by Justin Sherman
Executive summary
The private sector’s influence on the Internet’s shape and behavior—and, therefore, its security—is enormous yet understudied. This infrastructural influence, spanning companies like Internet service providers and cloud services providers, is also underappreciated in US policy. The US government was the exclusive driver of Internet development for its first twenty-four years, and states continue to shape the Internet today through regulation, capacity-building, and direct participation in Internet processes. But Internet governance is now largely privatized. This report argues that the US private sector’s unique influence on global Internet infrastructure gives it an opportunity and responsibility to improve Internet security, and that the US government should better collaborate with those actors and leverage that influence.
This argument matters because Internet insecurity is a national security issue for the United States and every other nation. Internet insecurity is also a selling point for the several authoritarian countries seeking to undermine trust in the free and open Internet model and replace it with a state-controlled, “sovereign” version. The US private sector, through its influence on the Internet’s technology, protocols, standards, and operational practices, has an opportunity and responsibility to address these problems by reshaping the Internet to make it more secure—but many firms are not maximally using their influence to do so. It is critically important that US policymakers better understand this private sector influence on the Internet so it can help shape incentives for security.
This report examines two protocols as examples of private sector influence over presently vulnerable systems key to the Internet’s function: the Border Gateway Protocol (BGP), used to route Internet traffic, and the Domain Name System (DNS), used to address Internet traffic. These two case studies detail how the protocols work, why they are vulnerable or error-prone, and what the private sector can do about it. This report uses empirical data on attacks and current protections.
This report concludes with a set of actionable recommendations for US policymakers. The US government should add Internet protocol security best practices to federal procurement rules, targeting major players with outsized influence on Internet infrastructure. The US government should also leverage its public-private partnerships to convene forward-looking discussions about the next set of Internet protocol security challenges. This report recommends that the US government require Internet protocol protections for federal agencies. It recommends private sector dialogues on threat data sharing for Internet protocol attacks. And it recommends a concerted US reinvestment in cyber diplomacy at the State Department to help establish state norms of nonaggression against key parts of the Internet’s infrastructure.
1. Introduction
The private sector plays a crucial role in defining the changing shape of the Internet, especially its security. Any renewed US strategy to secure cyberspace must recognize and leverage this private sector influence, which spans everything from undersea fiber optic cables and the management of Internet exchange points to the definition of Internet standards and the management of cryptographic keys. Internet protocols for packet addressing and routing are a useful way to examine how the private sector and the US government can collaborate to improve global Internet security. Where the private sector may not maximally use its influence to shape these digital behaviors for security, the US government can incentivize firms to do so.
Governments influence the shape of the global Internet today by diverse means: laws around online content takedowns, commercial encryption, and data localization; interactions with standard-setting bodies like the Internet Engineering Task Force (IETF) and norm-setting bodies like the United Nations Group of Government Experts (UN GGE); and, more directly, via the procurement and construction of public infrastructure. Through regulation, standard-setting, diplomatic negotiations, overseas capacity-building and investment, trade agreements, and other mechanisms of statecraft, national governments can influence everything from the content flowing across the web to the undersea fiber optic cables that carry it.
But to an even greater degree, since the National Information Infrastructure (NII) plan of 1992, the Internet has been shaped by the private sector. Private corporations, especially those incorporated in the United States, are increasingly shaping the topology of the Internet (cables, servers, etc.) as well as its policies and procedures, like those that define how data traffic is routed from origin to destination. Multistakeholder Internet governance has in many ways become “the privatization of governance” with functions handled by the state in other domains overseen principally by the private sector in this one.1 The private sector influences how the Internet is shaped and how it behaves through the design, construction, management, and ownership of Internet infrastructure and intellectual property. This is especially true where government regulation, norm-setting, or standard-setting in the technology sphere is slower than unilateral private sector action or is lacking altogether. All told, the private sector’s role in this space is enormous yet incompletely studied and could be better leveraged in US government policy.
As some elements of the US government2 work to increase the security of the Internet and its users—journalists, diplomats, businesses, citizens—they must address the influence of the private sector on global Internet security. Internet insecurity is a national security issue for the United States and every other nation. It has become even more important during the COVID-19 pandemic as citizens, businesses, and governments massively increase online activity that must be secured. Internet insecurity is also a selling point for many authoritarian countries which seek to promote a state-controlled replacement for the current Internet. Many private companies have influence over Internet infrastructure, and thus the power to improve Internet security, but are not maximally using it—which is where the US government can provide better incentives.
Internet protocols for packet addressing and routing are a prime point of this influence. They are defined by the Internet Engineering Task Force (IETF), a multistakeholder body composed of many different experts. That, in turn, tends to be mostly those companies which profit from new or improved standards: like Amazon and Google, AT&T and Verizon, Akamai and Cloudflare. How these companies help define and subsequently implement Internet protocols may seem obscure and geopolitically inconsequential, but it is quite the opposite. Packet addressing and routing protocols have profound impacts on the Internet—and so do their vulnerabilities. The National Institute of Standards and Technology (NIST) in 2019 called “BGP hijacking” attacks against the Internet’s system of traffic routing “one of the greatest current threats to today’s Internet.”3
This report argues that the US government should collaborate with the private sector and integrate these firms’ infrastructural influence over the Internet into a national strategy to bolster Internet security. US companies have a unique opportunity and responsibility to improve Internet security through their influence on Internet infrastructure, but many are not acting where they could. This report focuses on two protocols which are insecure and a considerable point of vulnerability on the global network, but which private companies can better protect and thus improve global Internet security—the Border Gateway Protocol (BGP) and the Domain Name System (DNS). This doesn’t mean to suggest that these are the only protocols worth examining, nor that the discussed protections are the only ones—far from it—but that the BGP and the DNS are useful case studies.
The first section examines the rising influence of corporations on the topology and digital rules of the Internet and the opportunity that provides to improve security. It examines Internet protocols as a case study.
The next section is a case study of the BGP, its vulnerabilities, and one example of how companies can better protect it.
The next section examines private sector influence on the DNS, major security vulnerabilities, and one example of how companies can better protect it.
The final section makes five recommendations for the US government to build the private sector’s influence on Internet infrastructure into a strategy for securing the Internet’s digital rules.
2. Mapping private sector influence on the Internet: Starting with Internet protocols
It is a misconception to imagine that “the laws of cyberspace [are] immutable.”4 They are constantly evolving. The Internet’s topology and digital rules are not a given, and government policy should not take them as such. Humans created the global Internet, from conceiving of the idea itself to building hardware and coding software to developing working groups on Internet standards. Today, private corporations increasingly influence the Internet’s topology and digital rules.5 These firms—Internet service providers (ISPs), content delivery networks (CDNs), cloud services providers, and social media companies—shape the Internet’s topology by building server farms and laying fiber optic cables to connect their data centers to customers. They also shape the Internet’s digital rules by implementing protocols that address and route Internet packets.
Where the US government was the principal architect and sole sponsor of Internet infrastructure from the inception of the ARPANET in 1968 to the implementation of the NII in 1992, subsequently, much network ownership and control has been in the private sector’s hands. This means the firms controlling this Internet infrastructure can improve Internet security at scale by better protecting these protocols against manipulation. Broadly speaking, the digital rules by which Internet systems interoperate—including the BGP and the DNS, both discussed later—are developed, and maintained, by humans.
Companies routinely shape the Internet’s topology and digital rules both of their own volition and in response to requirements or incentivization by governments. Google has recently participated in financing the construction of more than a dozen undersea cables.6 Amazon, Facebook, Microsoft, and other companies have likewise invested in cable-building to enable faster Internet connectivity between population centers and their data centers.7 Cloud service providers continue building Internet infrastructure, like data storage centers and the peripheral infrastructure to support them, as their customer bases and computing demands grow.8 Cloud companies and content delivery networks may also use their own proprietary, internal traffic routing protocols to move data.9 Companies beyond the United States are notably shaping the Internet’s layout and rules in this way as well. For instance, China Telecom, the largest Chinese state-owned telecommunications company, continues to work with companies across the Philippines, Taiwan, Malaysia, Japan, and other countries in the Asia-Pacific region to develop undersea Internet cables to route global Internet data in a more Sino-centric way.10
Sometimes, this influence is deployed at the behest of governments. In China, the state maintains lists of keywords against which private companies must filter content—limiting the free flow of data.11 The Iranian government requires Internet service providers to prioritize access to domestic Internet resources over foreign ones.12 India’s Parliament is considering requiring local storage of data on Indian citizens and thus compelling foreign cloud providers to build local data centers.13 The US National Security Agency has authority to compel ISPs, CDNs, and cloud service providers to provide real-time data collection for intelligence purposes and to maintain that access if requested.14 In the European Union (EU), the General Data Protection Regulation (GDPR) forced companies to change data routing and storage practices to protect EU citizens’ privacy and security.15 All of these actions affect the flow of content around the Internet and directly or indirectly impact the Internet’s topology. It is a stark reality that users in China have a different-looking and -behaving Internet than users in the United States, for example, in large part due to these technical changes and this infrastructural influence of the private sector.
How Internet data is addressed and routed is a prime example of this influence. Generally, Internet traffic needs two things to be sent around the world: it needs an address and a route to get there from its origin. It’s companies that are often setting these addresses on their devices and systems and defining and choosing the routes. Put another way, firms controlling Internet infrastructure can influence the digital rules for how data flows through that infrastructure—and thus impact the Internet’s behavior for billions of people. These name-resolution and traffic-routing decisions occur continuously, whether triggered by a user sending an email to a friend or a government agency communicating over encrypted messenger with a spy abroad. Where Internet data travels, and why, can have significant geopolitical effects.
This effectively makes some private firms foreign policy actors,16 as their decisions about technology design, deployment, and operation can have global effects on politics, trade, and security. Faster and more reliable data routing enables faster business transactions. More secure data routing means it’s safer for researchers to share proprietary data and for journalists to talk to sources. States, nonstate cyber proxies, and cybercriminals alike also spy and launch attacks over a physical Internet controlled by the often-overlooked parties operating “Autonomous Systems.”
Each Autonomous System, or “AS,” is one of the constituent networks of which the Internet is composed. An AS is uniquely identified by an Autonomous System Number (ASN), and is defined by having a unique, consistent, and centrally defined routing policy.17 Internet users depend on the policies defined and enacted by these ASes every day to send emails, watch Netflix, collaborate on Google Drive, Zoom with friends and coworkers, and tweet the latest hot takes. These ASes are the “units” of routing on the global Internet, and they send Internet traffic both between servers in their network and externally to other ASes.18 While often unrecognized, interconnection between ASes is a vital “inter” part of the Internet—traffic “hops” between these nodes when moving across the globe.
FIGURE 1: Four categories of network operators delineated by their connectedness
Source: Justin Sherman, adapted from Packet Clearing House, licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public LicenseThe three key categories of firms that manage these global network hubs are Internet service providers, content delivery networks, and cloud services providers. ISPs, like AT&T, CenturyLink, Comcast, and Verizon, transport Internet bandwidth from Internet exchange points to locations where users consume it, connecting devices like home routers and mobile phones to the web. CDNs like Akamai, Cloudflare, Limelight Networks, and Fastly provide servers that specifically deliver content, like streaming video, to end users.19 Cloud providers like Amazon, Google, Microsoft, and Oracle rent out their digital resources (i.e., memory, storage, processing power) for customers to run applications and services, and are likewise responsible for routing large amounts of data and building some of their own Internet infrastructure.20 These companies manage their own ASes and interconnect them with others to exchange traffic on the global Internet.
These firms—ISPs, CDNs, and cloud services providers—shape the Internet’s topology by building server farms and laying fiber optic cables to deliver data to customers. They also shape the Internet’s digital rules and substantially impact the security of the Internet by implementing protocols to address and route Internet packets.21 These protocols determine where, when, and how data is routed, including if it is sent to the intended destination or on a safe path. They include, among others, the Border Gateway Protocol and the Domain Name System.
The BGP and the DNS help determine the outcome of major network failures, and their smooth operation across new or unexpected forms of failure helps determine the Internet’s resilience. For instance, if a massive attack or technical disruption brings down servers in an Autonomous System, companies administering the DNS can maintain connectivity for users by rerouting queries to servers located away from the failure. If a major portion of the global network is jammed with traffic, to give another example, BGP implementors could change BGP policies to route traffic around the blockage. These are not just questions of security—for example, is the data encrypted or headed to the right destination—but also resilience, ensuring that Internet traffic moves from origin to destination even if there are failures in the network. This was a key component of the Internet’s original design.
The BGP and the DNS are geopolitically significant because they are the mechanisms which link the Internet’s constituent networks, and countries, together. These digital rules are implemented all around the world. The Internet exchange points (IXPs) at which inter-AS BGP connections occur, and at which most of the core DNS is hosted, are the centers of Internet bandwidth production—key to the Internet economy and locations where attackers can surveil, modify, redirect, or cut off Internet traffic.22 Yet, it’s not just about data security. The BGP and the DNS also affect this idea of resilience: failure to appropriately address or route traffic can lead to failure to keep users’ data flowing. Vulnerabilities in the BGP and the DNS undermine security and resilience across the Internet ecosystem for the billions of users connected online every day: their flaws can have massively scaled effects on economic and national security.
Today, the BGP and the DNS are insecure because security was not a top priority when each was designed.23 If anything, their core design principles, like many other protocols developed at the time, were interoperability—ensuring devices could communicate with one another—and resilience—ensuring that, in the event of a network failure, traffic would still reach its destination.24 This gets to a broader point about the Internet and geopolitics, which is that companies that could hypothetically leverage their influence to improve Internet security, like with the BGP and the DNS, are often not doing so as much as they could.
Many of the companies maintaining Autonomous Systems today—ISPs, CDNs, and cloud services providers—are developing and updating services at the speed of a competitive market which struggles to incentivize good security practices. This leads to a recurring trend of features and performance being prioritized more highly than, or to the exclusion of, effective security. In 2018, for example, there was a campaign out of Iran to hack numerous DNS servers and steal information.25 In June 2019, Verizon began using bad BGP routing information, diverting the traffic of other Internet companies away from its intended destination, because it hadn’t implemented BGP safeguards even though it could have.26 Numerous other examples are discussed in later sections of this report. Industry has engaged in work to fix some of these security problems.27 But many aspects of the BGP and the DNS remain vulnerable to manipulation, leaving users, universities, businesses, and government agencies at risk.
The following sections build case studies of private sector influence on the security of the BGP and the DNS, demonstrating the reach and impact this influence can have on the security and resilience of the global Internet ecosystem. These protocols, and the protections subsequently discussed, are hardly the only examples of this phenomenon—but they are valuables ones. The principal argument is that companies with the potential to improve Internet security and resilience can do much more, which presents an opportunity and a need for governments, including in the United States, to introduce the right incentives.
3. Routing and Border Gateway Protocol
3.1 How the BGP works
The Border Gateway Protocol communicates potential paths that Internet packets can take from their origin to their destination. It’s the Internet’s “GPS” for traffic and a key part of the Internet’s digital rules. There are multiple physical routes available to send an email from Washington, D.C., to a user in Berlin, because the Internet is made up of these meshed Autonomous Systems. But one of these paths must be picked and used. The BGP allows ASes like those operated by ISPs like Verizon, CDNs like Cloudflare, and cloud providers like Amazon and Google to communicate possible routes to each other. Then, for each packet which must be forwarded, each AS makes a routing decision—selecting a possible path it learned via the BGP from its neighboring ASes. These routing decisions typically prioritize the least-expensive or highest-performance routes.
FIGURE 2: Visual of BGP use between interconnected Autonomous Systems
Source: Justin ShermanCore to BGP routing is trust. ASes implicitly trust routing information received from neighboring ASes28 because like many of the Internet’s early protocols the BGP wasn’t designed for security. Each time a packet moves from one AS to another (say, Verizon to Amazon), the sender assumes its own routing table (based on information from its neighbors, received via the BGP) reasonably approximates the actual topology of the Internet.29 This blind trust problem explains the BGP’s many malfunctions and exploitations.
3.2 How the BGP malfunctions and gets exploited
ASes semi-regularly announce incorrect or inefficient paths—potentially forming a “route leak,” where bad BGP data causes Internet traffic to move through unintended places, over highly inefficient routes, or to the wrong destination.30 Companies may quickly correct them (shaping the Internet’s behavior through real-time policy changes), but route leaks still disrupt traffic and produce unintended, sometimes disastrous, results. Human mistakes, like BGP misconfiguration, are a frequent cause of BGP routing errors.31 And many ASes use BGP optimizers, which try to override other ASes’ policies by taking advantage of their preference for specific routes—what one network engineer compared to prioritizing the destination “Buckingham Palace” over “London.”32 The problem is, this means that if any AS passes along a BGP route that’s inefficient or incorrect but more specific, other ASes will typically blindly accept it.
These BGP errors occur daily, and they are not always innocuous. Route leaks can be malicious, where attackers abuse the BGP to hijack data along an unintended path or to an incorrect destination—allowing traffic to be blocked, modified, stolen, or spied upon. Attackers could break into an AS and change its BGP table’s routing data. There’s a good chance this maliciously designed route (i.e., sending traffic through a compromised midpoint) will be blindly accepted by neighboring ASes, leading to a propagation of the reroute. Alternatively, the legitimate operator of an AS could carelessly edit its routing information or policies, or could be compromised via an insider threat, achieving the same rerouting effects. The entire AS could also be malicious, set up for the sole purpose of injecting bogus routes.
The National Institute of Standards and Technology identifies five possible consequences of these hijacks: (1) denying access to Internet services; (2) redirecting Internet traffic through midpoints, either for eavesdropping at the midpoint or for adding in malicious code to attack the destination endpoint; (3) redirecting Internet traffic to the wrong endpoint; (4) undermining Internet Protocol-based reputation and filtering systems; and (5) undermining the Internet’s routing stability.33 The first and the third consequences are often connected, as delivering traffic to the wrong place is a way to deny a user access to services. The fourth and fifth consequences occur when incorrect or inefficient routes are propagated, as errors in and exploitations of the BGP undermine trust in the BGP itself and, more broadly, the Internet’s ability to safely and reliably route data. In all cases of BGP route leaks, companies such as ISPs, CDNs, and cloud services providers using the BGP in an unsafe manner can undermine security across the global Internet.
Route leaks occur with unsettling frequency. Data from BGPStream (an open-source BGP monitoring tool) indicates that in May 2020 alone, there were hundreds of BGP errors impacting ASes around the world.44 These kinds of BGP events have impacted major technology firms like Facebook and Google, banking and financial services firms like MasterCard, and even US government agencies like the Department of Defense, a particularly frequent victim of inadvertent hijackings as a consequence of its broad holdings of IP addresses.45 BGP route leaks can also vary in duration. Some last for hours and crash small companies’ websites with misdirected traffic, like the second June 2019 incident in Table 2, or they could last for mere minutes but affect millions more people, compromising data from the likes of Google or Microsoft by routing traffic through a Russian state-owned telecom, as happened in April 2020.
These BGP incidents can have several, often overlapping effects, as noted using NIST’s consequences of BGP events to code Table 2. Just one BGP routing error, like Google’s traffic getting rerouted in November 2018 through MainOne Cable Company in Nigeria, can redirect traffic through an unanticipated midpoint, and undermine IP-based filtering systems and routing stability. BGP redirections, like Amazon user traffic going to a phishing website in April 2018, can send data to the wrong endpoint and compromise users’ access credentials and identities. Malfunctions and exploitations of the BGP often go beyond just slightly delaying the delivery of traffic from one point to another. But again, these “major events” (Table 2) are just a snapshot; these protocol malfunctions and potential manipulations occur all the time. Global BGP incidents from January 1 through May 31 of 2020 can be seen in Figures 3 and 4.
Using the open-source BGPStream, data on BGP incidents from January 1, 2020, through May 31, 2020, show thousands of individual outages, BGP leaks, and possible BGP hijacks (Figure 3). The data are incomplete as different BGP monitoring tools have different perspectives on and visibility of the global network infrastructure, but BGPStream’s data are a representative sample of the whole. Sixty-five percent of these events were outages, where BGP data transmission stopped working, but that still leaves 12 percent of incidents as BGP leaks (638 of them) and 23 percent as possible hijacks (1,193 of them). Many of these individual incidents may be collectively perceived by the media or analysts as one “event,” but the data go to show that a single BGP malfunction or exploitation can impact numerous government agencies, companies, or end users.
There are many BGP routing incidents with difficult-to-establish causes, thus making them hard to sort into the category of malicious hijack or accident, and BGPStream’s qualifying of hijacks as “potential” goes exactly to that point. Because of the implicit trust many ASes place in BGP route announcements, changes can propagate quickly and without malicious assistance.47 It can be very difficult to discern intent. For example, in June 2019, traffic from multiple European networks was routed through China Telecom, the Chinese state-owned telecom, for two hours.48 The BGP “route leak” occurred at Safe Host, a Swiss data colocation firm. It was possible for China Telecom to correct the BGP error once it received the traffic. Instead, China Telecom accepted the incorrect routes and began receiving traffic from European networks in the Netherlands, Switzerland, France, and more. “If any other ISP would have caused this incident, it would have likely been ignored,” one journalist wrote.49 But China Telecom’s previous entanglement with BGP hijacks of long durations50 meant this event raised some eyebrows.
The suspicion of China Telecom is not unique, as the BGP has been abused by a handful of serial offenders over the past decade. China Telecom has already been the source of a dozen unique BGP incidents (leaks and possible hijacks) between January 1 and May 31 of 2020 alone. Russian state-owned telecommunications giant Rostelecom has been the source of numerous events over the past few years, including an April 2020 hijack that was one “incident” overall but encompassed the hijacking of dozens of different ASes’ traffic (Table 2). AS operators in Angola, the Netherlands, and Hong Kong, and CenturyLink in the United States, were also detected by BGPStream as origins of numerous potential BGP hijacks in 2020 (Tables 3 and 4). Turla, widely believed to be a Russian state-sponsored espionage group,51 has used BGP hijacks in tandem with other tools to deliver malware.52 The Iranian government is no stranger to the BGP either, hijacking routes to target Iranian users of Instagram and the encrypted messaging app Telegram.53 All this begs the question: if companies like AT&T and Verizon, Akamai and Cloudflare, Amazon and Google see BGP route leaks on the Internet every day, what can these Internet infrastructure operators do about it?
3.3 Influencing the BGP’s security
There are tools readily available to protect the BGP. One such tool is Resource Public Key Infrastructure (RPKI) for Route Origin Validation, used to sign and filter BGP origin data.54 RPKI highlights the potential for the private sector to shape the Internet’s digital rules for security and the reasons firms may not do so.55 This makes it an exemplary case study for how the US government can help shape incentives—though just as the BGP is just one protocol that illustrates the private sector’s influence on global Internet security, RPKI is just one mechanism for adding safeguards around the BGP.
RPKI is a way to cryptographically sign records that link IP addresses to their originating AS.56 A regional Internet registry (RIR)—a nonprofit which manages Internet address space in different regions of the world—cryptographically signs assertions of IP address ownership. Then, the owner of said IP addresses signs a set of AS operators who can originate routes to those addresses. An AS operator like Amazon can download a local copy of the signed information.57 Then, whenever Amazon receives new route announcements from neighboring ASes, it can check against this signed information to discard bad routes.58 RPKI for Route Origin Validation only verifies legitimate destinations, not legitimate paths, but it builds more trust into Internet routing59 and makes it easier for AS operators like Google and Cloudflare to route Internet data correctly.
It’s up to the private sector to make these changes. AS operators can implement these protections to help secure Internet traffic routing at scale—improving security and resilience for every Internet user that needs traffic routed via the BGP, and protecting economic and national security in the process. The point is to raise costs: companies that put these safeguards around the BGP, the Internet’s “GPS,” make it harder for malicious actors to hijack the BGP and make it harder for those that still hijack the BGP to do so without detection. Keeping in mind that RPKI for Route Origin Validation is just one safeguard (just as the BGP is just one protocol), many other efforts, like machine learning to detect hijack patterns,60 can further supplement Internet routing security.
This one illustrative solution isn’t perfect; precisely because the Internet is human-made, from hardware cables to phone apps, it will always contain imperfections of human origin. Cryptographically signed routing tables can be compromised, pattern detection systems can make errors, and malicious actors could pose as authorized AS operators to pass bad BGP routes to Google, for example, even with RPKI, hijacking content bound for a government service or large company.61 But the private sector implementing these protections at scale would contribute massive improvements over the status quo. As one network engineer put it, “only a small specific group of densely connected organizations” needs to deploy RPKI on top of those already doing it “to positively impact the Internet experience for billions of end users.”62 More AS operators like AT&T or Verizon or Google or Cloudflare checking their BGP routes means a lower frequency of routing failures. This shapes the Internet’s digital rules to improve security.
Yet, many have not signed and filtered routes with RPKI. Implementation of this protection on a regional basis—broken down by the five regional Internet registries which manage Internet address space for respective regions—varies as well, with the highest rate of adoption in Europe and the rate of adoption lagging within the North American region served by the American Registry for Internet Numbers (ARIN) (Figure 5).
Routing security is a collective action problem; it takes more than one company to shape the Internet’s digital rules. Benefits scale with the number of AS operators which implement routing security improvements. Marginal costs of implementation for one operator—including time and resources, concern about complexity and malfunctions, and concern about liability for those malfunctions—can outweigh perceived benefits if deployment is not widespread. And, clearly, deployment is not as widespread as it could be, though RPKI protections implemented by operators within ARIN have been rising (Figure 6). Firms might only partially employ this BGP safeguard,64 and a lack of action at the global level illuminates the need for better government-private sector cooperation on this issue set. This is especially true in North America, where technology companies have an outsized influence on global Internet security.
Companies face several important disincentives to RPKI adoption which policymakers can help to address:
Coordination: RPKI must be implemented at scale, across many different AS operators, for it to effectively improve routing security. Telecommunications companies may privately say they support improvements to BGP security, for instance, but will not act if other companies won’t either—the risks are not worth it. Coordinating this action at scale is difficult. Policymakers can help by putting RPKI into federal procurement rules, which is a way to incentivize security best practices in the industry without legislative regulation (see Recommendation 1). Policymakers can also invest more in cyber diplomacy to develop norms around the protection of and noninterference with the BGP (see Recommendation 5).
Cost: While many ISPs, CDNs, and cloud services providers are investing much more in security today than they were ten years ago, that investment has not focused on networking as heavily as other areas. Many companies still favor fast and resilient systems over deployment of more secure routing. Competition among firms, particularly for large operators, is a key part of the calculus as well. Policymakers could leverage public-private partnerships to explore other ways to incentivize firms and lower costs (see Recommendation 2). Policymakers can also push for RPKI protections on government systems to add another set of large AS operators to the list of those using RPKI (see Recommendation 3). Firms themselves can also share threat data from their insights into the Internet infrastructure (see Recommendation 4).
Uptime: BGP routing is key to the Internet’s infrastructure. Network operators worry about RPKI causing even temporary errors in routing (or slightly slower routing), especially when scaled up for large operators where technical problems could have broader effects. This uptime issue affects other critical infrastructure, for example, delays in patching electrical power generation and distribution equipment which is operating near constantly. Industry and policymakers cultivating communities of knowledge among RPKI operators could help lower these risks (see Recommendation 2), as could pushing firms to implement protections at the same time via federal procurement rules (see Recommendation 1).
Liability: US network operators and ARIN, the regional Internet registry for North America, have conflicting risk tolerances for liability in the event of an RPKI malfunction. In other words, these entities have different stances on who should be liable for possible damages if an RPKI implementation malfunctions. Presently, many network operators maintain that they cannot or will not sign onto using RPKI with ARIN because of indemnification language in ARIN’s services agreement, which they assert is too broad in its shielding of ARIN from liability.65 ARIN, which recently made some revisions to the indemnification language, maintains that this language is necessary for an entity with a critical role in the global Internet and a significantly smaller budget than many network operators. This remains, in the words of one observer, a “logjam.” The government can thus use its public-private partnerships and convening power to push further dialogue on this issue (see Recommendation 2).
AS operators can modify their processes to integrate RPKI and other routing security methods to better protect the Internet from routing attacks and errors. These operators wield tremendous influence over this infrastructure. But routing is just one example of poor incentives for firms to do as much as they can to shape the Internet for security, just as RPKI as discussed here is merely one protection for the BGP. The following section examines similar issues in another key Internet protocol—the DNS—to frame the paper’s five recommendations in the final section.
4. Addressing the Domain Name System
4.1 How the DNS works
Before networks can route traffic around the world for Netflix or Skype or Facebook or Google Drive, they must know its address. The source of these addresses is the Domain Name System, often referred to as “the Internet’s phone book,” which translates domain names (i.e., atlanticcouncil.org) typed into a browser, or included in the right-hand side of an email address, to their respective Internet Protocol (IP) address (i.e., 104.20.20.178) to direct Internet traffic to its proper destination.66 Like the BGP, the DNS is a protocol that is both critical to the Internet’s digital rules and quite vulnerable to hacking and manipulation—and illustrates the potential for better government-private sector coordination on securing the Internet. It is again just one case study, and the protections for DNS integrity discussed within are only one protection available, like years-long government and industry efforts around DNS confidentiality.67
Similar to the BGP, the DNS can be run internally to a network, like a firewalled corporate intranet, but the discussion here focuses on its use on the global Internet.”
FIGURE 7: DNS in operation
First, a user types a website name into a browser; second, the computer sends this name over the Internet to a DNS “recursive resolver”; and third, this recursive resolver queries a hierarchy of subsequent servers to fetch the Internet address information: a “root name server,” a “top-level domain name server,” and a “second-level domain name server.”68 Private companies have a notable hand in these digital rules. They can maintain mappings of website names to IP addresses. A few organizations can even filter DNS queries for security reasons.69 Every day, private companies are implementing the DNS with geopolitical and security consequences.Speed and resilience were priorities for the Internet’s design, and the DNS is no exception. The DNS does provide numerous benefits; users only have to remember website names, not IP addresses, and when IP addresses change, as when Google or Amazon physically relocate servers supporting their cloud services, website names stay the same while being mapped to new IP addresses. The DNS’s abstraction layer also allows companies to link a single domain name to multiple IP addresses, and multiple domain names to single IP addresses, allowing a company like Verizon or Akamai to route data to users from the closest or fastest available server and to distribute the impact of large denial-of-service (DoS) attacks.70
4.2 How the DNS gets exploited
The DNS is vulnerable to manipulation, and here this focuses on integrity (as opposed to, say, confidentiality). Attackers can intercept and maliciously edit DNS queries and responses to send users to malware-laden websites instead of their intended destination. Users might expect their banking website but instead be disclosing their banking credentials to a visually indistinguishable but malicious imposter. This could happen on the user’s device, between the user and their recursive resolver, within the recursive resolver itself or, most commonly, between the recursive resolver and authoritative servers. This last attack is most broadly effective as it can change Internet packet addressing for all downstream devices.71
The DNS is also vulnerable because of a process called caching. Because it’s costly (in time and resources) for computers to repeatedly request the same information from upstream servers, they store copies of the answers they receive in a local cache, thereby speeding up subsequent queries and vastly reducing demand on the network and servers. But cache maintenance requires many rules and policies, and this is another “attack surface” subject to exploitation. Using “DNS tunneling,” hackers can also use channels of DNS communication between a computer and a DNS server to exfiltrate information or facilitate malware command-and-control through firewalls, which may not be able to validate DNS traffic.72 It’s a way to covertly steal data.
There have been numerous DNS hijacks over the past few years, including a notable global DNS hijack campaign—dubbed “DNSpionage”—by actors with apparent links to Iran, that illustrate this problem. In November 2018, Cisco’s Talos unit reported on “a new campaign targeting Lebanon and the United Arab Emirates” which impacted .gov domains and a Lebanese airline. The attackers also compromised the DNS of legitimate .gov and private domains in target countries, potentially redirecting traffic.73 Yet this is hardly the only large-scale DNS hijacking incident. In April 2019, Cisco Talos published a report detailing another DNS hijacking campaign with public and private targets, “including national security organizations.” Talos dubbed the operation, likely beginning as early as January 2017 and continuing into 2019, “Sea Turtle.” It expressed concern that the operation’s success would “lead to actors more broadly attacking the global DNS system.”74 However, these hijacks are not always as related to geopolitical and state security interests; other separate DNS hijacks have targeted individuals as well. For instance, cryptocurrency service MyEtherWallet was hit with a DNS hijack in August 2018 that stole more than $150,000 in cryptocurrency from the site’s users.75 In total, these incidents underscore poor security on the part of the DNS.
4.3 Influencing the DNS’ security
DNS hijacks and abuse hurt users and civil society organizations, businesses, and governments. Like other human-designed Internet rules, the DNS is not set in stone; in fact, companies with infrastructural influence over the Internet are rapidly reshaping the DNS protocol suite. To protect the DNS, AS operators, website hosts, and other companies or institutions that connect their constituents’ systems to the Internet (e.g., for corporate and university networks) can implement DNS Security Extensions (DNSSEC). This is but one protection for the DNS, which is again one protocol—but collectively a valuable case study for private sector Internet influence.
DNSSEC uses public key cryptography to create a trust model for DNS records—it yields records that are verifiable by anyone receiving them.76 This beneficially separates the data’s integrity from the security of the servers and networks which handle it,77 the equivalent of a detective sealing evidence in a tamper-evident bag.78 A court can still verify the integrity of the evidence inside, regardless of whose hands it passed through between the detective and the court. Like RPKI, to implement DNSSEC, users must both create signatures and verify them.79 One party signing the data is a necessary precursor to another party using the signature to verify the data’s integrity—but the system as a whole is not secure until and unless both steps have been completed.
FIGURE 8: DNSSEC in operation
In the first step, the server operator must generate cryptographic key pairs for every “zone”—a portion of the Internet address space managed by a particular entity80—and then be able to communicate those signed records.81 In the second step, the operator must be able to verify incoming cryptographic signatures from others to evaluate DNS record trustworthiness. Like with the BGP, the Internet’s “GPS,” companies can implement these protections for the DNS, the Internet’s “phone book,” to better protect Internet packet addressing.Just as the DNS is one protocol that highlights the private sector’s overlooked, vital impact on global Internet security, DNSSEC is just one DNS protection. It doesn’t solve all DNS security problems by itself. DNSSEC data is signed but not encrypted: computers can check a DNS record’s authenticity (e.g., a user can verify the IP address they received for atlanticcouncil.org is the correct one), but the transaction’s confidentiality is not protected (e.g., someone could see the user wants to connect to atlanticcouncil.org).82 DNSSEC can also be implemented incorrectly,83 and DNSSEC cannot protect users from mistyping domain names; “typosquatting” is a frequent form of attack—for example, catching users who type “atlanticouncil.org”84 or “atlanticcouncil.com” instead of “atlanticcouncil.org.” It’s up to the private sector to act, but that action is not widespread.
Globally, 65.7 percent of end users are neither performing DNSSEC validation nor trusting a recursive resolver to do it for them (Figure 9); they are still reliant on the DNS in its original and less-secure form. Once again, North America trails much of the world with only 28.5 percent of users seeing validated DNSSEC connections relative to 38.5 percent in Oceania and 29.5 percent in Europe. North America also lags in partial DNSSEC validation, with partial validation86 much higher in Africa and Asia (Figure 10). Private industry plays a major role in this, underscoring an urgent need for government action and government-private sector coordination on poor market incentives, collective action problems, and a lack of available tools, particularly for small firms. But even on the government side, North America is behind: for instance, the United Kingdom’s National Cyber Security Centre offers up a Protective Domain Name System (implemented by Nominet UK, the .uk domain name registry) to make DNS protections easier in the UK,87 whereas US government agencies are still lagging in DNSSEC adoption despite existing requirements for its implementation.88
Protections for the DNS, a key Internet protocol, are an example of a strong opportunity for the private sector to use its influence over the Internet to improve security for all. Yet, there are several barriers to wider action and adoption:
Collective Action: Like RPKI, the benefits of DNSSEC scale with the number of entities using it. Implementing DNSSEC does take work, yet more companies and individuals doing that work to implement DNSSEC measures on their end devices could add pressure on domain name server operators to implement DNSSEC themselves.90 Policymakers could introduce federal procurement requirements here to encourage protections among large private sector operators (see Recommendation 1). They could also push the government to implement protections on its systems (see Recommendation 3).
Cost: Implementation of DNSSEC requires time and resources, like configuring signed addresses for one’s domains. This is an obstacle for network operators and DNS providers in a constant race to maintain and improve network speed and stability.91 Deploying protections at scale, like with many protocol protections, can also yield its own challenges and technical side effects. Policymakers can thus use the government’s coordinating functions to convene public-private dialogues on this Internet protocol security challenge (see Recommendation 2).
Stability: DNSSEC implementations fail safe, by design. When anything goes wrong, the user cannot proceed because doing so would leave them open to compromise. For instance, nameservers might incorrectly sign records and thus prevent users from accurately validating DNSSEC-signed addresses.92 Policymakers can use the government’s coordinating and best-practice-sharing functions to help address stability issues when firms shape the Internet for security (see Recommendation 2). Policymakers can also invest in norm development for protecting and not interfering with the DNS (see Recommendation 5).
Tough to DIY: Many users depend on third-party nameservers, like a cloud provider, to operate their website and resolve the DNS. This means relying on these third parties to adopt DNSSEC and to maintain it over time, including the necessary cryptographic signing process.93 Policymakers can help lower barriers through convenings and public-private partnerships, for instance, like the UK’s resources for DNSSEC implementation (see Recommendation 2).
5. Recommendations and conclusions
The Internet’s shape and behavior are not set in stone. The private sector continuously revises the Internet’s topology and policies, changing its behavior for users, businesses, and governments across the world. Resulting effects on personal, economic, and national security are enormous, for these are not just decisions about a single database used by one company but about physical infrastructure and digital rules that impact millions if not billions of Internet users every day. The COVID-19 pandemic has underscored society’s fundamental reliance on the Internet, and Internet dependence and connectivity will only grow in the years to come as more of the global population comes online; as the cloud market continues to expand in offering services to individuals and enterprise; as more work and learning becomes virtual; as government agencies turn to the cloud and to artificial intelligence for government functions; and as emerging technologies like 5G telecommunications empower the Internet of Things and autonomous vehicles to constantly connect and communicate data. Securing the addressing and routing of all of that data—making sure it arrives quickly, safely, securely, and via the right paths—is vital.
The US government has an opportunity to better integrate the unique influence the US private sector has on the Internet’s topology and behavior, and thus its security, into a national policy for securing cyberspace. Yet, private firms must also recognize the opportunities and responsibility their influence gives them to improve Internet security and resilience at scale. Consequently, there is an urgent need not just for better government-introduced incentives for the private sector to act to the benefit of Internet security, but also for better government-private sector cooperation and coordination on these issues.
The BGP and the DNS show the poor pace of progress in driving these more secure Internet protocols to wide adoption—and underline the disconnect between private sector firms’ influence and incentive to change. However, they are only two protocols, and the safeguards discussed in this report’s case studies are only two of many safeguards for bolstering those protocols’ security. Questions about BGP security have grown over the past few years, and the coming years will only bring new issues to the fore that will take on their own urgency. This is where leveraging this report’s case studies on the BGP and the DNS—on the protocols, their vulnerabilities, the barriers to action—will help the government and the private sector build policy and strategy around incentives and coordinated action to tackle the next set of challenges. The United States should be looking ahead when building a strategy to secure the Internet with an appreciation of the private sector’s influence.
To this end, this report makes the following five recommendations:
The US government should place Internet protocol security best practices in federal procurement rules. Incentivizing a few big players to change their behavior, especially ones in the United States with an outsized influence on Internet infrastructure, can have significant consequences for the Internet ecosystem and lower the barrier to collective action on the part of small and medium-sized network operators. This would compel ISPs, CDNs, cloud services providers, and other Internet infrastructure operators vying for federal contracts to adopt these safeguards. Those implementing these procurement rules should include the Departments of Defense, Veterans Affairs, Homeland Security, and Health and Human Services, which are the four biggest IT spenders in the US government. Looking beyond the case studies in this report, these rules could also draw from other security best practices for Internet addressing and routing, like those enumerated in Mutually Agreed Norms for Routing Security (MANRS),94 or those laid out in previous work by the NIST.95
The US government should convene public and private stakeholders to tackle the next set of challenges on Internet protocol security. The US private sector’s outsized influence on Internet infrastructure means the US government must better understand its security challenges and the incentives around them—which also presents an opportunity to be forward-looking. The key for any convening is to be voluntary, to have a well-defined scope, and to involve representatives with subject matter expertise as well as global stakeholders. Interagency buy-in from the government side is also essential for driving consensus on potentially coordinated or collaborative activities, and the involvement of a technical-expert agency like the NIST can help with the optics of a public-private convening on protocol modifications. Additionally, bringing operators to the table—those who technically work on these challenges that have business, policy, and geopolitical effects—could help drive substantive conversation at a convening spanning problems, how they can be addressed, and barriers to those solutions. There is also an educational role here insofar as some security issues with the Internet’s digital rules come back to network operators’ “hygiene” practices. Ensuring trust in a route’s path, not just its origin, is one example of a “next big challenge.”
The US government should require federal agencies to implement these Internet protocol security best practices in their own systems. While the US private sector has key influence on Internet topology and behavior worldwide, the US government maintains its own domestic networks that also should be secured. Government agencies, especially the Department of Defense, operate large networks that use many of the same digital rules as private operators. Policymakers should promote security best practices within these agencies,96 such as through the Office of Management and Budget,97 in coordination with the NIST. This can also include producing reports on the status quo within government agencies, building on previous work.
Large, private sector network operators should share and then leverage data on Internet protocol attacks. The US private sector’s influence on global Internet topology and behavior provides key and unique insights into security threats around the world, such as attacks on the Internet’s core digital rules. Some corporate aversion to naming and shaming is understandable, but ISPs, CDNs, and cloud services providers collectively have a depth and breadth of insight into the infrastructure that researchers cannot find elsewhere—meaning they also have insight into attacks and repeat offenders for, say, traffic routing malfunctions. Much like the public-private convening on future challenges in Internet protocol security, data sharing here would need buy-in not just from business leadership but also from operator-level personnel at those companies. A convening discussion about this issue should also address operator concerns about liability for increased data sharing, including with researchers who would greatly benefit from data on protocol attacks. This could occur through any number of existing private sector efforts to share threat information, such as through sector-specific information-sharing analysis centers (ISACs) or through nonprofit efforts like the Shadowserver Foundation.
The US government should invest more in the State Department’s cyber diplomacy efforts to develop norms against manipulating core Internet protocols. Not only does the US private sector have enormous influence over global Internet infrastructure, but the United States has historically played a key leadership role in promoting and protecting practices around a relatively free and global Internet—which also means security is a critical issue. Existing intergovernmental and nongovernmental efforts to push these protections, like the Global Commission on the Stability of Cyberspace’s “Call to Protect the Public Core of the Internet,” already focus on this issue—developing norms around state and nonstate noninterference in Internet traffic addressing and routing protocols key to the Internet’s functionality.98 This could also involve the leveraging of private sector data on incidents like BGP hijacks. The United Nations Group of Governmental Experts (UN GGE) and UN Open-Ended Working Group (OEWG) are two forums through which this investment could occur, in addition to bilateral and multilateral engagements with allies and partners who share an interest in better securing the global Internet.
These recommendations are not a silver bullet. But they zoom out far beyond the illustrative case studies on the BGP and the DNS in this report and recommend the US government reassess its current strategy toward and relationship with the private sector with respect to Internet security. The private sector’s role in Internet geopolitics on the infrastructural level cannot be ignored or sidelined any longer. Further, challenges that have plagued Internet routing and addressing security in the past can provide valuable lessons for the future.
On both of these points, Internet name resolution and packet routing protocols are exemplary case studies. The BGP and the DNS show how private sector influence over Internet infrastructure gives firms leverage to better protect Internet packet addressing and routing at scale—in ways that better protect personal, economic, and national security, as well as the overall resilience of the global Internet. This matters for global cybersecurity as well as for growing “cyber sovereignty” measures around the world, including the so-called fragmentation of the global Internet, which are driven in part by concerns about cybersecurity threats. Working to better secure the Internet will promote confidence in its continued viability as a global network of networks and, perhaps, slow the decline toward a fragmented and tribal information ecosystem.99
No comments:
Post a Comment