A recent paper in the journal Military Cyber Affairs, co-authored by researchers at U.S. Naval War College and Tel Aviv University, details how four BGP hijacks occurring between 2016-2017 took place, re-routing potentially sensitive Internet traffic through China. It made the rounds, promoted by some threat intelligence company and cybersecurity pundits with prior stints in the USG. More recently, the paper has been cited by the USTR in advance of this week’s G-20 meetings as evidence of China being a bad actor.
The paper’s strength is that it provides a good non-technical primer how hijacking of BGP traffic (and potential surveillance of that traffic) can work. The paper’s weakness is that it unproductively feeds into the national securitization of Internet governance. It suggests a curious policy of “Access Reciprocity” to curb hijacks, making a trade-like argument, that advocates for allowing US-based network operator Points of Presence (PoP) in China (something which already exists to some degree). We assume the premise is that opening the Chinese market (or more cynically, enabling an outside government to conduct similar PoP-based hijacking and surveillance) would keep dueling superpowers honest and improve overall Internet security. It suggests that if reciprocity is not achievable, “defense policy” should not allow “traffic to or from or across the US or ally to enter a [China Telecom] PoP in the US or in the ally’s networks.” Unfortunately, under that scenario, private global network operators, who compete on providing Internet connectivity, might be forced to choose between offering services to defense organizations or Chinese network operators serving one of the world’s largest markets.
The authors also fail to acknowledge industry developments and broader context of routing hijacks. First, ISPs have become very sophisticated about how they deal with hijacking and other BGP routing problems. A whole industry sector has grown around network monitoring, reputation measurement, discerning between malicious and legitimate but abused networks, and other ex post solutions to routing insecurity, something we’ve covered in other work. Operators have a bevy of tools and practices to combat what are daily problems for some of them. Second, the article (and similar hijack accounts) defines hijacks as having malicious intent, but fails to compare their prevalence to all possible hijack types (malicious, accidental). This is important because, even if one wants to frame hijacks as a US national security problem, current data doesn’t necessarily support it.
The table below shows a subset of the 1,668 possible hijacks captured by BGPStream between April and October 2018, each of which involve a pair of Autonomous Systems (ASes), i.e., a network operated by an organization. For every hijack, one AS is the “perpetrator”, the other an “impacted” AS. We associated ASes with organizations and grouped them by country as assigned by the RIRs. For sake of argument, we made the same assumption the authors of the above paper did, that adversarial governments can abuse private operators’ networks to achieve their political interests, and that the hijacks identified are malicious. To be clear, it’s dangerous to directly associate an AS with a country. From an operational perspective, an AS can be used transnationally in the Internet’s routing topography and might not map cleanly onto a territory. But for purposes of this exercise it’s useful because it helps illustrate the folly of territorializing Internet governance.
Number of hijacks involving adversarial countries (out of a total of 1,668)
| Impacted AS by country | Perpetrating AS by country | |||||||
| AU | CA | CN | GB | IR | RU | US | Grand Total |
|
| AU | 1 | 1 | ||||||
| CA | 1 | 1 | ||||||
| CN | 2 | 1 | 11 | 14 | ||||
| GB | 5 | 1 | 6 | |||||
| IR | 1 | 1 | ||||||
| RU | 2 | 2 | 7 | 11 | ||||
| US | 8 | 2 | 3 | 13 | ||||
| Grand Total | 4 | 1 | 8 | 2 | 7 | 6 | 19 | 47 |
Under this set of assumptions, only 2.8% (47) of the 1,668 known hijacks are between well known adversaries. The greatest number of those hijacks (19, 40%) are actually “perpetrated” by the US, with impacted countries mostly likely being China (11) and Russia (7). If you include US allies, they would account for 26 (55%) of hijacks perpetrated. China (8) and Iran (7) and Russia (6) together account for 21 (45%). As for being impacted by hijacks, China, the US and Russia suffered almost equally, with 14, 13, and 11 hijacks, respectively. The US appears disproportionately impacted by hijacks perpetrated by China-based ASes (8), when compared to a total of five hijacks from ASes based in other countries. But the same can be said for China, which was impacted more by hijacks perpetrated by US-based ASes (11) compared to three hijacks from other countries. Something might appear to be going on between the US and China with regard to hijacks, but similar things could be said about US-Russia or Great Britain-Iran country pairs.
More importantly, even if our assumptions hold perfectly, the numbers of adversarial hijacks are exceedingly small compared to the overall number of hijacks. Moreover, inferring from hijacking is complicated. Obviously, just because an operator is based in a country doesn’t mean it is the agent of that government. A country’s predominance in “perpetrating” hijacks could simply be due to the high number of ASes operated by domestic organizations. Applying territorial-based policy frameworks to govern hijacks is even more difficult, potentially destroying more than it protects. Detailed case studies, like the one mentioned above, are helpful to understand specific hijacks and clearly explain suspicious activity. Similar examinations of a wide range of actors should probably happen more frequently.
But basing internal policy decisions that could have widespread ramifications for the Internet on four likely outlier hijacks from almost two years ago seems imprudent. To be clear, malicious or accidental hijacks impose real (but varying) costs to network operators and their customers. We are in need of better datasets, allowing researchers to accurately measure where and at what rate malicious and accidental hijacking is occurring, and attribute to the actor(s) responsible. We also need to acknowledge the risk to the global Internet in framing a routing insecurity as a national security problem.
