FCC to propose requiring internet providers mitigate security flaws in core data routing protocol

The Federal Communications Commission is taking another step into the world of cybersecurity, teeing up a rule aimed at bolstering the security posture of a crucial worldwide data routing framework.

The agency next month will vote on a proposal that would require the nine largest U.S. broadband providers to regularly file confidential documents to the commission that describe plans they’re developing to bolster the cybersecurity of the Border Gateway Protocol, a backbone data transmission algorithm that determines the optimal pathways data packets should take to move across networks.

The commission, as part of the forthcoming vote, will weigh how its recently restored net neutrality rules may provide the legal authority needed to compel the internet service companies to supply them with the documentation. The notice of proposed rulemaking was released Thursday afternoon. The FCC is seeking comments from stakeholders and the public on several sources of legal authority, including those under the net neutrality reclassification.

The FCC has used the restoration — backed by Title II of the Communications Act — as a legal basis to augment internet security because it would allow the agency to stamp out foreign internet companies deemed national security risks.

The BGP functionality was first engineered in 1989 to help data swiftly move between computers. The protocol, in essence, helps data find the fastest, least resistant transmission path between point A and point B in a network. But BGP was built on the premise that all routed data could be trusted. In 2024, that assumption is practically impossible.

“It is vital that communication over the internet remains secure,” said agency Chairwoman Jessica Rosenworcel. “Although there have been efforts to help mitigate BGP's security risks since its original design, more work needs to be done.”

In addition to confidential filings, major broadband providers like Comcast, AT&T and Verizon would need to release publicly available data to the agency on a quarterly basis to help them measure their progress. 

Specifically, those findings center on implementing BGP security measures using the Resource Public Key Infrastructure, an encryption framework that applies digital certificates to protect the protocol from attacks like BGP hijacks, where hackers take over groups of IP addresses by sabotaging the routing pathways used by BGP.

The FCC over the past several years has been working with government partners to shield networks from certain communications operators, arguing they might facilitate cyber espionage, launch cyberattacks against critical infrastructure or engage in other malicious activities. It maintains a list of entities that are deemed an “unacceptable risk” to national security.

In the days following Russia’s February 2022 invasion of Ukraine, the FCC launched a proceeding into the BGP, amid concerns that the conflict could widen into cyberattacks on U.S. infrastructure. It also followed a mass hack carried out by Russian operatives in the beginning hours of the invasion that crippled reams of Ukrainian Viasat modems.

The Cybersecurity and Infrastructure Security Agency has also leaned in on BGP matters, holding a workshop with the FCC and private sector cloud providers last July.

The agencies “fully acknowledge that the U.S. government is lagging behind on BGP security practices,” a blog post said after the workshop.

It’s not entirely clear how the final vote tally will look once the commission takes up the proposal next month. National security matters have historically been bipartisan in the FCC, but the authorities supporting the proposed BGP regulation, established in part by the recent party-line net neutrality vote, may lead the agency’s two Republican-appointed commissioners to oppose the rule.

At least two tech and cyber industry groups are hesitant about BGP regulations, arguing they would slow progress on routing security developments and create new barriers to entry for small internet service providers.