Dutch Government Takes a Stand Against BGP Hijacking: Plans to Implement RPKI Across All IT Systems by 2024

In a recent announcement by the Dutch government, plans are underway to implement the RPKI (Resource Public Key Infrastructure) system across all government-owned IT systems by the end of 2024. This move aims to protect the government’s digital infrastructure from the increasingly prevalent threat of BGP hijacking.

BGP (Border Gateway Protocol) hijacking is a sophisticated form of cyber-attack, where malicious actors exploit vulnerabilities in the BGP protocol to manipulate or forge routing information. This allows them to hijack network traffic and redirect it through unauthorized pathways.

RPKI is a public key infrastructure designed to safeguard routing systems. It provides a means of verifying the authenticity and legitimacy of routing announcements between Autonomous Systems (AS), reducing the risk of BGP hijacking and other routing attacks.

The Dutch government’s objective is to prevent cybercriminals from exploiting BGP vulnerabilities and redirecting government IT system traffic to hacker-controlled areas. Such redirection not only risks data breaches but could also be used by hackers to spread disinformation and harmful content.

Over the past decade, instances of BGP hijacking have become more common, with some cases resulting from manual errors by administrators routing large-scale traffic to different AS systems, while others are deliberate attacks exploiting vulnerabilities or management issues.

Since 2019, the Dutch government has required its IT systems to adopt RPKI to prevent BGP hijacking. The latest policy mandates the completion of the RPKI implementation by the end of next year. Currently, the number of Dutch government systems not using RPKI is decreasing, with 77.9% of government websites and 75.1% of government email systems already employing RPKI.

Data released by Cloudflare last year revealed that approximately 400,000 IPv4 ROAs (Route Origin Authorization digital certificates) and 86,000 IPv6 ROAs were stored in the global RPKI system, accounting for 40% of the total volume.

By taking these proactive steps, the Dutch government is demonstrating its commitment to cybersecurity and ensuring the continued protection of its digital infrastructure against ever-evolving threats.