White House Wants to Tighten Internet Routing Security
2024-9-5 03:24:35 Author: securityboulevard.com

The White House is taking another step to address the security issues with the Border Gateway Protocol (BGP), the behind-the-curtain rules that have long governed the routing of traffic around the internet but have increasingly become an attractive target of cybercriminals.

The Biden Administration has made hardening BGP part of its larger years-long effort to improve the security posture of the country’s government agencies and private-sector organizations, with the Federal Communications Commission (FCC) in June saying it was mulling requiring internet service providers (ISPs) to outline plans they had in place or were developing to secure the protocol.

According to the White House, concerns about the security of BGP have been circulated to one degree or another for about a quarter-century.

This week, the White House Office of the National Cyber Director (ONCD) released a 19-page report designed to serve as a roadmap for addressing the vulnerabilities found in “the principal technology used to route traffic across the thousands of independent networks that comprise the Internet” but which lacks the security capabilities to allow it to safely do its job in today’s highly charged cybersecurity climate.

As with other technologies developed during the internet’s early days, BGP was not created with the kind of security capabilities that are necessary to handle today’s sophisticated cyberthreats, according to the ONCD. That needs to change, White House National Cyber Director Harry Coker Jr. said.

“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” Coker said in a statement. “We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”

Connecting the Networks

There are about 74,000 independent but interconnected networks – called autonomous systems, or ASes – that make up the internet, ranging from residential broadband and business and critical infrastructure networks to mobile wireless, cloud service, and content distribution networks, among others. Each relies on BGP, running on its border routers, to dynamically route information to and from the other ASes it is connected to.

However, the protocol can’t perform such security tasks as verifying the authenticity of messages exchanged between neighboring networks, doing the same for information from remote networks, or detecting routing announcements that violate business policies between neighboring networks.

“As the Internet became essential to global commerce, critical infrastructure, and communications, malicious actors began purposefully exploiting these BGP vulnerabilities,” the authors of the ONCD report wrote. “Attackers began to falsify BGP information to cause data to be delivered to the wrong destinations, to divert paths across the Internet to pass through unintended networks, or to cause outages in Internet connectivity. Such incidents are generally called route hijacks because the action of a third party results in disruptive and often damaging changes in the routing of Internet traffic.”

Such route hijacks can lead to the exposure of sensitive personal information, data theft, extortion scams, espionage, and the disruption of critical infrastructure operations.

Focusing on RPKI

The ONCD noted that, given the central role that BGP plays in keeping traffic running between tens of thousands of networks, no single technology will fix all of the protocol’s security issues. However, the report, “Roadmap to Enhancing Internet Routing Security,” focuses on the Resource Public Key Infrastructure (RPKI), a global trust infrastructure that was created to enable new BGP security mechanisms.

The first of these mechanisms to become commercially available is Route Origin Validation (ROV). A key BGP vulnerability is the inability to verify which networks were authorized to announce specific address blocks. Using Route Origin Authorization (ROA) data, ROV can address the security flaw, according to the report.

A ROA is a digitally signed certificate signifying that a network is authorized to announce a specific block of internet space, like IP addresses, according to the ONCD. ROV is the process by which BGP routers use ROA data to filter out BGP announcements flagged as invalid. One needs the other: ROV can help protect a company’s internet address resources only if the company has created ROAs.

The White House outlined a number of recommended “baseline” steps for all types of networks run by network service providers or those organizations that run enterprise networks or hold their own IP resources. They include developing a cyber-risk management plan to address security and resilience of internet routing, creating and publishing ROAs in the public RPKI repository, monitoring the status of their ROA data, routing security threats, and disruptions, and setting contracting requirements.

For internet providers, the steps they should take include deploying ROV filtering on their networks, giving customers the tools for creating ROAs, and disclosing the steps they’ve taken to secure the routing on their networks.

Article source: https://securityboulevard.com/2024/09/white-house-wants-to-tighten-internet-routing-security/