FCC Proposes New Action to Strengthen Internet Routing Security

The Federal Communications Commission (FCC) has voted to advance a proposal to improve the security of America’s communications networks, pointing to past incidents of a Chinese state-run carrier hijacking U.S. internet traffic.

The proposed initiative mandates that broadband providers file confidential reports, detailing their plans and steps to address vulnerabilities in the Border Gateway Protocol (BGP), which is a system that routes internet traffic across the globe.

The FCC is now opening a public comment period before finalizing the proposal.

“Today we begin a rulemaking to help make our internet routing more secure,” FCC Chairwoman Jessica Rosenworcel said in a statement on June 6, explaining that BGP is “central to the global routing system of the internet because it is the protocol that allows independently managed networks to send traffic to one another.”

“That means we all rely on BGP. Every one of us, every day,” she added.

“While BGP has allowed network operators to grow and evolve the modern internet, it was not designed with explicit security features to ensure trust in exchanged information,” she continued. “That means bad actors can use this protocol to maliciously misdirect and exploit internet traffic.”

Ms. Rosenworcel noted that the Department of Defense and the Department of Justice (DOJ) had recently publicly disclosed that China Telecom, one of China’s largest state-owned telecommunication companies, used BGP vulnerabilities “to misroute United States internet traffic on at least six occasions.”

“These ‘BGP hijacks’ can expose personal information, enable theft, extortion, and state-level espionage. They can also disrupt sensitive transactions that require security, like those in the financial sector,” Ms. Rosenworcel explained.

In 2021, the FCC voted to bar China Telecom’s U.S. subsidiary, China Telecom Americas, from providing domestic and international services within the United States, citing national security concerns.

In January, the Pentagon named China Telecom as one of the “Chinese military companies” listed in the National Defense Authorization Act for fiscal year 2021.

A draft of the proposed rulemaking that was released on June 7 references a 2018 analysis by an Oracle researcher, showing that for two and a half years, China Telecom had used BGP to divert U.S. domestic internet traffic to China before directing it to its destination.

“This misdirection of U.S. routes occurred because an autonomous system [AS] on the China Telecom backbone ‘incorrectly handled routing announcements for AS703, an [AS] belonging to Verizon,’” the draft reads.

Another BGP hijacking incident happened in 2019 when China Telecom diverted European mobile traffic through China for two hours.

Under the current proposal, the FCC said broadband providers must “prepare and update confidential BGP security risk management plans at least annually.”

“The nine largest broadband providers file their BGP plans confidentially with the Commission as well as file quarterly data available to the public that would allow the Commission to measure progress in the implementation of RPKI-based security measures and assess the reasonableness of the BGP plans,” the FCC said, referring to a security framework known as Resource Public Key Infrastructure (RPKI).

The nine broadband providers would be AT&T, Altice, Charter, Comcast, Cox, Lumen, T-Mobile, TDS, and Verizon, the draft said, before adding that “these significant providers are likely to originate routes covering a large proportion of the IP address space in the United States and will play critical roles ensuring effective implementation of [Route Origin Validation] filtering.”

In a statement, FCC Commissioner Geoffrey Starks also pointed to other past BGP incidents, such as Pakistan making YouTube inaccessible for much of the world in 2008 and Russia limiting access to Twitter during its invasion of Ukraine. He emphasized that the FCC’s proposal is part of a “multi-pronged approach” by the U.S. government to secure U.S. networks.

The FCC launched an inquiry into vulnerabilities threatening BGP in 2022, an action that drew applause from the Pentagon and the DOJ.

 
