BGP security has been an issue at the core of the internet’s architecture since the protocol was introduced some 35 years ago, and it may be getting a boost thanks to renewed attention from the US government. A new paper from the Office of the National Cyber Director (ONCD) promotes Resource Public Key Infrastructure (RPKI) as the standard to adopt. The solution is old and not perfect, but it would represent a significant upgrade to internet routing security if it could be universally adopted.
US wants improved BGP security after foreign incursions
Though it is not the only element of the plan, the published roadmap focuses on uptake of RPKI as the central means of improving BGP security. The system uses digital certificates and signatures that are verified by distributed repositories, and it is already fairly widely used. Unfortunately, most of that use is not in North America, where uptake lags for a variety of reasons.
The internet routing plan is still in its initial phases, and because of the nature of the affected Autonomous Systems (ASes), it will require persuading numerous stakeholders. At the moment there is no mandatory action on the table, but the ONCD is firming up plans for both federal agency implementation and public-private work that may include support provided to key organizations and vendors.
Attacks by both state-backed and private criminal actors are not uncommon, as BGP security issues have been known and documented for as long as the protocol has existed. Of late, the protocol has been exploited at least several times for major thefts of crypto. But a specific trigger for action on internet routing security seems to have been a recent attack by China Telecom in which traffic from the US was intentionally misrouted for malicious purposes in at least six known cases.
Rolling out RPKI will require the collaboration of federal agencies, network service providers, hardware and software vendors, state and local governments, and critical infrastructure firms, among others. All of these entities face barriers to implementation, chiefly technical hurdles and a lack of IT manpower. But the roadmap indicates that the most critical participants can expect to be approached in the very near future, if they have not been already, and that the government will likely offer coordination assistance and some forms of material support, as it now sees internet routing security as a high cyber priority.
Internet routing plan stems from 2023 cybersecurity strategy announcement
The focus on internet routing security was a key element of the 2023 National Cybersecurity Strategy Implementation Plan, which overall is still in its early stages. The government has not yet released technical assistance on BGP security, but does link to existing guidance from other sources.
The ambitious plan addresses a system of over 74,000 ASes throughout the world, which can be exploited when they fail to verify the integrity of messages and announcements that they exchange. In recent years threat actors have been able to exploit this for a number of crypto thefts ranging from $100,000 to $29 million per incident, as well as for simpler approaches such as DDoS attacks.
While RPKI does not solve all internet routing and BGP security issues, it would be a significant improvement with enough buy-in from all participants. ONCD and CISA efforts in this area will likely make or break the strategy.