05/10/2024 | Press release | Distributed by Public on 05/09/2024 17:02
In this post, I will explore a project I was involved in during my MANRS Ambassador role that analysed the Internet routing security policies of three main sectors in Pakistan: Telecom-ISP, Financial, and Enterprise-data centre.
Our in-depth analysis examines compliance with Internet Routing Registry (IRR) information and Resource Public Key Infrastructure (RPKI), identifying unique challenges and compliance levels across these sectors. The insights lead to sector-specific policy recommendations, underlining the necessity of data-driven strategies for enhancing digital security and connectivity in Pakistan.
This post highlights the importance of targeted policies in improving Internet reliability and security.
Understanding the dataset
Our journey begins with a careful examination of the dataset. It encompasses various fields, including Autonomous System Numbers (ASNs), holders, sectors, and metrics related to routing information practices (IRR and RPKI).
Understanding the dataset's structure was pivotal in selecting the most relevant columns for analysis. Thankfully, the MANRS Observatory dataset's well-organized nature facilitated a smoother transition to the next stage of our analysis.
Categorizing compliance - the methodology
To align with the interests and concerns of relevant stakeholders, the 264 ASNs within Pakistan were strategically categorized into three distinct sectors. This approach ensured that policy recommendations were specifically tailored to address the unique needs of regulatory entities in each sector, thereby fostering compliance.
Telecom-ISP sector: This sector includes ASN holders primarily engaged in telecommunications services, such as ISPs, telecom operators, and network service providers. These entities are crucial in providing Internet communication infrastructure.
Financial sector: ASN holders from the banking, financial services, and insurance industries fall under this category. Organizations in this sector depend heavily on secure and reliable Internet routing, particularly for online banking and financial transactions.
Enterprise-data centre sector: This sector covers ASN holders from several industries and organizations, including healthcare, education, government, and more. It represents a diverse group with varying levels of routing security compliance.
A clear framework was established for the categorization of readiness:
The ratio of 'No compliance' for both RPKI and IRR, sector-wise, is as follows:
Insights from sector-wise grouping
While commendable adherence to routing security practices exists, variations in RPKI compliance present avenues for enhancement.
Enterprise-data centre sector: This sector demonstrates strong compliance in both Routing Information practices. In RPKI compliance, there are 74 entities with full compliance, seven with low compliance, six with moderate compliance, and 24 with no compliance. In IRR compliance, 103 entities exhibit full compliance, two have low compliance, five have moderate compliance, and only one has no compliance. This sector has a notably better performance in terms of IRR compliance.
Financial sector: The Financial sector shows a mixed performance in Routing Information practices. In RPKI compliance, there are 10 entities with full compliance, one with low compliance, and 17 with no compliance. In IRR compliance, 27 entities are fully compliant, and one has low compliance. This sector has a high level of compliance in IRR but a notable gap in RPKI compliance.
Telecom-ISP sector: This sector leads in RPKI compliance with 88 entities having full compliance, 10 with low compliance, 17 with moderate compliance, and 10 with no compliance. In IRR compliance, 111 entities exhibit full compliance, two have low compliance, 10 have moderate compliance, and two have no compliance. While this sector demonstrates strong compliance, there is room for improvement in RPKI compliance.
Key risks associated with non-compliance of IRR and RPKI - Internet routing domain
Non-compliance with implementing IRR and RPKI poses specific risks to each sector. A common risk associated with noncompliance for all three sectors is that it undermines the overall trust in digital infrastructure critical for modern business and communication.
Here's a non-exhaustive list of key risks associated with non-compliance in each sector:
Enterprise-data centre sector:
Financial sector:
Telecom-ISP sector:
Policy recommendations
The insights derived from this data-driven analysis serve as the foundation for informed policy recommendations tailored to address sector-specific challenges and harness opportunities for improvement.
Conclusion
These insights empower us to forge policies that enhance the security and accessibility of the Internet, safeguarding its future as a reliable global resource.
As the MANRS community, including the Mentors and Ambassadors, navigate the waters of routing security, our collective effort to uphold and advance these essential security measures will shape the digital landscape for generations to come. Data-driven insights are our compass, guiding us toward a more secure and connected future.
Mujtaba Hussain has 12 years of experience in ICT and cybersecurity. He was a 2023 MANRS Ambassador, working with guidance from Harish Chowdhary and Ryan Polk.
The 2023 MANRS Mentors and Ambassadors program was sponsored by the APNIC Foundation and APNOG.
Originally published on the MANRS blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.