US ‘lagging behind’ on Border Gateway Protocol security practices, CISA and FCC chiefs say
The U.S. government is lagging behind other countries in instituting more stringent cybersecurity measures governing Border Gateway Protocol (BGP) – a set of technical rules responsible for routing data efficiently.
BGP is one of the most important facets of the internet, serving as the underpinning for everyday actions like banking, telemedicine visits and more. This week, FCC Chairwoman Jessica Rosenworcel and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly convened a meeting of senior government officials, internet service providers (ISPs), cloud content providers and nonprofits to discuss needed BGP security improvements that are underway and planned.
In a blog post, Easterly and Rosenworcel said they “fully acknowledge that the U.S. government is lagging behind on BGP security practices, and CISA is working hard to improve this, collaborating with the Office of the National Cyber Director and the Office of Management and Budget to chart a clear path toward cleaning up BGP security practices among all federal agencies.”
“For its part, CISA is also working to improve data collection to more fully understand the risks of BGP vulnerabilities, as well as to help network operators respond to route leaks and BGP hijacks more quickly,” the two said.
Last February, the FCC launched an inquiry into the security risks posed by BGP vulnerabilities, including how to identify and quantify these cybersecurity incidents, industry’s present and future implementation of BGP security measures, and the FCC’s role in mitigating routing vulnerabilities.
By September, both the Justice Department and Defense Department had joined the inquiry due to concerns about telecommunications giants in other countries – namely China and Russia – abusing BGP to re-route and capture U.S. internet traffic.
Russia was accused of exploiting BGP vulnerabilities in attacks on Ukrainian banks last year. Russia also said the U.S. and Ukraine were doing the same thing to them.
In September, the Justice Department said BGP vulnerabilities were used to facilitate China Telecom America’s ability to misroute U.S. internet traffic to the People’s Republic of China (PRC).
“As an entity under the control of the PRC government, China Telecom’s exploitation of BGP vulnerabilities provided a foreign adversary of the United States with opportunities to disrupt, capture, examine and alter U.S. traffic,” the Justice Department said. “The nation’s longstanding reliance upon voluntary measures to secure sensitive U.S. data may no longer be sufficient to address this vulnerability.”
Other countries are already taking steps to secure BGP. In April, the Netherlands mandated that all government servers there use a new standard – called Resource Public Key Infrastructure (RPKI) – to cryptographically sign BGP routes and help prevent BGP leaks.
‘Expediency, not security’
The meeting held this week featured officials from the Office of the National Cyber Director, the National Institute of Standards and Technology, the Office of the Director of National Intelligence, the Department of Justice and the National Telecommunications and Information Administration in addition to industry stakeholders.
One of the main goals of the meeting was to understand what can and should be done to accelerate progress in both the near term and beyond.
“This week’s workshop offered an opportunity to build on the FCC’s work with ISPs over the past year to better understand the security vulnerabilities within the BGP system and how to best reduce these risks,” Rosenworcel and Easterly said.
“Discussions focused on concrete steps stakeholders can take to enhance Internet traffic routing security; additional efforts the FCC should consider to protect the nation’s communications networks from vulnerabilities posed by BGP; and how government and industry can work together more effectively to facilitate the implementation of industry standards and best practices to mitigate the potential harms posed by these vulnerabilities.”
Disruptions to BGP can have serious implications on the systems U.S. residents rely on every day, the two explained, noting a range of critical services built on top of BGP – including online education, emergency services, financial tools and manufacturing.
BGP was initially designed in 1989 but Easterly and Rosenworcel noted that it was designed for “expediency, not security” and does not include “explicit security features to ensure trust in exchange of information.”
The hijacking of this kind of traffic can result in the exposure of sensitive personal information and facilitate information theft, extortion and espionage. These security gaps allow hackers to essentially redirect traffic – something state-level actors in Russia and China have been accused of doing for years.
The two added that ISPs are already hard at work on laying the foundation for more secure systems, including implementing Resource Public Key Infrastructure and other tools like Route Origin Validation.
Large telecoms have at times balked at the FCC’s demands for BGP-related cybersecurity efforts. Verizon and lobbying organizations have argued the FCC does not have the legal authority to mandate rules in this domain.
"Verizon agrees with nearly all other commenters that the global nature of Internet routing means the United States cannot unilaterally solve its inherent security vulnerabilities, and that mandating adoption of any particular set of technologies or standards would be counterproductive or even harmful," Verizon said in response to last year’s FCC inquiry.
"The record here overwhelmingly confirms that service providers need the flexibility to determine the right set of tools and practices to secure their own operations, and that it would be potentially highly problematic for the commission to impose prescriptive approaches to routing security."
Jonathan Greig