The Federal Communications Commission (FCC) heard from key stakeholders about innovations in Internet security, giving the agency a lot to chew on as it evaluates next steps and its role in the complex Internet ecosystem. Tech companies, network operators, content delivery networks, and others invested in network security should look out for future action by the FCC in this and related areas.
In March, the FCC issued a Notice of Inquiry (NOI) seeking information about vulnerabilities related to the Border Gateway Protocol (BGP), one of the foundational standards that routes data across the Internet. Comments were due April 11, 2022. Reply Comments were due to the FCC on May 10, 2022. The docket contains substantive comments from an array of Internet economy participants and suggests that the FCC should go slow in any regulatory activity, letting promising work continue to expand.
About 40 organizations and several individuals submitted comments, which shed light on industry practices and reveal significant interest in secure routing in academia and standards bodies. From major ISPs to researchers to security companies, the tech sector is engaged on BGP security and in this proceeding.
While the direction of any future FCC attention to BGP is unclear, this proceeding is an example of the agency seeking meaningful input (factual, policy, and legal) to inform its consideration of relevant issues. Such early input can help shape future activities and can demonstrate when regulatory action may not be needed at all.
What are Stakeholders Saying?
Commenters, in the main, told the FCC that routing security is an important, complex, global, multi-stakeholder issue that does not lend itself to U.S. regulation. Comments highlighted ongoing attention to known problems and the significant progress made in cooperative standards bodies and academic research. As research and education network provider Internet2 put it, “The first and most important aspect of ensuring routing security is collaboration among network operators.”
Commenters pointed out that efforts such as the industry-led voluntary consortium, Mutually Agreed Norms for Routing Security (MANRS), have developed best practices for network operators, Internet Exchange Point operators, Content Delivery Network and cloud providers, and equipment vendors. Adoption of cryptographic methods of route origin authorization and verification through the Resource Public Key Infrastructure (RPKI) has increased over the past several years.
Multiple commenters noted that the “BGPsec” tool highlighted in the NOI is not an ideal solution and is not likely to be widely adopted. Instead, commenters highlighted ways the FCC can help the Internet ecosystem continue to improve on the security of the foundational protocols.
- Internet services firm Cloudflare commented that “the real situation in terms of BGP security is better than the measurements […] suggest. Adoption of RPKI by the largest transit providers has dramatically decreased the impact of BGP leaks and hijacks.”
- The Internet Society added, “Given the evolution and direction of existing and emerging technologies in routing security, mandates are unlikely to be helpful in securing more networks and more likely to ‘freeze’ aspects of an evolving security ecosystem in unhelpful states.”
Commenters suggested several activities the FCC could promote to improve routing security. Several responses highlighted the need for increased research to obtain solid data on the scope and type of routing security issues and mitigation measure adoption—some noted existing Internet “observatories” operated by academic groups, industry, and government organizations that require dedicated funding.
- The Asia-Pacific Regional Internet Registry (APNIC)’s Chief Scientist Geoffrey Huston noted: “The FCC and other interested parties would be well advised to perform a critical assessment of the current state of these mechanisms and potentially consider ways and means to support further research into these questions before embarking on a course of encouraging broad industry adoption.”
Many commenters encouraged the FCC to coordinate with international regulators and organizations to raise awareness of BGP security issues and existing best practices that Internet infrastructure operators can adopt. Other groups pointed out the need for better coordination within the Federal government on research funding and security implementation for Federal networks.
Many organizations recommended that the FCC task its Communications Security, Reliability, and Interoperability Council (CSRIC) to update its studies and recommendations on routing security. Some commenters also suggested the FCC develop incentives to encourage security tool adoption among smaller, resource-constrained ISPs.
Notably, the National Telecommunications and Information Administration (NTIA) filed reply comments, as it frequently does to express the views of the Executive Branch to the FCC. NTIA’s recommendations were consistent with the views of most commenters, highlighting the value and progress of the global multistakeholder Internet standards community, and pointing out that FCC regulations on Internet routing “could set a damaging precedent in support of international Internet regulation, in contrast to standing USG policy.”
This NOI is part of broader work by the FCC on cybersecurity
The Notice of Inquiry on Internet routing security is part of the FCC’s efforts to increase its involvement in cybersecurity policy. Chairwoman Rosenworcel has made clear her intent that the FCC should have a seat at the table on cybersecurity and announced in February that she will serve as co-chair of the relaunched Cybersecurity Forum for Independent and Executive Branch Regulators. In September 2021, the then-acting Chairwoman re-chartered CSRIC with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) serving as co-chair for the first time, noting “collaboration with CISA, and with the additional government partners on the Council, will help advance a whole-of-government approach to security and ensure that the relevant federal expertise is informing policymaking at the FCC.”
All of this comes as others look at cybersecurity as a potential area for increased regulation. The SEC recently proposed mandatory public reporting of cybersecurity incidents. Congress has emphasized the importance of ensuring that agencies across the federal government coordinate to limit the impacts of these mandates on the private sector. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 directs the Secretary of Homeland Security to lead a federal Cyber Incident Reporting Council to “coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations.”
P.L. 117-103, Sec. 2246(a).
*Not admitted to the District of Columbia Bar. Supervised by principals of the firm who are members of the District of Columbia Bar.