FCC might require telecoms to report on securing internet's BGP technology

The Federal Communications Commission is considering requiring internet service providers to file regular updates with the agency on the efforts to secure Border Gateway Protocol (BGP) — a key component of internet architecture that regulatory agencies have warned lacks sufficient safeguards. 

The BGP behaves like an internet traffic controller, routing data as efficiently as possible. It can get “hijacked,” however, resulting in traffic being diverted to malicious sites.  

“These ‘BGP hijacks’ can expose personal information, enable theft, extortion, and state-level espionage, and disrupt security-critical transactions, including in the financial sector,” the FCC warned last year. 

If approved by the five-member body in June, the proposal by FCC Chairwoman Jessica Rosenworcel on Wednesday would mandate that broadband providers supply regular data on how they are handling BGP security. 

It would require them to develop BGP security plans and to document how they plan to, or are already, using what’s known as the Resource Public Key Infrastructure — a security framework using cryptography created in 2008. 

Nine of the largest providers would need to file their plans with the FCC, as well as quarterly data “that would allow the Commission to measure progress in the implementation of RPKI-based security measures and assess the reasonableness of their BGP Plans.” 

“It is vital that communication over the internet remains secure,” Rosenworcel said in an agency announcement.  “Although there have been efforts to help mitigate BGP's security risks since its original design, more work needs to be done.”

Concerns about BGP security have ramped up in recent years. In February 2022, the FCC first launched an inquiry on the matter, citing specific incidents in which sensitive internet traffic routed through Russian government-controlled telecommunications companies. The Departments of Justice and Defense later endorsed the inquiry, saying “voluntary measures to secure sensitive U.S. data may no longer be sufficient to address this vulnerability.”

The efforts have in the past been met with resistance from telecom companies, including Verizon. 

"Verizon agrees with nearly all other commenters that the global nature of Internet routing means the United States cannot unilaterally solve its inherent security vulnerabilities, and that mandating adoption of any particular set of technologies or standards would be counterproductive or even harmful," the company said in response to last year’s FCC inquiry.