Published 26/02/2018

GDPR Impacting Cybersecurity

GDPR Deadline & impacts of its implementation on cybersecurity: WHOIS DATA

As the EU-defined GDPR compliance deadline of 25 May approaches, a growing number of registrars are going dark. This trend will have a significant impact on cyber-crime fighting capability. At MoSec Solutions, we have outlined some issues that will negatively impact some of our most effective cybersecurity mechanisms. The main pain point is the negative impact that the GDPR has had on internet domain registration. The data collected during a domain registration constitutes one of the most critical components needed in the fight against cyber crime. For those who do not know what domain registration data is and how the domain registration process works, here is a brief introduction.

 

When registering a domain, we are generally obliged to provide some information, e.g. name, address, etc. This information is referred to as “Domain Registration Information”. Upon a successful registration, the data is published by domain registrars in the international Registration Directory Service (RDS), formerly known as WHOIS. It is this information that we usually use in an attempt to unmask the name, address and contact details of domain registrants.

 

As cyber-crime fighters, we rely on this information to link the malicious domains that we identify to other related domains being used by the same cybercriminals, or to discover such domains. We follow up by flagging and proactively blocking them in our pursuit to prevent further damage by cyber-crime campaigns. Cyber criminals generally register several domains for their activities. In cases where fictitious details are used, registrants have to use a real phone number and email address. This information is enough for the security community to link associated domains. Using high-speed detection engines that have access to WHOIS data, organizations are well equipped to block millions of spam messages coming from domains associated with the individuals linked to spam messages. While the GDPR is meant to enhance the privacy of individuals, it is having the unintended effect of encouraging domain registrars not to release registration details to the RDS. The reluctance to send registration details means that the information is incomplete and of less value to cyber-crime fighters.
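The linking step described above can be sketched as follows. This is an added example, not MoSec Solutions' own tooling: the records are constructed, and the field names and the redaction patterns are assumptions made for illustration. It groups domains that share a registrant email or phone number and shows what remains once those fields are redacted.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style records; field names are assumptions for this example.
RECORDS = [
    {"domain": "alpha-pay.example", "email": "Ops@Mail.example", "phone": "+1.5550100"},
    {"domain": "beta-login.example", "email": "ops@mail.example", "phone": "+1.5550199"},
    {"domain": "gamma-cdn.example", "email": "other@mail.example", "phone": "+1 555 0199"},
    {"domain": "delta-shop.example", "email": "REDACTED FOR PRIVACY", "phone": ""},
    {"domain": "benign.example", "email": "admin@benign.example", "phone": "+44.5550123"},
]
# Redacted or proxy values are shared by unrelated registrants: never pivot on them.
REDACTED = re.compile(r"redacted|privacy|withheld|not disclosed", re.I)

def pivot_keys(record):
    """Normalized (field, value) pairs that are safe to link on."""
    keys = set()
    email = (record.get("email") or "").strip().lower()
    if "@" in email and not REDACTED.search(email):
        keys.add(("email", email))
    phone = record.get("phone") or ""
    digits = re.sub(r"\D", "", phone)  # "+1.5550199" and "+1 555 0199" match
    if not REDACTED.search(phone) and len(digits) >= 7:
        keys.add(("phone", digits))
    return keys

def cluster_domains(records):
    # Union-find over domain nodes and contact-value nodes.
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for rec in records:
        dom = ("domain", rec["domain"])
        find(dom)
        for key in pivot_keys(rec):
            parent[find(key)] = find(dom)
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "domain":
            groups[find(node)].add(node[1])
    return list(groups.values())

def related_domains(seed, records):
    """Domains linked to a known-bad seed, directly or through a chain."""
    return next((g for g in cluster_domains(records) if seed in g), set())

def redact(records):
    """The same records as a registrar that has gone dark would publish them."""
    return [{"domain": r["domain"], "email": "REDACTED FOR PRIVACY", "phone": ""}
            for r in records]
```

Starting from `alpha-pay.example`, the full records yield three linked domains (one joined by email, one by phone through the second), while the redacted view yields only the seed itself.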

 

Based on our experience, it might take more than 40 days to detect malicious domains by other methods without access to WHOIS data. As a result, organizations are left at the mercy of cyber criminals during that period. As always, the wheels of politics rotate at a different speed and have a different dynamic in comparison to the digital world. EU regulators and ICANN need to thoroughly and carefully engage each other in pursuit of a solution to this little-understood issue.

 

In our eyes, it is quite ridiculous to proceed at full force and speed with the adoption when it is clear that, as a result, registrars will continue to go dark. The consequence of registrars going dark is the loss of the ability to coordinate malicious domain blocking on a massive scale in the pursuit of halting cyber-criminal campaigns. Many security experts estimate that coordinating such measures will take days, weeks and even months, rather than the hours it takes in the current state.

 

Flouting ICANN rules to comply with GDPR

 

The other likely impact is that people will receive more spam, which translates to more opportunities to click on malicious links that result in cyber attacks. As a result, it could easily lead to a more substantial privacy loss than the GDPR protects against. The GDPR intends to protect privacy, but a failure to get the approach to domain registration information right could set that whole intent back.

 

According to several leading technology media outlets, the EU regulators have responded on the issue by rejecting proposed solutions. They have asked for greater protections from ICANN for the personal data of European domain registrants. ICANN, on the other hand, has taken the approach of calling for exemption of registrant data from the GDPR for another year. The claim is that this should create the time necessary to have the issue resolved among the parties.

 

Under ICANN rules, domain registration information must be published. Still, registrars are opting to flout ICANN rules, for which there is no financial penalty, in favour of applying internationally applicable GDPR rules. Their intention here is to avoid significant financial penalties for non-compliance.

 

The compounding issue here is the fact that registrars are applying this universally, not just for European registrants. The result is the GDPR negatively impacting full transparency about who is behind an internet domain, one of the fundamental pillars upon which the internet is built.

 

In our opinion, there are several potential ways of solving the problem. A significant one is to build a mechanism for access to the data only by registered, certified users. It must be ensured that the most critical tool for preventing cybercrime does not become inaccessible, as that would significantly affect privacy.

 

With a little over five months left to the deadline, we hope that the European regulators will work closely with their counterparts, through a discussion of possible consequences and remedies, to ensure that security teams continue to have access to the data they need to help stop cyber crime.

 

Given the national and economic security issues attached to this topic, we firmly believe that the preservation of the resiliency, transparency and accountability of the internet is critical. 
