By addressing vulnerabilities in the Border Gateway Protocol, ONCD is taking on a hard problem that has long threatened the security of internet traffic
September 3, 2024
Today, the White House Office of the National Cyber Director (ONCD) released a Roadmap to Enhancing Internet Routing Security, which aims to address a key security vulnerability associated with the Border Gateway Protocol (BGP) – the protocol that underpins the way information is routed across networks.
By addressing BGP, ONCD is taking on a hard problem that has long threatened the security of internet traffic. Given today’s cyber threat landscape, ONCD continues to underscore that a secure and open internet is critical to the economic prosperity and national security of the United States.
ONCD’s Implementation Plan of the National Cybersecurity Strategy serves as a blueprint for championing security in the digital ecosystem. The roadmap released today advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate vulnerabilities in BGP. This includes recommended actions applicable to all network types, i.e., all network service providers and entities that operate enterprise networks or hold their own IP address resources. These recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.
By the end of the year, it is expected that over 60% of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish Route Origin Authorizations (ROA) for Federal networks.
To meet this goal, ONCD led an effort to develop a Federal RSA template Addendum that Federal agencies are encouraged to use to facilitate their adoption of RPKI. The provisions in this template addendum are supported by Federal laws and principles that necessitated modifications to the requirements in the standard RSA. A Federal RPKI Playbook was also developed by the National Oceanic and Atmospheric Administration to support the process of executing the RSA and establishing ROAs on Federal networks.
In addition to releasing the report, ONCD is today acting on one of the key recommendations in the roadmap by establishing a public-private stakeholder working group. ONCD is co-chairing the Internet Routing Security Working Group, alongside the Cybersecurity and Infrastructure Security Agency and the Communications and Information Technology Sector Coordinating Councils, to develop resources and materials to collectively advance these objectives. This working group will develop a framework for network operators to assess risk and prioritize IP address resources and critical route originations (such as those for government use and critical infrastructure operations) for the application of routing security controls such as ROAs and Route Origin Validation.
“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker, Jr. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”
“Securing BGP is essential to safeguarding the integrity of our digital infrastructure. Through strong partnerships–both with industry and with government agencies–we can enhance the resilience of our internet routing, ensuring a secure and reliable internet for our nation,” said CISA Director Jen Easterly. “This roadmap is a good step forward in achieving that goal. We’re excited to co-lead the collaborative effort in the Internet Routing Security Working Group and look forward to developing meaningful resources.”
“We must work together to improve internet routing security, and the ONCD’s roadmap sets a path for collaboration and progress,” said Chairwoman Rosenworcel. “The FCC recently proposed having broadband providers report to us on their efforts to address BGP security, and the roadmap both complements and advances our work towards this goal.”
“NIST has a long history of working collaboratively with industry to design, measure, and standardize technologies that make internet protocols more resilient and secure,” said NIST Director Laurie E. Locascio. “This roadmap establishes a clear plan of action to expedite the adoption of current, commercially viable BGP security technologies while highlighting the need for further research and development of additional solutions.”
“Internet routing security is a vital part of network security that, when overlooked, can lead to loss of service, theft of data, and other malicious attacks,” said Assistant Secretary of Commerce for Communications and Information and NTIA Administrator Alan Davidson. “ONCD’s roadmap is an important step towards helping the entire Internet ecosystem protect users from these threats.”
“The roadmap reflects a deep understanding of the complex Internet ecosystem landscape,” said Robert Mayer, Sr. Vice President, Cybersecurity & Innovation, USTelecom and Chair of the Communications Sector Coordinating Council. “Its sensible and prudent approach calls for a collaborative industry and government effort to develop an informed, risk-based strategy. We look forward to working with our government partners to make meaningful progress to address this critical issue.”
“Securing internet routing has been a long-term effort. It is a difficult one because it takes a lot of different players all taking action to be useful,” said Ari Schwartz, Coordinator of the Center for Cybersecurity Policy and Law. “The Roadmap is showing us how to get secure routing done and starting up the collective action efforts needed to get us to the finish line.”
BGP is one of the foundational protocols that enables over 70 thousand independent networks to operate as what is known as the internet. Internet traffic is routed between networks using BGP to announce what destinations can be reached through those networks. BGP is used by many different types of networks, including cloud providers, Internet Service Providers, universities, energy companies, and federal, state, and local governments. BGP binds together the modern internet.
Like too many technologies developed in the early days of the internet, BGP was not built with the security needed for today’s digital ecosystem. Internet traffic can be inadvertently or purposely diverted, which may expose personal information; enable theft, extortion, and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations. The potential for widespread disruption to internet infrastructure, whether carried out accidentally or maliciously, is a national security concern.
ONCD is encouraging every network operator to use a risk-based approach to address BGP vulnerabilities. ONCD worked with Federal partners, industry stakeholders, and subject-matter experts to consider the complexities of the internet routing ecosystem, map longstanding barriers to improving security, and recommend incentives to overcome those barriers. The roadmap provides 18 recommended actions as a result of this collaborative undertaking.
You can review the Roadmap to Enhancing Internet Routing Security here, the Federal RSA Template Addendum here, and an accompanying fact sheet here.
###