FCC Targets BGP Vulnerabilities with New Security Mandates
FCC to Vote on Proposed Security Regulations for Leading Broadband Providers
The Federal Communications Commission is considering new security mandates for the top U.S. internet providers to begin tackling major vulnerabilities in Border Gateway Protocol that enable hackers to disrupt critical services, conduct espionage and expose sensitive data.
The FCC will vote in June on a series of proposed rules for nine of the largest U.S. broadband providers to establish confidential BGP security risk management plans while significantly expanding the commission's security oversight of traffic routed across the web. BGP plans must be updated annually and include specific efforts made to create and maintain route-origin authorizations, a key component of the Resource Public Key Infrastructure system designed to enhance internet routing security.
BGP serves as a critical backbone of the internet, facilitating the exchange of routing information across complex, interconnected systems and thousands of independently administered networks. The commission acknowledged in a Thursday notice of proposed rule-making that the protocol's initial design - created nearly 35 years ago - "remains widely deployed today" without built-in security features to ensure trust in the data used to route internet traffic.
"A malicious actor or adversary can exploit BGP's vulnerabilities and deliberately falsify reachability information to redirect internet traffic," the commission said, adding that such exploits "can expose Americans' personally identifiable information, enable theft, extortion and state-level espionage," among other risks.
FCC Chairwoman Jessica Rosenworcel, who proposed the rules that would apply to the leading broadband providers in the U.S., including AT&T, Comcast and Verizon, said in a statement that "it is vital that communication over the internet remains secure."
"Although there have been efforts to help mitigate BGP's security risks since its original design, more work needs to be done," the statement says.
The proposal relies on origin validation and the Resource Public Key Infrastructure to verify that a network is authorized to route to a specific IP address, while also validating the route's origin through cryptographically verifiable associations, according to Rosenworcel's office. The FCC first issued a notice of inquiry in February 2022 related to BGP vulnerabilities and held a workshop with the Homeland Security Bureau last year on BGP security.
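The origin-validation check described above can be sketched as follows. This is an added example, not code from the FCC proposal or the article; it follows the RFC 6811 decision procedure (valid, invalid, not-found), and the ROAs, prefixes and AS numbers are constructed from documentation ranges. It assumes the ROAs have already been cryptographically verified against the RPKI, which a real validator does first.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # address block the holder has authorized
    max_length: int  # longest prefix length that may be announced
    asn: int         # AS authorized to originate the block

# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 36, 64497),
    ROA("198.51.100.0/24", 24, 0),   # AS 0: "nobody may originate this"
]

def validate_origin(route_prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify a BGP announcement against validated ROAs (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if its prefix covers the announced route.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS (AS 0 never matches) and a
        # prefix no more specific than the ROA's max_length allows.
        if roa.asn != 0 and roa.asn == origin_asn \
                and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but unmatched means a wrong origin or a too-specific prefix.
    # No covering ROA at all means the RPKI says nothing about the route.
    return "invalid" if covered else "not-found"
```

A route classified "invalid" is the case origin validation lets a router reject; "not-found" routes are why ROA coverage by address holders matters.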
Stakeholders and the public have 30 days after the date of publication in the Federal Register to provide comment. The proposal follows the 2023 release of the national cybersecurity strategy, which includes a section on securing the technical foundation of the internet and addressing BGP vulnerabilities.
The proposal also identifies a number of real-life scenarios in which BGP vulnerabilities have led to major disruptions, including Facebook's five-hour October 2021 global outage, which was in part due to a BGP routing failure. The issues made it appear as though Facebook and its services "disappeared from the internet," according to the proposal, resulting in 1.2 trillion person-minutes of service unavailability.
Other instances include deliberate BGP hijacking against cryptocurrency services for theft and Russian network operators suspected of exploiting BGP vulnerabilities to disrupt financial services on the eve of Russia's 2022 invasion of Ukraine.