“Many aspects of the Internet’s architecture and ecosystem, including the principal technology used to route traffic across the thousands of independent networks that comprise the Internet, do not provide adequate security for the threats we face today,” the White House said in a new report.
Warnings homed in on the Border Gateway Protocol, which is key to how information is routed across networks. There’s risk that online traffic could be diverted deliberately or accidentally “which may expose personal information; enable theft, extortion and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations,” the announcement said.
The Internet is made up of roughly 74,000 independently operated but interconnected networks, per the White House. They all use Border Gateway Protocol to exchange routing information with other networks. But that protocol wasn’t designed to face today’s security challenges.
The federal government also released a new road map detailing recommendations for network operators, communications and IT sector stakeholders, and federal agencies and departments. Alongside this, the Cybersecurity and Infrastructure Security Agency and Office of the National Cyber Director plan to launch a public-private working group with the Communications and IT Sector Coordinating Councils. That group intends to create resources and materials to help get the recommendations implemented.
There isn’t one fix to solve everything, the White House cautions, but adopting Resource Public Key Infrastructure could be a big step. That infrastructure involves two key parts. One is Route Origin Authorization (ROA), “a digitally signed certificate that a network is authorized to announce a specific block of Internet space (i.e., IP addresses).” The other is Route Origin Validation, “the process by which BGP [Border Gateway Protocol] routers use ROA data to filter BGP announcements flagged as invalid.”
The road map encourages network operators — especially those who provide networks used by state, local, tribal or territorial governments or by critical infrastructure entities — to take certain steps. One is to develop, maintain and regularly update cybersecurity risk management plans that address Internet routing security and resilience. Another is to ensure any new external services they contract require providers to validate Border Gateway Protocol-enabled routes. And network operators that have IP address resources should publish Route Origin Authorizations in the relevant Resource Public Key Infrastructure repository.
The road map also includes steps specifically for network service providers, such as advising them to deploy Route Origin Validation filtering for their customers. Other recommendations speak specifically to the federal government, such as around securing its own networks and reaching out to ensure enterprise network owners learn about the importance of Route Origin Authorization and Route Origin Validation.
