Cybersecurity Industry Fighting Uphill Battle Against GDPR

Private cybersecurity researchers are pushing to regain access to domain registration information after new European privacy rules shut them out.

Oct. 31, 2018, 8 p.m.

When the European Union’s General Data Protection Regulation went into effect in May, regulators and privacy advocates touted the new rules as a long-overdue shield to protect internet users against nefarious online activity.

But several months into its implementation, cybersecurity analysts now say overzealous application of the GDPR is in fact making the internet less safe by protecting the privacy of bad actors along with good ones.

“Has it lowered our ability to identify malicious actors and their infrastructure? Of course it has,” said Andrei Barysevich, the director of advanced collection at cybersecurity firm Recorded Future.

Barysevich believes private cybersecurity firms were blindsided when the GDPR severely curtailed the public’s access to WHOIS—a global database of domain-registration information that lists the name, email address, phone number, street address, and other identifying data for any individual who purchases a domain name. And his concerns are shared by a global group of private cybersecurity professionals, some of whom travelled to Barcelona last week to urge the Internet Corporation for Assigned Names and Numbers to grant cybersecurity researchers an exemption.

Tim Chen, the chief executive of threat-intelligence firm DomainTools, was one of those professionals. While he supports the GDPR’s overarching goal, Chen worries that ICANN’s overbroad application of the new rules is shutting security researchers out of information they need to identify and respond to botnets, spammers, and other malicious infrastructure now flourishing online.

“You’re basically making this a worldwide law that applies to everybody, even though it’s only an EU law and only applies to individual persons,” said Chen. “And doing that kind of an application does weaken security of the internet.”

Chen and others hope to convince ICANN to create a system where private cybersecurity analysts are granted special dispensation to examine domain-name information in order to protect online targets from criminal enterprises—including those run by Russia and other state actors.

But after the discussions he had in Barcelona last week, Chen thinks it’s unlikely that access to WHOIS will be extended beyond law enforcement officials. “I’m pessimistic on any other access, unfortunately,” he told National Journal.

Until the GDPR went live on May 25, WHOIS was publicly available for any and all to review. And though it was far from perfect, cybersecurity researchers say the domain-registration database often provided the breadcrumbs needed to identify, track and ultimately dismantle the online infrastructure of cybercriminals operating worldwide.

John Bambenek, a vice president at cybersecurity firm ThreatSTOP and a professor at the University of Illinois, said access to WHOIS data was a crucial part of the response to Russia’s election meddling in 2016 and afterwards.

“One of the ways we were able to see what the Russians were targeting before they actually attacked was this data,” said Bambenek, explaining how automated tools were routinely employed to scan domain-registration information for suspicious names, numbers or addresses.

“We put alerts so anytime they registered a domain, we knew about it before they started launching attacks, and we could interdict it,” said Bambenek. “That’s how we caught the meddling in the French election. We saw it in Germany. We saw it in the United States. We cannot do that anymore.”

On paper, the GDPR’s enhanced online-privacy protections apply only to EU citizens. But companies around the world quickly discovered the difficulty of determining which of their users is from an EU member state. And given the hefty fines imposed for noncompliance, domain name registrars like GoDaddy soon decided it was safest to apply the strictest interpretation of GDPR to their global set of customers.

ICANN requires registrars to submit all domain-name information to WHOIS. But though registrars must follow ICANN’s policies, the organization is forbidden from forcing them to violate local laws. And in a bid to limit their legal exposure to the GDPR, the registrars successfully convinced ICANN to pull a veil of secrecy over all domain registration information submitted after May 25 of this year.

The publication of that data had been the norm for two decades prior to GDPR. And even if law enforcement ultimately maintains access, cybersecurity researchers worry about the consequences for the internet ecosystem should WHOIS remain off-limits for everyone else.

“The FBI doesn’t open computer crime cases unless somebody like me brings it to them in the first place, with enough data to say it’s worth their time,” said Bambenek.

Not everyone is convinced that the GDPR has broken a key tool for cybersecurity research. Paul Vixie, the chief executive of cybersecurity firm Farsight Security and a key architect of several domain name system protocols, said increasing efforts by both bad actors and other users to hide their true identities had largely ruined WHOIS long before GDPR came along.

“It’s true the GDPR is putting some pressure on WHOIS,” he told National Journal. “But it’s not like WHOIS was pretty healthy until May 25 of this year. WHOIS was mostly dead, and now it’s on its way to being all dead.”

Vixie also pointed out that even under the old system, domain name registrants could pay extra for a private listing.

But while Barysevich acknowledged WHOIS’s limitations, he warned against discounting its usefulness in tracking down experienced cybercriminals. “We think that nation-state attackers are not making any mistakes, but they do,” he said, explaining that even sophisticated hackers must provide real email addresses or risk being shut out of their domains.

“There is no such thing as total invisibility,” Barysevich said. “There’s always some level of exposure.”

Bambenek noted the existence of private domain names under the old system, but argued that malicious actors almost never used them because it raised a “big red flag” for the sensitive institutions targeted. Organizations like the State Department typically screen out emails, or any other proposed interaction, that emanate from private domain names.

ICANN’s decision to make WHOIS private remains under review, and cybersecurity professionals are hopeful that accommodations can be made to ensure their access to the database while still maintaining user privacy. But that would require assurances from EU regulators that they won’t punish GoDaddy or other domain-name registrars for granting analysts access. And so far, Chen says those regulators have been “remarkably hands-off” during the ongoing debate.

“The law is in their minds clear, and people need to follow it,” said Chen. “And that’s it.”

Walter van Holst, a technology lawyer and a member of the privacy group European Digital Rights, told National Journal that EU courts are unlikely to accommodate any third-party request for access to WHOIS data, even if that request stems from a legitimate interest.

“Parts of the [information security] community appear to be stuck in the first stage of grieving: denial,” van Holst said.

Perhaps the only thing that could tip the scales, some cybersecurity researchers say, is greater involvement by the U.S. government.

Unlike Brussels, Washington tends to place cybersecurity concerns above questions of consumer privacy. And during last week’s meeting in Barcelona, David Redl, the administrator of the National Telecommunications and Information Administration, warned ICANN against permanently restricting WHOIS access.

The U.S. government isn’t keen on a direct confrontation with the EU, and has so far let ICANN and the relevant stakeholders hash out the issue. But if the WHOIS database remains closed at the conclusion of the review next year, Chen believes Washington may have no choice but to step in.

“I’m not sure the U.S. is just going to sit by and watch this happen, if it goes the wrong way,” Chen said.
