Just days after Russia invaded Ukraine earlier this year, cybersecurity experts reported hacks against a number of targets in Ukraine, including a Ukrainian bank. The attacks used weaknesses in Border Gateway Protocol (BGP) technology, which is a basic routing protocol used to exchange information among various networks on the Internet.
In response, just days after Russia's invasion began, the FCC opened an inquiry into how it might better secure the technology. "BGP's initial design, which remains widely deployed today, does not include explicit security features to ensure trust in this exchanged information. As a result, a bad network actor may deliberately falsify BGP reachability information to redirect traffic," the FCC warned. The situation, according to the FCC, could impact Americans' email, bank transactions and 911 calls, among other online activities.
Now, debate over the issue is pitting top federal cybersecurity experts against some of the biggest Internet service providers (ISPs) in the US, including Verizon and Fastly. At the heart of the issue is whether the US government should require BGP security updates across US and international networks, or whether it should continue to rely on telecom companies to essentially police themselves.
In a new filing to the FCC, the US Department of Justice (DoJ) and the US Department of Defense (DoD) warned of serious security holes in BGP.
"BGP vulnerabilities put US-person data and communications (including government communications) at risk of theft, espionage, and sabotage by foreign adversaries, both directly and through third parties. These are not hypothetical concerns," the two agencies wrote in a joint filing.
Indeed, they pointed to several instances, stretching from 2010 to 2019, where China Telecom Americas (CTA) routed US traffic into China. Other companies and agencies cited similar BGP hacks, including one instance earlier this year where cyber attackers used a BGP hack to steal approximately $2 million worth of cryptocurrency from users of the Korean crypto exchange KLAYswap.
In their filing to the FCC, the DoJ and DoD acknowledged a number of proposals intended to enhance the security around BGP. Such technologies range from Resource Public Key Infrastructure (RPKI) to the Internet Society's Mutually Agreed Norms for Routing Security (MANRS) to the BGPsec upgrade.
Broadly, though, the DoJ and DoD argued that such security improvements to BGP haven't been implemented widely enough to make a difference.
"In short, inconsistent approaches to BGP security – of whatever kind and for whatever reason – makes protecting US-person data that much harder in the ever-changing national security landscape," they wrote. "We believe that it is time to consider tackling this with comprehensive, industry-wide solutions rather than on a case-by-case basis."
The comments from the DoD and DoJ largely dovetail with an earlier filing from the Cybersecurity and Infrastructure Security Agency (CISA), an agency of the US Department of Homeland Security.
A fear of mandates
That kind of approach clearly rankles many of the nation's biggest telecom companies.
"Verizon agrees with nearly all other commenters that the global nature of Internet routing means the United States cannot unilaterally solve its inherent security vulnerabilities, and that mandating adoption of any particular set of technologies or standards would be counterproductive or even harmful," the company wrote in its own filing.
Broadly, Verizon argued it has worked to secure its network operations, and that the FCC and other US agencies should play a supportive role to industry-led security efforts.
"The record here overwhelmingly confirms that service providers need the flexibility to determine the right set of tools and practices to secure their own operations, and that it would be potentially highly problematic for the commission to impose prescriptive approaches to routing security," Verizon wrote.
"While Fastly applauds the FCC for drawing attention to this issue, and encourages the commission to support secure routing technology adoption, it would be premature for any regulator to attempt to impose mandates for particular technological solutions," Fastly wrote.
Indeed, the USTelecom lobbying association – which represents many of the nation's largest Internet providers – argued that the FCC doesn't have the legal authority to impose detailed security mandates on BGP technologies.
Another issue raised in a number of comments: the cost of implementing new security protocols. As noted by GovInfoSecurity, network equipment vendor Juniper Networks argued that it might cost a large ISP "many millions of dollars" to fully deploy the BGPsec upgrade.