The European Commission has published its latest proposal to improve cybersecurity across the EU. At 108 pages, it is far from a quick read but should be required reading for all CIOs and CISOs. It is part of a wider package of actions that the Commission is planning. This latest document will also replace the EU Network and Information Security Directive (NIS) – (EU) 2016/1148.
The document states: “The proposal modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape. Both developments have been further amplified since the onset of the COVID-19 crisis. The proposal also addresses several weaknesses that prevented the NIS Directive from unlocking its full potential.”
The Commission identified three key weaknesses with the NIS Directive. They are:
- the low level of cyber resilience of businesses operating in the EU
- the inconsistent resilience across Member States and sectors
- the low level of joint situational awareness and lack of joint crisis response.
Given that these are issues with implementation by businesses and governments, how will this new directive fix that? Reading through the directive, it is clear that it can’t. What it can do is take a series of measures to try to improve the way the directive is implemented at an EU level and hope that governments and businesses do their part.
What does this have to do with domains?
One of the targets of this directive is accurate information about who owns a domain and, by extension, how many domains that individual has registered. It wants domain registrars at the EU and country level to do more to stop people from registering large numbers of domains anonymously.
It states: “(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.”
It is putting much more pressure on registrars to gather and verify the details of people registering domains. This is likely to be problematic for many, such as those offering cheap and quick domain services. It will require them to introduce more processes, gather more data and provide increased protection for that data. The likelihood is that this will increase the cost of buying a domain name. But will it have any effect?
Bringing Know Your Customer rules to domain ownership
Chad Anderson, Senior Security Researcher for DomainTools, believes it will. Welcoming the change, he said: “For those that say this is a hit to privacy: this operates the same way it would if you were buying property anywhere else. Yes, it’s digital property, but you should have to be responsible for that permissive SPF record allowing relay of malware spam in the same way you have to be responsive when there’s a gas leak on physical property.
“We’ve now seen from multiple pipeline ransomware events that critical infrastructure is just as much in danger, if not more, from a ransomware event as it is from a physical attack.”
Comparing the ownership of a domain to that of a property is an interesting statement. There are many laws and processes that people go through to identify themselves when buying property. Can domain registrars simply repurpose those mechanisms, or will governments have to create new legislation? How will verification take place? If you want to register a domain for yourself, you might be prepared to send scans of government ID to a registrar. But would you trust them to keep it safe?
Another challenge: what if you are buying for a business or a community group? You might register using your own data, but what if you later hand the domain to someone else? How can you be sure your data will be removed? It can be harder than you think (I write from experience).
Anderson believes that one benefit of knowing who registered a set of suspicious domains is in takedowns. He commented, “Taking down large swaths of domains tied to a single individual is much quicker when they can actually be tied to that individual and time is increasingly of the essence.”
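The two ideas above, registrars being expected to hold accurate and complete registrant data, and takedowns being faster when many domains can be tied to one registrant, can be shown together on a small set of records. The following is an added example, not code from the article, DomainTools or any registrar; the records are constructed in a WHOIS/RDAP-like shape with invented names, e-mails, phone numbers and registrar ids, and the checks are deliberately limited to field completeness and e-mail syntax (real identity verification is out of scope here).

```python
"""Flag incomplete registration records and cluster domains by registrant.

Constructed example: none of the domains, people, e-mails or registrars exist.
"""
from collections import defaultdict
import re

# Constructed sample registration records (WHOIS/RDAP-like shape).
RECORDS = [
    {"domain": "pay-portal-1.test", "registrant_name": "J. Doe",
     "registrant_email": "j.doe@example.com", "registrant_phone": "+32 2 555 0100",
     "registrar": "reg-a"},
    {"domain": "pay-portal-2.test", "registrant_name": "J. Doe",
     "registrant_email": "J.Doe@example.com", "registrant_phone": "+32 2 555 0100",
     "registrar": "reg-a"},
    {"domain": "pay-portal-3.test", "registrant_name": "J. Doe",
     "registrant_email": " j.doe@example.com ", "registrant_phone": "+32 2 555 0100",
     "registrar": "reg-b"},
    {"domain": "secure-login-update.test", "registrant_name": "J Doe",
     "registrant_email": "j.doe@example.com", "registrant_phone": "",
     "registrar": "reg-b"},
    {"domain": "community-garden.test", "registrant_name": "M. Smith",
     "registrant_email": "m.smith@example.org", "registrant_phone": "+44 20 7946 0000",
     "registrar": "reg-a"},
    {"domain": "quick-deal.test", "registrant_name": "",
     "registrant_email": "not-an-email", "registrant_phone": "",
     "registrar": "reg-c"},
]

REQUIRED_FIELDS = ("registrant_name", "registrant_email", "registrant_phone")
# Deliberately loose syntax check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate(record):
    """Return the problems an accuracy check would raise for one record.

    Two checks are shown: required fields present, and e-mail syntactically
    plausible. A registrar's real process would add identity verification.
    """
    problems = [f"missing {field}" for field in REQUIRED_FIELDS
                if not record.get(field, "").strip()]
    email = record.get("registrant_email", "").strip()
    if email and not EMAIL_RE.match(email):
        problems.append("malformed registrant_email")
    return problems


def normalise_email(email):
    """Case- and whitespace-normalise so trivially varied entries still match."""
    return email.strip().lower()


def cluster_by_registrant(records):
    """Group domains by normalised registrant e-mail.

    Records whose e-mail is missing or malformed are left out: they cannot
    be tied to anyone, which is the gap the proposal wants registrars to close.
    """
    clusters = defaultdict(list)
    for record in records:
        email = normalise_email(record.get("registrant_email", ""))
        if not email or not EMAIL_RE.match(email):
            continue
        clusters[email].append(record["domain"])
    return {email: sorted(domains) for email, domains in clusters.items()}


def bulk_registrants(records, threshold=3):
    """Registrants holding at least `threshold` domains, with the registrars used.

    This is the view a takedown request starts from: one registrant, every
    domain tied to them, and which registrars need to be contacted.
    """
    report = {}
    for email, domains in cluster_by_registrant(records).items():
        if len(domains) < threshold:
            continue
        registrars = sorted({r["registrar"] for r in records
                             if normalise_email(r.get("registrant_email", "")) == email})
        report[email] = {"domains": domains, "registrars": registrars}
    return report


if __name__ == "__main__":
    for record in RECORDS:
        problems = validate(record)
        if problems:
            print(f"{record['domain']}: {', '.join(problems)}")
    for email, info in bulk_registrants(RECORDS).items():
        print(f"{email}: {len(info['domains'])} domains via {info['registrars']}")
```

Running it reports the two records that fail the completeness check and one registrant tied to four domains across two registrars. The same clustering is what breaks down when registrants reuse other people's scraped details, which is the objection raised later in the article: the cluster then points at the wrong person, so data accuracy, not merely data collection, is what gives a takedown its speed.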
Will cybercriminals really use their own names?
But will cybercriminals register under their own name? Unlikely. They will simply scrape data from unprotected sites and reuse other people’s details. They will also likely register outside the EU or use overseas domain registrars to hide their identity.
Anderson has a response to that. He said, “For those that say this doesn’t matter because cybercriminals will just hide behind corporations or registrars in other countries: yes, that is the point. Defensive work is never about eliminating the threats, it’s about making it so expensive that the threat cannot operate. This raises the bar and makes it expensive for easy cyber criminality like business email compromise (BEC) and credential phishing campaigns. Additionally, this reduces the attacking area left to monitor as it reduces the number of registrars that attackers can use.”
Enterprise Times: What does this mean?
What level of impact will this have on domain registration? That is a hard question to answer at this early stage. If it reduces the automated mechanisms that cybercriminals use to register new domains constantly, it will disrupt their activity. That is a good thing. As Anderson says: “These are all wins in the defensive playbook. No, crime won’t stop, but yes it will require a more sophisticated attacker and remove the run-of-the-mill non-technical cybercrime that is pervasive today.”
But it will only work if national governments adjust their laws and enforce action against all registrars. Simply introducing a new directive won’t make this go away. Legislation is a blunt and painfully slow tool to deal with this issue. By the time any laws are passed, the cybercriminals will have moved on and found ways around them.
Additionally, registrars will want to know what this means for their business model. At the moment, none of the four registrars that Enterprise Times contacted were able to comment. None of them, as yet it seems, has read the directive, so they rightly said they couldn’t comment. The costs of gathering, verifying and storing data will need to be calculated, especially if it means employing more people or waiting for governments to implement new systems.