FCC Advances BGP Security Rules for Broadband Providers
Regulatory Body Approves Notice of Proposed Rulemaking Targeting BGP Hijacking
The U.S. Federal Communications Commission is moving forward with security mandates for leading internet providers while targeting major vulnerabilities in the Border Gateway Protocol.
The regulatory body unanimously approved a notice of proposed rulemaking Friday that would require the nine largest U.S. broadband providers to establish confidential BGP security risk management plans. The commission noted that BGP's initial design "remains widely deployed today" but lacks critical security features that help ensure trust in the routing information sent over thousands of complex, independently administered systems across the web.
The confidential security plans must include specific efforts to create and maintain route origin authorizations through Resource Public Key Infrastructure, which adds a layer of public key and certificate infrastructure to internet routing across autonomous systems. Experts have recently warned that hackers target BGP vulnerabilities to disrupt critical services.
The FCC launched an inquiry into BGP security in 2022 after Ukrainian authorities observed an alleged Russian-linked BGP hijacking less than 24 hours before Russian troops invaded the country (see: Regulator Announces Border Gateway Protocol Security Review). BGP is an essential component in facilitating the routing of internet traffic and ensuring data packets are sent to their correct destinations, but wasn't built with global cybersecurity in mind.
The proposed security plans would also be required to provide goals and timetables for RPKI implementation, and must be updated and resubmitted annually under the new rules.
Additional details regarding the confidential plans would remain unknown under the proposed rules, but "the state of an ISP’s routing security, including information about deployment of RPKI, is largely public information," said Alissa Starzak, vice president of public policy for the security firm Cloudflare.
"Because the actions that companies take are public, there is a fair level of public transparency and accountability," Starzak told Information Security Media Group about how the leading broadband providers might go about implementing BGP security.
The proposed rulemaking details how real-life examples of BGP hijacking have resulted in sites like Facebook effectively disappearing from the internet, adding that "the security of BGP is not only critical to public safety but is also critical to national security."
The FCC is also proposing that smaller providers prepare and maintain BGP plans "and make such plans available within 48 hours of a commission request," rather than submitting their plans to the commission annually. The proposed rulemaking notes how smaller service providers "may have relatively fewer in-house resources available than larger Tier 1 providers to secure internet routing."