That was the eye-catching subject line in a recent note from Randy Bush to the North American Network Operators Group (NANOG) about secure Border Gateway Protocol (S-BGP). His note critiqued a paper, Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security, which was presented recently at SIGCOMM and NANOG meetings. In the paper, researchers argued that given 1) modified S-BGP software, 2) adoption of S-BGP by a small group of influential Autonomous Systems (ASes), and 3) the assumption that ASes select certain routing paths based on security, the transition to secure routing in the Internet could be driven by ISPs' incentive to increase their revenue-generating traffic. It prescriptively suggested that governments and industry associations could foster those conditions to facilitate the transition to secure BGP.
For those not familiar, “voodoo economics” refers to then-presidential candidate George Bush Sr.'s (no relation to Randy, I think!) critique of Ronald Reagan's 1980s supply-side economic policy, which stated that you could cut tax rates and still get more government revenue. I guess Bush (Randy, that is) was voicing disagreement with the paper's supplier-oriented thesis. I won't go into detail here about the paper's assumptions about ISPs that he questioned. Needless to say, they inspired a discussion among network operators and the paper's authors that partially came down to the recognized need for better empirical data. This will likely result in an interesting paper being improved.
But Bush's main argument was that focusing on the economic incentives affecting ISP routing decisions in light of S-BGP may be missing the point. As he put it:
That is, Bush views it as an economic and institutional problem (i.e., rules, governance structures), one which we clearly identified in a special issue of Communications & Strategies on the Economics of Cybersecurity (contact me privately about the paper) earlier this year. In that paper, we argued that the introduction of RPKI dramatically changes the existing decentralized governance model by linking resource allocation and routing. And this change shapes the incentives of the various organizations involved to adopt the technology. The dilemma is clear to anyone following the debates between the RIRs or between ISPs and the RIRs over resource certification policy, or the back and forth between ICANN and the RIRs over creating a global RPKI trust anchor. The issue is who has hierarchical control over whom?
While there certainly is a need to understand the micro-foundations surrounding adoption of Internet security standards like RPKI, S-BGP or DNSSEC, understanding and resolving the institutional problems must happen simultaneously. Why this hasn't been addressed more explicitly by researchers in the United States is probably two-fold. A substantial amount of attention to date has been focused on defining the technology and understanding operator incentives. Examples include long-standing DoD and DHS S&T initiatives, a decade of NSF studies, and most recently an FCC working group set to identify best practices and recommend a “framework” for industry agreement regarding adoption of specific procedures and protocols. A related point is that the USG and the Internet governance institutions themselves, given an understandable desire to preserve the institutional status quo, might want less attention paid to who runs the existing regime.