Cybersecurity Industry Fighting Uphill Battle Against GDPR

Private cybersecurity researchers are pushing to regain access to domain registration information after new European privacy rules shut them out.

AP Photo/Tim Hales
Oct. 31, 2018, 8 p.m.

When the European Union’s General Data Protection Regulation went into effect in May, regulators and privacy advocates touted the new rules as a long-overdue shield to protect internet users against nefarious online activity.

But several months into its implementation, cybersecurity analysts now say overzealous application of the GDPR is in fact making the internet less safe by protecting the privacy of bad actors along with good ones.

“Has it lowered our ability to identify malicious actors and their infrastructure? Of course it has,” said Andrei Barysevich, the director of advanced collection at cybersecurity firm Recorded Future.

Barysevich believes private cybersecurity firms were blindsided when the GDPR severely curtailed the public’s access to WHOIS—a global database of domain-registration information that lists the name, email address, phone number, street address, and other identifying data for any individual who purchases a domain name. And his concerns are shared by a global group of private cybersecurity professionals, some of whom travelled to Barcelona last week to urge the Internet Corporation for Assigned Names and Numbers to grant cybersecurity researchers an exemption.

Tim Chen, the chief executive of threat-intelligence firm DomainTools, was one of those professionals. While he supports the GDPR’s overarching goal, Chen worries that ICANN’s overbroad application of the new rules is shutting security researchers out of information they need to identify and respond to botnets, spammers, and other malicious infrastructure now flourishing online.

“You’re basically making this a worldwide law that applies to everybody, even though it’s only an EU law and only applies to individual persons,” said Chen. “And doing that kind of an application does weaken security of the internet.”

Chen and others hope to convince ICANN to create a system where private cybersecurity analysts are granted special dispensation to examine domain-name information in order to protect online targets from criminal enterprises—including those run by Russia and other state actors.

But after the discussions he had in Barcelona last week, Chen thinks it’s unlikely that access to WHOIS will be extended beyond law enforcement officials. “I’m pessimistic on any other access, unfortunately,” he told National Journal.

Until the GDPR went live on May 25, WHOIS was publicly available for any and all to review. And though it was far from perfect, cybersecurity researchers say the domain-registration database often provided the breadcrumbs needed to identify, track and ultimately dismantle the online infrastructure of cybercriminals operating worldwide.

John Bambenek, a vice president at cybersecurity firm ThreatSTOP and a professor at the University of Illinois, said access to WHOIS data was a crucial part of the response to Russia’s election meddling in 2016 and afterwards.

“One of the ways we were able to see what the Russians were targeting before they actually attacked was this data,” said Bambenek, explaining how automated tools were routinely employed to scan domain-registration information for suspicious names, numbers or addresses.

“We put alerts so anytime they registered a domain, we knew about it before they started launching attacks, and we could interdict it,” said Bambenek. “That’s how we caught the meddling in the French election. We saw it in Germany. We saw it in the United States. We cannot do that anymore.”
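The monitoring Bambenek describes boils down to parsing registration records and matching registrant fields against indicators already tied to a known actor. The script below is an added illustration of that idea and is not the tooling used by anyone quoted in the article; the WHOIS records, the watchlist entries and the `example.*` domains are constructed for the example, and the redaction and proxy marker strings are assumptions standing in for whatever a given registrar actually emits. It also shows the article’s central point in code: a record masked after May 25 yields nothing to match on.

```python
"""Watchlist matching over WHOIS records (added example, constructed data)."""
import re
from dataclasses import dataclass, field

# Registrant fields that historically carried identifying data.
REGISTRANT_FIELDS = ("Registrant Name", "Registrant Organization",
                     "Registrant Email", "Registrant Phone", "Registrant Street")
# Assumed placeholder strings: registrars and privacy proxies substitute
# text like this for real registrant data.
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "GDPR MASKED")
PROXY_MARKERS = ("PRIVACY", "PROXY", "WHOISGUARD", "DOMAINS BY PROXY")


@dataclass
class Watchlist:
    """Indicators previously attributed to a tracked actor (all constructed)."""
    emails: set = field(default_factory=set)
    phones: set = field(default_factory=set)
    orgs: set = field(default_factory=set)


def parse_whois(text):
    """Parse 'Key: value' lines of a WHOIS reply into a dict (first value wins)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key and value and key not in record:
            record[key] = value
    return record


def normalize_phone(phone):
    """Strip punctuation so '+1.555-555-0100' and '15555550100' compare equal."""
    return re.sub(r"[^0-9]", "", phone)


def classify(record):
    """'redacted' if registrant fields are masked, 'proxy' if a privacy
    service is the registrant of record, otherwise 'full'."""
    values = " ".join(record.get(f, "") for f in REGISTRANT_FIELDS).upper()
    if any(m in values for m in REDACTION_MARKERS):
        return "redacted"
    if any(m in values for m in PROXY_MARKERS):
        return "proxy"
    return "full"


def match(record, watchlist):
    """Return (field, indicator) pairs where the record hits the watchlist."""
    hits = []
    email = record.get("Registrant Email", "").lower()
    if email in watchlist.emails:
        hits.append(("Registrant Email", email))
    phone = normalize_phone(record.get("Registrant Phone", ""))
    if phone and phone in {normalize_phone(p) for p in watchlist.phones}:
        hits.append(("Registrant Phone", phone))
    org = record.get("Registrant Organization", "").lower()
    if org in watchlist.orgs:
        hits.append(("Registrant Organization", org))
    return hits


def triage(raw_records, watchlist):
    """Map each domain to ('alert', hits), ('blind', []) when the record is
    redacted or proxied and offers nothing to pivot on, or ('clear', [])."""
    out = {}
    for raw in raw_records:
        rec = parse_whois(raw)
        hits = match(rec, watchlist)
        if hits:
            status = "alert"
        elif classify(rec) in ("redacted", "proxy"):
            status = "blind"
        else:
            status = "clear"
        out[rec.get("Domain Name", "?")] = (status, hits)
    return out


# Constructed sample records: one pre-redaction, one masked, one behind a proxy.
FULL_RECORD = """Domain Name: EXAMPLE-ONE.COM
Registrant Name: J. Doe
Registrant Organization: Example Org
Registrant Email: registrant@example.net
Registrant Phone: +1.5555550100
Creation Date: 2018-03-02"""
REDACTED_RECORD = """Domain Name: EXAMPLE-TWO.COM
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Registrant Phone: REDACTED FOR PRIVACY
Creation Date: 2018-06-10"""
PROXY_RECORD = """Domain Name: EXAMPLE-THREE.COM
Registrant Name: Domain Administrator
Registrant Organization: Privacy Proxy Service Inc
Registrant Email: abc123@privacyproxy.example
Registrant Phone: +1.5555550199"""
WATCHLIST = Watchlist(emails={"registrant@example.net"},
                      phones={"+1 (555) 555-0100"}, orgs={"example org"})

if __name__ == "__main__":
    for domain, (status, hits) in triage(
            [FULL_RECORD, REDACTED_RECORD, PROXY_RECORD], WATCHLIST).items():
        print(domain, status, hits)
```

Run against the three constructed records, the pre-GDPR record raises an alert on all three indicators, while the masked and proxied records come back `blind`: the analyst learns only that a new domain exists, which is exactly the loss the researchers above are describing.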

On paper, the GDPR’s enhanced online-privacy protections apply only to EU citizens. But companies around the world quickly discovered the difficulty of determining which of their users is from an EU member state. And given the hefty fines imposed for noncompliance, domain name registrars like GoDaddy soon decided it was safest to apply the strictest interpretation of GDPR to their global set of customers.

ICANN requires registrars to submit all domain-name information to WHOIS. But though registrars must follow ICANN’s policies, the organization is forbidden from forcing them to violate local laws. And in a bid to limit their legal exposure to the GDPR, the registrars successfully convinced ICANN to pull a veil of secrecy over all domain registration information submitted after May 25 of this year.

The publication of that data had been the norm for two decades prior to GDPR. And even if law enforcement ultimately maintains access, cybersecurity researchers worry about the consequences for the internet ecosystem should WHOIS remain off-limits for everyone else.

“The FBI doesn’t open computer crime cases unless somebody like me brings it to them in the first place, with enough data to say it’s worth their time,” said Bambenek.

Not everyone is convinced that the GDPR has broken a key tool for cybersecurity research. Paul Vixie, the chief executive of cybersecurity firm Farsight Security and a key architect of several domain name system protocols, said increasing efforts by both bad actors and other users to hide their true identities had largely ruined WHOIS long before GDPR came along.

“It’s true the GDPR is putting some pressure on WHOIS,” he told National Journal. “But it’s not like WHOIS was pretty healthy until May 25 of this year. WHOIS was mostly dead, and now it’s on its way to being all dead.”

Vixie also pointed out that even under the old system, domain name registrants could pay extra for a private listing.

But while Barysevich acknowledged WHOIS’s limitations, he warned against discounting its usefulness in tracking down experienced cybercriminals. “We think that nation-state attackers are not making any mistakes, but they do,” he said, explaining that even sophisticated hackers must provide real email addresses or risk being shut out of their domains.

“There is no such thing as total invisibility,” Barysevich said. “There’s always some level of exposure.”

Bambenek noted the existence of private domain names under the old system, but argued that malicious actors almost never used them because it raised a “big red flag” for the sensitive institutions targeted. Organizations like the State Department typically screen out emails, or any other proposed interaction, that emanate from private domain names.

ICANN’s decision to make WHOIS private remains under review, and cybersecurity professionals are hopeful that accommodations can be made to ensure their access to the database while still maintaining user privacy. But that would require assurances from EU regulators that they won’t punish GoDaddy or other domain-name registrars for granting analysts access. And so far, Chen says those regulators have been “remarkably hands-off” during the ongoing debate.

“The law is in their minds clear, and people need to follow it,” said Chen. “And that’s it.”

Walter van Holst, a technology lawyer and a member of the privacy group European Digital Rights, told National Journal that EU courts are unlikely to accommodate any third-party request for access to WHOIS data, even if that request stems from a legitimate interest.

“Parts of the [information security] community appear to be stuck in the first stage of grieving: denial,” van Holst said.

Perhaps the only thing that could tip the scales, some cybersecurity researchers say, is greater involvement by the U.S. government.

Unlike Brussels, Washington tends to place cybersecurity concerns above questions of consumer privacy. And during last week’s meeting in Barcelona, David Redl, the administrator of the National Telecommunications and Information Administration, warned ICANN against permanently restricting WHOIS access.

The U.S. government isn’t keen on a direct confrontation with the EU, and has so far let ICANN and the relevant stakeholders hash out the issue. But if the WHOIS database remains closed at the conclusion of the review next year, Chen believes Washington may have no choice but to step in.

“I’m not sure the U.S. is just going to sit by and watch this happen, if it goes the wrong way,” Chen said.
