Given the increase in awareness of routing security issues as a vulnerability in the digital supply chain, it should come as no surprise that governments around the world are looking at how they can play a role in cleaning up the global routing system.
The decisions these governments make will significantly impact the future of the globally distributed Internet routing system.
The MANRS team and some participants are working with policymakers who are discussing how their governments can assist with improving routing hygiene in their countries. Whether it is through participating in government workshops or through sharing knowledge through public comments or informal discussions, MANRS participants can help governments improve routing security.
Two recent examples where governments are focusing on routing security are the United States and the Netherlands.
United States Government Efforts Not Seeking to Impose Mandatory Regulations
There has been a flurry of activity in the United States recently surrounding routing security On 31 July, the United States Federal Communications Commission held a Border Gateway Protocol Security Workshop that highlighted the importance of addressing BGP vulnerabilities and securing Internet routing.
Also in July, the Biden-Harris Administration published the National Cybersecurity Strategy Implementation Plan, which identifies “collaborating with key stakeholders to drive secure Internet routing” as a key action item.
The U.S. Federal Government is also considering how to improve the routing security of its own networks.
It’s important to note that the U.S. government’s efforts are not seeking to impose mandatory regulations, but instead seeking to highlight the need for action by all network operators—governmental and in the private sector—to improve their networks’ security.
Netherlands Policy Requires Government Departments Deploy RPKI
In the Netherlands, the Dutch government has already forged ahead with its own activities for improving the routing security of government networks.
Through its “comply or explain” initiative, governmental departments must deploy RPKI or adequately explain why they cannot comply.
Similarly, a Dutch public-private partnership has developed a gold star program, providing private sector network operators a service (internet.nl) to show that they comply with routing security best practices.
Balancing Government Interest is Challenging
Whether it’s through government procurement policies or working closely with the private sector to improve routing security, governments have a key role in creating a safer Internet routing ecosystem. However, as governments attempt to improve routing security, they must take care not to undermine the globally distributed and decentralized nature of the Internet routing system.
The routing system’s architecture contributes to its resilience, scalability, and ease of adoption. There is no single point of failure or single controller, so the routing system is difficult to break on a global level. It also makes the Internet easy to connect to and to scale. When a path becomes congested or fails, networks can choose to route traffic around the problem areas.
Top-down attempts to improve routing security that would centralize the routing system undermine the qualities that have made the Internet so successful and enabled its growth. They also increase the risk that networks would be more open to security attacks.
As more governments prioritize routing security, they must work with various stakeholders, such as those in the industry, on solutions that prioritize the distributed nature of the Internet routing system while improving the use of best practices. MANRS participants are well placed to reach out and lend a hand as governments try to tackle this key issue.