FCC looks into BGP vulnerabilities, in light of Russian hacking threat

The FCC is launching an inquiry into security issues surrounding the Border Gateway Protocol (BGP), a widely used standard used to manage interconnectivity between large portions of the Internet.

The move, announced Monday, was issued in response to “Russia’s escalating actions inside of Ukraine,” according to the commission’s notice of inquiry.

BGP is, in essence, a method of ensuring that independently managed networks that make up the global internet are able to communicate with one another. Its initial design, which the FCC said is still in widespread use today, does not contain important security features, meaning that, simply by misconfiguring its own BGP information, a bad actor could potentially redirect Internet traffic wherever it sees fit. This could let that attacker send incorrect information to its targets, read and compromise login credentials, or simply shut down whichever kinds of traffic it wishes.

The potential consequences of a BGP hack are extreme, the FCC said, noting that the types of network effects such an attack can cause include fallout for critical infrastructure like financial markets, transportation and utility systems.

There are security frameworks out there for BGP — the Internet Engineering Task Force and National Institute of Standards and Technology have both created several standards to make BGP more secure, among other projects with that aim in mind — but the FCC said that many networks have not taken advantage of them and remain vulnerable.

Hence, the commission’s inquiry has several goals, including the identification of the possible harms that could result from malicious attacks on BGP, methods of monitoring for BGP attacks, and any potential ways to accelerate the deployment of security standards for BGP.

“Ensuring continued U.S. leadership requires that we explore opportunities to spur trustworthy innovation for more secure communications and critical infrastructure,” the FCC said.

BGP hijacks can occur by mistake, rather than through malicious activity — but either way, their effect can be far-reaching. One incident, in April 2020, saw traffic meant for some of the biggest names on the internet, including Google, Facebook and Amazon, briefly redirected through Russia’s state-owned ISP, Rostelecom.

A second “hijack” that same month sent traffic to Rostelecom from Visa and Mastercard, among others. The Mutually Agreed Norms for Routing Security (or MANRS) project, run by the Internet Society, said that it identified about 775 incidents as possible BGP hijacks in 2021 alone.

“The FCCs announcement is about issues inherent to BGP but it also applies to the ecosystem of network providers and operators. It asks for comments on security mitigations, controls, and the degree of regulatory oversight necessary across the ecosystem of network operators and providers (and quite a bit more than that),” said Forrester Vice Presidnet and Principal Analyst Jeff Pollard.

 “This is less about discovering what’s new or interesting with respect to BGP and more about building momentum to make necessary changes that make BGP more secure given its importance. The internet doesn’t work without it,” Pollard said.