FCC moves ahead on internet routing security rules
The Federal Communications Commission voted unanimously on Thursday to advance a proposal to improve the security of a foundational routing protocol for the internet.
Under the notice of proposed rulemaking on Border Gateway Protocol security, which now will go to a public comment period before final adoption, broadband internet providers would have to develop and maintain private BGP security plans. The top nine providers would be required to provide quarterly public reports on their progress to the FCC.
According to the Defense and Justice departments, a Chinese telecommunications company has used BGP vulnerabilities to misroute U.S. internet traffic at least six times, said FCC Chairwoman Jessica Rosenworcel. But BGP wasn’t designed with security in mind, she said.
“It is central to the global routing system of the internet, because it is the protocol that allows independently managed networks to send traffic to one another,” Rosenworcel said. “That means we all rely on BGP, every one of us, every day.”
Compared to earlier signals on its plans, FCC changes to the proposed BGP rules that eased concerns from some in industry and a couple of cyber-focused organizations also appeared to put Republican minds at ease.
Brendan Carr, the senior Republican on the commission, said he was glad to see the agency “focused here on reporting-type requirements rather than substantive conduct-style regulations.”
Industry is still wary of where the regulations will end up, however.
“USTelecom is working shoulder-to-shoulder with multiple government agencies on a risk-based, collaborative effort to advance routing security across the global digital ecosystem,” the trade group said in a statement. “We will continue working with the FCC to ensure this rulemaking does not lead to rigid, top-down regulations that undermine that important partnership.”
The commission also approved a pilot program for schools and libraries to purchase cybersecurity equipment. The three-year, $200 million “Schools and Libraries Cybersecurity Pilot Program” had enough GOP reservations to prompt that side of the aisle to vote against it.
Their opposition wasn’t to the goals of the program, but rather stemmed from their view that it stretched the E-Rate program for schools and universities beyond its legal underpinnings.
Rosenworcel said the pilot program would be used to gather data for future efforts.
“Ultimately we want to learn from this effort how to get the balance right and provide our local state and federal government partners with actionable data about the most effective and coordinated way to address this growing problem,” she said.