The Federal Communications Commission (FCC) aims to ensure that Internet service providers (ISPs) bolster their defenses against vulnerabilities in the Border Gateway Protocol (BGP). On Wednesday, the FCC unanimously approved a Notice of Proposed Rulemaking that obliges ISPs to submit confidential reports outlining their progress and plans for implementing BGP security measures using the Resource Public Key Infrastructure (RPKI).
“Today, we begin a rulemaking to help make our Internet routing more secure,” FCC Chairwoman Jessica Rosenworcel stated. The proposed rulemaking entails that ISPs prepare and update confidential BGP security risk management plans annually and submit quarterly reports for the largest providers. These plans would include Route Origin Authorizations (ROAs) and Route Origin Validation (ROV) practices.
In prior attacks, such as a 2022 incident involving Amazon’s cloud service, hackers exploited BGP vulnerabilities to hijack over 250 IP addresses, resulting in the theft of $235,000 in cryptocurrency. The FCC argues that the initial BGP design lacks intrinsic security features, making it susceptible to BGP hijacks that threaten personal information and critical infrastructure.
The FCC will collect public comments on the proposed rulemaking for 45 days post-publication in the Federal Register, with regulations possibly finalized within months. Under these proposals, notable ISPs including AT&T, Comcast, and Verizon would need to file their annual BGP plans confidentially with the Commission and submit quarterly data on their progress.
Smaller ISPs may also be asked to submit plans upon request, though they are not required to file them routinely. The proposed rules allow larger providers to cease annual filings once they attest to maintaining ROAs for at least 90 percent of their originated routes. Cable lobby group NCTA-The Internet & Television Association supports eliminating the annual reporting requirement once ISPs reach the 90 percent threshold but also urges the FCC to remove the quarterly data submission mandate for compliant ISPs.
Further details are available on Ars Technica.