A month ago, the United States Federal Communications Commission (FCC) published a “Notice of Inquiry” (NOI) around a subject close to our hearts: secure Internet routing. In this NOI, the FCC asked a series of questions to the public about how data is routed around the Internet, and what kinds of security controls, standards, and efforts exist to protect those routes. (Note that the FCC is not proposing regulations currently, just asking for more information.)
We worked with our community to submit comments in this proceeding. We’ll describe the highlights here.
The Internet Society has incubated and supported the Mutually Agreed Norms for Routing Security (MANRS) initiative since 2014. Today it is a growing effort with more than 800 participants, each making commitments about what actions they will take to support secure routing. Cold War-era “mutually assured destruction” relied on a tense equilibrium of assured nuclear attack. Routing security, however, is a different kind of problem. Security will only be achieved by more and more networks taking actions to thwart entire classes of attacks and vulnerabilities. So, instead of a “promise to attack,” so to speak, MANRS is “a promise to thwart attacks.”
This is no easy problem! The routing system is based on chains of trust. Each network relies not only on its own security efforts but also on those of its neighboring networks, which in turn rely on their neighbors. Efforts to deploy routing security measures do not necessarily produce proportional protection. While securing a network’s routing may protect it from certain vulnerabilities, that same network can still fall prey to routing vulnerabilities from networks that have not yet secured their routing. At the same time, routing security is open to “free-riding”: if other network operators implement secure routing measures, a given network may benefit from that additional protection even without deploying security controls itself. This is all made more challenging by the fact that it is hard to determine if a particular network implements routing security measures.
In our comments we discuss these general considerations and then go on to answer specific questions from the FCC and make recommendations. We also include insight from a survey of MANRS participants that we conducted. (We’ll cover this on the MANRS blog soon, stay tuned!)
We can’t cover all 60-plus pages of our filing in this post, so please check out our full comments: “Internet Society’s Comments on Docket PS-22-90, Secure Internet Routing.”
Ultimately, we recommended against any hard mandates in this area given the early state of the technology and discipline of secure routing. We recommended that any action by the FCC focus on:
- Incentives to deploy routing security measures
- Encouraging procurement requirements that give preference to support for routing security
- A staged approach to any harder requirements in routing security, beginning with critical infrastructure sectors
Unlike other areas of technology and communications policy, such as network neutrality, routing security is somewhat of a blank slate for regulators like the FCC. It’s one of the last frontiers in Internet security and an area where we all must proceed very deliberately and carefully to make positive change. We look forward to collaborating more with all parties involved to identify and advocate for ways to better secure Internet routing.
Our first suggestion would, naturally, be that every network operator, Internet exchange point, cloud provider, content distribution network, and equipment vendor sign up for MANRS and secure all of our routes together.
Image credit: Harold Mendoza on Unsplash