Written by Douglas C. Sicker
Without the global Internet routing system, you wouldn’t be reading this. You wouldn’t actually do anything online. This routing system keeps the internet running by distributing countless bits of data around the world at all times.
This is why the security of the routing system is essential. It is essential to maintain privacy online and to ensure that your information is not hacked by malicious actors and that the information that a company, critical infrastructure operator or government agency sends and receives is worthy of trust.
At the heart of the Internet’s global routing system is the Border Gateway Protocol, which runs on every network in the world. From time to time, events have occurred in a network operator’s BGP configuration that affect Internet users. Fortunately, most of these incidents appear to be accidental. But others appear to be part of a malicious scheme to disrupt service or achieve nefarious purposes such as spamming or credential theft.
Network operators and hardware manufacturers around the world have worked for a long time to make equipment and routing protocols as secure as possible. Persistent system vulnerabilities do not result from backdoors in code or devices requiring patching, but rather from systemic weaknesses in assessing the validity of information and how it is intended to propagate.
Earlier this year, the FCC opened a notice of investigation questioning network operators’ efforts to secure routing infrastructure, while also calling for comment on its authority to regulate Internet routing security measures. . The commission singled out Moscow as one of the main adversaries in cyberspace poised to exploit router vulnerabilities, noting that “Russian network operators have been suspected of exploiting BGP’s vulnerability to hacking, including cases in which traffic was redirected via Russia without explanation”.
While this is a real and pressing concern, a push for safety regulation by federal agencies, including the FCC, Department of Justice, and Department of Defence, results in the kind of highly secure digital ecosystem that we all hope to maintain.
The network landscape today is different from when BGP was first implemented in the early 1990s. Of course, the risks facing the modern Internet are very different due to an increase in complexity and scale, the rise of cybercrime, cyberconflicts between nation states and many other threats. Additionally, the global Internet routing system is highly interconnected and spans many jurisdictions around the world.
Since its early use, the companies and organizations that make today’s web function have worked hard to ensure that BGP and routing security measures have evolved and kept pace to meet recent security challenges. . But, put simply, routing security incidents do not pose an immediate existential threat to the Internet.
Industry groups want to work with the government on this issue and have long coordinated with agencies such as the National Institute of Standards and Technology on BGP Security. In its comments to the FCC, the National Telecommunications and Information Administration stressed the need for continued cooperation, but warned that a move toward regulating an issue that involves stakeholders around the world sends a disturbing message.
“The success of the internet over time is a testament to the wisdom of the multi-stakeholder approach, which the Biden administration reaffirmed last month in the Declaration for the Future of the Internet,” the NTIA wrote to the FCC. “Contrary to this view, authoritarian governments have sought and continue to seek to establish intergovernmental control over Internet standards and governance in multilateral forums. The Commission’s regulation of Internet Routing could set a damaging precedent for international Internet regulation, contrary to ongoing US government policy.
The NTIA is not alone in its refusal. Last week, the Broadband Internet Technical Advisory Group Technical Working Group weighed in and released a detailed report outlining the work already done to address routing security and the risks of unnecessary federal regulation.
As the BITAG report points out, federal regulation could impede real progress in improving routing security. In fact, it may lock out deprecated methods. When deploying new technical standards, new operational factors will often emerge as the system develops. These considerations were often not anticipated during the development process and this adaptability is essential to the basis of the multi-stakeholder standards process Internet and industry has taken to address routing security. Prescriptive regulation threatens this progress.
Does this mean that federal policymakers should sit back and not be involved in the work for updates and durable protections? Of course not. Instead, policy makers should engage the industry early and often when seeking to encourage improvements in routing security. Setting goals rather than specifying technologies is a better tactic when working in a dynamic ecosystem.
A critical area that policy makers should prioritize and which would provide excellent service to industry is funding long-term monitoring programs needed to understand the routing and effects of changes over time. The programs that exist that have largely enabled much of the progress made to date are the result of community goodwill and collective contribution. Strengthening this foundation through funding can help ensure the continued availability of longitudinal data on the global Internet routing system.
Routing security is not something that can be solved overnight. It is time to strengthen coordination between stakeholders and policy makers. Otherwise, we will jeopardize decades of progress.
Dr. Douglas C. Sicker is the Executive Director of the Broadband Internet Technical Advisory Group.
#Regulation #wont #solve #Internet #routing #security