consistently. The designs must be practical, scalable, and secure against the full range of threats.”

They pointed to the work by ISPs and large network operators did to make the routing system more secure, including implementing Resource Key Public Infrastructure (RKPI) – a public database of authenticated BGP routes – and Route Origin Validation and signing onto the Mutually Agreed Norms on Routing Security.

Playing Catch-Up

That said, the United States is trailing other nations in securing the BGP and more needs to be done to catch up, they wrote.

That’s where the latest effort around notifications comes in, according to FCC Commissioner Geoffrey Starks.

“In proposing that ISPs providing broadband Internet access service create BGP security risk management plans, ISPs that otherwise have not yet begun the process to deploy BGP mitigations will do so,” Starks said in a statement. “In proposing to measure RPKI deployment, we will help inform both the private and public sectors about what more needs to be done to secure our networks.”

The proposed requirements would require broadband internet access service providers at least once a year to prepare and update their confidential BGP risk mitigation plans, including their progress implementing RKPI, and the nine largest broadband providers to not only file their confidential plans but also public data that would let the FCC measure how effective their plans are.

Smaller broadband companies would have to make their plans available to the FCC upon request rather than file them with the FCC.

Pushing Back

The agency is looking for public comment on the proposal and other steps related to implementing RPKI-based security, and it’s bound to get some. The FCC in early April released a 435-page draft of a Declaratory Ruling and Order in the Open Internet Proceeding that, in one paragraph, suggested the agency could require service providers to deploy BPG security solutions or establish security requirements to prevent bad actors from hijacking the BGP and redirecting traffic.

In response, the Internet Society and Global Cyber Alliance sent a joint statement to the FCC pushing back at the idea of the agency setting security regulations for the protocol. The Internet Society wrote in an accompanying column that “while the FCC’s motives may be well-intentioned, regulating BGP routing security could have a catastrophic impact on the Internet, not just in the United States but globally.”

A top-down regulatory approach would slow what the organizations said has been “substantial progress” in developing routing security best practices and would make it more difficult for smaller providers to compete and access networks, which would lead to network consolidation. It also could prompt other countries to institute conflicting standards that could further internet fragmentation, degraded internet security, and interoperability issues.