The Office of the National Cyber Director is working with agencies to accelerate efforts to “clean up” insecure internet routing technologies that may pose cybersecurity risks.
White House national cyber director Harry Coker expects that by the end of this year, more than half of the advertised federal IP space will have adopted the more secure routing agreements. The goal is to adopt the Resource Public Key Infrastructure (RPKI), which provides security for internet routing to prevent hackers from hijacking traffic.
Speaking to the National Security Communications Advisory Committee today, Coker said that several Commerce Department agencies signed agreements earlier this month to register IP space and create so-called “route origin authorizations.” Such authorizations are used by the RPKI to verify the ownership of IP addresses.
Coker added that these contracts were pioneered by the Commerce Department's National Oceanic and Atmospheric Administration.
“These contracts serve as a model for other agencies across government to follow,” Coker said.
The work falls under the Biden administration's national cyber strategy goal of securing “the technical foundations of the internet,” including vulnerabilities in the Border Gateway Protocol. BGP is the internet's routing protocol, but hackers have exploited flaws in the decades-old protocol to hijack traffic and cause other cybersecurity problems.
“Such 'clean-up' efforts to mitigate systemic risks will require close public-private collaboration to identify the most pressing security challenges, further develop effective security measures, and reduce risk exposure without disrupting the platforms and services built on this infrastructure,” the strategy states.
Coker said the issue came to the forefront during the development of the national strategy when an ONCD partner, whom he did not want to name, raised objections to the introduction of RPKI.
“They shared with us very real concerns that if we didn't address the risks, they could be at risk of disruption or espionage,” Coker said, “which is why one of our strategic objectives specifically lists BGP as a critical protocol to secure.”
Accelerating the federal government's adoption of RPKI is part of the government's efforts to “get itself in order,” Coker added.
ONCD is also working with other federal agencies and the private sector on a roadmap to advance the broader adoption of secure internet routing.
“We recognize that implementing RPKI is a first step in improving Internet routing security,” said Coker. “Looking forward, we still have much more work to do collectively to protect the technical foundations of the Internet, and we look forward to government and the private sector working together to address these important challenges.”
SRMA Funding
In a separate speech this week, Coker also highlighted efforts to strengthen cybersecurity oversight of critical infrastructure through Sector Risk Management Authorities (SRMAs). He said the Biden administration is requesting budget increases for several SRMAs in fiscal year 2025, including an additional $12 million for the Department of Health and Human Services' Administration for Strategic Preparedness and Response (ASPR). ASPR is responsible for overseeing cybersecurity across the health and public health sector.
The Environmental Protection Agency is also seeking $25 million to strengthen cybersecurity oversight in the water sector, and another $25 million to create cyber grants specifically for water suppliers. The EPA warned earlier this week that more than 70% of water suppliers it surveyed in recent years were failing to implement basic cyber hygiene measures.
Coker's discussion of SRMA capabilities came after President Joe Biden signed a new national security memorandum that strengthens the Cybersecurity and Infrastructure Security Agency's role in overseeing cybersecurity for critical infrastructure. The memorandum also directs SRMAs to take a closer look at their capabilities and requirements.
“These appropriations are essential to continue implementing the strategy and National Security Memorandum 22,” Coker said Wednesday at an Auburn University event, “and we look to our partners in Congress, who have begun conversations around SRMA accountability, to provide them.”
CISA is also taking a more detailed look at critical infrastructure organizations and their relationships, defining what it calls “systemically important entities.” Valerie Cofield, CISA's chief strategy officer, said the agency is developing a methodology for defining what constitutes an “SIE.”
“As we have seen with many attacks in the past, incidents are rarely contained to one sector and usually have a cascading effect across many different sectors,” Cofield said.
Based on the new national security memo, CISA is working on a cross-sector risk assessment, which Cofield said will likely include SIEs.
Cyber agencies are also considering what kind of assistance the SIEs will need after they are designated. Cofield said CISA offers free cybersecurity services, such as CyberSentry, that could help the most critical organizations manage cyber threats.
“They [SIEs] should be the first to receive the advanced detection tools that would really help us monitor these companies,” Cofield said. “But we haven't made any final decisions yet. It's all still in the early stages, but we're looking at all of these things.”
Copyright © 2024 Federal News Network. All Rights Reserved.