Regulation won’t fix internet routing security
Without the global internet routing system, you wouldn’t be reading this. You wouldn’t be doing anything online, actually. That routing system enables the internet to function by distributing countless bits of data around the world at a moment’s notice.
That’s why routing system security is essential. It’s critical to maintaining privacy online and making sure your information isn’t hijacked by malicious actors and that the information a business, critical infrastructure operator or government agency sends — and receives — is trustworthy.
At the heart of the global internet routing system is the Border Gateway Protocol, which runs across all the networks in the world. From time to time, there have been occurrences in a network operator’s BGP configuration that have consequences for internet users. Thankfully, most of these incidents appear to be accidental. But others do seem likely part of some malicious scheme to disrupt service or help achieve nefarious objectives such as spamming or credential theft.
Network operators and hardware manufacturers globally have long worked to make routing equipment and protocols as secure as possible. Persistent vulnerabilities in the system aren’t the result of backdoors in code or devices that need patching but instead systemic weaknesses in assessing the validity of the information and how it is intended to propagate.
Earlier this year, the FCC opened a Notice of Inquiry questioning network operators’ efforts to secure routing infrastructure, while also calling for comment on its authority to regulate internet routing security measures. The commission pointed to Moscow as one of the main adversaries in cyberspace poised to exploit router vulnerabilities, noting that “Russian network operators have been suspected of exploiting BGP’s vulnerability to hijacking, including instances in which traffic has been redirected through Russia without explanation.”
Even though that’s a real and pressing concern, a push for routing security regulation from federal agencies including the FCC, Department of Justice and Department of Defense is unlikely to result in the sort of highly secure digital ecosystem that we’re all hoping to maintain.
Today’s network landscape is unlike it was at the time when BGP was first implemented in the early 1990s. Of course, the risks facing the modern internet are vastly different due to an increase in complexity and scale, the rise of cybercrime, nation-state cyberconflicts and many other threats. Additionally, the global internet routing system is highly interconnected and spans many jurisdictions across the globe.
Since its early use, the companies and organizations that make today’s web function have worked hard to ensure BGP and routing security measures have evolved and kept pace to meet recent security challenges. But, simply put, routing security incidents are not an immediate existential threat to the internet.
Industry groups want to work with the government on this issue and have long coordinated with agencies such as the National Institute for Standards and Technology on BGP security. In its comments to the FCC, the National Telecommunications and Information Administration emphasized the need to continue this cooperation but warned that a move toward regulation of an issue that involves stakeholders around the world sends a troubling message.
“The Internet’s success over time is testament to the wisdom of the multistakeholder approach, which the Biden Administration reaffirmed last month in the Declaration for the Future of the Internet,” NTIA wrote to the FCC. “In contrast to this vision, authoritarian governments have sought and continue to seek to establish intergovernmental control over Internet standards and governance in multilateral fora. Regulation by the Commission over Internet routing could set a damaging precedent in support of international Internet regulation, in contrast to standing USG policy.”
NTIA is not alone in their pushback. Just the other week, the Broadband Internet Technical Advisory Group Technical Working Group weighed in and released a detailed report outlining the work being done already to address routing security and the risks of unnecessary federal regulation.
As the BITAG report points out, federal regulation could damage actual progress on enhancing routing security. In fact, it runs the risk of locking in outdated methods. While deploying new technical standards, often new operational factors will come up as the system grows in scale. These considerations were often not foreseen during the development process and this adaptability is critical to the internet’s foundation of multistakeholder standards process and the industry has taken to address routing security. Prescriptive regulation threatens this progress.
Does this mean that federal policymakers should take a back seat and not be involved in working toward sustainable updates and protections? Of course not. Rather, policymakers must engage the industry early and often when looking to encourage routing security enhancements. Setting goals rather than specifying technologies is a better tactic when working in a dynamic ecosystem.
A critical area that policymakers should prioritize and would provide a great service to the industry is in the funding of long-term monitoring programs needed to understand routing and effects of changes over time. The programs that exist and have significantly enabled much of the progress so far are the result of communal goodwill and collective contribution. Bolstering this foundation through funding can help ensure the persistent availability of longitudinal data about the global internet routing system.
Routing security is not something that is solved overnight. It’s time for closer coordination between stakeholders and policymakers. Otherwise, we put decades of progress at risk.
Dr. Douglas C. Sicker is the executive director of the Broadband Internet Technical Advisory Group.