FCC wants rules for ‘most important part of the internet you’ve probably never heard of’
The Federal Communications Commission is set to vote Thursday on restoring landmark net neutrality rules that the commission says will strengthen its footing to write more cybersecurity regulations, but industry and some cyber-focused organizations have warned that those potential new rules could lead to less security, not more.
As part of its bid to reinstate the net neutrality rules, the FCC envisions being better positioned to take action to protect what FCC Chairwoman Jessica Rosenworcel and Cybersecurity and Infrastructure Security Agency Director Jen Easterly described in a blog post last year as “the most important part of the internet you’ve probably never heard of” — the Border Gateway Protocol, or BGP.
BGP is a set of technical rules for internet data routing, and Rosenworcel and Easterly argued last year that the U.S. is “lagging behind” on BGP security.
“BGP does not include explicit security features to ensure trust in exchange information,” they wrote. “As a result, an adversary may deliberately falsify BGP reachability information to redirect traffic, and state-level actors have been suspected over the years of exploiting BGP’s vulnerability to hijacking. These ‘BGP hijacks’ can expose personal information, enable theft, extortion, and state-level espionage, and disrupt security-critical transactions, including in the financial sector.”
The FCC first raised the possibility of regulations on BGP in 2022, and discussed it again in the net neutrality rule it released April 4.
“The Commission could consider requiring service providers to deploy solutions to address BGP vulnerabilities, such as BGP hijacks,” the FCC wrote in the proposed April rule. “The agency could also consider establishing cybersecurity requirements for BGP, including ‘security features to ensure trust in the information that it is used to exchange,’ which could prevent bad actors from ‘deliberately falsify[ing] BGP reachability information to redirect traffic to itself or through a specific third-party network, and prevent that traffic from reaching its intended recipient.’”
When the FCC first contemplated regulations on BGP two years ago, USTelecom — which represents companies like Verizon and AT&T — suggested that the FCC’s claims to regulatory authority on the matter were legally dubious.
The FCC wrote in the April 4 document that acting on net neutrality would put the agency “in a stronger position to address vulnerabilities threatening the security and integrity of the Border Gateway Protocol.”
But some question the wisdom of FCC regulations on BGP. The Internet Society, a nonprofit that advocates for an open and secure internet, and the Global Cyber Alliance, a nonprofit focused on reducing cyber risk, recently wrote to the FCC to raise their concerns.
“If the FCC were to proceed and issue regulations about how to address certain security threats, those regulations would stay static,” said John Morris, principal on U.S. internet policy and advocacy at the Internet Society. “Providers would comply with those regulations, and they perhaps would not do anything more than that.”
The Global Cyber Alliance leads an international voluntary industry initiative known as the Mutually Agreed Norms for Routing Security, once led by the Internet Society. “We too would like a secure routing system,” said Leslie Daigle, chief technology officer at the Global Cyber Alliance. “It would be great to see more support for the industry-led effort to achieve that end rather than having to regulate it.”
The two groups also worry that other countries could respond to the FCC action by producing conflicting standards that would fragment the internet, leading to further security risks.
That position also reflects industry concerns about BGP regulation that surfaced when the FCC began exploring the issue in 2022.
“Verizon agrees with nearly all other commenters that the global nature of Internet routing means the United States cannot unilaterally solve its inherent security vulnerabilities, and that mandating adoption of any particular set of technologies or standards would be counterproductive or even harmful,” the company wrote.
Under the Biden administration, a bevy of agencies have produced cybersecurity regulations and directives, but many of those are focused on high-risk targets within a given industry. FCC regulations could impact thousands of internet service providers and networks, Morris said.
Despite the private sector’s skepticism, federal agencies appear to mostly back the FCC’s approach. In 2022, multiple agencies signaled support for the FCC’s efforts to secure BGP.
“We understand that the global nature of the internet increases the challenges associated with making BGP more secure,” the Justice and Defense departments wrote in a joint filing. “From a national security perspective, however, we believe that establishing an industry-wide baseline of BGP security measures would go a long way towards protecting the transmission of U.S.-person data and communications in a constantly changing threat environment. The status quo has not achieved — and cannot achieve — that objective.”
The FCC also suggested that reinstating net neutrality rules could help it take action to address security threats related to the Domain Name System. The Internet Society and Global Cyber Alliance said they’d have similar doubts about the FCC doing so.
Multiple industry groups did not respond to requests for comment on the FCC’s comments about BGP regulation in the April 4 document. The FCC did not respond to requests for comment on the concerns from industry and others.
More broadly, the FCC has made cybersecurity a small part of its pitch for reinstating net neutrality. Some have also questioned other elements of the FCC’s cybersecurity pitch, such as whether it would empower the commission to go after broadband service providers it sees as security risks.