Regulation Won’t Fix Internet Routing Security –

Written by Douglas C. Sicker

Without the global internet routing system, you wouldn’t be reading this. You wouldn’t do anything online, actually. That routing system allows the internet to function by distributing countless bits of data around the world in a snap.

This is why routing system security is essential. It is imperative to maintain online privacy and ensure that your information is not hijacked by malicious actors and that information sent to and received from a business, critical infrastructure operator or government agency is trustworthy.

At the heart of the global Internet routing system is the Border gateway protocol, which crosses all networks in the world. From time to time, events have occurred in a network operator’s BGP configuration that have consequences for Internet users. Fortunately, most of these accidents they appear to be accidental. But others seem likely to be part of a malicious scheme to disrupt service or help achieve nefarious goals like spamming or credential theft.

Network operators and hardware manufacturers around the world have worked hard to make routing equipment and protocols as secure as possible. Persistent vulnerabilities in the system are not the result of backdoors in code or devices in need of patching, but rather of systemic weaknesses in evaluating the validity of information and how it is intended to propagate.

Earlier this year, the FCC opened a Notice of inquiry question network operators’ efforts to secure routing infrastructure, while also asking for comment on its authority to regulate Internet routing security measures. The commission named Moscow as a major adversary in cyberspace poised to exploit router vulnerabilities, noting that “Russian network operators have been suspected of exploiting BGP’s vulnerability to hijacking, including cases where traffic was redirected through Russia without explanation”.

While this is a real and urgent concern, a push for routing security regulation by federal agencies including the FCC, Department of Justice, and Department of Defense is unlikely to result in the kind of highly secure digital ecosystem that everyone we hope to keep.

Today’s network landscape is different from what it was then BGP was first implemented in the early 1990s. Of course, the risks to the modern internet are very different due to the increase in complexity and scale, the increase in cybercrime, nation-state cyber conflicts and many other threats. Furthermore, the global Internet routing system is highly interconnected and covers many jurisdictions around the world.

Since its first use, the businesses and organizations that make today’s web work have worked hard to ensure that BGP and routing security measures evolve and keep pace to address recent security challenges. But, simply put, routing security incidents are not an immediate existential threat to the Internet.

Industry groups want to work with the government on this issue and have long coordinated with agencies like the National Institute for Standards and Technology on BGP security. In his comments to the FCCThe National Telecommunications and Information Administration stressed the need to continue this cooperation, but warned that a move toward regulating an issue involving stakeholders around the world sends a troubling message.

“The success of the internet over time is testament to the wisdom of the multistakeholder approach, which the Biden administration reiterated last month in Statement for the future of the Internet,” NTIA wrote to the FCC. “In contrast to this view, authoritarian governments have tried and continue to try to establish intergovernmental control over Internet standards and governance in multilateral forums. The Commission’s regulation of Internet routing could set a harmful precedent in support of international regulation of the Internet, at odds with the USG’s permanent policy.

NTIA is not alone in their pushback. Just the other week, the Technical Working Group of the Broadband Internet Technical Advisory Group evaluated and released a detailed report outlining the work already being done to address route safety and the risks of unnecessary federal regulation.

As the BITAG report points out, federal regulation could harm actual progress in improving route safety. In fact, it runs the risk of blocking outdated methods. When implementing new technical standards, new operational factors often emerge as the system grows in scale. These considerations were often not anticipated during the development process, and this adaptability is critical to the foundation of the multistakeholder standards process the Internet and the industry has taken to address routing security. Prescriptive regulation threatens this progress.

Does this mean that federal policy makers should take a back seat and not get involved in working towards sustainable upgrades and protections? Obviously not. Rather, policymakers need to engage industry upfront and often as they seek to encourage improvements in routing security. Setting goals rather than specifying technologies is a better tactic when working in a dynamic ecosystem.

One critical area that policymakers should prioritize and would serve industry well is funding long-term monitoring programs needed to understand the pathway and effects of changes over time. The programs that exist and have so far made much progress possible are the result of collective goodwill and contribution. Strengthening this foundation through funding can help ensure the permanent availability of longitudinal data on the global Internet routing system.

Routing security is not something that can be fixed overnight. It is time for closer coordination between stakeholders and policy makers. Otherwise, we risk decades of progress.

Dr. Douglas C. Sicker is the Executive Director of the Broadband Internet Technical Advisory Group.