With War Raging, FCC Seeks to Stop Cyberattacks on America

By: Andrew Regitsky

The Russian invasion of Ukraine has heightened fears that Russia will retaliate for the economic sanctions the United States is imposing by unleashing a cyberattack on America. Last week, the Department of Defense warned U.S. companies and organizations that such an attack was possible, even likely. In response, the FCC immediately released a Notice of Inquiry (NOI) in Docket 22-90 aimed at protecting our communications networks. The NOI seeks industry comment on vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP), which is central to the Internet's global routing system. It will also examine the impact of these vulnerabilities on the transmission of data through email, e-commerce, bank transactions, interconnected Voice-over Internet Protocol (VoIP), and 911 calls, and how best to address these challenges.

FCC Chairwoman Jessica Rosenworcel described the problem our networks are facing with the Border Gateway Protocol:

BGP is the routing protocol used to exchange reachability information among independently managed networks on the Internet. BGP’s initial design, which remains widely deployed today, does not include explicit security features to ensure trust in this exchanged information. As a result, a bad network actor may deliberately falsify BGP reachability information to redirect traffic. Russian network operators have been suspected of exploiting BGP’s vulnerability to hijacking in the past. “BGP hijacks” can expose Americans’ personal information, enable theft, extortion, and state-level espionage, and disrupt otherwise-secure transactions. (FCC February 25, 2022, News Release).

Russian network operators have already been suspected of redirecting traffic through Russia without explanation. For example, in late 2017 traffic sent to and from Google, Facebook, Apple and Microsoft was briefly routed through an Internet service provider in Russia. That same year, traffic to several financial institutions, including MasterCard and Visa, was also routed through a Russian government-controlled telecommunications company under "unexplained" circumstances. Both incidents illustrate the weakness the Chairwoman describes: a BGP speaker announces a prefix, or a more specific slice of it, that it is not authorized to originate, and neighboring networks accept the announcement because nothing in the protocol itself checks it. And while this NOI focuses on Russia, we cannot ignore the danger coming from other bad actors, such as China and Iran.
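The NOI later asks what measures industry has deployed to secure BGP and names NIST's RPKI Monitor among the detection tools. The most widely deployed countermeasure to the hijacks described above is RPKI route origin validation (ROV, RFC 6811): a router compares each received announcement's prefix and origin AS against Route Origin Authorizations (ROAs) published by the prefix holders. The following Python script is an added example written for this article, not code from the FCC, NIST, or any network operator. The ROAs, prefixes (RFC 5737/3849 documentation space) and AS numbers (64496 to 64666, from the documentation range) are all constructed for illustration; the `validate`, `classify_updates` and `accept` functions are hypothetical names chosen here. It shows how a forged-origin announcement and an over-specific announcement both come back `invalid`, while a prefix with no ROA at all is merely `not_found` and still accepted under the usual policy.

```python
"""RFC 6811 route origin validation against a local ROA set (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

# The three validation states defined in RFC 6811 section 2.
VALID, INVALID, NOT_FOUND = "valid", "invalid", "not_found"

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: `asn` may originate `prefix` and any
    more specific prefix no longer than `max_length`."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
    ROA("2001:db8::/32", 48, 64496),
)


def _covering_roas(announced: Network, roas: Iterable[ROA]) -> List[ROA]:
    """Return the ROAs whose prefix contains the announced prefix.
    Address families must match; an IPv4 ROA never covers an IPv6 route."""
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            found.append(roa)
    return found


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA] = SAMPLE_ROAS) -> str:
    """Classify a (prefix, origin AS) pair the way an ROV-capable router does.

    valid     -> a covering ROA names origin_asn and permits this prefix length
    invalid   -> covering ROAs exist but none matches (wrong origin or too long)
    not_found -> no ROA covers the prefix, so RPKI says nothing about it
    """
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = _covering_roas(announced, roas)
    if not covering:
        return NOT_FOUND
    for roa in covering:
        # An AS 0 ROA (RFC 6483) authorises nobody, so it can only yield INVALID.
        if roa.asn != 0 and roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def classify_updates(updates: Iterable[Tuple[str, int]],
                     roas: Iterable[ROA] = SAMPLE_ROAS) -> List[Tuple[str, int, str]]:
    """Validate a batch of (prefix, origin AS) announcements."""
    return [(prefix, asn, validate(prefix, asn, roas)) for prefix, asn in updates]


def accept(state: str, drop_not_found: bool = False) -> bool:
    """Common operator policy: drop INVALID, accept VALID, and accept NOT_FOUND
    because most address space still has no ROA at all."""
    if state == VALID:
        return True
    if state == NOT_FOUND:
        return not drop_not_found
    return False


if __name__ == "__main__":
    # Constructed announcements mimicking the hijack patterns described above.
    sample_updates = [
        ("192.0.2.0/24", 64496),       # legitimate origin
        ("192.0.2.0/24", 64666),       # same prefix, forged origin AS
        ("198.51.100.0/25", 64497),    # more specific, but within maxLength
        ("198.51.100.128/26", 64497),  # right AS, longer than maxLength allows
        ("198.51.100.0/26", 64666),    # more-specific hijack from a wrong AS
        ("203.0.113.0/24", 64666),     # no ROA covers it
        ("2001:db8:1::/48", 64496),    # IPv6 route covered by the /32 ROA
    ]
    for prefix, asn, state in classify_updates(sample_updates):
        print(f"{prefix:<22} AS{asn:<6} {state:<9} accept={accept(state)}")
```

Two caveats matter in practice. First, ROV only checks the origin AS: an attacker who announces the victim's prefix with the legitimate origin AS appended to the end of a forged AS path passes validation, which is why BGPsec and ASPA are discussed as follow-on measures. Second, the `not_found` case is where most of the Internet still sits, so the protection is only as good as the fraction of prefixes whose holders have published ROAs.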

Therefore, to protect our networks, the Commission seeks answers to the following questions:

To better understand the BGP ecosystem, the Commission asks to what extent ISPs, public Internet exchange providers, and providers of interconnected VoIP service have deployed BGP routers in their networks; whether content delivery networks and cloud service providers operate BGP routers as well; and what other types of entities operate BGP routers.

What threats to Internet routing should the Commission consider within the scope of this inquiry in addition to BGP hijacking? For example, to what extent could BGP security measures prevent pervasive monitoring?

Does the industry have defined metrics for identifying BGP routing security incidents and for quantifying their scope and impact?

To what extent are available tools, such as NIST’s RPKI Monitor, Automatic and Real-Time dEtection and Mitigation System (ARTEMIS), BGPstream, BGPMon, Kentik, and Traceroute, able to rapidly and accurately detect BGP hijacks or router misconfigurations? To what extent do these tools distinguish malicious routing changes from accidental ones? Do artificial intelligence and machine learning tools promise advancements in this area?

What security measures have been developed and deployed by industry to secure BGP?

What steps could the Commission, in coordination with other federal agencies, take to prevent BGP hijacking or otherwise promote secure Internet routing?

What legal authority does the Commission have to help U.S. network operators deploy BGP security measures? How can the Commission be most helpful?

What are the one-time and ongoing costs of implementing the BGP security measures discussed herein? How should these costs be paid for?

Industry comments are due 30 days after the NOI appears in the Federal Register. Unfortunately, any security improvements are months if not years away. Perhaps there should be an investigation to determine why the Commission did not act sooner to boost network security!