The White House’s Office of the National Cyber Director (ONCD) today released its Roadmap to Enhancing Internet Routing Security, offering more than a dozen recommendations to network operators and service providers as well as the Federal government to secure the internet ecosystem.
ONCD, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), also announced it is establishing an Internet Routing Security Working Group to develop resources and materials to collectively advance the roadmap’s recommendations.
ONCD’s 19-page roadmap aims to address a key security vulnerability associated with the Border Gateway Protocol (BGP) – the protocol that underpins the way information is routed across networks.
According to ONCD, BGP’s original design properties do not adequately address the threat to, and resilience requirements of, today’s internet ecosystem. As a result, traffic can be inadvertently or purposely diverted, which may: expose personal information; enable theft, extortion, and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations.
The potential for widespread disruption of internet infrastructure, whether carried out accidentally or maliciously, “is a national security concern,” the report’s corresponding fact sheet says.
“By addressing BGP, ONCD is taking on a hard problem that has long threatened the security of internet traffic,” the press release says. “Given today’s cyber threat landscape, ONCD continues to underscore that a secure and open internet is critical to the economic prosperity and national security of the United States.”
In line with the President’s National Cybersecurity Strategy Implementation Plan, ONCD collaborated with Federal government partners, industry stakeholders, and subject-matter experts to consider the complexities of the internet routing ecosystem, map longstanding barriers to improving security, and recommend incentives to overcome those barriers. Their inputs informed the 18 recommended actions highlighted in the roadmap.
“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”
While there is no single solution to address all internet routing vulnerabilities, ONCD’s new roadmap advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate BGP’s vulnerabilities.
RPKI consists of two primary components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV).
An ROA is a digitally signed certificate that a network is authorized to announce a specific IP address. ROV is the process by which BGP routers use ROA data to filter BGP announcements flagged as invalid.
ONCD announced today that by the end of the year, it is expected that over 60 percent of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish ROA for Federal networks.
ONCD led an effort to develop a Federal RSA template addendum that Federal agencies are encouraged to use to facilitate their adoption of RPKI.
In May, the National Oceanic and Atmospheric Administration developed a Federal RPKI Playbook to support the process of executing the RSA and establishing ROAs on Federal networks.
ONCD said the new roadmap and its 18 recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.
Baseline actions for all network operators include risk-based planning; ROA publication; contracting requirements; and monitoring.
ONCD also recommended the Federal government take on several tasks, including directing the Office of Management and Budget (OMB) to establish guidance for agencies to implement ROAs in a timely manner as well as create contracting requirements. The roadmap also recommends that OMB establish a reporting mechanism for measuring Federal agency adoption of ROA.
The report calls on CISA to conduct outreach and education on the benefits of ROA and ROV and asks the State Department to highlight the importance of internet routing security at the international level.
In addition to releasing the report today, ONCD established a public-private stakeholder working group.
ONCD is co-chairing the Internet Routing Security Working Group, alongside CISA and the Communications and Information Technology Sector Coordinating Councils, to develop resources and materials to collectively advance the roadmap’s objectives.
“Securing BGP is essential to safeguarding the integrity of our digital infrastructure. Through strong partnerships – both with industry and with government agencies – we can enhance the resilience of our internet routing, ensuring a secure and reliable internet for our nation,” said CISA Director Jen Easterly. “This roadmap is a good step forward in achieving that goal. We’re excited to co-lead the collaborative effort in the Internet Routing Security Working Group and look forward to developing meaningful resources.”
Specifically, the working group will develop a framework for network operators to assess risk and prioritize IP address resources and critical route originations – such as those for government use and critical infrastructure operations – for the application of routing security controls such as ROA and ROV. The group will also develop a network service provider playbook for customers.
“The roadmap reflects a deep understanding of the complex Internet ecosystem landscape,” said Robert Mayer, chair of the Communications Sector Coordinating Council. “It’s sensible and prudent approach calls for a collaborative industry and government effort to develop an informed, risk-based strategy. We look forward to working with our government partners to make meaningful progress to address this critical issue.”
