Cybersecurity Experts Urge Widespread Adoption of Gateway Security Best Practices
Cybersecurity officials and industry experts urged widespread implementation of best practices to improve border gateway protocol (BGP) security, speaking during a hybrid FCC event Monday on securing internet routing (see 2306160050). Many agreed more collaboration between the public and private sectors is needed to strengthen BGP security.
It's "vital to our nation's economy that communication over the internet is secure," said Chairwoman Jessica Rosenworcel: "We're going to need a common understanding of what current activities are underway, what is planned, and how best to ensure that we are moving rapidly to identify and deploy necessary to secure internet routing." BGP security "has been a known problem since the first version was published," said Ben Goldsmith, DOJ principal scientific officer-National Security Division, noting it's "important to focus on building a strategy for collective action."
There's "much agreement that BGP security can be improved by network operators through the widespread implementation of recommendations and best practices," said FCC Public Safety and Homeland Security Bureau Chief Debra Jordan, including "BGP monitoring and event detection, BGP information coordination, path filtering, cryptographic route origin validation and authentication, and preventing IP spoofing." Cybersecurity and Infrastructure Security Agency Director Jen Easterly agreed, saying "we fully acknowledge the U.S. government is lagging behind on BGP security practices and we are working to improve here."
Part of the challenge in addressing BGP security "has been some of the market dynamics" and the risk of deploying "new and unproven technologies," said Comcast Engineering Fellow Tony Tauber. "It can be harder to get the ball rolling because the first movers assume bigger risk," Tauber said. "We would like to see a continued partnership with both the public sector and private sector to reduce global risk without disrupting platforms," said Verizon Legal Counsel Elizabeth Gray Nunez.
Securing internet routing requires all industries, including larger-sized cloud and content providers, to implement best practices and solutions, said NTCA Regulatory Counsel Tamber Ray. "If the commission's focus is on protecting citizens from nefarious actors that misdirect the flow of traffic, large content providers should be a part of the solution," Ray said: It should also be "mindful of ensuring secure routing methods are financially and technically feasible."
Some panelists urged policymakers to take a more active role in educating industries about the significance of BGP security. There's a "potential role for government" to explain to enterprise businesses considered essential or important to "at least understand that there might be a risk and they can make a risk decision about whether or not they want to ... move forward," said Kathryn Condello, Lumen senior director-national security and emergency preparedness. Nunez agreed, saying it would be helpful for the government to play a role in "zeroing in" on sectors where there isn't as widespread adoption, interest, or understanding of the issue.
"BGP security is important, threats are real, [and] they are complex as the internet is complex," Jordan said, noting there has been a lot of collaboration between the public and private sector: "We all acknowledge there is more to be done, and I think that working with the stakeholder group going forward is going to help us further secure the internet."