White House Targets Internet Routing Flaws with BGP Security Protocol Plan

The White House Office of the National Cyber Director (ONCD) has unveiled a new strategy aimed at strengthening internet routing security by addressing vulnerabilities within the Border Gateway Protocol (BGP), the system responsible for global network communications.

This plan emphasizes the implementation of the Resource Public Key Infrastructure (RPKI) to safeguard networks from potential breaches and attacks, urging federal agencies to adopt this security measure. The ONCD is also forming councils to facilitate the broader adoption of RPKI and provide resources to help network operators strengthen their systems.

BGP enables communication between around 74,000 global Autonomous Systems (ASes), the building blocks of the world's internet. However, BGP’s vulnerabilities allow attackers to manipulate data exchanges between networks, posing risks like unauthorized route announcements and violations of inter-network policies.

In recent years, incidents have shown how these flaws can be exploited for espionage and attacks on critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about foreign adversaries targeting BGP vulnerabilities for malicious purposes. As the internet relies on BGP, addressing its security flaws remains a complex challenge, requiring careful coordination and continuous operation during upgrades.

RPKI as a Key Solution for BGP Security ONCD’s core strategy to reinforce BGP security centers on adopting RPKI, a digital certification system that uses distributed repositories for verification. While RPKI has been widely implemented in Europe, it has encountered challenges in the U.S. due to limited resources, administrative barriers, and a lack of awareness about internet routing risks.

Though the ONCD’s recommendations are not mandatory, they strongly encourage federal agencies to take action and adopt RPKI as a baseline. To facilitate this transition, the White House is partnering with the Communications and IT Sector Coordinating Councils to establish a working group that will develop resources and encourage industry-wide adoption.

In a related move, the Federal Communications Commission (FCC) proposed measures to enhance BGP security in June, following incidents where China Telecom was found to have deliberately misrouted U.S. internet traffic. Despite this, it’s important to note that RPKI is not a one-size-fits-all solution but rather a foundational element of a broader strategy that may include additional security protocols.

Call for Broader Industry Adoption Private sector collaboration is crucial to the success of this plan, with network service providers expected to implement Route Origin Validation filtering as part of the RPKI adoption. Critical infrastructure and local government agencies are also likely to be encouraged to adopt these measures in the near future.

BGP, created in 1989, was never designed with the complexities of modern internet security in mind. Cloudflare reports that only half of global networks have implemented RPKI, leaving the door open for attacks ranging from cryptocurrency theft to malicious redirection of traffic. BGP attacks have led to significant financial losses and can also be used for purposes like IP hijacking and launching spam or DDoS campaigns.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, believes RPKI adoption is an essential step forward, though not without its limitations: “We are decades behind in securing BGP. Now we have a few viable options, and while RPKI might not be the best solution, it's a significant improvement. If we can achieve widespread adoption, we could finally make BGP more secure than it has ever been.”