Today, the Cybersecurity Tech Accord endorses the Mutually Agreed Norms for Routing Security (MANRS), an initiative launched in 2014 by a group of network operators and managed by the Internet Society (ISOC), a non-profit organization promoting the development of an open Internet. The pledge to promote the MANRS initiative and support its ongoing work to help increase the resilience and security of the Internet’s global routing system, is the first public step demonstrating the principles that bind the Cybersecurity Tech Accord signatories.
“This is an important first step for the Cybersecurity Tech Accord. Challenges related to routing security are real and pressing, impacting citizens’ and business interactions online daily. These challenges will only be resolved through the coordinated action and activities of the many divergent parties. The MANRS initiative reflects the values at the core of the Cybersecurity Tech Accord: to identify cybersecurity challenges that we can only address as a collective and act to solve them.” – the Cybersecurity Tech Accord signatories.
The speed and continuity of our communications requires a stable and secure online environment. The reality is that accessing an online website, paying with a credit card, as well as looking for and exchanging information can be delayed at any time by incidents affecting routing infrastructure. In 2017 alone, more than 14,000 routing outages or attacks, such as hijacking, leaks, or spoofing led to stolen data, lost revenue and reputational damage. One example is the hijacking event from April 2018 affecting the Ethereum cryptocurrency. Connecting to the service (MyEtherWallet), users were faced with an insecure SSL certificate, a broken link in the site’s verification. Clicking through that, they were redirected to a server in Russia, which proceeded to empty their wallet (the attackers appear to have taken $13,000 in Ethereum during two hours before the attack was shut down).
It is therefore clear that much needs to be done to address the very common challenges related to routing security. The MANRS initiative focuses on four actionable measures that can deliver immediate results in the online security environment. They include:
- Filtering, to help combat the propagation of incorrect routing information. This measure aims to ensure the correctness of operator and customer routing announcements to adjacent networks with prefix and AS-path granularity;
- Anti-spoofing, a measure by which network operators implement a system that enables source address validation for at least single-homed stub customer networks, their own-end users and infrastructure. The goal is to prevent packets with an incorrect source IP address from entering and leaving the network;
- Coordination, to ensure that network operators maintain globally accessible up-to-date contact information in common routing databases and coordination with their peers; and
- Global validation, to enable network operators to publish routing data, so others can validate routing information on a global scale.
The Cybersecurity Tech Accord signatories strongly believe that a more robust and secure global routing infrastructure demands shared responsibility and coordinated actions from the community of security-minded organizations. We see the efforts undertaken so far under the MANRS initiative as a fantastic example of different stakeholders coming together and partnering towards a common objective – a more secure environment, benefiting all of us – from users, to governments and the industry. As such, we believe this effort firmly falls under the 4th principle guiding our efforts – partnering with each other and with likeminded groups to enhance cybersecurity.
Two of our signatories – KPN and Swisscom – already actively participate in the MANRS initiative today, whilst many of our signatories are considering steps to become more involved going forward. As a group, we will promote MANRS itself, as well as raise awareness of the challenges of routing security and encourage actions to address those, in addition to prompting the culture of collective responsibility of the Internet’s global routing system.
Furthermore, we have today established a working group between the Cybersecurity Tech Accord and the MANRS initiative that will investigate how companies beyond network operators and IXPs can contribute to routing security. We hope to announce concrete steps that will help to evolve the initiative and create a framework for technology companies in the coming weeks and months.
About the Internet Society (ISOC)
Founded by Internet pioneers, the Internet Society (ISOC) is a non-profit organization dedicated to ensuring the open development, evolution and use of the Internet. Working through a global community of chapters and members, the Internet Society collaborates with a broad range of groups to promote the technologies that keep the Internet safe and secure, and advocates for policies that enable universal access. The Internet Society is also the organizational home of the Internet Engineering Task Force (IETF).
About the Cybersecurity Tech Accord
The Cybersecurity Tech Accord is a public commitment among 44 global companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace. Learn more at www.cybertechaccord.org