FCC Adopts BGP, School Cybersecurity Plans
The Federal Communications Commission (FCC) today took steps to make internet use safer in the U.S., approving a $200 million program to improve cybersecurity in schools and proposing to require broadband providers to report on their Border Gateway Protocol (BGP) risk mitigation processes.
The three-year Schools and Libraries Cybersecurity Pilot Program will study which cybersecurity services and equipment would best help K-12 schools and libraries address growing cyber threats and attacks against their broadband networks.
The pilot program will help the Commission “better understand whether and how universal service funds could be used to support the cybersecurity needs of schools and libraries and to share lessons learned with our federal partners to jointly combat this growing problem.”
The program will be kept separate from the FCC’s E-Rate program “to ensure gains in enhanced cybersecurity do not undermine E-Rate’s success in connecting schools and libraries and promoting digital equity.”
This pilot program is part of FCC Chair Jessica Rosenworcel’s Learn Without Limits initiative to improve connectivity in schools and libraries “so everyone, everywhere has access to high-speed internet services.” That initiative supports Wi-Fi on school buses, E-Rate support for libraries in Tribal communities, and funding from the E-Rate program for off-premises use of Wi-Fi hotspots and wireless internet access services.
BGP Security Targeted by FCC
The BGP security initiative stops short of mandating security standards for broadband service providers, and instead would simply require them to report on the effectiveness of those efforts. The measure will be open for public comment before it can be finalized.
Broadband providers would be required to “create confidential reports on the steps they have taken, and plan to undertake, to mitigate vulnerabilities in the Border Gateway Protocol (BGP), the technical protocol used to route information across the internet. The nation’s largest broadband providers would also be required to file specific public data on a quarterly basis demonstrating their BGP risk mitigation progress.”
The decades-old protocol, widely used for communication between networks, “does not include intrinsic security features to ensure trust in the information that is relied upon to exchange traffic among independently managed networks on the internet,” the FCC said in a press release. “BGP national security experts have raised concerns that a bad network actor may deliberately falsify BGP reachability information to redirect traffic. These ‘BGP hijacks’ can expose Americans’ personal information; enable theft, extortion, and state-level espionage; and disrupt services upon which the public or critical infrastructure sectors rely.”
The Notice of Proposed Rulemaking adopted today would require that broadband internet access service providers “prepare and update confidential BGP security risk management plans at least annually. These plans would detail their progress and plans for implementing BGP security measures that utilize the Resource Public Key Infrastructure (RPKI), a critical component of BGP security.”
The nine largest providers would also have to file publicly available quarterly data assessing progress in the implementation of RPKI-based security measures. These large providers won’t have to file subsequent detailed plans with the FCC if they meet a certain security threshold.
Smaller broadband providers would not be required to file their plans with the Commission, but would make them available to the FCC upon request.
BGP Hijacked by China Telecom 6 Times
In a statement, Rosenworcel noted that BGP is also known as the “three-napkin protocol.”
“Back in 1989, the internet, then a novelty for computer scientists like Vint Cerf, was expanding—fast,” she said. “But the internet’s basic protocols at the time could not handle this growth. So on their lunch break from an Internet Engineering Task Force meeting in Austin, Texas, a pair of engineers sketched out the ideas for BGP on three ketchup-stained paper napkins. What was meant to be a short-term solution developed on the sidelines of an internet engineering conference is still with us today.”
Rosenworcel thanked the Cybersecurity and Infrastructure Security Agency “for working with my office and jointly holding a BGP public forum to discuss this problem.”
She also thanked the Department of Defense and Department of Justice “for publicly disclosing in our record that China Telecom used BGP vulnerabilities to misroute United States internet traffic on at least six occasions.
“These ‘BGP hijacks’ can expose personal information, enable theft, extortion, and state-level espionage,” she said. “They can also disrupt sensitive transactions that require security, like those in the financial sector.”