The FCC voted 5-0 on Thursday to propose action to help protect U.S. communications networks against cyberattacks by improving internet routing security. Broadband providers would be required to create confidential reports on the steps they’ve taken, and plan to undertake, to mitigate vulnerabilities in the Border Gateway Protocol (BGP), according to the Notice of Proposed Rulemaking (NPRM).
BGP is the technical protocol used to route information across the internet.
“We have come to rely on the internet for nearly everything in our lives and ensuring internet traffic is secure is essential. That is where border gateway protocol comes in,” said Chairwoman Jessica Rosenworcel during the vote.
Rosenworcel explained, “BGP manages how packets of data get transmitted between networks. It is central to the global routing system of the internet because it is the protocol that allows independently managed networks to send traffic to one another.”
That means “we all rely on the BGP, every one of us every day. That is true if you are running a small business and using connections to engage with customers and suppliers,” the Chairwoman added.
BGP’s initial decades-old design remains widely deployed today. It doesn’t include security features to ensure trust in the information that is relied on to exchange traffic among independently managed networks on the internet, according to agency officials. BGP national security experts have raised concerns that a bad network actor may deliberately falsify BGP “reachability” information to redirect traffic.
Commissioner Geoffrey Starks said accidental or malicious actions that send erroneous routing traffic information can make networks unavailable, or worse, can be used to redirect traffic to allow for cyberattacks, data theft, or espionage. “Russia took advantage of BGP vulnerabilities to limit access to Twitter as part of its invasion of Ukraine. And China Telecom misdirected 15 percent of the world’s internet traffic, and routed domestic United States internet traffic through China, by hijacking BGP,” he said.
These “BGP hijacks” can expose Americans’ personal information; enable theft, extortion, and state-level espionage; and disrupt services upon which the public or critical infrastructure sectors rely, explains the agency.
Commissioner Brendan Carr also supported the NPRM. “We seek comment on ways we can look at additional flexibility for reporting requirements so BGP can continue to develop and adapt and meet all of the challenges that you indicated that we have seen so far.”
Under the NPRM, the nine largest broadband ISPs would prepare and update confidential BGP security risk management plans at least annually. These plans would detail their progress and plans for implementing BGP security measures that use the Resource Public Key Infrastructure, what the Commission calls a “critical” component of BGP security.
The ISPs would not have to file subsequent detailed plans with the Commission if they met a certain security threshold. They would need to file specific public data on a quarterly basis demonstrating their BGP risk mitigation progress.
Smaller broadband providers would not be required to file their plans with the Commission but rather make them available to the Commission upon request.
By Leslie Stimson, Inside Towers Washington Bureau Chief