Cybersecurity: Internet Architecture Considered Resilient, But Federal Agencies Continue To Address Risk

What GAO thought

The communications industry operates the multiple, independent networks that underpin the Internet. To support the exchange of network traffic, service providers manage and monitor core infrastructure elements with numerous components, including Internet interchange points and submarine cable landing stations that connect to both domestic and international networks (see figure). Multiple US service providers operate several core networks that crisscross the country and are interconnected at various points.

How US core internet networks connect to service providers

\\vdifs02\FR_Data\BeckerB\Desktop\FY21_ALL_STAFF-#920789-v12-GRAPHIC_PROOF-ITC-104560_CGB.bmp

While experts consider the internet architecture to be resilient, it still faces a variety of cyber and physical risks that can affect its components; such risks may be intentional or unintentional (see table). In particular, cyber-related risks can affect two sets of protocols needed to ensure the uniqueness of names used in Internet-based services and to facilitate the routing of data packets. Specifically, the domain name system translates names such as: www.gao.gov, to numeric addresses used by computers and other devices to route data. In addition, the border gateway protocol is used to exchange network availability and routing information about individual networks (ie destinations). Both protocols are threatened by willful misuse by malicious actors, as well as accidental failure. In addition, the internet architecture can be affected by physical risks, such as cutting or removing fiber optic cabling.

Internet Architecture Risks

Cyber ​​intentionally

  • Denial-of-service attacks
  • Abuse of Border Gateway Protocol (BGP)
  • Domain Name System (DNS) Abuse
  • Supply Chain Operation
  • Malicious Insider(s)

Cyber ​​unintentionally

  • BGP Failures
  • DNS errors
  • Hardware failures
  • Software errors
  • Operator error

Physically intentional

  • Deliberate damage to fiber optic cabling
  • Attack on an Internet architecture facility or related infrastructure

Physically unintentional

  • Accidental damage to fiber optic cabling
  • Serious Natural Event

Source: GAO Analysis of Federal and Non-Federal Reports. † GAO-22-104560

Risks, if realized, can lead to incidents that disrupt the proper functioning of the Internet, including outages, performance degradation, and traffic interception. Panelists serving on two panels convened by GAO also stated that the risk of deliberate incidents affecting Internet architecture depends on the capabilities and motives of malicious actors. GAO and others have reported on threats from criminal groups and nation-states, among others, who could potentially use their capabilities to influence components of Internet architecture. For example, a 2017 Department of Homeland Security information technology-related risk assessment identified organized crime and nation-states as threats to operations that provide domain name routing services.

When the US government reduced its role in relation to Internet architecture components, including dismantling early networks it had developed and relinquishing its oversight role of Internet engineering functions, those responsibilities passed to the global multi-stakeholder community. No organization is responsible for all internet policy, operations and security. However, the federal government fulfills a number of different roles that directly address the risks to the Internet architecture (see table). In order to fulfill these roles, agencies have taken actions. For example, DHS worked with members of the critical infrastructure sectors in the communications and information technology sectors to, among other things, conduct risk assessments on the sectors’ ability to deliver Internet functions. In addition, the Federal Communications Commission influences internet architecture security by licensing submarine cables and landing stations and administering a program to remove and replace equipment determined to pose an unacceptable risk to national security.

Federal Roles in Infrastructure Architecture Security

Guiding Critical Infrastructure Protection and Conducting Private Sector Engagement

Involved in international cyber diplomacy

Cyber ​​Research and Development Support

Cyber ​​Incident Response Coordination

Cybercrime Investigation and Prosecution

Developing security standards

Controlling parts of the US communications network

Addressing supply chain issues related to data routing hardware and services

Control Domain Name System Root Zone Servers

Licensing to Land and Operate Submarine Cables

Source: GAO Analysis of Federal Law and Policy, Agency Documentation, and Past GAO Reports. † GAO-22-104560

Why GAO Did This Study?

The Internet is a global system of interconnected networks used by billions of people around the world to perform personal, educational, commercial and government tasks. Over time, the US government has relinquished its oversight role of the internet. A global multi-stakeholder community, made up of many organizations, shapes Internet policy, operations and security. But the continued and increasing reliance on the Internet underscores the need to understand the risks to the underlying architecture.

The House Committee on Armed Services Report at the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 contained a provision for GAO to examine the security of Internet architecture. This report (1) identifies Internet architecture security vulnerabilities and (2) determines the extent to which U.S. federal agencies have taken action to address Internet architecture security risks.

GAO collected and analyzed publicly available reports from federal and non-federal organizations to identify risks to Internet architecture components (Internet exchange points, submarine cabling, the domain name system and border gateway protocol, among others). GAO has also reviewed federal law and policy and its previous work to identify the security roles and responsible bodies of the federal Internet architecture. Based on the roles of the agencies, GAO collected and analyzed relevant documents and conducted interviews with officials from the responsible agencies.

In addition, GAO has convened two panels of subject matter experts. The panelists have experience in various aspects of Internet architecture, such as owning and operating infrastructure components, participating in and contributing to standards-setting organizations, and studying and participating in various multi-stakeholder governance entities.

During the panel sessions, GAO presented previously identified cyber and physical risks and requested the experts to identify additional risks or issues that were not identified. GAO and the experts also discussed the federal government’s involvement in addressing the risks.

For more information, contact David B. Hinchman at (214) 777-5719 or: [email protected]

Leave a Comment

Your email address will not be published.