Few people realize how much they depend on the Border Gateway Protocol (BGP) every day—a set of technical rules responsible for routing data efficiently. But as we’ve come to rely on the Internet for nearly every facet of our lives, disruptions to BGP can have serious implications for the critical services Americans rely on every day.
For example, small business owners depend on BGP when they are using connections to engage with customers and suppliers. Nearly everyone relies on BGP for banking online, and many have had a telemedicine session with a healthcare provider or use it for other daily activities like online education. In all these instances, BGP is in the background, helping connect our critical infrastructure, supporting emergency services, keeping the financial sector running, and shoring up manufacturing.
However, BGP was designed for expediency, not security. BGP does not include explicit security features to ensure trust in exchange information. As a result, an adversary may deliberately falsify BGP reachability information to redirect traffic, and state-level actors have been suspected over the years of exploiting BGP’s vulnerability to hijacking. These “BGP hijacks” can expose personal information, enable theft, extortion, and state-level espionage, and disrupt security-critical transactions, including in the financial sector.
To move forward, all stakeholders from the private and public sectors must work together to make Internet routing more secure. This is why last year the Federal Communications Commission (FCC) launched an inquiry seeking input on the security risks posed by BGP’s vulnerabilities, including how to identify and quantify these cybersecurity incidents, industry’s present and future implementation of BGP security measures, and the Commission’s role in mitigating routing vulnerabilities.
And that’s why the FCC and the Cybersecurity and Infrastructure Security Agency (CISA) convened a workshop this week with federal partners from the Office of the National Cyber Director, the National Institute of Standards and Technology, the Office of the Director of National Intelligence, the Department of Justice and the National Telecommunications and Information Administration, in addition to representatives from industry, including Internet Service Providers (ISPs) and cloud content providers, and nonprofits. The goal of this workshop was to develop a common understanding of the latest BGP security improvements that are underway and planned—and what can and should be done to accelerate progress in both the near term and beyond.
At the end of the day, we need to understand where we are now to determine where to go next. This week’s workshop offered an opportunity to build on the FCC’s work with ISPs over the past year to better understand the security vulnerabilities within the BGP system and how to best to reduce these risks. Discussions focused on concrete steps stakeholders can take to enhance Internet traffic routing security; additional efforts the FCC should consider to protect the nation’s communications networks from vulnerabilities posed by BGP; and how government and industry can work together more effectively to facilitate the implementation of industry standards and best practices to mitigate the potential harms posed by these vulnerabilities.
Working together on BGP security is a great example of the broader U.S. government approach at the core of the recently released National Cybersecurity Strategy to create technology products that are Secure by Design. This means that strong security should be baked in, not bolted on, with software manufacturers ensuring that every technology product is purposefully developed, built, and tested to significantly reduce the number of exploitable flaws before they are introduced into the market for broad use.
These same principles apply to networking infrastructure and protocols. But here’s the catch: Everyone needs to agree on the networking design elements and implement them correctly and consistently. The designs must be practical, scalable, and secure against the full range of threats. And each software manufacturer must implement these designs knowing how past compromises have worked, and how our most advanced adversaries will up their game. On a regular basis, we see repeated software engineering mistakes—an example of why effective and consistent implementation of identified solutions must be a priority.
We applaud the many large network operators and ISPs who have stepped up and undertaken vitally important efforts to lay the foundations for a more secure routing system, including dedicating resources and expertise to implementing Resource Key Public Infrastructure and Route Origin Validation. More and more network operators are signing up to the Mutually Agreed Norms on Routing Security as well.
However, there is more we can—and must—do to make the Internet more secure. We need to ensure that all network operators—not just the largest—follow suit. This will require assistance from some of our larger industry partners who are well-versed in how to implement these measures to help demonstrate the business case for others to follow in their footsteps. And network edge providers must send a clear signal to their ISP about the importance of BGP security and the implementation of Route Origin Validation. We stand ready to support the development of industry commitments to quickly adopt critical measures to make BGP more secure.
Second, some of the most important steps toward BGP security must be accomplished at the network edge. In this context, Chief Information Officers and Chief Information Security Officers play an important role. They need to send clear demand signals to their ISPs about the importance of BGP security, to include whether they are implementing Route Origin Validation.
Finally, we fully acknowledge that the U.S. government is lagging behind on BGP security practices, and CISA is working hard to improve this, collaborating with the Office of the National Cyber Director and the Office of Management and Budget to chart a clear path toward cleaning up BGP security practices among all federal agencies. For its part, CISA is also working to improve data collection to more fully understand the risks of BGP vulnerabilities, as well as to help network operators respond to route leaks and BGP hijacks more quickly.
BGP security is a global problem that requires a community solution, and we look forward to continuing our partnership and making real progress in the coming year. Securing BGP is about a more secure Internet for all of us—and that’s an effort that we can all rally behind.