FCC Proposes New Obligations on ISPs to Mitigate Risk at Border Gateways

In the forty years I have been covering the telecommunications industry there has never been a year filled with more new regulations propagated by the FCC than this year. Between treating ISPs as public utilities, fighting so-called broadband discrimination, and lately requiring broadband labeling, the Commission continues to hamper investment in the Internet and stymie product innovation. Now, on June 6, 2024, the agency plans to propose its latest ISP requirements. These are intended to reduce the risk of misinformation crossing international borders over the Internet.

The FCC notes that the Internet consists of tens of thousands of interconnected, independently administered networks, and the “Border Gateway Protocol (BGP) is the global inter-domain routing protocol used to exchange reachability information amongst these networks to route traffic across the Internet.” However, the original BGP structure was very lax on security.

BGP’s initial design, which remains widely deployed today, did not include security features to ensure trust in the information that is relied upon to route Internet traffic. As a result, a malicious actor or adversary can exploit BGP’s vulnerabilities and deliberately falsify reachability information to redirect Internet traffic. Such exploits can expose Americans’ personally identifiable information, enable theft, extortion, and state-level espionage, and can disrupt services upon which the public or critical infrastructural sectors rely. (Docket 24-146, FCC Fact Sheet, released May 16, 2024).

For example, Facebook’s five-hour global outage in October 2021 was caused in part by a failure of its BGP routing, which removed routes to its authoritative Domain Name System servers and resulted in more than 1.2 trillion person-minutes of service unavailability.

While the FCC notes that ISPs have taken actions individually to increase border security, it believes that these actions have been insufficient. Thus, in a Notice of Proposed Rulemaking (NPRM) in Docket 24-146 that it will adopt on June 6, 2024, the Commission plans on taking the following steps:

  • Seek to increase the security of the information routed across the Internet by proposing certain obligations on providers of broadband Internet access services (service providers) and their use of the BGP and the Resource Public Key Infrastructure (RPKI). The RPKI helps to create trust in reachability information by enabling cryptographically verifiable associations between specific IP address blocks, or autonomous system numbers (ASNs), and the “holders” of those Internet number resources. Currently, only 22 percent of American networks allow for verification of their routing using the RPKI.
  • Require service providers to prepare and maintain confidential BGP Routing Security Risk Management Plans (BGP Plans) that describe and attest to the specific efforts they have made, and further plans they intend to undertake, to create and maintain Route Origin Authorizations (ROAs) in the RPKI. The BGP Plans, which could be risk-based performance plans, would also have to attest to the extent to which the service provider conducts Route Origin Validation (ROV) filtering at interconnection points with peers and clients. The Plans would also provide goals and timetables for RPKI implementation. Nine large service providers would be required to file initial BGP Plans and resubmit updated versions annually thereafter. Subsequent BGP Plans would not need to be filed by large providers that attest that they are maintaining ROAs covering at least 90 percent of originated routes for IP address prefixes under their control.

The nine service providers would be required to file specific data quarterly to measure progress in ROA registrations and assess the reasonableness of the service provider’s BGP Plan. All plans would be treated as confidential by the Commission.
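To make the ROA and ROV terms above concrete, here is an added example (not from the FCC documents or this article) that classifies announcements with the RFC 6811 origin-validation rules and computes a provider's ROA coverage against the proposed 90 percent mark. It assumes coverage is counted per originated route, which the article does not specify; the prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from typing import NamedTuple

FCC_THRESHOLD = 0.90  # proposed level above which later BGP Plans need not be filed

class ROA(NamedTuple):
    prefix: str      # address block the holder has signed for
    max_length: int  # longest prefix length the holder permits in BGP
    asn: int         # AS authorized to originate the block

def validate_origin(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # some ROA covers this address space
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but no ROA matched: wrong origin AS or too-specific announcement.
    return "invalid" if covered else "not-found"

def roa_coverage(originated: list[tuple[str, int]], roas: list[ROA]) -> float:
    """Share of originated routes that validate as 'valid' (per-route assumption)."""
    states = [validate_origin(p, a, roas) for p, a in originated]
    return states.count("valid") / len(states)

# Constructed sample data: documentation prefixes and AS numbers only.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]
ORIGINATED = [
    ("192.0.2.0/24", 64496),     # valid: exact match
    ("198.51.100.0/25", 64496),  # invalid: longer than max_length 24
    ("2001:db8:1::/48", 64496),  # valid: within max_length 48
    ("203.0.113.0/24", 64496),   # not-found: no ROA registered
]

if __name__ == "__main__":
    for p, a in ORIGINATED:
        print(f"{p:20} AS{a}  {validate_origin(p, a, SAMPLE_ROAS)}")
    cov = roa_coverage(ORIGINATED, SAMPLE_ROAS)
    print(f"coverage {cov:.0%}, meets threshold: {cov >= FCC_THRESHOLD}")
```

A network doing ROV filtering would drop the `invalid` routes at its interconnection points; `not-found` routes are normally still accepted, which is why unregistered prefixes count against coverage without being filtered.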

The nine ISPs covered by this proposal include AT&T, Inc.; Altice USA; Charter Communications; Comcast Corporation; Cox Communications, Inc.; Lumen Technologies, Inc.; T-Mobile USA, Inc.; Telephone & Data Systems (including US Cellular); and Verizon Communications, Inc. These providers are likely to originate routes covering a large proportion of the IP address space in the United States.

The initial BGP plans prepared by service providers other than those listed above would not need to be filed with the Commission but must be made available to FCC staff upon request.

Industry comments on the Commission’s proposals will be due 30 days after the NPRM appears in the Federal Register. Reply comments will be due 45 days after the NPRM appears in the Federal Register.