Fact Sheet: Biden-Harris Administration Releases Roadmap to Enhance Internet Routing Security
September 3, 2024
Today, the White House Office of the National Cyber Director (ONCD) released a Roadmap to Enhancing Internet Routing Security, which aims to address a key security vulnerability associated with the Border Gateway Protocol (BGP) – the protocol that underpins the way information is routed across networks. In addition to releasing the report, ONCD, in coordination with the Cybersecurity and Infrastructure Security Agency, is establishing a public-private stakeholder working group to develop resources and materials to collectively advance the report’s recommendations.
BGP’s original design properties do not adequately address the threat to and resilience requirements of today’s internet ecosystem. As a result, traffic can be inadvertently or purposely diverted, which may expose personal information; enable theft, extortion, and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations. The potential for widespread disruption of internet infrastructure, whether carried out accidentally or maliciously, is a national security concern.
While there is no single solution to address all internet routing vulnerabilities, the roadmap advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate BGP’s vulnerabilities. RPKI consists of two primary components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV). A ROA is a digitally signed certificate attesting that a network is authorized to announce a specific block of internet address space (i.e., IP addresses). ROV is the process by which BGP routers use ROA data to filter BGP announcements flagged as invalid. Importantly, ROV can help protect an organization’s internet address resources only if that organization has created ROAs.
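As an added illustration (not part of the fact sheet or the roadmap itself), the Python below carries out the ROV decision described above, following the valid/invalid/not-found outcomes defined in RFC 6811; the ROAs and announcements are constructed from documentation address ranges and private AS numbers, and the last case shows why a holder that publishes no ROA gets no protection.

```python
"""Route Origin Validation (RFC 6811) against a constructed ROA set.

Example code written for this fact sheet. The ROAs below are constructed
from documentation prefixes (RFC 5737) and private ASNs (RFC 6996).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the resource holder signed for
    max_length: int   # longest prefix length the holder permits announcing
    origin_asn: int   # AS authorized to originate the block (0 = nobody)


SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),     # exact-length announcements only
    ROA("198.51.100.0/24", 26, 64496),  # allows de-aggregation down to /26
]


def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'notfound'."""
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == announced.version
        and announced.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        # No ROA covers this space: ROV cannot help until the holder publishes one.
        return "notfound"
    for r in covering:
        if r.origin_asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    # Covered, but wrong origin AS or a too-specific prefix: a router doing ROV drops it.
    return "invalid"


def rov_filter(announcements, roas):
    """Return the announcements a router applying ROV accepts (valid and notfound)."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) != "invalid"]


if __name__ == "__main__":
    for p, a in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                 ("192.0.2.0/24", 64511), ("203.0.113.0/24", 64496)]:
        print(p, a, validate_origin(p, a, SAMPLE_ROAS))
```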
Pursuant to the President’s National Cybersecurity Strategy Implementation Plan, ONCD collaborated with Federal Government partners, industry stakeholders, and subject-matter experts to consider the complexities of the internet routing ecosystem, map longstanding barriers to improving security, and recommend incentives to overcome those barriers. Their inputs informed the 18 recommended actions highlighted in the roadmap, which are separated by network type:
Baseline Actions for All Network Operators
The recommended actions below apply to all network types, meaning all network service providers and entities that operate enterprise networks or hold their own IP address resources. These recommendations are of particular importance to the networks used by critical infrastructure; state, local, Tribal, and territorial governments; and any organization dependent on internet access for purposes that the entity considers to be of high value.
- Risk-Based Planning. Every network operator should develop, maintain, and periodically update a cybersecurity risk management plan. To inform both near- and long-term plans to implement BGP security measures, all network operators should explicitly address the security and resilience of internet routing in their organization’s cybersecurity risk assessment, cybersecurity risk management analysis, and operational plans and procedures.
- ROA Publication. All network operators and entities holding IP address resources should create and publish ROAs in the public RPKI repository hosted by, or delegated from, the appropriate Regional Internet Registry (RIR). Operators should use their risk-based cybersecurity risk management plan to prioritize the publication of ROAs for address prefixes they assess as high-value or high-risk first.
- Contracting Requirements. Network operators using contracted external services (e.g., IP transit services, infrastructure services, cloud and content services) should include explicit requirements in future service contracts for their providers to validate BGP-enabled routes.
- Monitoring. Network operators should monitor the status of their ROA data, routing security threats, outages, and disruptions and assess the quality of their internet routing services. Such monitoring can be done in-house or contracted through commercial monitoring services.
Additional Actions for Network Service Providers
In addition to the baseline recommendations above, network service providers are uniquely positioned to enhance routing security for the broader ecosystem. These actions include:
- ROV Deployment. Network service providers should deploy ROV filtering for their customers or arrange for upstream providers to do so. Large and small providers alike bear responsibility for ROV filtering, and larger providers are encouraged to implement ROV on behalf of smaller client networks.
- Facilitate Customer ROA Creation. Network service providers that allocate address space to customers should provide tools and guidance to enable their clients to create ROAs, for example through the network service provider’s service portals. Network service providers should provide guidance to their customers encouraging their enrollment in RIR RPKI services. Network service providers should consider providing or creating services to support customers willing to delegate ROA creation to their service providers.
- Routing Security Practices Disclosure. Network service providers should disclose their actions to implement routing security on their networks. Providers should establish a standardized means and format for disclosure of security practices.
Actions for Federal Government and Communications and Information Technology Sector Stakeholder Collaboration
The Federal Government is working collaboratively with communications and IT sector stakeholders to take specific actions to improve internet routing security. The Cybersecurity and Infrastructure Security Agency (CISA), as the Sector Risk Management Agency for the Communications and IT critical infrastructure sectors, in coordination with ONCD and in collaboration with the Communications and IT Sector Coordinating Councils, is establishing a joint working group under the auspices of the Critical Infrastructure Partnership Advisory Council to develop resources and materials to advance ROA and ROV implementation and internet routing security. The working group will consider:
- Risk Criteria and Prioritization Framework Development. The working group will develop criteria and a framework for network operators to assess risk and prioritize IP address resources and critical route originations (such as government use, critical infrastructure operations, etc.) for the application of routing security efforts to include ROA and ROV. Additionally, the working group will determine meaningful measures of progress, and create a standardized set of templates for network service providers to disclose routing security practices.
- Network Service Provider Playbook for Customers. The working group will develop a playbook, informed by diverse industry perspectives and parts of the internet service ecosystem, that outlines steps for customers to establish ROAs.
- Additional Activities and Progress Updates. The working group will stay informed of updates within the community and deliver a periodic update to the Federal Government that addresses priority issue areas.
Policy Actions Specific to the Federal Government
U.S. Federal departments and agencies should implement routing security on their networks, incorporate routing security in procurement requirements, engage in outreach with critical stakeholder communities, assess data from outages caused by routing incidents, promote and incentivize routing security best practices, provide training, reduce barriers to routing security, and monitor threats to routing security.
- Guidance to the Federal Enterprise. The Office of Management and Budget (OMB) should establish guidance for Federal departments and agencies to implement ROAs in a timely manner, aligned with agency risk assessments.
- Contracting Requirements. OMB, working through the Federal Acquisition Regulatory Council and in coordination with the General Services Administration, should require the Federal Government’s contracted service providers to adopt and deploy current commercially-viable internet routing security technologies, and perform ROV filtering on the contracted services connecting to the internet.
- Federal Grant Guidance. Federal agencies providing grant funding to build critical infrastructure that includes internet-connected systems or technologies, especially broadband networks, should require that grant recipients incorporate routing security measures into their projects.
- Metrics and Progress Reporting. OMB should establish a reporting mechanism for measuring Federal agency adoption of ROA, monitoring progress, and conducting analytics, where appropriate. The effort should leverage existing data sources and tools provided by academic and third-party partners.
- Standards and Technology Development. The National Institute of Standards and Technology (NIST) should continue to lead and coordinate USG efforts to research, standardize, and foster commercialization of BGP security and resilience mechanisms to address the remaining BGP vulnerabilities, including malicious BGP path manipulations, route leak mitigation, and peering authentication. NIST should also continue to develop monitoring and measurement tools to assess the progress and correctness of the global deployment of these additional mechanisms.
- Outreach and Education. CISA, through its public-private engagement efforts, should conduct an outreach campaign to increase U.S.-based enterprise network owners’ awareness of the benefits of ROA and ROV. CISA should continue to enhance network defenders’ tactical understanding of normal routing behavior, routing anomalies, and route-specific risks that impact network security policy.
- International Engagement. The Department of State, in coordination with appropriate agencies, should highlight internet routing security efforts and best practices in engagements with international partners to increase awareness of the benefits of the adoption of internet routing security measures.
- Research and Development. Research-funding agencies should continue to fund the development of internet routing-focused measurement, monitoring, and alerting technology to facilitate U.S. and global internet routing security deployment efforts. Funding should support government entities, academic institutions, and independent subject matter experts equipped to measure progress, develop solutions, and inform future innovation. Continued investment should also address the next generation of threats and solutions.
###