Routing Security Needs Addressing, but How Is Unclear, Cybersecurity Experts Say
There's a lot of government interest in fortifying U.S. internet traffic routing security, but it's less clear what it can and should do, said Wilkinson Barker cybersecurity lawyer Clete Johnson Tuesday on an FCBA cybersecurity committee webinar. Noting the FCC's open proceeding on routing security that was launched in the wake of Russia's invasion of Ukraine, he said routing security doesn't line up well with traditional regulatory tools and their focus on prescriptive compliance. Johnson said the complexity of the issue doesn't necessarily match that approach.
Routing is the process by which packets are forwarded across networks to an endpoint IP address, using the Border Gateway Protocol (BGP) to handle the hand-off between network operators.
The FCC's diving into a regulatory look at routing security "took a lot of people by surprise" because the agency's approach has been to promote technical solutions through its advisory Communications Security, Reliability and Interoperability Council, Johnson said. He said the record in the docket 22-90 routing vulnerabilities proceeding points to a big, unanswered policy question of how the U.S. can bring in all the government, private sector and international organizations that need to be involved in advancing talks about standards and protocols. A wide array of stakeholders needs to be around that table -- not just telecom providers but everyone from cloud providers to large enterprises that operate their own autonomous systems, he said. Johnson said it's also unclear how to set up assurance and accountability mechanisms that aren't prescriptive compliance, "which will always be far too simple" for the complex internet routing system.
Another big challenge is looping end customers -- "the bank, the power company, the bakery" -- into security policy discussions, said Kathryn Condello, Lumen senior director-national security and emergency preparedness. Route validation gives three choices for data moving from network to network -- valid and it moves on, invalid and it gets dumped, and "unknown," which still gets passed along, she said. The vast majority of that "unknown" traffic is unknown because those end customers with that IP address haven't published their routes, she said. That leaves "a big gaping hole ... in locking things down," she said.
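The three outcomes described above match RPKI route origin validation as specified in RFC 6811, which calls the third state "NotFound"; that the speaker means this procedure is an assumption. The Python below is an added illustration, not code from the article or from anyone quoted in it, and classifies BGP announcements against published route origin authorizations (ROAs); the prefixes, AS numbers and function names are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of validated ROA payloads: (prefix, max length, origin AS).
# Documentation prefixes and AS numbers only; not real routing data.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
]

def validate_origin(route_prefix, origin_asn, vrps=SAMPLE_VRPS):
    """Return 'valid', 'invalid' or 'unknown' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(prefix)
        # A VRP is relevant only if its prefix covers the announced prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # AS 0 in a ROA means "no AS may originate this prefix" and never matches.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but no match: wrong origin AS or a more specific prefix than allowed.
    return "invalid" if covered else "unknown"

def accepts(state):
    """Policy described in the article: only 'invalid' routes are dropped."""
    return state != "invalid"

# Constructed announcements (prefix, origin AS).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # matches the published ROA
    ("192.0.2.0/24", 64511),       # wrong origin, e.g. a mistyped configuration
    ("198.51.100.128/25", 64497),  # more specific, within max length
    ("198.51.100.192/26", 64497),  # more specific than max length allows
    ("203.0.113.0/24", 64500),     # holder published no ROA
    ("203.0.113.0/24", 64511),     # different origin, same unpublished prefix
]

def summarize(announcements=SAMPLE_ANNOUNCEMENTS):
    """Count validation states and list the announcements that would be accepted."""
    states = [(p, a, validate_origin(p, a)) for p, a in announcements]
    counts = Counter(s for _, _, s in states)
    accepted = [(p, a) for p, a, s in states if accepts(s)]
    return counts, accepted

if __name__ == "__main__":
    counts, accepted = summarize()
    print(dict(counts))
    for prefix, asn in accepted:
        print("accepted:", prefix, "AS%d" % asn)
```

Both announcements for the prefix with no published ROA are accepted regardless of which AS originates them. Once the address holder publishes a ROA, the mismatched origin is classified as invalid instead.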
Most routing problems that arise are more the result of mistakes -- "fat-fingering, that sort of thing," when mistyping an IP address in a router configuration -- than deliberate acts, said Tony Tauber, Comcast distinguished engineer-network architecture and engineering. He said that beyond ISPs, responsibility for routing security falls on numerous shoulders, including edge companies, equipment vendors, open-source software developers and regional internet registries.
NCTA Vice President-Broadband Technology Matt Tooley said the private sector has been active in developing routing security tools that include validation of IP addresses or ensuring sessions between routers are hard to break. "Industry has not been sitting still," he said. He said government could do more in encouraging various stakeholders to use applicable fixes, such as patches.