The Federal Communications Commission (FCC) heard from key stakeholders about innovations in Internet security, giving the agency plenty to ponder as it assesses next steps and its role in the complex Internet ecosystem. Technology companies, network operators, content delivery networks, and others who invest in network security should be vigilant for future FCC action in this and related areas.
In March, the FCC issued a Notice of Inquiry (NOI) seeking information on vulnerabilities related to the Border Gateway Protocol (BGP), one of the fundamental standards for routing data across the Internet. Comments were due April 11, 2022, and reply comments were due May 10, 2022. The docket contains substantive comments from a variety of Internet economy participants and suggests that the FCC should move slowly on any regulatory activity, allowing promising work to continue to expand.
About 40 organizations and several individuals submitted comments, which shed light on industry practices and reveal significant interest in secure routing in academia and standards bodies. From major ISPs to researchers and security companies, the tech industry is engaged in BGP security and in this proceeding.
While the direction of any future FCC attention to BGP is unclear, this proceeding is an example of the agency seeking significant input (factual, policy, and legal) to inform its consideration of relevant issues. Such early input can help shape future activities and can demonstrate when regulatory action may not be needed at all.
What do stakeholders say?
Commenters generally told the FCC that routing security is an important and complex, global, multi-stakeholder issue that does not lend itself to U.S. regulation. Comments highlighted continued attention to known issues and the significant progress made in cooperative standards bodies and academic research. As research and education network provider Internet2 put it, “The first and most important aspect of ensuring routing security is collaboration between network operators.”
Commenters noted that efforts such as the industry-led, voluntary Mutually Agreed Norms for Routing Security (MANRS) consortium have developed best practices for network operators, Internet exchange point operators, content delivery network and cloud providers, and equipment providers. The adoption of cryptographic methods for authorizing and validating route origins through the Resource Public Key Infrastructure (RPKI) has increased in recent years.
Several commenters noted that the “BGPsec” tool highlighted in the NOI is not an ideal solution and is not likely to be widely adopted. Instead, commenters highlighted ways the FCC can help the Internet ecosystem continue to improve the security of critical protocols.
- Internet service company Cloudflare commented that “the real situation in terms of BGP security is better than the measures […] suggest. The adoption of RPKI by the largest transit providers has dramatically lessened the impact of BGP leaks and hijacks.”
- The Internet Society added: “Given the evolution and direction of existing and emerging technologies in routing security, mandates are unlikely to be useful in securing more networks and are more likely to ‘freeze’ aspects of an evolving security ecosystem in unpredictable states.”
Commenters suggested several activities that the FCC could promote to improve routing security. Several responses highlighted the need for further research to obtain solid data on the scope and type of routing security problems and the adoption of mitigation measures; some pointed to existing Internet “observatories” operated by academic groups, industry, and government organizations that require dedicated funding.
- Geoffrey Huston, Chief Scientist of the Asia-Pacific Regional Internet Registry (APNIC), indicated: “The FCC and other interested parties would do well to critically assess the current state of these mechanisms and potentially consider ways and means to support further investigation of these questions before embarking on a course of fostering broad industry adoption.”
Many commenters encouraged the FCC to coordinate with international regulators and organizations to raise awareness of BGP security issues and existing best practices that Internet infrastructure operators can adopt. Other groups pointed to the need for better coordination within the federal government on research funding and security implementation for federal networks.
Many organizations recommended that the FCC direct its Communications Security, Reliability, and Interoperability Council (CSRIC) to update its studies and recommendations on routing security. Some commenters also suggested that the FCC develop incentives to encourage the adoption of security tools among smaller ISPs with limited resources.
Notably, the National Telecommunications and Information Administration (NTIA) submitted reply comments, as it frequently does to express Executive Branch views to the FCC. NTIA’s recommendations were consistent with the views of most commenters, highlighting the value and progress of the multistakeholder global Internet standards community, and noting that FCC regulations on Internet routing “could set a damaging precedent in support of international Internet regulation, in contrast to existing norms” and the policy of the United States Government.
This NOI is part of the FCC’s broader work on cybersecurity.
The Notice of Inquiry on Internet routing security is part of the FCC’s efforts to increase its involvement in cybersecurity policy. Chairwoman Rosenworcel has made clear her intent for the FCC to have a seat at the table on cybersecurity, announcing in February that she will serve as co-chair of the relaunched Cybersecurity Forum for Independent and Executive Branch Regulators. In September 2021, the then-Acting Chairwoman re-chartered CSRIC with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) serving as co-chair for the first time, noting that “collaboration with CISA, and with additional government partners on the Council, will help advance a government comprehensive approach to security and ensuring that relevant federal expertise is informing policymaking at the FCC.”
All of this occurs as others view cybersecurity as a potential area for further regulation. The SEC recently proposed mandatory public notification of cybersecurity incidents. Congress has emphasized the importance of ensuring that federal government agencies coordinate to limit the impacts of these mandates on the private sector. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 directs the Secretary of Homeland Security to lead a Federal Cyber Incident Reporting Council to “coordinate, deconflict, and harmonize federal incident reporting requirements, including those issued through regulations.”
 PL 117-103, sec. 2246(a).
*Not admitted to the District of Columbia Bar. Supervised by firm directors who are members of the District of Columbia Bar Association.