A new paper from Mutually Agreed Norms for Routing Security (MANRS) makes a straightforward argument: Internet routing is a critical but under-managed dependency in the enterprise digital supply chain. For organizations that rely on cloud platforms, Content Delivery Networks (CDNs), and Software-Defined Wide Area Networks (SD-WANs), routing security failures are business risks with operational, financial, and reputational consequences.
Rather than rehashing known protocol weaknesses, the paper examines Internet routing as a governance and procurement issue for enterprises. Its core message is that demand-side pressure, not just operator goodwill, is essential for routing security to improve at scale.
Most enterprise security models focus inward by hardening endpoints, securing applications, encrypting data, and managing identity. The paper argues that this perspective misses a layer — the global Internet routing system that determines how traffic reaches those assets.
Internet routing is operated through thousands of independent networks using the Border Gateway Protocol (BGP). Without built-in security, BGP cannot verify whether routing information is legitimate. As a result, routing incidents such as route hijacks and route leaks can redirect, intercept, or blackhole traffic far beyond the organization where the mistake or attack originated.
Crucially for enterprises, these incidents often occur outside their direct control. A misconfiguration or attack on an upstream provider, or even several networks away, can disrupt services regardless of how well the enterprise has secured its own infrastructure.
The collective action problem
Routing security has always suffered from a collective action problem. Individual network operators bear the costs of deploying security controls, while the benefits are shared across the Internet ecosystem. This dynamic has slowed the adoption of effective protections, even when the technical solutions are well understood.
MANRS was created to address this problem by defining a set of agreed actions that reduce the most common routing threats. Until now, these actions have focused on peer-to-peer expectations between network operators, Internet Exchange Points, cloud providers, and equipment vendors. This new MANRS paper highlights the missing actor in this system — the enterprise customer.
Across common connectivity models, enterprises typically depend on a small number of providers that effectively determine reachability and resilience. This concentration creates leverage. If enterprises begin to require verifiable routing security practices from their providers, the market dynamics change. Routing security becomes a requirement rather than a voluntary best practice.
The paper is clear about the practical consequences of insecure routing. When route hijacks or leaks occur, enterprises may experience service outages, denial-of-service, or traffic interception. In some cases, attackers can impersonate legitimate services or position themselves as intermediaries, enabling surveillance or manipulation of data flows.
Existing mitigations are considered insufficient due to outdated, unauthenticated data. The current best practice is RPKI, which uses cryptographic validation to verify route origins. Yet adoption remains incomplete, leaving large portions of the Internet address space unprotected.
For enterprises, the takeaway is not to master routing technology, but to recognize which controls matter and to expect their providers to implement them.
A call to enterprise action
The paper is explicit in its call to action — progress will stall unless enterprises act. Providers are unlikely to invest in stronger routing controls if customers do not ask for them, and enterprises rarely ask because expectations are unclear.
To break this cycle, the paper introduces the concept of MANRS+, an elevated participation tier that’s under active development. MANRS+ would define which routing security controls are most critical from an enterprise perspective and clarify what responsibilities enterprises themselves should assume, particularly when operating their own networks.
The paper invites enterprises to participate in shaping these requirements, framing this as an opportunity to influence not just individual supply chains, but the resilience of the Internet itself.
The full paper, ‘The Internet routing supply chain: your most overlooked dependency‘, was produced by the Global Cyber Alliance, which manages the MANRS Secretariat. It is well worth reading in full, particularly for those interested in how technical Internet infrastructure intersects with enterprise risk, governance, and market forces.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.