The Federal Communications Commission (FCC) has introduced a proposal designed to strengthen the security of U.S. networks by improving internet routing protections.
The initiative would require internet service providers (ISPs) to produce confidential reports describing their current and planned efforts to address vulnerabilities in the Border Gateway Protocol (BGP), the core protocol that routes traffic across the global internet.
Under the proposal, the largest broadband providers in the United States would file quarterly public data showing their progress in reducing BGP risks. The goal is to strengthen routing security and provide the FCC and its national security partners with up-to-date information about actions taken to secure internet traffic.
FCC Chairwoman Jessica Rosenworcel emphasized the importance of protecting internet traffic and referenced a recent conversation with Vint Cerf, commonly called the “Father of the Internet.” Cerf reflected on the internet’s open origins and said he wishes the system had been designed with stronger security in mind. Rosenworcel noted how heavily everyday activities depend on reliable routing—from small business operations and online banking to telemedicine and emergency services.
BGP has been used for decades but was not built with intrinsic security features to validate routing information shared among independently operated networks. That lack of built-in trust creates opportunities for exploitation.
National security experts have warned that attackers can falsify routing information in what is known as “BGP hijacking.” Such incidents can expose personal data, enable theft and extortion, facilitate state-level espionage, and disrupt essential services.
FCC Commissioner Geoffrey Starks, who has focused on BGP security since 2022, highlighted how accidental or deliberate events can render networks unavailable or reroute traffic for malicious purposes. He cited past incidents such as the 2008 YouTube outage caused by a misconfiguration aimed at blocking access in Pakistan, Russia’s exploitation of routing vulnerabilities to restrict access to Twitter during its invasion of Ukraine, and China Telecom’s historic misroutes that redirected a significant portion of global traffic through China.
Starks underlined the value of tools such as the Resource Public Key Infrastructure (RPKI), promoted by initiatives like Mutually Agreed Norms for Routing Security (MANRS). RPKI provides a public, cryptographically authenticated record of legitimate BGP routes and is widely regarded as a key defense for protecting internet routing.
To address these issues, the FCC adopted a Notice of Proposed Rulemaking containing several core measures:
- Annual BGP security risk management plans: Broadband internet access providers would be required to prepare and update confidential BGP security risk management plans at least once a year. These plans should detail progress and strategies for deploying BGP security protections, including RPKI.
- Reporting by major broadband providers: The nine largest broadband providers would file their BGP plans confidentially with the FCC and submit quarterly public data to let the Commission track RPKI-based security implementation and assess the adequacy of those plans. Providers that demonstrate a sufficient level of security would be exempt from filing future detailed plans.
- Smaller broadband providers: Smaller providers would not be required to file plans with the FCC but would need to make their plans available upon request.
Starks said the proposed rules would encourage ISPs that have not begun deploying BGP mitigations to act, and that measuring RPKI deployment will help both industry and government understand what additional steps are necessary to secure networks. The proposal aligns with the National Cybersecurity Strategy Implementation Plan, specifically an initiative to increase adoption of secure internet routing techniques.
Rosenworcel recounted BGP’s modest beginnings—often joked about as the “three napkin protocol”—created in 1989 as a stopgap solution that ultimately supported the internet’s growth. Because it was not designed with explicit security features, BGP remains vulnerable to manipulation.
The FCC’s proposed rules respond to documented instances of BGP hijacking. Rosenworcel thanked the Cybersecurity and Infrastructure Security Agency, the Department of Defense, and the Department of Justice for their collaboration and disclosures about incidents in which China Telecom misrouted U.S. internet traffic. Such hijacks can jeopardize personal information, interrupt financial transactions, and disrupt other critical operations.
The FCC is requesting public comment on the proposal and other steps to implement RPKI-based protections. While the agency recognized two decades of stakeholder efforts to address routing vulnerabilities, it emphasized that more work is required to secure internet routing for public safety and national security.
(Image Credit: FCC)
See also: NATO launches hub to safeguard critical undersea infrastructure
Interested in cybersecurity and cloud topics from industry leaders? Attend Cyber Security & Cloud Expo events held in Amsterdam, California, and London, which are co-located with related industry conferences covering blockchain, digital transformation, IoT, and AI & Big Data topics.
Explore other upcoming enterprise technology events and webinars powered by TechForge.