FCC hopes to improve internet security

Many of the cybersecurity challenges that organizations face can be traced back to the way the Internet was developed. Way back in 1983, the goal was to create a network that would foster collaboration across multiple federal agencies based on the assumption that endpoints could be trusted. It never occurred to anyone at the time that the Internet would evolve into a backbone upon which much of the global economy, including a wide range of essential services, now depends. As a result, an opportunity to forestall many of the security issues that plague us today was lost.

Over the years, multiple proposals have been made to address these issues. The latest is a proposal the Federal Communications Commission (FCC) is considering that would require the nine largest providers of broadband networking services to confidentially disclose how they have strengthened the security of Border Gateway Protocol (BGP) that defines the rules used to determine the best routes for transmitting data around the Internet. Smaller providers of broadband services would be required to provide that same information upon request.

In theory, at least, making sure BGP is more secure would seem like a step in the right direction, but the Internet Society, a non-profit entity that advocates for the open development of the Internet, and the Global Cyber Alliance, a nonprofit organization dedicated to making the Internet safer, object. In a joint statement, the two advocacy groups said the proposal would slow down the pace at which improvements to Internet security are already being made.

Additionally, mandated routing regulations can harm small providers with limited resources, leading to network consolidation, fewer new providers, and additional barriers to entry.

Finally, mandated routing security measures could prompt other countries to impose conflicting standards, leading to degraded Internet security and interoperability as networks aim to meet different sets of requirements.

It’s not clear how a simple request for information might so adversely impact service providers but it’s clear that there is a significant amount of commercial interest in how the Internet will evolve. The challenge is that it’s hard to see how fundamental security issues involving BGP might be addressed without having any negative impact on those interests. The discussion will quickly shift toward the level of potential cost and inconvenience that organizations will accept. In that context, it will be important to remember that many organizations are already incurring major costs deploying zero-trust security infrastructure to make up for the lack of security that might better serve all if it were embedded in, for example, BGP or some other alternative. Many of the security leaders of those organizations are also under significant pressure to justify the return on those investments.

Over the years, multiple efforts have been made to fix the Internet, with mixed success. More than a few organizations have even gone so far as to set and maintain their own private Internet that connects to external services through gateways. All these efforts come at a cost that is created simply because cybercriminals have found multiple ways to exploit inherent Internet security weaknesses that, at some point, will inevitably need to be addressed. The longer that process takes, the more expensive it will ultimately be to apply the necessary fixes.