Cybersecurity
Regulations would require providers to submit annual reports on risk mitigation.
Image by DALL-E
WASHINGTON, June 7, 2024 – The Federal Communications Commission proposed a new regulation that would seek to mitigate vulnerabilities in the Border Gateway Protocol, the technical protocol that routes information across the internet, through provider reporting at its open meeting on Thursday.
If the rules are adopted, internet service providers would be required to file data on their BGP risk mitigation progress on a quarterly basis. Providers would submit reports to the FCC on what steps they have taken and plan to undertake to mitigate the protocol’s vulnerabilities.
The BGP serves as the backbone technology for routing information across the vast expanse of the internet’s physical and digital infrastructure. It chooses the best route for each packet of data, usually involving hopping between autonomous systems.
However, its design, which is decades-old, does not include security features. BGP national security experts have raised concerns that a bad actor could deliberately falsify BGP reachability information to redirect internet traffic. In doing so, these bad actors can expose Americans’ personal information, enable theft, and disrupt services that support critical services and sectors.
The proposed rulemaking would also require ISPs to prepare and update confidential BGP security risk management plans, which detail how each provider intends to use the Resource Public Key Infrastructure, a critical component of BGP security, at least annually. RPKI allows for validation of a route’s origin.
Only the nine largest ISPs will be required to file public data that would allow the FCC to measure overall industry progress of security measures. Smaller broadband providers will not be required to file plans with the FCC, but would be required to make them available to the agency upon request.
“Today’s proposal would promote more secure internet routing and provide the FCC and its national security partners with up-to-date information on this critical issue,” said the FCC in a statement.
Chairwoman Jessica Rosenworcel advanced the proposal in May. “It is vital that communication over the internet remains secure,” she stated. “Although there have been efforts to help mitigate BGP’s security risks since its original design, more work needs to be done. With this proposal, we would require broadband providers to report to the FCC on their efforts to implement industry standards and best practices that address BGP security.”
The proposal passed unanimously with support from both republican and democrat commissioners. The FCC is seeking comment on these proposals and other measures related to implementing RPKI-based security.
