New OECD Report on Routing Security for Policymakers

Last month, the Organization for Economic Co-operation and Development (OECD) published its report on “Routing security: BGP incidents, mitigation techniques and policy actions”. The report provides an overview of the vulnerabilities in the routing system, approaches to manage the risks associated with those vulnerabilities, and incentives to deploy necessary security controls.

Much of the paper is a primer on what routing security is and why it matters; regular readers of MANRS materials should be well informed of such technical details. But the OECD writes papers directed at policymakers who regulate various markets. The fact that routing security has warranted such a report is a telling sign.

The routing system is a foundational element of the Internet, the network of networks that make our digitized societies flourish. And when there are potential systemic risks to our societies, policymakers start to pay attention. This report fills that niche with the addition of a set of policy recommendation, in addition to a more technical inventory, to:

1. Promote measurement — the report observes a lack of longitudinal studies and high-quality data sources, which can prevent or delay informed decision making.
2. Promote awareness — the report identifies a role for policy makers in raising awareness around routing security, with examples such as the Dutch ‘comply or explain’ procurement process.
3. Facilitate information sharing — the report calls for clear mechanisms to share information on routing incidents between stakeholders. Interestingly, the report mentions the realm of CERTS and CSIRTS, but does not mention the role of information sharing in network operators groups.
4. Define a common framework with industry to improve routing security — the report calls for governments to work with industry and technical experts on a framework that would establish targeted actions to improve routing security within a set time frame. It’s a call for a multistakeholder approach, using MANRS as an example. But this section also talks about the threat of regulation that could put the technical community in motion.

As this paper makes its way to the desks of policymakers, the MANRS community has long been proactive in implementing these recommendations. In fact, I dare say the report took inspiration from it. Our existing MANRS Primer for Policymakers includes a set of recommendations that are not dissimilar from those in the OECD report.

We’re happy to see MANRS repeatedly listed as an information source in this report, and thank the Internet Society’s Andrei Robachevsky for his input as one of its authors. We encourage policymakers to work with network and infrastructure operators, critical infrastructure protection agencies, and standards bodies, among others, to improve global routing security while also preserving vital aspects of the system that have allowed the Internet to be open and universal.