APNIC Pty Ltd.

05/10/2024 | Press release | Distributed by Public on 05/09/2024 17:02

Data-driven policy recommendations and sector-specific routing security analysis in Pakistan

In this post, I will explore a project I was involved in during my MANRS Ambassador role that analysed the Internet routing security policies of three main sectors in Pakistan: Telecom-ISP, Financial, and Enterprise-data centre.

Our in-depth analysis examines compliance with Internet Routing Registry (IRR) information and Resource Public Key Infrastructure (RPKI), identifying unique challenges and compliance levels across these sectors. The insights lead to sector-specific policy recommendations, underlining the necessity of data-driven strategies for enhancing digital security and connectivity in Pakistan.

This post highlights the importance of targeted policies in improving Internet reliability and security.

Understanding the dataset

Our journey begins with a careful examination of the dataset. It encompasses various fields, including Autonomous System Numbers (ASNs), holders, sectors, and metrics related to routing information practices (IRR and RPKI).

Understanding the dataset's structure was pivotal in selecting the most relevant columns for analysis. Thankfully, the MANRS Observatory dataset's well-organized nature facilitated a smoother transition to the next stage of our analysis.

Categorizing compliance - the methodology

To align with the interests and concerns of relevant stakeholders, the 264 ASNs within Pakistan were strategically categorized into three distinct sectors. This approach ensured that policy recommendations were specifically tailored to address the unique needs of regulatory entities in each sector, thereby fostering compliance.

Telecom-ISP sector: This sector includes ASN holders primarily engaged in telecommunications services, such as ISPs, telecom operators, and network service providers. These entities are crucial in providing Internet communication infrastructure.

Financial sector: ASN holders from the banking, financial services, and insurance industries fall under this category. Organizations in this sector depend heavily on secure and reliable Internet routing, particularly for online banking and financial transactions.

Enterprise-data centre sector: This sector covers ASN holders from several industries and organizations, including healthcare, education, government, and more. It represents a diverse group with varying levels of routing security compliance.

A clear framework was established for the categorization of readiness:

  • No compliance: A score of 0.
  • Lagging - low compliance: Scores above 0 but ≤ 0.5.
  • Aspiring - moderate compliance: Scores > 0.5 but < 1.0.
  • Ready - full compliance: A score of 1.0.

The ratio of 'No compliance' for both RPKI and IRR, sector-wise, is as follows:

Insights from sector-wise grouping

While commendable adherence to routing security practices exists, variations in RPKI compliance present avenues for enhancement.

Enterprise-data centre sector: This sector demonstrates strong compliance in both routing information practices. In RPKI compliance, there are 74 entities with full compliance, seven with low compliance, six with moderate compliance, and 24 with no compliance. In IRR compliance, 103 entities exhibit full compliance, two have low compliance, five have moderate compliance, and only one has no compliance. This sector performs notably better on IRR compliance than on RPKI compliance.

Financial sector: The Financial sector shows a mixed performance in routing information practices. In RPKI compliance, there are 10 entities with full compliance, one with low compliance, and 17 with no compliance. In IRR compliance, 27 entities are fully compliant, and one has low compliance. This sector has a high level of compliance in IRR but a notable gap in RPKI compliance.

Telecom-ISP sector: This sector leads in RPKI compliance with 88 entities having full compliance, 10 with low compliance, 17 with moderate compliance, and 10 with no compliance. In IRR compliance, 111 entities exhibit full compliance, two have low compliance, 10 have moderate compliance, and two have no compliance. While this sector demonstrates strong compliance, there is room for improvement in RPKI compliance.
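The banding rule from the methodology section and the sector counts reported above, combined in an added example (not code from the original post or from MANRS): it classifies per-ASN scores into the four readiness bands and derives each sector's 'No compliance' share from the counts stated in this post. The sample rows, field names and function names are constructed for illustration, and bands the post does not mention for the Financial sector are taken as zero.

```python
from collections import Counter

def readiness_band(score):
    """Map a 0..1 score to the four readiness bands defined in the post."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0:
        return "No compliance"
    if score <= 0.5:
        return "Lagging"
    if score < 1.0:
        return "Aspiring"
    return "Ready"

def tally(rows, metric):
    """Count bands per sector for one metric ('rpki' or 'irr')."""
    out = {}
    for row in rows:
        out.setdefault(row["sector"], Counter())[readiness_band(row[metric])] += 1
    return out

def no_compliance_ratio(counts):
    """Share of a sector's ASNs that fall in the 'No compliance' band."""
    total = sum(counts.values())
    return counts["No compliance"] / total if total else 0.0

def bands(ready, lagging, aspiring, none):
    return Counter({"Ready": ready, "Lagging": lagging,
                    "Aspiring": aspiring, "No compliance": none})

# Band counts as stated in the post; unmentioned bands are assumed to be 0.
POST_COUNTS = {
    "Enterprise-data centre": {"rpki": bands(74, 7, 6, 24), "irr": bands(103, 2, 5, 1)},
    "Financial": {"rpki": bands(10, 1, 0, 17), "irr": bands(27, 1, 0, 0)},
    "Telecom-ISP": {"rpki": bands(88, 10, 17, 10), "irr": bands(111, 2, 10, 2)},
}

# Constructed per-ASN rows (documentation ASNs, hypothetical field names).
SAMPLE_ROWS = [
    {"asn": 64496, "sector": "Financial", "rpki": 0.0, "irr": 1.0},
    {"asn": 64497, "sector": "Financial", "rpki": 0.5, "irr": 1.0},
    {"asn": 64498, "sector": "Telecom-ISP", "rpki": 0.75, "irr": 0.25},
    {"asn": 64499, "sector": "Telecom-ISP", "rpki": 1.0, "irr": 1.0},
]

if __name__ == "__main__":
    print(tally(SAMPLE_ROWS, "rpki"))
    for sector, metrics in POST_COUNTS.items():
        for metric, counts in metrics.items():
            print(f"{sector:24} {metric:4} {no_compliance_ratio(counts):.1%}")
```

The per-sector totals in `POST_COUNTS` add up to the 264 ASNs the post reports, for both RPKI and IRR.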

Key risks associated with non-compliance with IRR and RPKI - Internet routing domain

Failing to implement IRR and RPKI poses specific risks to each sector. A risk common to all three sectors is that non-compliance undermines overall trust in the digital infrastructure critical for modern business and communication.

Here's a non-exhaustive list of key risks associated with non-compliance in each sector:

Enterprise-data centre sector:

  1. Non-compliance increases susceptibility to attacks like route hijacking or traffic interception, jeopardizing client data and services.
  2. Incidents resulting from poor routing security can lead to significant reputational damage, affecting client trust and business viability.
  3. Routing incidents can disrupt operations, leading to downtime, loss of service, and financial losses.

Financial sector:

  1. The financial sector is a prime target for cybercriminals. Non-compliance can lead to financial fraud or data breaches, impacting the institutions and their customers.
  2. Security incidents can erode consumer confidence, essential for financial institutions, potentially leading to loss of business.

Telecom-ISP sector:

  1. ISPs face network instability or downtime risks due to routing security incidents, impacting many users and businesses.
  2. Non-compliance can lead to compromised network integrity, making the network unreliable for users and businesses that depend on it.
  3. ISPs can inadvertently become vectors for the spread of cyberattacks, affecting broader network segments.

Policy recommendations

The insights derived from this data-driven analysis serve as the foundation for informed policy recommendations tailored to address sector-specific challenges and harness opportunities for improvement.

  1. Enterprise-data centre sector: Maintain high IRR compliance and work towards reducing RPKI compliance variability. Encourage the sharing of best practices among entities. The National Computer Emergency Response Teams (NCERT) provides capacity-building training in these areas for data centres and enterprise networks through sectorial CERTs.
  2. Financial sector: Leverage strong IRR compliance as a foundation for improving RPKI practices. Invest in RPKI training and awareness programs. The compliance framework of the State Bank requires an update, for which input should be sought from the Electronic Certificate Accreditation Council (ECAC) regarding the national infrastructure readiness for Public Key Infrastructure (PKI).
  3. Telecom-ISP sector: Focus on elevating moderate compliance entities to full compliance in both IRR and RPKI. Establish a system of credits or ratings that highlights and incentivizes adherence to best practices in routing security. This approach acknowledges the efforts of compliant entities and motivates others in the industry to elevate their security standards, ultimately leading to a more robust and secure Internet infrastructure.

Conclusion

These insights empower us to forge policies that enhance the security and accessibility of the Internet, safeguarding its future as a reliable global resource.

As the MANRS community, including the Mentors and Ambassadors, navigates the waters of routing security, our collective effort to uphold and advance these essential security measures will shape the digital landscape for generations to come. Data-driven insights are our compass, guiding us toward a more secure and connected future.

Mujtaba Hussain has 12 years of experience in ICT and cybersecurity. He was a 2023 MANRS Ambassador, working with guidance from Harish Chowdhary and Ryan Polk.

The 2023 MANRS Mentors and Ambassadors program was sponsored by the APNIC Foundation and APNOG.

Originally published on the MANRS blog.
