FCC Proposes Rules to Strengthen BGP Security

The FCC has issued a Notice of Proposed Rulemaking to address security vulnerabilities in the Border Gateway Protocol (BGP), requiring large broadband providers to develop comprehensive BGP Risk Management Plans and submit detailed quarterly reports.

The Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) earlier this month. This notice is aimed at addressing some of the more significant security vulnerabilities in the Border Gateway Protocol (BGP), the foundational technology that routes internet traffic between networks.

This proposal pushes retail broadband internet providers to develop and maintain comprehensive plans to mitigate BGP vulnerabilities, with the goal of improving the overall security of internet traffic routing.

The FCC's authority to regulate this aspect of internet infrastructure is rooted in its recent classification of retail broadband internet access as a "telecommunications service," which brings it within the scope of the FCC's regulatory jurisdiction.

Background on BGP and Its Vulnerabilities

The modern internet consists of numerous interconnected networks known as Autonomous Systems (ASes). These networks rely on routers to direct traffic, using routing tables to determine the paths data travels.

This is where BGP comes in: it enables each AS to advertise the routes it can reach, which other ASes then incorporate into their own routing tables.

This decentralized, trust-based system is, however, vulnerable to misconfigurations and malicious attacks such as BGP hijacking. A successful attack can cause significant disruptions, unauthorized surveillance, and data breaches, highlighting the need for robust security measures.

BGP Risk Management Plans

The NPRM requires large broadband providers to file detailed BGP Risk Management Plans with the FCC. In these plans, providers must outline their strategies for implementing Resource Public Key Infrastructure (RPKI), a cryptographic system designed to secure internet routing by verifying the legitimacy of route advertisements. The proposed BGP Plans must include:

  • Processes for creating and maintaining Route Origin Authorizations (ROAs)

  • Factors influencing the creation and maintenance of ROAs

  • Goals and timelines for ROA registrations

  • Criteria for measuring progress

  • Implementation of Route Origin Validation (ROV) filtering at interconnection points

  • Contractual requirements for upstream third parties to provide ROV filtering

While smaller providers may not be required to file these plans with the FCC, they must keep them available for inspection upon request. All BGP Plans will be treated as confidential, safeguarding the sensitive nature of the information.
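As an added illustration (not part of the NPRM or the original article), the following shows the Route Origin Validation check that ROV filtering applies at interconnection points: each announcement's prefix and origin ASN is compared against the ROAs, yielding the valid, invalid or not-found outcome defined in RFC 6811. The ROAs and announcements are constructed sample data using documentation ASNs and prefixes.

```python
import ipaddress

# Constructed sample ROAs (not real registry data): (prefix, maxLength, origin ASN).
# A ROA authorises the ASN to originate the prefix and any more-specific
# prefix up to maxLength bits long.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 26, 64497),
]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers (is equal to or less specific than) `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() only compares networks of the same IP version
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, max_len, asn))
    return covering


def validate_route(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"  # no ROA speaks to this prefix at all
    for _roa_net, max_len, asn in covering:
        # Both the origin ASN and the prefix length must be authorised
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA, but wrong origin or too-specific prefix: a hijack
    # or misconfiguration from the ROA holder's point of view.
    return "invalid"


def rov_filter(announcements, roas=ROAS):
    """Apply ROV filtering: drop invalid announcements, keep valid and not-found."""
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate_route(prefix, asn, roas)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped
```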

Detailed Quarterly Reporting

In addition to the BGP Plans, large broadband providers must submit quarterly reports to the FCC, detailing their progress in securing internet routing. These reports will include:

  • Lists of Registry Org IDs and Autonomous System Numbers (ASNs)

  • Details of address holdings and reassignments

  • Information on IP prefixes in originated routes, including those covered by ROAs

  • The extent of ROV filtering performed for peers and customers

The FCC aims to gather data that is difficult to aggregate from public sources, ensuring comprehensive monitoring of the providers' efforts to secure internet routing.

Additional Measures and Implementation Timeline

Beyond the risk management plans and quarterly reports, the NPRM also seeks comment on:

  • Imposing conditions on address space assignment contracts to ensure compliance with RPKI reporting

  • Setting deployment goals for RPKI implementation, proposing one year for large providers and two years for others

  • Requiring outreach and education efforts to support downstream providers

The first BGP Plans are to be filed 90 days after the effective date of the rules, with the first quarterly reports due 30 days after the steps required for the rules to take effect are completed.

The FCC's Justification and Authority

The FCC asserts its regulatory authority based on several statutory grounds:

  • Title II and Title III of the Communications Act: These provisions empower the FCC to regulate telecommunications services, ensuring secure routing as part of a "just and reasonable" service.

  • Section 706 of the Telecommunications Act of 1996: This section authorizes the FCC to promote broadband deployment, which includes enhancing the security of internet routing.

  • Communications Assistance for Law Enforcement Act (CALEA): CALEA mandates that broadband providers prevent unauthorized interception of communications, providing a basis for requiring measures against BGP hijacking.

The FCC underscores the critical importance of BGP security for both public safety and national security, justifying its regulatory intervention in this area.

Next Steps

The proposed rules are set to affect all retail broadband service providers, with specific reporting obligations for the large providers identified in the NPRM. However, there is a 30-day window after the FCC's publication in the Federal Register for the providers to comment on the rules and a 45-day window for them to issue replies.

The NPRM's proposed rules represent necessary steps toward securing the routing of internet traffic by addressing vulnerabilities in BGP. By requiring detailed risk management plans and regular reporting, the FCC aims to mitigate the risks associated with BGP misconfigurations and hijacking, ensuring a more secure and reliable internet infrastructure.
