National Cyber Director (NCD) Harry Coker is promising a strong effort by the Federal government to shore up internet router security – particularly in the area of Border Gateway Protocol (BGP) rules that determine the best network route for data transmission on the internet – in light of attacks over the past 15 years that have leveraged weak BGP security.
Coker made that commitment at a May 23 meeting of the National Security Telecommunications Advisory Committee (NSTAC). The committee is housed within the Cybersecurity and Infrastructure Security Agency (CISA) and is made up of private sector experts who advise the White House on telecommunications issues that affect national security and emergency preparedness.
During his remarks, Coker said the security effort centers around increasing the Federal government’s adoption of Resource Public Key Infrastructure (RPKI), which he said is an existing and available security upgrade through which “we can ensure that BGP hijacking is a thing of the past.”
While RPKI technology has been around for more than a decade, “it was only recently that a bare majority of global Internet addresses were appropriately registered in RPKI to allow internet service providers to filter false routing advertisements and prevent attempts to hijack them,” the NCD said.
On the government front, Coker said “we’re working with interagency partners and the private sector on a roadmap to drive RPKI adoption across the board.”
As part of that effort, he said several Commerce Department component agencies two weeks ago “signed model contracts – Registration Service Agreements – to register their address space and create ‘route origin authorizations,’ or ROAs.”
Those contracts, he said, are based on work done by the National Oceanic and Atmospheric Administration (NOAA), and “are models for other agencies across the government to follow.”
Coker said he’s looking for strong progress on the effort this year.
“By the end of the year, we expect over 50 percent of the Federal advertised IP space to be covered by Registration Service Agreements, paving the way to establish ROAs for Federal networks,” he told the NSTAC.
“We recognize that implementing RPKI is a first step in improving internet routing security,” Coker said. “Collectively, we have much more to do to secure the technical foundations of the Internet going forward, and we look forward to the government and private sector working together to address these critical challenges.”
During his NSTAC presentation, Coker recounted BGP security problems stretching back as far as 2008, and a finding from 2018 that internet traffic from western countries was being routed far out of its way through servers in China.
“More recently, we have seen the sophistication of BGP hijacks increase,” Coker said. “These hijacks are often used as stepping-stone attacks to subvert other foundational Internet Protocols, including domain name systems and the web public key infrastructure. The end objective of these BGP attacks is often to gather account credentials or install malware used to steal cryptocurrency. Recent incidents have resulted in losses in the millions of dollars.”
