David Simpson, a former national security bureau chief, says FCC Chairwoman Jessica Rosenworcel’s interest in securing Border Gateway Protocol could be an important part of the FCC’s development of cyber-focused policies moving forward.
The Federal Communications Commission approved a notice of inquiry last week asking for stakeholder input on how the agency could play a part addressing vulnerabilities in BGP, an internet routing protocol which the FCC said in the NOI is “used to exchange reachability information amongst independently managed networks on the Internet” and has security vulnerabilities.
The NOI was developed as part of the FCC’s response to an increase in Russian cyber attacks.
“Many of the items in the NOI could fall under the FCC’s National Security and Public Safety authorities. The regulatory activity would be better accomplished with Net Neutrality in place, but the heightened risk to our Nations networks today, suggests we should not wait,” Simpson told Inside Cybersecurity.
Simpson said, “The restoral of the court approved Net Neutrality rules (Title II jurisdiction for ISPs) would provide additional authorities from which to best balance privacy, cybersecurity and market objectives but is not a requirement for the FCC to take action. The Commission’s authorities regarding public safety and national security should be sufficient to address the most important elements of the security shortfalls in BGP and other system wide protocols.”
He noted that, “Now that phone calls, texts and sensor reports to 9-1-1 ride over the internet backbone and national security functions have strong internet backbone dependencies, the Commission must take affirmative steps to make sure that essential public safety and defense issues are addressed.”
Simpson, a retired rear admiral, was chief of the Public Safety and Homeland Security Bureau under former Chairman Tom Wheeler. During his time at the FCC, he was a strong proponent in making cybersecurity an important part of net neutrality regulations.
“The NOI does a good job of teeing up the technical, implementation and market points,” Simpson said. “We lost several years on our adversaries as the FCC shifted focus to other areas from 2017 to now. The heightened threat to critical infrastructure from Russian and other malign actors during our current Ukrainian crisis suggests the Commission should move expeditiously either to rulemaking or a strong commitment from the industry to move out on their own in a manner that is binding for each provider participant.”
Simpson said the recently revived Cybersecurity Forum for Independent and Executive Branch Regulators can play an important rule “to bring pressure from the other CI sectors for timely implementation.”
The FCC shifted away from cyber-focused regulations under Wheeler’s successor Ajit Pai, who repealed net neutrality regulations that were on the FCC’s books during his time at the commission.
The national security effort with the most support from the entire commission today is the rip-and-replace program to reimburse telecoms that receive funding from the Universal Service Fund for replacing Huawei and ZTE equipment and services.
Rosenworcel proposed using similar equipment authorization regulations to boost security practices for Internet of Things devices last year, but the effort was heavily criticized by industry.
The Communications Security, Reliability and Interoperability Council VIII, inaugurated by Rosenworcel in September, is focused on different areas of 5G security, including the exploration of 911 service over WiFi, managing software and cloud services supply chain security, and 5G signaling protocols security. Simpson explained potential cybersecurity opportunities that CSRIC VIII could bring up in a January interview with Inside Cybersecurity.
Regarding the BGP proposal, Simpson said, “The FCC has been aware of the vulnerabilities inherent in the implementation of BGP and other protocols in support of the domestic market. These route security vulnerabilities impact our information economy at home and across the global information economy.”
“The FCC has a record of the Internet Engineering Task Force and other expert bodies recommending implementable security features,” Simpson said. “The FCC has a record that supports a finding that the technical solutions would be affordable by the carriers tasked with implementation.”
He added, “The FCC should additionally use the NOI to fully characterize the benefit to both consumers, critical infrastructure sectors and communities from reduced risk from route based cyber attacks. Based on their refresh of the record from the NOI, I’m hopeful they’ll take expeditious steps to harden our information infrastructure from route-based attacks.” -- Sara Friedman (sfriedman@iwpnews.com)