BGP upgrade: Internet’s security sucks, US wants to fix it

There’s a fundamental problem in the internet’s fabric, of how it routes traffic from one point or network to another, that makes it less secure than what it should be. You don’t think about it every single time when you fire up your favourite websites on your smartphone or computer’s web browser, or generally whenever you access any information over the internet, but this design flaw of how the internet functions at its core remains. The weakest link in the internet’s chain? BGP or Border Gateway Protocol

Despite being the foundational protocol governing internet routing, BGP has long been plagued by security vulnerabilities – which we’ll get to later in the article. To address this critical issue, the White House Office of the National Cyber Director (ONCD) has released a BGP upgrade roadmap, which essentially calls for the widespread adoption of Resource Public Key Infrastructure (RPKI) to mitigate BGP’s risks. Additionally, the US government is also establishing a public-private working group to develop resources and materials to support the implementation of internet’s routing security controls going forward.

What is BGP: How does it enable the internet to work?

First described as a networking routing technique as early as 1989, it wasn’t until 1994 that BGP or Border Gateway Protocol became ingrained into the basic fabric of the internet as we know it. That makes BGP a 30-year-old technology, as far as the internet’s concerned, with precious little upgrades. This is a problem, because BGP is responsible for determining the best path for data to travel across the internet. It helps routers exchange information about reachable networks and routes traffic in an efficient manner.

According to the White House report, the internet is made up of nearly 74,000 independently operated but interconnected networks called Autonomous Systems (ASes) – these include everything from residential broadband to top-secret government networks, business and critical infrastructure enterprise, mobile wireless, cloud service and internet transit networks. One thing that all these networks have in common is the use of BGP to help exchange data and information.

The internet needs three key pieces to function – TCP/IP protocol, BGP, and DNS (Domain Name Server). Without getting into too many technicalities, think of the internet as a town – where TCP/IP is the underlying infrastructure of roads that connects various different sections of the town, DNS service is like a directory of all the names and locations of homes and business spread across the town, and BGP is like the GPS navigation that plans the most efficient route for you to travel from one location in the town to another.

Also read: CrowdStrike BSOD error: Risking future of AI in cybersecurity?

Regardless of whether you connect to the internet from your phone or laptop (or any other device, for that matter), whenever you do something online you are essentially sending or receiving data. And when you type a website’s address in your web browser and press enter or launch Amazon’s shopping app on your phone to buy something instantly, data that’s going out of your home / office / public network’s router or gateway has several ways to reach its desired destination – which is to locate the website address you typed, Amazon or otherwise. Similarly, data that’s coming to you from the internet has various paths it can choose to take. It boils down to BGP for finding the shortest, most efficient and therefore the quickest route for data coming and going to and from the internet. 

Whether it’s undersea inter-continental cables that carry 99% of the internet traffic around the world through fibre optic technology at terabits per second speeds, or terrestrial radio-based 4G / 5G wireless telecommunication networks with gigabits per second speeds, even space-based satellite-powered networks capable of megabits per second speeds, one way or another they all connect to the internet via BGP. Despite being such an essential ingredient of the internet’s recipe, BGP has some huge red flags.

What’s wrong with BGP: How’s it a security risk?

In fact, concerns about the fundamental security vulnerabilities in BGP have been there for all to see for “more than 25 years,” according to the report by the White House Office of the National Cyber Director. “As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face,” the report goes on to say. What are some of these BGP security risks?

Simply put, BGP doesn’t have built-in security features, it operates on implicit trust. BGP’s designed for network efficiency – not security in mind. This means BGP can’t verify the authenticity of routing information or protect against attacks like route hijacking. It doesn’t verify the authority of a network claiming a route, leaving it vulnerable to attacks like route hijacking. 

In route hijacking or BGP hijacking attacks, internet traffic is rerouted. Attackers accomplish this by falsely announcing ownership of groups of IP addresses, called IP prefixes, that they do not actually own, control, or route to, according to Cloudflare. A BGP hijack is similar to someone replacing all the road signs on a highway, causing drivers to take wrong exits and get lost, or send them to unintended hazardous and dangerous destinations. 

One of the most recent BGP-related snafu was recorded when Facebook, WhatsApp and Instagram went offline for over 6 hours on October 4, 2021 for 3.5 billion users. The issue was caused by a faulty configuration change that disconnected Facebook’s data centres from the internet. Specifically, BGP routes to Facebook’s DNS servers were withdrawn, making it impossible for users to resolve Facebook domain names, according to Cloudflare. 

Also read: AI impact on cyber security future: The good, bad and ugly

The US government strongly supports the FCC’s investigation into BGP security risks. In a joint letter dating June 2024, the US Justice and Defense Departments highlighted how China Telecom Americas (CTA) intentionally misdirected American internet traffic to China between 2010 and 2019, exploiting BGP hijacking. This kind of manipulation poses a serious security threat to network security and data integrity, and the FCC ultimately revoked CTA’s US operating licence in 2021, according to Reuters.

These are just a couple of the various small and big global incidents where BGP security and routing issues have adversely impacted people’s ability to access the internet in a safe and secure manner. So, what’s the fix for this glaring vulnerability that underpins our daily digital lives? 

Beyond BGP: RPKI and the road to internet safety

Enter Resource Public Key Infrastructure, or RPKI for short. Think of RPKI as a sort of driver’s licence system for the internet’s routing paths, if we take the earlier example above. It helps verify that the network claiming to route traffic to a particular IP address is indeed authorised to do so. The US government, recognizing the critical nature of BGP’s weaknesses, is throwing its weight behind RPKI as a potential industry-wide solution.

The White House’s Office of the National Cyber Director (ONCD) is actively calling for widespread adoption of RPKI to shore up BGP’s security flaws. By digitally signing BGP route announcements, RPKI can prevent malicious actors from hijacking routes and misdirecting internet traffic. It’s like adding a layer of authentication to ensure that when you’re sending data to a particular destination, it’s actually going to its intended destination.

But, of course, implementing RPKI across the vast, sprawling expanse of the internet isn’t as simple as flipping a switch. There are challenges – technical, operational, and even political. For one, not all network operators are on board yet. Smaller internet service providers may lack the resources or expertise to implement RPKI effectively. There’s also the matter of global coordination; the internet doesn’t respect national borders, and a piecemeal adoption could leave gaps in security.

Also read: Cybersecurity in Age of AI: Black Hat 2024’s top 3 LLM security risks

Moreover, concerns about centralisation and control linger. Some stakeholders worry that RPKI could give undue power to regional internet registries or governments, potentially leading to censorship or overreach. Balancing these concerns with the pressing need for enhanced security is a tightrope walk that requires careful navigation.

Despite these hurdles, the opportunities presented by adopting RPKI are substantial. A more secure BGP means a more resilient internet, less prone to disruptions that can cost businesses millions and erode user trust. It also means thwarting malicious activities like traffic interception, phishing, and denial-of-service attacks that exploit BGP’s vulnerabilities.

Balancing an open and secure internet

Staring at the endless stream of data coursing through my router’s blinking lights, I can’t help but ponder the irony. The very protocol that ensures our internet works is also its Achilles’ heel. The push for RPKI adoption represents a critical juncture – a chance to patch up a decades-old vulnerability that’s become untenable in today’s digital threat landscape.

The US government’s proactive stance is a significant step, but it’s just one piece of a global puzzle. By its very nature, internet security is – and should be – a collective responsibility. Network operators, ISPs, governments, and even end-users have a role to play. After all, what’s the point of a secure internet protocol if it’s not widely accepted or correctly implemented?

There’s also an underlying lesson in the ongoing BGP saga which shows us how the internet has evolved since its beginning, how many of its foundational technologies weren’t built with today’s security challenges in mind. As we’ve piled on the complexity, the internet’s cracks have begun to show. Addressing BGP’s shortcomings isn’t just about fixing a single protocol, it’s about reexamining and reinforcing the very pillars of our digital world. Let’s hope we get it right.

Also read: PQC encryption standardised: How they secure our digital future in quantum computing era