The Internet is built on a house of cards: it's time to secure it

The Internet’s routing system hasn’t changed much since its inception 33 years ago, but the world around it has. A new OECD report explores the current state of play of routing security and how policy makers can improve it.

We expect the Internet to be always available and to give us the information we want instantaneously. We trust it with our money as we make purchases online and use our banking apps. We even share deeply private information and conversations across the Internet in the belief that they are secure from prying eyes. The Internet manages to do all these things. But not always.

On October 4, 2021, for over five hours, Meta’s close to 3.5 billion users could not access Facebook, Instagram, Messenger, or WhatsApp – a total service cut-off that affected small businesses and communication around the world. In February of this year, criminals targeted cryptocurrency sites and stole hundreds of thousands of dollars from unsuspecting users. And in July, Internet traffic intended for Apple may have been re-routed through a Russian ISP, giving potential attackers an opportunity to monitor or analyse the rerouted traffic.

All these incidents have one thing in common: they leverage vulnerabilities in the Internet’s routing system. This routing system defines how your traffic, wrapped as data packets, travels across the Internet to get to your requested page. At each step of the way, there are routers that act as signposts to tell the data packet where to go to reach its destination and that together form a vast map of the global Internet. To determine the best route for the data packet to take, routers tell each other about changes to the “map” using the so-called Border Gateway Protocol (BGP). This system – built in 1989 – is based on an idea of mutual trust and hasn’t changed much since its inception 33 years ago. However, the world around it has changed since then.

While the idea of mutual trust was beneficial in the early days of the Internet, the ubiquity of the Internet means that we have outgrown its initial model. With billions of people and devices using the Internet every day come security incidents that disrupt the Internet’s function, compromise the availability of services, and threaten the integrity and confidentiality of Internet traffic. The examples above barely scratch the surface; these so-called BGP hijacks and leaks happen every day.

So why hasn’t routing evolved to be more secure? Securing the routing system has been a topic of discussion for decades and several techniques exist that aim to secure it in some way. From Internet Routing Registries (IRR) to the Resource Public Key Infrastructure (RPKI) or the sophisticated, yet hard to implement, BGPsec, there are a host of different techniques that aim to mitigate the Internet routing system’s vulnerabilities. Unfortunately, each has its own drawbacks and in practice they only address parts of the problem. One critical reason is that the overall security of the routing system depends on the decisions of many diverse actors across the global Internet, with the actions of one impacting the actions of another.

What can we do? While the burden of responsibility to improve routing security should be shared among the different stakeholders who participate in the Internet, policy makers also have a key role to play. A new report from the OECD explores the current state of play of routing security and – importantly – how policy makers can make an impact to improve it: See it here. The report underlines governments’ important role in funding the collection, publication, and analysis of data on routing incidents and suggests that policy makers could promote the awareness and deployment of actionable security techniques, facilitate information exchange on routing incidents, and define a common framework to improve routing security.

The Internet underpins our societies, our economies, and our daily lives – increasing its security is a critical priority for us all.





Read the full report to learn more about how policy makers can improve routing security
