The White House is reportedly about to sanction Russia for a recently discovered campaign of cyber espionage that has rocked the national security world. Just as the Biden-Harris administration is getting off the ground, this major incident — known colloquially as SolarWinds — is taking up all the oxygen in the room. But while the SolarWinds breach was indeed a landmark incident, it must not overshadow a different risk that demands urgent attention from the White House: a glaring security problem at the very heart of the internet. It is a looming threat to economic and national security, and a rare place to achieve big security gains at relatively low costs.
All activities on the internet, from corporate bank transactions and military logistics to Instagram and Twitter, depend on a hidden foundation of software and hardware called the public core. This is shared internet infrastructure that everyone uses, from the Border Gateway Protocol that allows networks to route internet data correctly to the Domain Name System that creates online web addresses that humans can remember.
The public core is what makes the internet work. Without it, users cannot access websites, data cannot reach its destination, criminals can read supposedly secret messages, and the network itself can’t route around failure.
Most people don’t know about this essential element of critical infrastructure because its inner workings are highly technical and operate behind the scenes, invisible to users. The media rarely covers it; Congress ignores it, and federal agencies do not issue plans for protecting it. For those who distrust government projects, this arrangement might strike them as ideal. Who wants bureaucrats in Washington mucking around with a privately-run internet that usually works as advertised?
The unfortunate truth is that while the public core might work well most of the time, it is highly vulnerable to manipulation and disruption that could inflict terrible damage on the United States. Some of its most important components lack basic security mechanisms to prevent someone from spying on or redirecting vast swaths of internet traffic for malicious reasons. This makes the public core a tantalizing target for anyone who wants to manipulate or shut down data flows, either secretly or in the open. A chief reason why the SolarWinds attack was so damaging is because Russian attackers exploited a software product used by nearly 18,000 customers, allowing them to target thousands of organizations through the internet simultaneously. By comparison, attacking the public core — a shared global infrastructure that all internet-connected organizations use — allows attackers to target millions or hundreds of millions of victims.
This is not a theoretical problem. Take the Border Gateway Protocol, which is essentially the digital map of the internet that tells computers where internet data should go. Due to a longstanding quirk of the system’s design, computers operate on blind trust and thus find it very difficult to verify whether the map they have is the correct one. That creates an excellent opportunity for attackers. Over 1,000 times in the first five months of 2020 alone, malicious actors seemingly manipulated this internet route map to reroute global internet data at will. In April 2020, a Russian state-owned telecom hijacked traffic for just an hour, yet rerouted data intended for hundreds of companies. The protocol also malfunctioned thousands of times.
Other elements of the public core remain dangerously insecure. The Domain Name System converts domain names that humans can actually remember into machine-readable web addresses, but these requests aren’t properly secured against interception and manipulation. Our space-based Global Positioning System distributes critical positioning and timing information for multiple industries, including banking and transportation. Yet most existing GPS receivers (including the ones in your phone) are highly vulnerable to jamming or “spoofing” that can deny users access to this critical data. As the Aspen Cybersecurity Group puts it: “The situation is unacceptable.”
Yet in the face of these glaring vulnerabilities at the very heart of the internet, closing them should be a Biden-Harris administration priority to achieve better security and resiliency at scale, with big gains at low costs.
The good news is that experts understand the technical measures needed to dramatically reduce the risks outlined above. The bad news: the nature of the public core means no one organization is in charge of improving its security, and progress will require painstaking coordination across many companies and countries. Success will depend on building awareness throughout many different industries and incentivizing proactive collaboration among rival companies. We need large telecommunications companies that manage internet traffic to commit publicly to securing the Border Gateway Protocol and provide transparency into how they are doing it. We need device manufacturers to actually follow established guidelines for building jam-resistant GPS receivers. And we need to plan now to accelerate the years-long process of hardening today’s data encryption systems against tomorrow’s quantum computers.
This is why securing the public core should be a key priority for the Biden-Harris administration. With many cyber policy issues on the docket, incoming officials in the Biden-Harris administration must prioritize scale — achieving big gains at relatively low cost.
The public core underpins data transmission across the global internet, supporting billions of internet users each day and tying its operation with national and economic security. Living, learning, and working during the pandemic have only accelerated global reliance on the internet’s public core as online activity rises to ever-higher levels. This growth in technology use, meshed with a failure of imagination with past attacks, means there is even greater risk of a much broader, more disruptive attack on the internet’s public core in the future.
Hardening the public core would increase security across the global internet ecosystem, and the U.S. government could leverage the American private sector’s influence on internet architecture to do it: delivering big gains at relatively low costs.
David Forscey is Managing Director of the Aspen Cybersecurity Group.
Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative.