HWG Client Advisory
By: Paul J. Caritj, Annick Banoun, and Daeyeong Kim
On June 6, 2024, the Federal Communications Commission (“FCC”) unanimously adopted a Notice of Proposed Rulemaking (“NPRM”) designed to increase the security of the internet’s routing infrastructure.[1] As the NPRM highlights, the FCC considers the security of the internet’s routing system — and, specifically, vulnerabilities in the ubiquitous Border Gateway Protocol (“BGP”) — to be a vital national security issue.
The NPRM would require all broadband internet access providers (“service providers”) to maintain written plans describing the efforts they have made to address vulnerabilities in the BGP by implementing the Resource Public Key Infrastructure (“RPKI”) and other techniques.
The nine largest service providers[2] would be required to file these routing security plans with the FCC.[3] These providers would also be required to resubmit their plans annually until they certify that they have met specific milestones in their RPKI implementations.[4] The nine largest service providers would also be required to file specific data quarterly in order to allow the FCC to measure progress in the implementation of RPKI-based security measures and assess the reasonableness of the service providers’ routing security plans.[5] Other service providers would not be required to file plans or quarterly data reports, but would be required to provide their routing security plans to the FCC upon request.[6]
In addition to these filing requirements, the FCC is exploring whether to impose more specific mandates to encourage (or require) service providers’ registration of routes via Route Origin Authorizations (“ROAs”) and use of Route Origin Validation (“ROV”). For instance, the NPRM seeks comment on whether the FCC should prohibit service providers from entering into contracts for traffic exchange involving routes without ROAs under certain circumstances or whether certain service providers should be required to implement ROVs.[7]
The NPRM also seeks comment on a number of related topics including:
- Who should be required to file routing security plans?
- What criteria should service providers be required to include in their plans to gauge their progress in addressing routing security issues?
- How should the FCC assess these plans?
- What should a service provider do if RPKI is not appropriate for their business?
- How should the FCC maintain the confidentiality of service providers’ routing security plans while complying with the Freedom of Information Act?
- Are there other measures that could increase routing security other than RPKI?
Comments are due on July 17, 2024; reply comments are due on August 1, 2024.
* * * *
For more information on the NPRM, please contact Paul Caritj, Annick Banoun, or Daeyeong Kim.
This advisory is not intended to convey legal advice. It is circulated publicly as a convenience and does not reflect or create an attorney-client relationship.
[1] Reporting on Border Gateway Protocol Risk Mitigation Progress; Secure Internet Routing, Notice of Proposed Rulemaking, FCC 24-62, PS Docket Nos. 24-146, 22-90 (rel. June 7, 2024) (“NPRM”).
[2] These providers are AT&T, Inc., Altice USA, Charter Communications, Comcast Corporation, Cox Communications, Inc., Lumen Technologies, Inc., T-Mobile USA, Inc., Telephone & Data Systems (including US Cellular), and Verizon Communications, Inc. Id. ¶ 39.
[3] Id. ¶ 37.
[4] See id. ¶ 54
[5] Id. ¶ 60.
[6] See id. ¶ 65.
[7] See id. ¶¶ 71-74.