Securing the Internet’s Public Core

December 2, 2020  • US Cybersecurity Group

Global leadership requires protecting the foundation of the Internet.

What is the public core?

Most individuals and organizations interact with the Internet through personal computers, mobile devices, servers, and software applications. These are the technologies that users touch, feel, purchase, and control. As a result, cybersecurity companies and policymakers tend to invest the majority of their time and resources in protecting them. But all Internet services depend on a vast, global, interconnected foundation of hardware and software infrastructure—the public core—that most stakeholders take for granted. This bedrock operates below the surface of our digital lives, always in the background, and always out of sight.

Yet without this shared infrastructure, the Internet and the endless services it provides would cease to function. The public core comprises a combination of rules, processes, and technology systems that are responsible for:

  • Internet Addressing: Determining who owns and controls which digital addresses, i.e., IP addresses.
  • Naming: Translating IP addresses into domain names that humans can understand and communicate.
  • Routing: Logically and physically transmitting data between a sender and the intended recipient.
  • Cabling: Physical communications cables for transmitting data between networks.
  • Cryptography: Allowing Internet users to exchange data securely without ever meeting in person.
  • Position, Navigation, and Timing (PNT): Providing precise timing and positioning data to digital systems.
Why is this a priority?

Most elements of the public core were originally developed long ago without robust security features. By the time their designers recognized their central importance to the Internet and the global economy, it was too late to replace them with more secure alternatives. Security improvements instead relied on partial modifications that have left many critical vulnerabilities unaddressed.

The situation is unacceptable. Because any of the organization or services that use the Internet depends on the same elements of the public core, these shared vulnerabilities affect all Internet users. The clear risks for Internet resilience prompted the Global Commission on the Stability of Cyberspace in 2018 to propose a universal norm that “state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.” Little has changed since then, and the corruption, manipulation, and disruption of the public core continues to present a systemic threat to the global Internet and, therefore, the economic and social stability of the United States and its allies and partners.

  • Increased security, reliability, and resilience for the public core.
  • Defined roles and responsibilities for federal agencies vis-à-vis the public core.
  • S. leadership in international dialogue to secure and modernize the public core.
What have been the obstacles to progress?
  • No one in charge: There is no single organization responsible for protecting the public core. Efforts to improve its security and stability depend on global coordination between a variety of stakeholders, some with opposing interests. Further, different groups control different parts of the public core, making coordination more difficult.
  • Privately-owned commons – The public core is generally managed by private companies and international nonprofits. Government agencies play a marginal role in managing or overseeing the public core, leading many to dismiss the role of federal policy in securing the public core.
  • No first-mover advantage: The Internet generates network effects that create a strong disincentive to be the first organization to adopt a new standard or protocol that might enhance security for some element of the public core. Yet adoption is only effective if many or all organizations participate as well.
Action Steps
  1. Designate the commercial space sector as critical infrastructure. Space satellites and their command and control networks are an overlooked and increasingly important part of the public core. More and more critical services depend on timing information transmitted by GPS satellites or Earth observation data, and important Internet communications transit orbiting infrastructure, with the global 5G networks being built now. Space Policy Directive-5 articulates the federal government’s interest in promoting cybersecurity best practices in the space sector. Operationalizing SPD-5 should include concerted efforts to (a) persuade all space companies—from large Original Equipment Manufacturers to new startups—to implement reasonable cybersecurity practices and (b) facilitate government and industry assistance to accelerate implementation.To that end, designating the commercial space sector as critical infrastructure will facilitate prioritization of limited government resources, grow personal relationships between industry operators and policymakers, and help overcome obstacles to interagency coordination. This could be accomplished either by (a) amending federal law to expressly name space as a critical infrastructure sector or (b) designating space infrastructure as a subsector of an existing sector, following the precedent of election infrastructure in 2017. This designation would not create any new regulatory authority or impose any mandatory burdens on commercial space companies.
  2. Publish a national strategy to secure the public core. While threats to the public core imperil national security, the federal role in protecting this infrastructure should be limited as it is fundamentally a private and nonprofit ecosystem. But federal agencies can assist public core stakeholders in important ways. NIST is managing a competition to select new cryptographic protocols that can withstand potential attacks from quantum computers. The Department of Homeland Security is leading an effort to define and enhance PNT resiliency. The National Security Agency has published guidance suggesting methods for network operators and users to mitigate vulnerabilities in the Internet routing system, while the U.S. Cyberspace Solarium Commission has recommended that DHS and the NTIA do the same for the Domain Name System (naming) and the Border Gateway Protocol (routing). These and other programs should be combined into a single interagency strategy that communicates the compelling reason to protect the public core and outlines a clear path toward resiliency. It should also identify incentives and processes to speed the adoption of security practices. While a strategy document might strike some as unambitious, it is the most helpful first step for at least two reasons. These are outlined below.
    • Awareness. Many potential corporate and institutional victims of attacks on public core infrastructure are simply unaware of how the compromise of systems like the Domain Name System, the Border Gateway Protocol, and Global Positioning System can affect their core business interests. Similarly, they do not recognize their potential to promote a more secure public core by coalescing and requesting as a unified customer base that responsible stakeholders take certain steps. Many of the largest barriers to a more resilient public core are not technical, but rather organizational. Better security is a matter of prioritization and leadership from the right entities. A highly visible, coherent strategy will facilitate more serious and focused discussions with the right decision makers in industry.
    • International leadership. Because the public core spans the globe, its resilience depends on transnational coordination. This is especially important in the case of reinforcing norms—such as those outlined by Global Commission on Stability in Cyberspace or pursued through the United Nations Group of Governmental Experts—and in circumstances where some governments might decide to institute new guidelines or standards related to the public core specifically. A coherent strategy will clearly and consistently communicate American priorities for public core resiliency and ensure they are integrated with current efforts to strengthen norms. In addition, aside from international standards, successful efforts to secure the public core will depend on international coalitions of industry stakeholders, from software developers to network operators, that can coordinate operational security practices. A public core strategy should also outline new transnational, public-private processes for securing elements of the public core that fall outside of the scope of today’s Internet governance regimes.
  3. Restore federal capacity for international engagement by creating a new cyberspace office within the Department of State led by an Assistant Secretary. In recent years, the United States has withdrawn from international fora and partnerships that aim to agree on norms and standards for creating a resilient public core. Restoring (and in some cases, creating for the first time) American leadership on public core security demands a dedicated office backed by a senior political appointee who can become an expert on the issues and defend public core priorities during interagency negotiations. Per the U.S. Cyberspace Solarium Commission, Congress should create a “Bureau of Cyberspace Security and Emerging Technologies” to lead these efforts and “ensure the coherence of U.S. efforts abroad and ensure the alignment of these efforts with U.S. national strategy.”
Dig Deeper on Protecting the Internet’s Public Core:

Learn More

Legislation, Regulations, Executive Orders, and Guidance