A new strategy report from the White House Office of the National Cyber Director (ONCD) is addressing some established issues with internet routing security, centered on the Border Gateway Protocol (BGP) that underpins networks throughout the world. The BGP security plan calls for adoption of the Resource Public Key Infrastructure (RPKI) as an immediate reinforcement against a number of potential vulnerabilities, something that federal agencies are now being encouraged to adopt. The agency is also establishing a number of implementation and coordination councils to promote broader adoption of the plan and provide resources for network operators.
White House sees internet routing security as a priority
The roadmap grows out of the 2023 National Cybersecurity Strategy Implementation Plan, which first mentioned BGP security as one of the necessary techniques to secure the internet’s technical foundation. The document is not meant to be a technical implementation guide, but does collect existing guidance and includes plans that federal agencies will use to promote BGP security as well as more general recommendations for improving internet routing.
BGP is the routing protocol used by about 74,000 global Autonomous Systems (ASes) that make up the backbone of the world’s internet access. BGP security risks include the lack of a built-in way to verify the integrity of the messages exchanged between these networks, to verify that a remote network is authorized to originate announcements for specific destinations, and to detect internet routing announcements that violate the policies agreed between neighboring networks.
Attackers have already demonstrated the ability to exploit these weaknesses and cause massive internet routing issues. CISA has published warnings in recent years on the efforts of foreign adversaries to exploit BGP security holes as a means of espionage and attacks on critical infrastructure. But the issue is far from having a simple fix. BGP transcends all of the world’s borders and must remain in place and in operation even while security improvements are made to it.
RPKI adoption key to BGP security
ONCD’s central strategy for BGP security is adoption of RPKI, an already existing digital security certificate system that draws on distributed repositories for verification. Adoption is already fairly substantial in Europe, but it has faced uptake issues in North America due to both a general lack of awareness of internet routing risks and a combination of limited resources and administrative barriers.
There are no mandatory BGP security actions as of yet, but the agency is strongly recommending that all federal departments implement a list of baseline actions. It also proposes federal collaboration with private industry stakeholders to begin taking action, and to that end it is forming a joint working group in collaboration with the Communications and IT Sector Coordinating Councils to develop resources and materials to support and encourage implementation.
This development also follows a June proposal by the Federal Communications Commission (FCC) to improve BGP security after China Telecom was found to have intentionally misrouted US internet traffic on at least a few occasions. However, it is important to note that RPKI is not a one-shot “silver bullet” against attacks such as these. It is a cornerstone of the overall strategy, but US officials are also considering other supplemental security techniques.
Federal agencies are likely to be among the first entities to roll out these internet routing improvements, and among private partners the first to be approached appear to be network service providers. These will be asked to deploy a major component of RPKI, Route Origin Validation (ROV) filtering, on behalf of their customers. Critical infrastructure companies and state and local government agencies are also likely to be pressured to be early adopters.
Central to the BGP security issue is that it is such an old standard, first developed in 1989 before the internet was even available for home use. Cloudflare has noted that only about half of all internet networks have implemented RPKI at this point and that attacks are not limited to sophisticated nation-state APT groups, with private criminal groups also having been observed using the vulnerabilities to steal large amounts of cryptocurrency. BGP attacks have stolen as much as $29 million, but can also be used for a variety of other purposes, such as obtaining IP addresses to use in spam campaigns or DDoS attacks. Attacks of this type date as far back as the initial rollout of the standard, and sometimes an “attack” is simply a matter of an unwitting technical error; for example, in 2008, there was a short global outage of YouTube when a Pakistani telecom company mistakenly redirected traffic to its address space.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that there are potentially better options for BGP security but that focusing on RPKI is much better than doing nothing: “We are decades late in securing BGP. Now we have a few good ways to better secure BGP. The US government supports one of the methods…not the best…but an incremental way forward, and all we need to do is get vendors and organizations to implement it. Getting CISA involved is one great way to accomplish this. I’m not usually very optimistic for any good cybersecurity standard to be well-implemented in a timely manner, but I have great hope for this one. If it is pulled off like we all want it to, in a year or two, BGP will finally be harder to compromise than it has been for decades.”