Communications Litigation Today was a Warren News publication.
Risk-Based Approach?

ISPs: FCC Should Reconsider Proposed Border Gateway Reporting Requirements

The FCC should proceed with caution or reconsider entirely a proposal that imposes on the nine largest ISPs specific reporting requirements on their border gateway protocol (BGP) security practices, ISPs and industry groups said in comments posted through Thursday in docket 24-146 (see 2406060028). The Biden administration "supports properly implemented and narrowly constructed" BGP reporting requirements, NTIA said. "The FCC's action should be appropriately tailored to preserve the highly successful multistakeholder model of internet governance."

The proposal "puts forward a regulatory approach to routing security of our industry" that would "require attorneys to drive cybersecurity prioritization" rather than engineers and subject-matter experts, USTelecom said. The group opposed imposing specific requirements. "This focus is misplaced given the robust security posture already achieved by these providers and the marginal utility."

Instead, USTelecom suggested encouraging "broad adoption of route origin authorizations" by other stakeholders with autonomous systems. "Any move toward fragmentation undermines decades of bipartisan U.S. policy to promote global interoperability," USTelecom said, adding that the proposal exceeds the commission's authority.

The FCC "appears to be stepping away from the cross-agency and multi-stakeholder collaborative approach to a paradigm that centers on regulation of the communications sector," CTIA said. The group warned that "more prescriptive operational mandates" could come next if the commission "is not satisfied with the plans and progress made."

ACA Connects called the proposed rules "out of step" with the federal government's "whole of government" approach to cybersecurity. The FCC should instead "maintain and support the multi-stakeholder collaborative approach that has created success in the cybersecurity space," the group said. BGP adoption "continues to accelerate without the need for prescriptive government intervention and unnecessary reporting."

T-Mobile urged that the FCC take “a risk-based approach” to BGP reporting “that avoids reference to specific standards-driven implementation thresholds and provides wide latitude for providers to develop secure Internet routing plans that map to their specific network profile.” The FCC should exempt from reporting requirements providers that “attest to full implementation of their secure routing plan,” T-Mobile said. The carrier noted it covers nearly all its subscriber IP addresses with route origin authorization (ROA), cryptographically signed certificates stating that T-Mobile’s autonomous system is authorized to originate those particular IP addresses.

Verizon described itself as an “industry leader” in routing security, saying it dedicates “substantial resources to maintaining that strong posture.” Verizon called for a collaborative, risk-based approach. Avoid “rules that drive service providers to prioritize specific BGP technologies in specific ways, whether through overly burdensome reporting targets coupled with arbitrary safe harbors or through direct regulatory mandates.”

Verizon also questioned the FCC’s legal authority to impose rules. The NPRM “strays from lawful or sound public policy by proposing to apply transit-specific BGP obligations such as Route Origin Validation filtering to the few … providers that happen to have transit operations … while leaving the majority of major U.S. internet transit providers completely unaffected.”

Proceed cautiously” in imposing rules, Cisco advised. The FCC should “expressly respect and promote the role of industry-led standards bodies in defining Internet security standards and avoid prescriptive and misaligned requirements that could chill technologists’ efforts to secure Internet routing,” the company said: Efforts should also “integrate with and align with ongoing efforts to secure the Internet routing ecosystem at the broader U.S. government and global Internet community level.”

NTCA and the Wireless ISP Association also urged the FCC to move cautiously in joint comments. The groups backed a "multi-step approach" of implementing route origin authorization and said removing obstacles to the process "would facilitate increased adoption of BGP." The FCC should align its proposal with ISPs' incentives and progress in network security, NCTA said. It noted that cable ISPs utilize a variety of secure routing tools and protocols, including those of the FCC's communications security, reliability, and interoperability council. WTA sought clarification on "BGP compliance responsibilities and alternatives for [rural local exchange carriers] and other ISPs where an upstream transit provider does not provide ROA registration and maintenance."