US Government Lagging on Border Gateway Protocol Security

The U.S. federal government acknowledged that it is lagging behind on border gateway protocol security practices. Officials from several government agencies, ISPs and cloud content providers organized a workshop to understand the latest security improvements underway.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

The Cybersecurity and Infrastructure Security Agency’s director Jen Easterly, along with Federal Communications Commission Chairwoman Jessica Rosenworcel convened a workshop last week with federal partners from the Office of the National Cyber Director, the National Institute of Standards and Technology, the Office of the Director of National Intelligence, the Department of Justice and the National Telecommunications and Information Administration.

Along with the federal agencies, the workshop was attended by representatives from industry, including internet service providers, cloud content providers and nonprofit organizations.

BGP is a gateway protocol that enables the internet to exchange routing information between autonomous systems so that data gets where it’s supposed to go. By distributing routing information, BGP enables routers to connect users with specific IP address prefixes.

In September 2022, the departments of Justice and Defense called on the Federal Communications Commission to manage internet routing security vulnerabilities by requiring ISPs to implement technical security standards to lock down internet traffic routing as well as require “increased transparency” into real-world traffic flows. (See: Pentagon Backs Call for Internet Routing Security Fixes).

The Pentagon and DOJ’s recommendations echoed CISA’s call for the FCC to take a more active role in securing the border gateway protocol after the agency earlier this year asked for public comment about whether it should do so (see: Regulator Announces Border Gateway Protocol Security Review).

The BGPStream open-source framework for analyzing BGP data reported that in the first half of 2020, more than 3,400 outages were reported, of which 23% were “potential” hijacking attempts.

“I’ve lost track of the years I’ve been trying to warn about this,” Alan Woodward, a professor of computer science at the University of Surrey who’s an expert on cybercrime, told Information Security Media Group. “There are some putative standards to help the problem but low adoption. It’s all still down to trust and in the current world order that’s in short supply.”

Rosenworcel and Easterly said the workshop offered an opportunity to build on the FCC’s work with ISPs over the past year to better understand the security vulnerabilities and how to best reduce these risks.

The workshop focused on steps taken by stakeholders to enhance internet traffic routing security, efforts taken by the FCC to protect the nation’s communications networks from vulnerabilities posed by BGP, and how government and industry can collaborate effectively to facilitate the implementation of industry standards and best practices.

The workshop also recommended collaboration among industry partners to assist network operators on how to implement measures to help demonstrate the business case for others to follow in their footsteps.

“Network edge providers must send a clear signal to their ISP about the importance of BGP security and the implementation of route origin validation. We stand ready to support the development of industry commitments to quickly adopt critical measures to make BGP more secure,” Rosenworcel and Easterly said in a statement.

They also called out chief information officers and chief information security officers as they play an important role and need to send clear demand signals to their ISPs about the importance of BGP security, including whether they are implementing Route Origin Validation.

BGP was designed for expediency, not security, said Easterly and Rosenworcel in a blog post last week. They said it does not include explicit security features to ensure trust in the exchange of information. That results in adversaries deliberately falsifying BGP reachability information to redirect traffic. State-level actors have been suspected over the years of exploiting BGP vulnerabilities for hijacking.

These hijacks expose personal information, enable theft, extortion and state-level espionage and disrupt security-critical transactions, including in the financial sector.

In February 2022, in a similar hacking incident, unknown actors stole around $1.9 million from South Korean cryptocurrency platform KLAYswap using a BGP hack in the server infrastructure of one of its suppliers (see: Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack).

The hackers manipulated the network flow and configured it so that the users connected to KLAYswap could download malicious code from the server sent by the attacker rather than the normal software development kit file or KakaoTalk, a popular South Korean instant messaging, marketing and customer service application used by the cryptocurrency exchange platform.

Dr. Xinxin Fan, IoTeX co-founder and head of blockchain, described how these dedicated, crafted attacks leverage the BGP hijack to inject malicious code into a user’s browser and then steal the victim’s funds. Fan, a cryptographer and a cybersecurity expert who has worked for Facebook and Google, told Information Security Media Group in a February 2022 report that detailed the KLAYswap attack. “Such an attack highlights that security is a multilayer issue, and cryptocurrency platforms should apply the defense-in-depth approach to protect their customers’ assets.”