CISA Welcomes FCC Focus on Border Gateway Protocol Security, Sees Regulation as Possible
The Cybersecurity and Infrastructure Security Agency is focused on border gateway protocol (BGP) security and resilience and welcomes the FCC’s recent focus on gateway issues (see 2204110057), said CISA Executive Director Brandon Wales during an NTCA webinar Monday. The webinar was sponsored by the Competitive Carriers Association, the Rural Wireless Association, the Wireless ISP Association and other groups, and targeted small carriers.
BGP security “is a significant enough national security issue that FCC should really consider using all its available resources to address it,” Wales said: “CISA is not saying that regulation is the answer, but it is one of many tools that could be used.” Bad actors have attempted to exploit vulnerabilities in the past “and we have seen potential disruptions in BGP fairly routinely,” he said. Wales said CISA also supports “harmonization” of incident reports by companies. “We know that there are multiple reporting requirements that currently fall on industry,” he said.
“The threat of BGP insecurity is critical and widespread,” CISA and NTIA said in recent comments on an FCC notice of inquiry. “Because the internet enables critical functions from banking to healthcare to emergency communications, BGP disruption can result in cascading effects on an international scale,” the agencies said in docket 22-90: “In distributing and computing pathways between independently managed networks around the world, BGP is central to the function of the Internet. However, it was not primarily designed with the security considerations necessary in today’s internet environment, as the original infrastructure was built to rely on mutual trust.”
Experts say BGP security is part of the FCC’s broader focus on curbing risks posed by Russia (see 2203180051).
“Cyber has been a key part of the Russian invasion of Ukraine, [but] what we have not seen, luckily, is targeting of the United States,” Wales said. “That is something that we want to be on guard against,” he said. Some Russian actors have been active in the U.S., but “there has not been a significant disruption of critical infrastructure,” he said. The U.S. made clear that targeting this country won’t be “cost free” and, regardless of how the invasion plays out, Russia will remain a threat, he said.
Software offered for use on smartphones is a big challenge “because of the scale of apps … that come out into stores,” Wales said. “Our most important guidance is to use the official app stores” offered by operating system companies, he said. “If people are side-loading apps, not going through the official app stores, jail-breaking devices and loading apps that way, that’s where you start to dramatically increase your risk,” he said.
Wales said companies that are attacked should contact their local FBI field office or CISA representative. The agencies work together and there’s no need to contact both, he said. “It is much easier to put in place the protections you need today and avoid an attack” than having to do “clean up” after, he said. Unpatched networks are easier to attack, he said. “We want to see improved software development practices,” he said: “We want to see software go through due diligence upfront before it gets out into the wild and vulnerabilities are easily discovered and exploited.”