APNIC Pty Ltd.

05/23/2024 | Press release | Distributed by Public on 05/22/2024 20:19

Is regulated BGP security coming?

You may have seen the Internet Society's (ISOC's) response to the US Federal Communications Commission's (FCC) recently published "Draft Declaratory Ruling and Order in the Open Internet Proceeding" where certain language concerning Border Gateway Protocol (BGP) security is sparking some concern within the community. ISOC's post states this ruling "… strongly implies the FCC's intention to regulate (BGP) routing security."

The post casts this as an area of concern, with ISOC and the Global Cyber Alliance (GCA) recommending against regulating BGP security. This is for three stated reasons:

  1. The effect regulation often has of slowing progress as the industry reviews its obligations and legal implications.
  2. Competitive tension that can arise from regulated behaviour.
  3. Concerns of fragmentation as other economies rush to reflect this decision but implement different strategies.

While these risks are real, they are unlikely to prevent the FCC from acting.

Firstly, telecommunications has always been regulated. In recent decades regulators may have tended toward a soft-touch approach. Still, carriers have both protections (in the form of common-carrier defences against the conduct of messages over their systems) and obligations (such as the need to provide lawful interception services under judicial process).

Secondly, the risks to the integrity of the function of the Internet are real. These threats stem from malicious criminal entities, adversarial states, and even from within the economy. They disrupt vital functions of the Internet, which are crucial for basic communications, emergency services, and state operations like power and water delivery.

Given the Internet's central role in modern society, it's reasonable to expect actors responsible for configuring BGP to adhere to basic standards of hygiene and documentation for their resources, ensuring their trustworthiness.

Currently, in economies like New Zealand, ISPs are required to report significant routing state changes to authorities or to account for loss of service under cyber threats (such as in Australia where Internet entities can be declared national strategic resources with reporting obligations).

The ISOC / GCA stance is not particularly surprising because few industry organizations in the Internet governance sphere typically advocate for or support increased regulation - industry self-regulation tends to be the default position. However, when it comes to BGP security and the potential risks posed to the state, the light-touch approach may reach the limits of risk that a government is prepared to accept without intervention.

Have a read of the FCC report, and the ISOC / GCA response, and let me know what you think!
