Framing MANRS into the Mosaic of Cybersecurity

As announced in November, the Global Cyber Alliance (GCA) is now formally the support organization for MANRS. We’ve been busy working in the background, learning the systems, and appreciating all the help from the Internet Society as they guide us on our way. At an operational level, we hope there’s been nothing to notice as we’ve taken the reins approving new participants, managing the Observatory, and transitioning all the back-end details into our infrastructure. 

Today, I’d like to step back and explain how MANRS fits into GCA’s work and highlight where we, collectively, might go from here to improve the state of routing security in the world.

Over a decade ago, one of the questions that launched MANRS was, “what can network operators reasonably do as part of their operational practice to improve routing security?” The discussion highlighted a number of things that were feasible, but not uniformly undertaken by all networks – things that could easily be seen as best security practices and promoted to encourage more uniform uptake. They were, in fact, Norms for Routing Security, which later became Mutually Agreed.

The discussion also underscored that some of the routing security ideas still on the drawing board were not operationally deployable at the time. A key reality is that the only effective security measures are ones that are put into operation – which requires both technical and business achievability. Advancing the security of the Internet as a whole requires an iterative discussion of the desirable and the feasible, with the hope of pushing the envelope on the latter. At its heart, this requires communication and collaboration – often between industry competitors. There is only one Internet, and it is what we collectively build it to be.

It’s not surprising, then, that routing security is not the only major Internet-related cybersecurity challenge that requires a collaborative approach to solve. No single entity (operator, regulator, or other organization) can unilaterally stop domain name abuse, unwanted traffic (for spam, phishing, breaches or DDoS attacks), or other forms of misrepresentation (spoofing, falsifying email sources, etc). None of those are best solved outside the industry that operates the services; all are best addressed with the industry’s operational input about technical and business feasibility, as well as prioritization. These are areas in which GCA’s Internet Integrity program is at work – with the AIDE and Domain Trust projects, and others in development.

MANRS remains uniquely focused on routing security as this community defines its needs and actions, while GCA’s activities in these other areas highlight that the support for MANRS has landed in an organization that is addressing like-sized problems elsewhere in the industry.

In stepping into the role of supporting MANRS, it’s fair to say that great progress has been made in the last decade, and much more work remains to be done. Some parts of the world are seeing increased motivation to improve routing security practices because of regulatory pressure. Others are not. How can we ensure that more networks are stepping up to the MANRS actions across the globe? What are the next (technically feasible and business friendly) steps in securing the routing system for the global Internet?

We’re listening. We’ve put together this feedback form where we’re asking for your input on what you appreciate about MANRS, what you’d like to change, and anything else you’d like to share with us. We’ll also be at a variety of network meetings throughout the year, so follow us on LinkedIn, X, or Facebook to stay connected.