A review by the Government Accountability Office (GAO) has identified risks to key internet operations.
The internet is a vast system of interconnected networks used by billions of people. Its architecture is owned and governed by organizations around the world. No one organization is responsible for its policy, operation, or security.
The decentralized nature of the internet can help with resilience, but it nevertheless faces a variety of cyber and physical risks – both intentional and unintentional – that can impact its components.
The risks
GAO said in its report that cyber risks can impact two sets of protocols needed to ensure the uniqueness of names used in internet-based services and for facilitating the routing of data packets. Specifically, the domain name system translates names to numerical addresses used by computers and other devices to route data. Additionally, the border gateway protocol is used to exchange network availability and routing information about individual networks. Both of these protocols are threatened by intentional abuse by malicious actors, as well as by unintentional failure. Internet architecture can also be impacted by physical risks, such as cutting or removing fiber-optic cabling, extreme weather events, or bomb blasts as was the case with the December 2020 Nashville attack.
These and other risks may result in incidents that disrupt the proper functioning of the internet, including outages, degradation of performance, and interception of traffic. But a panel of experts told GAO that unless a threat actor with the necessary capabilities, such as a nation state, intended to do more severe damage, the impacts of incidents related to the risks identified would typically be limited to specific regions or service providers.
However, the panelists emphasized the risk associated with supply chains that support the internet architecture. They noted concerns about vulnerabilities built into networking components, disruption in the delivery of components, reliance on externally developed software code, and the lack of needed hardware components. In addition, panelists stated that entities lack visibility regarding these risks when purchasing components. Panelists also expressed concern about the trend toward centralization of internet services via cloud computing and the potential of this trend to create single points of failure, which could increase the impact of internet architecture security risks. Further, panelists stated that the risk of intentional incidents affecting the internet architecture depends on the capabilities and motives of malicious actors.
Panelists stressed that cyber risks to the internet architecture pose a greater threat than physical risks. They also cited the relative difficulty in attributing cyber incidents to perpetrators.
The response
The U.S. government has, over time, reduced its role regarding internet architecture components, including decommissioning early networks it had developed and relinquishing its oversight role of internet technical functions. Those responsibilities passed to the global multistakeholder community.
The federal government still fulfills a number of different roles that directly address risks to the internet architecture, however. GAO’s report notes that, for example, DHS worked with members of the communications and information technology critical infrastructure sectors to complete risk assessments on the sectors’ ability to provide internet functions. In addition, the Federal Communications Commission impacts the security of the internet architecture through licensing submarine cables and landing stations, and administering a program to remove and replace equipment determined to pose an unacceptable risk to national security.
Current Federal Roles in Infrastructure Architecture Security:
- Guiding Critical Infrastructure Protection and Performing Private Sector Engagement
- Engaging in International Cyber Diplomacy
- Supporting Cyber Research and Development
- Coordinating Cyber Incident Response
- Investigating and Prosecuting Cyber Criminal Activity
- Developing Security Standards
- Regulating Portions of the U.S. Communication Network
- Addressing Supply Chain Concerns Related to Data Routing Hardware and Services
- Operating Domain Name System Root Zone Servers
- Issuing Licenses to Land and Operate Submarine Cables
The expert panelists told GAO that the federal government could help monitor market conditions and take actions to address any internet architecture security issues that could arise. Specifically, the panelists suggested that regulation could possibly be used to drive additional transparency (e.g. physical and cyber incident and outage data collection) surrounding the internet architecture market. Panel members noted that there are potential challenges, such as cost, that could come with regulation.
