Agencies accelerate efforts to ‘clean up’ insecure internet routing

The Office of the National Cyber Director is working with agencies to accelerate efforts to “clean up” insecure internet routing techniques that can lead to cybersecurity risks.

White House National Cyber Director Harry Coker expects that more than half of all advertised federal IP space will adopt more secure routing agreements by the end of this year. The goal is to get to Resource Public Key Infrastructure (RPKI), which provides security for internet routing to help prevent traffic from being hijacked by hackers.

During an address before the National Security Telecommunications Advisory Committee today, Coker said several Commerce Department agencies earlier this month signed contracts to register their IP space and create so-called “route origin agreements.” Such agreements are used by RPKI to verify the owners of IP addresses.

The contracts were pioneered by Commerce’s National Oceanic and Atmospheric Administration, Coker added.

“These contracts . . . are models for other agencies across the government to follow,” Coker said.

The work falls under a goal of the Biden administration’s National Cyber Strategy to secure the “technical foundations of the Internet,” including vulnerabilities in Border Gateway Protocol. BGP is the routing protocol of Internet, but hackers have leveraged flaws in the decades-old protocol to hijack traffic and create other cybersecurity issues.

“Such a ‘clean-up’ effort to reduce systemic risk requires identification of the most pressing of these security challenges, further development of effective security measures, and close collaboration between public and private sectors to reduce our risk exposure without disrupting the platforms and services built atop this infrastructure,” the strategy states.

Coker said the issue came to the forefront during the development of the national strategy, when unnamed ONCD partners raised challenges with RPKI adoption.

“They told us about the very real fear that failure to address the risks could put us in danger of disruption and espionage,” Coker said. “That’s why one of our strategic objectives specifically calls out BGP as a key protocol to secure.”

Accelerating the federal adoption of RPKI is part of the government’s effort to “getting our own house in order,” Coker added.

ONCD is also working with other federal agencies and the private sector on a roadmap to drive broader adoption of secure internet routing.

“We recognize that implementing RPKI is a first step in improving internet routing security,” Coker said. “Collectively, we have much more to do to secure the technical foundations of the Internet going forward, and we look forward to the government and private sector working together to address these critical challenges.”

SRMA funding

During a separate address this week, Coker also highlighted efforts to bolster the cybersecurity oversight of critical infrastructure through sector risk management agencies, or SRMAs. He said the Biden administration is requesting increased funding in fiscal 2025 for multiple SRMAs, including an additional $12 million for the Department of Health and Human Services’ Administration for Strategic Preparedness and Response. ASPR is responsible for overseeing cybersecurity across the health and public health sectors.

The Environment Protection Agency is also requesting $25 million to bolster its oversight of cybersecurity in the water sector. The agency also requested an additional $25 million to establish a dedicated cyber grant for water utilities. EPA warned earlier this week that more than 70% of the water utilities surveyed in recent years are falling short of basic cyber hygiene practices.

Coker’s discussion of SRMA capacity comes after President Joe Biden signed out a new national security memorandum bolstering the Cybersecurity and Infrastructure Security Agency’s role in overseeing critical infrastructure cybersecurity. But the memo also directed SRMAs to take a closer look at their capacity and requirements.

“These appropriations will be vital to continue implementation of the strategy and national security memorandum-22,” Coker said Wednesday at the Auburn University event. “And we’re looking to our partners in Congress, having kicked off conversations on SRMA responsibilities, to fund them.”

CISA is also taking a more detailed look at critical infrastructure organizations and relationships to define what are known as “systemically important entities.” Valerie Cofield, chief strategy officer at CISA, said the agency is developing a methodology for defining what constitutes an “SIE.”

“As we’ve seen in so many attacks, rarely is an incident just siloed into one sector –it usually has cascading impacts into different sectors,” Cofield said.

Under the new national security memo, CISA is working on a cross-sector risk assessment. Cofield said SIEs will likely fall under that evaluation.

And the cyber agency is also considering what kind of assistance SIEs will need once they are designated. Cofield said CISA offers free cybersecurity services, such as CyberSentry, that could help the most important entities manage cyber threats.

“[SIEs] should be first in line to receive tools like that, to be able to have that advanced detection, that we can really help monitor those enterprises,” Cofield said. “But that’s still something that we haven’t made final decisions on. Everything’s still pre-decisional. But we are thinking about all those things.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.