#anticipate: The Chokepoints With No Flag
Nobody Owns These. That’s the Problem: BGP, root CAs, and package registries
The visible chokepoints have flags. The hidden ones have owners. But the most dangerous category has neither — only convention, community, and inherited trust accumulated over decades of the internet's construction. BGP, root certificate authorities, and software package registries are the ungoverned foundations on which every other system now rests. No sanctions can secure them. No diplomacy can compel their reform. They fail not through attack but through the collective inaction of thousands of actors, each rational, none responsible. This is the chokepoint the unwar forgot to name.
This article draws on research developed in the context of Prosilience Thinkletter #64, “The Chokepoints Unwar” (March 2025), by Christopher H. Cordey.
Let’s begin
In June 2025, eight of the internet’s thirteen root DNS servers were hijacked simultaneously. For ninety minutes, the addressing system that translates every domain name — every URL you have ever typed — into a routable location was compromised. Not disrupted. Not slowed. Compromised, silently, by a BGP attack that most of the world never heard about and that no government officially acknowledged.
The incident lasted less than two hours. The damage was contained. And it illustrated, with unusual clarity, something that most strategic thinking about chokepoints consistently misses: the most dangerous pressure points in global systems are not the ones being fought over. They are the ones nobody is watching, because nobody owns them.
We Think We Know Where the Chokepoints Are
The past decade has been a masterclass in visible chokepoint warfare. Semiconductors, shipping lanes, rare earth processing, energy pipelines, chemical inputs, grain corridors — the strategic conversation has become fluent in the language of bottlenecks. Governments map them. Think tanks rank them. Sanctions target them. The Strait of Hormuz, TSMC’s fabs, China’s gallium export controls — these are contested, monitored, and fought over in real time.
But the chokepoint landscape is not flat. Not all of them are equally visible, equally attributed, or equally governable. Before we can understand the most dangerous category, we need a map of the terrain.
Visible chokepoints are the ones that make headlines. They have a flag on them — a state, a cartel, a corporation that controls the flow and knows it does. The Strait of Hormuz, through which roughly 20% of global oil passes, is a visible chokepoint. So is China’s near-monopoly on gallium refining, which it has been actively using as leverage since 2023. These are contested precisely because their strategic value is understood by all parties. They can be negotiated, sanctioned, bypassed — or fought over. The control is real, but so is the accountability.
Hidden chokepoints are structural, material, and invisible until they fail. They have an owner — or at least a geography — but that ownership is not wielded as power until a crisis exposes it. A mountain district in North Carolina called Spruce Pine produces the world’s only economically viable source of ultra-high-purity quartz, an obscure mineral without which semiconductor fabrication crucibles cannot be made and global chip production halts within weeks. Nobody fights over Spruce Pine. Nobody has had to. But one serious flood, one seismic event, and the global semiconductor industry discovers a chokepoint it had forgotten to notice.
Unflagged chokepoints have no owner at all, and they are the category that should concern us most. No flag. No responsible state, no accountable corporation, no treaty to invoke. They are operated by communities, by convention, by inherited trust accumulated over decades of the internet’s construction. They cannot be sanctioned into compliance. They cannot be diplomacized into security. They are the load-bearing walls of the digital world — and they are governed, to the extent that word applies, by nobody in particular.
Three of them underpin almost everything else.
1) The Internet Routes on Trust Alone: BGP
Think of the internet as a vast postal system — not a single network, but roughly 75,000 separate networks, each run by an ISP, a corporation, a university, or a government, all agreeing to pass each other’s packets toward their destinations. The Border Gateway Protocol — BGP — is the system by which these networks communicate their routes to each other. It is what makes global internet routing possible.
Here is the critical fact: BGP was designed without built-in authentication. There is no cryptographic verification that the network announcing “I know the best route to this block of addresses” actually owns or controls those addresses. It operates, in the words of one security researcher, like a postal system that trusts anyone with a mailbag. Any network can announce any route. And by default, the rest of the internet believes it.
This is not a theoretical vulnerability. In June 2024, a single Brazilian internet provider accidentally announced that it owned the IP address of Cloudflare’s global DNS resolver. Tier-1 carriers — the backbone of the internet — accepted the announcement. Within minutes, Cloudflare’s DNS service became unreachable in 300 networks across 70 countries. The provider had not been hacked. It had simply made a mistake. The damage was contained within hours. But it took one misconfiguration, at one mid-sized ISP, to disrupt a service relied on by hundreds of millions of people.
The defensive fix — a system called RPKI, which cryptographically certifies who owns which IP addresses — exists and works. The problem is adoption. As of 2024, only about half of global IP prefixes are covered, and not all carriers enforce the validation even where coverage exists. More troubling: researchers have now documented “stealthy” BGP hijacking, in which traffic is silently diverted while the victim’s own routing tables show nothing wrong. The attack has become invisible precisely because partial deployment of the fix creates blind spots in detection.
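The check that RPKI adds to a route announcement, written out as an added example that is not part of the article or of any cited source: a Route Origin Authorization (ROA) says which AS may originate a prefix and how specific the announcement may be, and a router doing Route Origin Validation (ROV) classifies each announcement as Valid, Invalid or NotFound. The prefixes, ASNs and ROAs below are constructed from documentation ranges. The point to watch is the NotFound outcome: an announcement for a prefix with no ROA is not rejected, which is the blind spot that partial deployment leaves open.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed example, not code from the article. Prefixes are RFC 5737 / RFC 3849
# documentation blocks and ASNs are RFC 5398 documentation ASNs; none are real routes.


@dataclass(frozen=True)
class ROA:
    prefix: str        # address block the holder has authorised
    max_length: int    # longest sub-prefix the origin may announce
    origin_asn: int    # AS authorised to originate it


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int


def covering_roas(roas, prefix):
    """ROAs whose prefix contains the announced prefix (same IP version only)."""
    net = ip_network(prefix)
    return [r for r in roas
            if ip_network(r.prefix).version == net.version
            and net.subnet_of(ip_network(r.prefix))]


def validate(roas, ann):
    """Classify one announcement the way an ROV-enabled router would."""
    net = ip_network(ann.prefix)
    covering = covering_roas(roas, ann.prefix)
    if not covering:
        return "NotFound"    # no ROA covers this block: RPKI has nothing to say
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"         # covered, but wrong origin or more specific than allowed


def accepted_routes(roas, announcements, drop_not_found=False):
    """Typical ROV policy: drop Invalid; accept Valid and, by default, NotFound."""
    accepted = []
    for ann in announcements:
        state = validate(roas, ann)
        if state == "Invalid" or (state == "NotFound" and drop_not_found):
            continue
        accepted.append((ann, state))
    return accepted


# Constructed ROAs: the holder of 192.0.2.0/24 and 2001:db8::/32 is AS64496.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed announcements seen by a router.
ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 64496),     # legitimate origin          -> Valid
    Announcement("192.0.2.0/24", 64511),     # another AS claims the block -> Invalid
    Announcement("192.0.2.128/25", 64496),   # right AS, too specific      -> Invalid
    Announcement("2001:db8:1::/48", 64496),  # within maxLength            -> Valid
    Announcement("198.51.100.0/24", 64511),  # no ROA exists               -> NotFound
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(f"{ann.prefix:18} AS{ann.origin_asn:<6} {validate(ROAS, ann)}")
    print("accepted:", len(accepted_routes(ROAS, ANNOUNCEMENTS)),
          "of", len(ANNOUNCEMENTS))
```

The announcement for 198.51.100.0/24 is accepted even though it comes from an unrelated AS, because nobody has published a ROA for that block; a router cannot tell a hijack of an uncovered prefix from a legitimate announcement. That is why coverage, not just validation, decides how much protection RPKI actually delivers.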
The governance problem is straightforward and intractable: there is no authority that can compel any of the 75,000 autonomous systems on the internet to implement BGP security. The Internet Engineering Task Force writes standards. Regional Internet Registries allocate addresses. But enforcement is voluntary, adoption is uneven, and the collective action mathematics are unforgiving. Defending the system requires universal participation. Attacking it requires finding one weak link.
2) Every Padlock Rests on a Private Committee: Root CAs
Every time you see the padlock in your browser — every encrypted connection, every secure login, every financial transaction online — that security rests on a certificate. The certificate was issued by a Certificate Authority, whose trustworthiness was vouched for by a root Certificate Authority, whose inclusion in a trusted list is managed by browser makers and operating systems.
There are roughly 150 root CAs trusted by major browsers. Their certificates come pre-installed on every device shipped anywhere in the world. They are the institutional bedrock of authenticated internet communication, and they are governed by a body called the CA/Browser Forum — a private committee where browser makers (Google, Mozilla, Apple, Microsoft) and certificate authorities negotiate the rules together, with no government mandate, no international treaty, and no public accountability mechanism.
The consequences of a root CA compromise are not theoretical. In 2011, Dutch certificate authority DigiNotar was hacked. The attackers — later attributed to Iranian state actors — issued fraudulent certificates for Google, enabling them to intercept the Gmail communications of hundreds of thousands of Iranian users. When the breach was discovered, DigiNotar was removed from browser trust stores within days and was forced into bankruptcy within weeks. The system self-corrected. But only because the compromise was discovered quickly, and only because the attacker was not in a position to suppress that discovery.
In November 2024, Google Chrome stopped trusting all new certificates issued by Entrust, one of North America’s largest CAs, citing years of compliance failures. Mozilla followed days later. The effect was immediate and severe: any website with a newly issued Entrust certificate displayed security warnings to users of major browsers. This was the correct security decision. But observe what it reveals: two or three browser makers, acting through informal consensus, hold the power to functionally destroy a major global institution overnight — or, under different circumstances, to selectively extend trust where they should not.
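The two outcomes the article describes, a root removed from the trust store outright (the DigiNotar case) and a root kept but distrusted for certificates issued after a cutoff date (the Entrust case), come down to a small amount of logic in the browser's chain verifier. The following is an added, constructed model of that verifier, not code from the article or from any browser. Certificate names, keys and the cutoff date are made up, and the signature is a stand-in: an HMAC keyed with the issuer's secret replaces the RSA or ECDSA signature a real X.509 chain carries, so the chain walk and trust-anchor checks run offline with only the standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model, not the article's code and not any real trust store.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date    # issuance date
    is_ca: bool
    key: bytes          # this certificate's own verification key (toy stand-in)
    signature: str      # issuer's signature over the fields above


def _tbs(subject, issuer, not_before, is_ca, key):
    """The 'to be signed' bytes: everything the issuer vouches for."""
    return f"{subject}|{issuer}|{not_before.isoformat()}|{int(is_ca)}|{key.hex()}".encode()


def issue(issuer_key, issuer_name, subject, not_before, is_ca, key):
    """Issue a certificate: the issuer signs the subject's fields and key."""
    sig = hmac.new(issuer_key, _tbs(subject, issuer_name, not_before, is_ca, key),
                   hashlib.sha256).hexdigest()
    return Cert(subject, issuer_name, not_before, is_ca, key, sig)


@dataclass(frozen=True)
class TrustAnchor:
    cert: Cert
    distrust_after: Optional[date] = None   # reject leaves issued after this date


def verify_chain(chain, trust_store):
    """chain = [leaf, intermediate..., root]. Returns (ok, reason)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer does not match {parent.subject}"
        if not parent.is_ca:
            return False, f"{parent.subject}: not a CA"
        expected = hmac.new(parent.key, _tbs(child.subject, child.issuer, child.not_before,
                                             child.is_ca, child.key),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, child.signature):
            return False, f"{child.subject}: bad signature"
    root = chain[-1]
    anchor = trust_store.get(root.subject)
    if anchor is None or anchor.cert != root:
        return False, f"{root.subject}: not in trust store"
    if anchor.distrust_after is not None and chain[0].not_before > anchor.distrust_after:
        return False, f"{root.subject}: distrusted for certificates issued after {anchor.distrust_after}"
    return True, "ok"


# Constructed hierarchy: root -> issuing CA -> two leaf certificates for one site.
ROOT_KEY = b"example-root-secret"
INTER_KEY = b"example-issuing-ca-secret"
LEAF_KEY = b"example-leaf-key"
ROOT = issue(ROOT_KEY, "Example Root CA", "Example Root CA", date(2015, 1, 1), True, ROOT_KEY)
INTER = issue(ROOT_KEY, "Example Root CA", "Example Issuing CA", date(2020, 1, 1), True, INTER_KEY)
LEAF_OLD = issue(INTER_KEY, "Example Issuing CA", "www.example.com", date(2024, 6, 1), False, LEAF_KEY)
LEAF_NEW = issue(INTER_KEY, "Example Issuing CA", "www.example.com", date(2024, 12, 1), False, LEAF_KEY)

# Three trust-store states: full trust, date-scoped distrust (constructed cutoff), removal.
FULL_TRUST = {"Example Root CA": TrustAnchor(ROOT)}
DATE_DISTRUST = {"Example Root CA": TrustAnchor(ROOT, distrust_after=date(2024, 11, 1))}
REMOVED = {}

if __name__ == "__main__":
    for name, store in [("full trust", FULL_TRUST), ("date distrust", DATE_DISTRUST), ("removed", REMOVED)]:
        for leaf in (LEAF_OLD, LEAF_NEW):
            print(f"{name:14} leaf issued {leaf.not_before}: {verify_chain([leaf, INTER, ROOT], store)}")
```

Nothing about the certificates changes between the three runs; only the trust store does. That is the article's point in code: the party that edits the trust-store dictionary, not the CA and not the site, decides whether the padlock appears.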
The deeper structural problem approaches on a longer timeline: quantum computing. All current certificate infrastructure relies on mathematical problems that a sufficiently powerful quantum computer will be able to solve. The migration to post-quantum cryptography is underway, but far from complete. Every root CA, every certificate chain, every trust store on every device will need to be replaced — a transition of extraordinary scale, with no central authority to coordinate it, no enforcement mechanism to compel it, and no clear deadline before which it must be finished.
3) Software is Assembled from Strangers’ Code: Package Registries
Modern software is not written from scratch. It is assembled. A typical web application pulls in hundreds of packages — reusable modules of code that handle encryption, authentication, data parsing, network requests — written by developers the application’s authors have never met, maintained by volunteers with no formal accountability, and delivered through registries governed by corporations the end user has never contracted with.
The largest of these registries, npm, hosts over 2.5 million packages and serves tens of billions of downloads every month. It is owned by GitHub, which is owned by Microsoft. PyPI, the Python equivalent, is governed by the Python Software Foundation. Each is, in its own way, a single point of failure for an enormous share of global software — one database, one authentication system, one security team.
The attack vector is not the registry’s code. It is the trust that flows through it. In 2025, a self-propagating worm called Shai-Hulud demonstrated what this looks like at scale: compromised maintainer credentials were used to publish malicious updates to legitimate, widely-used packages. Those packages were downloaded automatically by developers’ build systems worldwide. The infected developers’ own credentials were then harvested and used to compromise packages they maintained, propagating further. It was not a technical exploit. It was an attack on the social contract of open-source: the assumption that code signed by a known maintainer is safe.
The compounding problem is depth. Most organizations have no clear picture of their software’s full dependency tree. The average enterprise application depends — indirectly, through chains of packages depending on packages — on thousands of pieces of code. The 2021 Log4Shell vulnerability affected hundreds of millions of systems, not because organizations had deliberately installed the vulnerable library, but because it was embedded several layers down in software they used every day. The attack surface was invisible until it was not.
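The "several layers down" problem is concrete once you walk the dependency graph. As an added example that is not the article's code, the block below takes a constructed lockfile-style graph (package names are invented; no real registry data is used), computes the full transitive set an application actually pulls in, and reports every chain through which a flagged package reached it. This is the check an organization needs when a vulnerability is announced in a library it never chose to install.

```python
# Constructed example, not code from the article. The graph is a made-up
# lockfile: each package maps to its direct dependencies.
DEPENDENCIES = {
    "webapp": ["http-server", "auth-lib", "json-parse"],
    "http-server": ["logging-core", "mime-types"],
    "auth-lib": ["jwt-lib", "logging-core"],
    "jwt-lib": ["base64-util"],
    "logging-core": ["log-format"],
    "log-format": ["lookup-resolver"],   # the flagged package sits here, four hops down
    "json-parse": [],
    "mime-types": [],
    "base64-util": [],
    "lookup-resolver": [],
}


def transitive_dependencies(graph, root):
    """Every package reachable from root, excluding root itself."""
    seen = set()
    stack = [root]
    while stack:
        pkg = stack.pop()
        for dep in graph.get(pkg, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def paths_to(graph, root, target):
    """All dependency chains from root to target, i.e. how target got into the build."""
    results = []

    def walk(pkg, path):
        if pkg == target:
            results.append(path)
            return
        for dep in graph.get(pkg, []):
            if dep not in path:              # guard against cyclic dependencies
                walk(dep, path + [dep])

    walk(root, [root])
    return results


def depth_of(graph, root, target):
    """Fewest hops from root to target, or None if target is not a dependency."""
    paths = paths_to(graph, root, target)
    return min(len(p) - 1 for p in paths) if paths else None


def affected_by(graph, root, flagged):
    """For each flagged package that root depends on, the chains that pull it in."""
    present = transitive_dependencies(graph, root)
    return {pkg: paths_to(graph, root, pkg) for pkg in flagged if pkg in present}


if __name__ == "__main__":
    direct = DEPENDENCIES["webapp"]
    everything = transitive_dependencies(DEPENDENCIES, "webapp")
    print(f"direct dependencies: {len(direct)}, transitive: {len(everything)}")
    for pkg, chains in affected_by(DEPENDENCIES, "webapp", {"lookup-resolver"}).items():
        print(f"{pkg} reached at depth {depth_of(DEPENDENCIES, 'webapp', pkg)} via:")
        for chain in chains:
            print("  " + " -> ".join(chain))
```

Three direct dependencies become nine in practice, and the flagged package is reachable by two separate chains through a shared logging dependency, so removing one intermediate package would not remove it. A real SBOM or lockfile has the same shape with thousands of nodes, which is why the question "do we run this library?" cannot be answered from the manifest alone.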
The Anatomy of the Unflagged
These three systems — BGP, root CAs, and package registries — share a common profile that separates them from every other chokepoint on the strategic map.
Each is governed by convention, not authority. Each runs on trust as its primary infrastructure, meaning that the system doesn’t just depend on technical security — it depends on the continued good behavior of thousands of independent actors with no unified accountability. Each presents an asymmetric attack-defense problem: universal adoption of fixes is required for defense, while a single weak link is sufficient for attack. And each has been known to be vulnerable for years, in some cases decades, without the underlying structure changing — because the cost of fixing it is distributed across too many actors, and the benefit accrues to everyone diffusely enough that no single actor has sufficient incentive to bear the cost alone.
This is the political economy of the unflagged chokepoint. The danger is documented. The remedies are available. The will is absent, because responsibility is distributed until it disappears.
The Ground the Ants Build On
The Prosilience framework — developed through the Thinkletter series — argues that the strategic winners of the coming era will not be those who fight to control chokepoints, but those who build systems that make them irrelevant. The ants in the fable don’t fight the wolves for the crossing. They tunnel underneath it.
This is correct, and important. But it rests on an assumption that deserves scrutiny: that the ground the tunnels run through is stable.
BGP carries the ants’ communications. Root CAs authenticate their transactions. Package registries assemble the software they use to build their alternatives. The unflagged chokepoints are not pressure points within the digital world. They are pressure points of it — the substrate beneath every other system, physical and digital, that civilization now depends on.
The chokepoints unwar asked who would be first to live without them. The unflagged chokepoints ask a harder question: what happens when the infrastructure of alternatives is itself ungoverned? Who builds the ground that the builders stand on — and who is responsible when it gives way?
Nobody owns these chokepoints. And in 2026, that is precisely the problem.
Key References
Prosilience Thinkletter #64, “The Chokepoints Unwar.” Christopher H. Cordey, prosilience.ch, March 2025. Primary conceptual framework for the article.
“Understanding BGP hijacking: risks, real-world examples, and how to protect your network in 2025.” Qrator Labs, 2025. Core source on the Cloudflare 1.1.1.1 incident and RPKI adoption statistics. https://qrator.net/blog/details/why-bgp-hijacking-still-threatens-global-networks
“Understanding stealthy BGP hijacking risk in the ROV era.” APNIC Blog, October 2025. Documents the evolution toward undetectable BGP hijacking under partial RPKI deployment. https://blog.apnic.net/2025/10/16/understanding-stealthy-bgp-hijacking-risk-in-the-rov-era/
“Border Gateway Protocol (BGP): A Security-First Guide.” SentinelOne, February 2026. Source for the June 2025 root DNS server hijack, the article’s opening incident. https://www.sentinelone.com/cybersecurity-101/cybersecurity/border-gateway-protocol/
“A Survey of Advanced Border Gateway Protocol Attack Detection Techniques.” PMC / MDPI, October 2024. Documents nation-state BGP rerouting incidents affecting Amazon, Google, Microsoft and others. https://pmc.ncbi.nlm.nih.gov/articles/PMC11479385/
“Entrust Will Stop Operating As Trusted Certificate Authority.” BankInfoSecurity, November 2024. Demonstrates the unaccountable power browser makers hold over the CA ecosystem. https://www.bankinfosecurity.com/say-goodbye-to-entrust-as-trusted-certificate-authority-a-26766
“What is the Digital Certificate Chain of Trust?” PacketLabs, December 2025. Covers the DigiNotar compromise and the structural fragility of the root CA model. https://www.packetlabs.net/posts/what-is-the-digital-certificate-chain-of-trust/
“Most Notable Supply-Chain Attacks of 2025.” Kaspersky Blog, 2025. Primary source on the Shai-Hulud self-propagating npm worm and the trust-as-attack-vector dynamic. https://www.kaspersky.com/blog/supply-chain-attacks-in-2025/55522/