The Federal Communications Commission will vote Thursday on reinstating landmark net neutrality rules that the commission says will strengthen its position to write more cybersecurity rules, but the industry and some cyber-focused organizations have warned that those potential new rules could lead to less security, not more.
As part of its effort to restore net neutrality rules, the FCC anticipates it will be better positioned to take action to protect what FCC Chairwoman Jessica Rosenworcel and Cybersecurity and Infrastructure Security Agency Director Jen Easterly described in a blog post last year as “the most important part of the Internet you’ve probably never heard of” – the Border Gateway Protocol, or BGP.
BGP is a set of technical rules for routing Internet data, and Rosenworcel and Easterly argued last year that the US is “lagging behind” in BGP security.
“BGP does not include explicit security features to ensure trust in exchange information,” they wrote. “As a result, an adversary can deliberately falsify BGP reachability information to redirect traffic, and state-level actors have been suspected over the years of exploiting BGP’s vulnerability to hijacking. These ‘BGP hijacks’ can expose personal information, enable state-level theft, extortion and espionage, and disrupt security-critical transactions, including in the financial sector.”
The FCC first raised the possibility of regulation of BGP in 2022, and discussed it again in the net neutrality rule released on April 4.
“The Commission may consider requiring service providers to deploy solutions to address BGP vulnerabilities, such as BGP hijacks,” the FCC wrote in the proposed April rule. The agency could also consider establishing cybersecurity requirements for BGP, including “security features to ensure trust in the information it is used to exchange,” which could prevent bad actors from “intentionally spoof[ing] information about the reachability of BGP to redirect traffic to itself or through a specific third-party network and prevent traffic from reaching the intended recipient.”
When the FCC first considered regulations on BGP two years ago, USTelecom — which represents companies like Verizon and AT&T — suggested that the FCC’s claims of regulatory authority on the issue were legally questionable.
The FCC wrote in the April 4 document that acting on net neutrality would put the agency “in a stronger position to address vulnerabilities that threaten the security and integrity of the Border Gateway Protocol.”
But some question the wisdom of the FCC’s regulations on BGP. The Internet Society, a nonprofit organization that advocates for an open and secure Internet, and the Global Cyber Alliance, a nonprofit organization focused on reducing cyber risks, recently wrote a letter to the FCC to express their concerns.
“If the FCC were to go ahead and issue rules on how to address certain security threats, those rules would remain static,” said John Morris, director of U.S. internet policy and advocacy at the Internet Society. “Providers would adhere to those rules, and they may not do more than that.”
The Global Cyber Alliance leads an international voluntary industry initiative known as the Mutually Agreed Norms for Routing Security, once led by the Internet Society. “We also want a secure routing system,” said Leslie Daigle, chief technology officer at the Global Cyber Alliance. “It would be great to see more support for industry-led efforts to achieve that goal, rather than having to regulate it.”
The two groups also worry that other countries could respond to the FCC’s action by producing conflicting standards that would fragment the Internet, leading to further security risks.
That stance also reflects industry concerns about BGP regulation that surfaced when the FCC began investigating the issue in 2022.
“Verizon agrees with almost all other commentators that the global nature of Internet routing means that the United States cannot unilaterally solve its inherent security problems, and that mandating the adoption of a particular set of technologies or standards would be counterproductive or even harmful,” the company wrote.
Under the Biden administration, a slew of agencies have issued cybersecurity regulations and guidance, but many are focused on high-risk targets within a particular sector. FCC regulations could impact thousands of Internet service providers and networks, Morris said.
Despite private sector skepticism, federal agencies appear largely supportive of the FCC’s approach. In 2022, multiple agencies supported the FCC’s efforts to secure BGP.
“We understand that the global nature of the Internet increases the challenges associated with making BGP more secure,” the Departments of Justice and Defense wrote in a joint filing. “From a national security perspective, however, we believe that establishing an industry-wide baseline of BGP security measures would go a long way toward protecting the transmission of data and communications of U.S. persons in an ever-evolving threat environment. The status quo has not—and cannot—achieve that goal.”
The FCC also suggested that reinstating net neutrality rules could help it take action to address security threats associated with the domain name system. The Internet Society and Global Cyber Alliance said they would have similar doubts if the FCC did this.
Multiple industry groups did not respond to requests for comment on the FCC’s comments on BGP regulation in the April 4 document. The FCC did not respond to requests for comment on concerns from industry and others.
More broadly, the FCC has made cybersecurity a small part of its push to restore net neutrality. Some have also questioned other elements of the FCC’s cybersecurity policy, such as whether it would give the commission the authority to go after broadband service providers it considers security risks.