US Government Set Out to Improve Internet Routing Security

The US government has set out measures to improve the security of a key part of the internet.

The Office of the National Cyber Director (ONCD) has released a roadmap to improve internet routing security, by tackling weaknesses associated with the Border Gateway Protocol (BGP).

The ONCD’s roadmap calls for wider adoption of Resource Public Key Infrastructure (RPKI). RPKI, which is an IETF standard framework, improves security by preventing route hijacking, route leaks and IP resource hijacks.

By using RPKI, organizations including public internet service providers, and enterprises operating their own routing, can ensure that BGP announcements, or route updates, between public networks are valid and secure.

The ONCD is recommending that all network types, including ISPs, enterprises operating networks and those that hold their own IP address resources, adopt RPKI.

The ONCD says that securing BGP through RPKI is especially important for operators of critical infrastructure, state and local governments, and organizations that depend on the internet for “high value” purposes.

“Internet security is too important to ignore, which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director, Harry Coker, Jr, announcing the report.

As well as issuing its report, the ONCD is setting up a public-private stakeholder working group and is co-chairing the Internet Routing Security Working Group. The working group will develop a framework to help network operators to assess risk and prioritize IP address resources and critical route originations.

A Foundational Framework

According to the ONCD, BGP is a foundational internet protocol that controls interactions between over 70,000 independent networks, with BGP routing traffic between them. It is used by a range of organizations beyond ISPs, including cloud providers, government, universities and energy providers.

However, as the ONCD points out, BGP was not designed with the security measures needed by today’s internet. This allows internet traffic to be diverted, accidentally or maliciously, putting critical infrastructure at risk and potentially providing cover for espionage, theft and data breaches.

The internet infrastructure provider Cloudflare points out that only around half of networks use RPKI. The firm has identified a number of BGP breaches, including an attack that allowed the theft of $100,000 of cryptocurrency.

“For years, internet routing prioritized trust over security, relying on global goodwill to prevent data rerouting, which is unrealistic and irresponsible – like sending valuable cargo on a ship ensured by nothing more than a handshake and a smile,” Eidan Siniver, CTO of specialist venture group Team8, told Infosecurity.

“Businesses often transmit sensitive data between global sites, and compromised routes present a major security risk. Network operators should certainly adopt RPKI and similar frameworks, establishing reliable standards that offer businesses enhanced visibility and control over their data in transit, prioritizing security over trust.”
