FCC vote on tap for rules to secure fundamental component of the internet

The regulations would seek to bolster Border Gateway Protocol security, but some industry groups are concerned the proposal is too heavy-handed.
Chairwoman Jessica Rosenworcel, of the US Federal Communications Commission (FCC), speaks during an event at the Eisenhower Executive Office Building in Washington, DC, February 14, 2022. (Photo by SAUL LOEB/AFP via Getty Images)

The Federal Communications Commission is set to vote Thursday on advancing a proposal to improve security for a key component of the modern internet, a rule that eases some — but not all — of the criticisms of the agency’s previously stated plans for strengthening the Border Gateway Protocol.

Under the proposed rule, broadband internet providers would have to develop and maintain secure internet routing plans. The nine largest providers would be required to file quarterly reports with the FCC on their efforts.

“Whether you’re banking online, using telemedicine to see the doctor, or attending school remotely, you rely on a set of technical rules called the Border Gateway Protocol (BGP) to route your data efficiently,” FCC Chairwoman Jessica Rosenworcel said in May when announcing the rule. “This protocol was designed for expediency, not security. Accordingly, it lacks explicit security features, which has allowed criminals to ‘hijack’ online traffic.”

If the FCC votes to approve the Notice of Proposed Rulemaking, it would advance the rule one step closer toward final adoption by opening it to public comment. To make the case for strengthening the security of BGP, the notice cites an incident in which attackers used BGP hijacking to steal cryptocurrency and another in which Russian network operators are suspected of exploiting the vulnerability of BGP to disrupt financial services ahead of the invasion of Ukraine.

The telecommunications industry and some groups that work toward a secure and open internet had raised concerns both when the FCC first floated the idea for BGP security regulations in 2022 and again when the commission resurfaced the notion during debate over restoring net neutrality rules. Those concerns included fears that the then-vague FCC discussions would lead to overly prescriptive regulations that could spawn conflicting proposals from other nations.

The nonprofit Global Cyber Alliance, whose partners include a who’s-who of large tech companies, wrote to the FCC in April, alongside the nonprofit Internet Society, about those worries. But the Notice of Proposed Rulemaking (NPRM) that spelled out the specifics put some of the Global Cyber Alliance’s concerns at ease.

“Appreciating that progress in Internet infrastructure improvements can appear glacial at times, it seemed like the FCC might have been poised for something more prescriptive in terms of requirements in the routing infrastructure,” said Leslie Daigle, the chief technical officer and internet integrity program director at the alliance. “To the extent that the NPRM is supporting the direction the industry is already heading, setting some targets and focusing on having explanations when companies don’t live up to them, this does mitigate the primary concerns expressed in our filing.”

The Internet Society, an advocacy group that works to support internet infrastructure and has the backing of major technology companies, also saw improvements in the FCC proposal but not enough to back the measure.

“We appreciate that the Commission took a lighter initial approach to BGP security than they had suggested in their Open Internet Order, but the entire tenor of the NPRM leans heavily toward more top-down regulation,” the Internet Society’s John Morris and Ryan Polk said in a statement. “This includes problematic regulatory ideas that threaten to undermine the pre-existing global multi-stakeholder processes important to the Internet.” 

In Morris and Polk’s view, the FCC’s proposal “seems to indicate a lack of understanding of multistakeholder governance of the Internet, and we hope the Commission acts carefully in this space moving forward.”

The NCTA, which represents the broadband and cable television industry, is also still seeking changes to the BGP proposal. The trade group wants the FCC to remove the quarterly reporting requirements once providers hit a high level of secure deployment.

Doing so “would both reduce compliance costs and burdens on those companies that are best helping to achieve the Commission’s goals and free up important resources for those providers to continue other efforts to enhance security for their customers,” as well as provide incentives for providers to move quickly, the group wrote last month. Ultimately, the NCTA’s members “believe that prescriptive rules are not needed in this area,” it wrote.

The FCC proposal is nonetheless a positive response to some of the industry feedback, said Daigle of the Global Cyber Alliance, whose organization is the formal support organization for a voluntary BGP security initiative. It’s “a good signal to industry that the FCC is serious about seeing improvements in the security of the routing infrastructure, while leaving considerable leeway for industry to determine how best to do that,” she said.
