Arguably one of the most crucial Internet routing protocols, Border Gateway Protocol (BGP) is also one of the least secure, and regulators around the globe—including the Federal Communications Commission (FCC) here in the U.S.—are increasing their focus on it. In the last few years, government agencies have begun to address the vulnerabilities inherent in BGP. While BGP is efficient and effective, the openness and trust built into the protocol are deeply at odds with the need to prevent malicious re-routing of internet traffic.
But let’s take a step back and set BGP in context. What is BGP, why does it matter, what is the FCC’s role, and, ultimately, what does this mean for U.S. companies?
What is BGP?
Put simply, BGP is an internet routing protocol that enables internet traffic to journey from Point A to Point B. Each time a user searches for a new website, BGP is responsible for determining the most efficient path to connect the user’s device to the sought-after webpage. The internet, in its most basic form, is devices talking to each other through data packets that relay important information, including how best to route a request. Think of BGP as akin to a navigation app, like Waze, that gives drivers the most efficient route to their destination. Just as Waze uses traffic updates to tell you in real time which street or highway will get you to your destination faster, BGP picks the best digital path for transmitting data and routing internet traffic. BGP bases that determination on information exchanged between autonomous systems. An autonomous system is a smaller network that connects to larger networks; in essence, it is a group of routers that talks to other groups of routers. Autonomous systems are typically run by Internet Service Providers (ISPs) or other large tech firms.
Why Does it Matter?
While BGP provides routing efficiency, the autonomous systems on which BGP relies each operate independently and function under a “trust” model – meaning that each autonomous system accepts the pathways advertised by another autonomous system without any mandatory verification. Currently, there is no international organization responsible for rulemaking for the Internet, which leaves the regulation of BGP up to individual countries. As a result, the adoption of requirements that would secure BGP, such as RPKI, is slow and uneven across the globe. This leaves BGP ripe for accidental or even malicious disruption. For example, one of the first notable BGP disruptions occurred in 2004, when TTNet accidentally sent out incorrect internet routes via BGP that effectively routed all internet traffic through Turkey for several hours. Another example occurred in 2008, when a Pakistani ISP tried to prevent Pakistani users from accessing YouTube but instead made YouTube inaccessible for many users around the world by advertising black-hole BGP routes that sent their requests to dead ends. Malicious actors have also taken advantage of BGP vulnerabilities by intentionally re-routing traffic for criminal purposes – known as BGP hijacking. In 2018, cyber attackers purposefully rerouted traffic via BGP away from AWS through their own networks and stole over $100,000 in cryptocurrency. Nation-states are even more capable of BGP hijacking—in fact, China has done so. In 2018, China Telecom, a Chinese government-run company, diverted U.S. internet traffic through China before sending it on to the correct destination. China Telecom’s incorrect routing announcements, which were explained as an error, exposed huge amounts of U.S. internet traffic to interception by the Chinese government. This is one of many instances in which Chinese companies have rerouted entire countries’ internet traffic by manipulating BGP.
Because the network of trust is distributed, adding security to BGP will require collaboration and consensus. For example, a significant majority of network operators would need to implement a cryptographic verification mechanism, such as Resource Public Key Infrastructure (RPKI), before it would be truly effective. Until enough ISPs and other network providers secure BGP through such a consensus approach, attackers can continue to leverage BGP to target businesses and consumers, both domestically and abroad. Existing vulnerabilities in BGP continue to threaten public and private enterprises, creating heightened risks of sabotage, espionage, and theft by both state and non-state actors.
The FCC’s Role
In 2022, the FCC issued a Notice of Inquiry seeking comments on how the Commission should protect communication networks from the vulnerabilities posed by BGP. The Department of Justice and the Department of Defense (DoD) filed comments supporting the FCC’s Notice and its effort to improve internet routing security. In their submission, the Justice Department and DoD recommended that the FCC take an active role in managing BGP-related vulnerabilities by imposing technical standards and increasing transparency.
In July 2023, the FCC and the Cybersecurity and Infrastructure Security Agency (CISA) hosted a workshop with other federal agencies, such as the Office of the National Cyber Director, the National Institute of Standards and Technology (NIST), and the National Telecommunications and Information Administration. The workshop aimed to identify plans to secure BGP, both underway and forthcoming. This recent workshop is part of the FCC’s broader action plan for BGP. Over the last year, the FCC has been working with ISPs to learn about BGP vulnerabilities and how to mitigate these risks. Just last week, the FCC reopened the years-long battle over net neutrality and, in doing so, cited the need to better secure BGP as a rationale for reclassifying broadband internet access as a more highly regulated telecommunications service.
Other Global Regulators
The FCC is not the only regulatory agency looking at BGP and its role in strengthening the backbone of the internet. In fact, the Netherlands plans to upgrade its security across the public sector by 2024: all information and communication technologies (ICT) managed by the Dutch government must use the RPKI standard by that date. RPKI uses cryptographic verification of advertised routes before data packets and other information are sent between systems. Implementing such a cryptographic mechanism for BGP would ensure that network operators and autonomous systems have established that a pathway is legitimate before forwarding traffic along it. The new Dutch requirements will apply to both existing and newly added ICTs within the government. If GDPR’s impact on global privacy laws is any indication, it is reasonable to expect the Netherlands’ new BGP standards to spur other European countries to do the same. In the U.S., agencies such as NIST have devised several proposals for enhancing BGP security, but adoption has been slow. For now, U.S.-based agencies are just beginning the discussion about the future of BGP.
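As an added illustration, not code from this post or from any regulator or RPKI implementation, the following Python sketch contrasts the pure "trust" model described above (every announcement accepted) with RFC 6811 route origin validation backed by RPKI. The prefixes, AS numbers and ROAs are constructed documentation values (RFC 5737 / RFC 5398), and the signature checking a real RPKI validator performs on ROAs is assumed to have already happened.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: the prefix holder authorizes one origin AS
    to announce the prefix, at prefix lengths up to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


# Constructed sample ROAs (documentation prefixes and ASNs, not real networks).
ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    Roa(ipaddress.ip_network("198.51.100.0/24"), 25, 64497),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"  # no ROA covers the prefix; nothing to check against
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    # Covered by a ROA but announced from the wrong AS, or as a more-specific
    # prefix than the holder authorized: the pattern of an origin hijack.
    return "invalid"


def should_accept(prefix: str, origin_asn: int, rov_enabled: bool = True) -> bool:
    """Under the plain trust model every announcement is accepted; with ROV
    enabled, announcements that validate as 'invalid' are dropped."""
    if not rov_enabled:
        return True
    return validate_origin(prefix, origin_asn) != "invalid"
```

Routes that come back 'not-found' are still accepted, which is why the post stresses that RPKI only delivers its benefit once a large majority of operators publish ROAs and enforce validation.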
Impact on U.S. Companies
If the U.S. is behind in improving requirements for BGP, what does this mean for U.S. companies? A likely result within the Netherlands is that, after widespread adoption of RPKI in the public sector, the private sector will be encouraged or mandated to follow suit, and other European nations are likely to begin implementing BGP requirements of their own. While the U.S. navigates its approach to securing BGP, it is foreseeable that some form of federal directive will be issued requiring the most important government ICTs to implement route origin validation (which relies on RPKI) as promulgated by CISA standards. CISA has previously identified key industries and systems, such as critical infrastructure, that are now required under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to adhere to certain cybersecurity standards and mandatory breach notification requirements. It seems likely that the federal government will require enhanced BGP security and that private industry will follow in turn, since the operation of some of the nation’s most essential services falls to private companies. For now, the future of BGP is undecided, but the U.S. government is heading toward a more secure future, which means companies should explore BGP security enhancements now.