FCC Chairwoman Proposes New Measures to Enhance Internet Security
The proposal would require broadband providers to report to the FCC on their efforts to implement industry standards.
Ted Hearn
WASHINGTON, May 16, 2024 – In a move aimed at bolstering Internet security, FCC Chairwoman Jessica Rosenworcel on Wednesday advanced a proposal that would require major broadband providers to submit confidential reports on Border Gateway Protocol (BGP) security.
The initiative is intended to enable the FCC and its national security counterparts to gather more current data on this pivotal Internet routing nexus.
“It is vital that communication over the Internet remains secure,” Rosenworcel said in a statement. “Although there have been efforts to help mitigate BGP's security risks since its original design, more work needs to be done. With this proposal, we would require broadband providers to report to the FCC on their efforts to implement industry standards and best practices that address BGP security.”
BGP serves as the backbone technology for routing information across the vast expanse of the Internet's physical and digital infrastructure. National security experts have raised concerns about BGP vulnerabilities that could potentially be exploited by malicious actors. Such exploitation could lead to disruptions in critical services reliant on the Internet, along with the interception, manipulation, or misdirection of data.
In her statement, Rosenworcel said Russian network operators have been suspected of exploiting BGP to hijack “Americans’ personal information, enable theft, extortion, state-level espionage, and disrupt otherwise-secure transactions.”
Rosenworcel stressed the importance of BGP in keeping the Internet functioning properly.
“This technology is essential to the Internet and has been referred to as the “glue” that enables modern connectivity,” Rosenworcel’s statement said, adding that the agency is seeking to rely on Resource Public Key Infrastructure (RPKI) to increase BGP security. RPKI allows for validation of a route’s origin.
In the FCC’s new Net Neutrality rules, the agency said that classifying broadband ISPs as common carriers under Title II of the Communications Act “places the [FCC] in a stronger position to address vulnerabilities threatening the security and integrity of BGP, which impacts the transmission of data from email, e-commerce, and bank transactions to interconnected Voice-over-Internet Protocol (VoIP) and 9-1-1 calls.”
In comments filed before the Net Neutrality rules were adopted, USTelecom said that Title II and BGP were not a good fit. “Reclassification of broadband would not enable the FCC to resolve BGP vulnerabilities because unilateral action by a single country’s regulator will not prevent misrouting or hijacking of data traffic,” said USTelecom, a trade association with AT&T and Verizon as members.
Rosenworcel emphasized the significance of safeguarding Internet communications, highlighting the ongoing efforts to mitigate BGP's security risks. Despite strides made since its inception, she stressed the necessity for further action. Under the proposed mandate, broadband providers would be obligated to report to the FCC regarding their endeavors to implement industry standards and best practices addressing BGP security.
Rosenworcel’s plan calls for the release of a Notice of Proposed Rulemaking that she intends to bring up for a vote at the agency’s June open meeting in Washington. Among other things, the NPRM would formally propose that:
- Broadband Internet Access Service providers develop BGP routing and security risk management plans that describe in detail their specific progress, and plans for, implementing BGP security measures that utilize RPKI;
- The nine largest service providers file their BGP Plans confidentially with the FCC as well as file publicly available quarterly data, allowing the FCC to measure progress in the implementation of RPKI-based security measures and assess the reasonableness of their BGP plans; and
- The FCC seek comment on other measures related to implementing RPKI-based security.