During the past few years, we have witnessed an alarming increase in the volume and sophistication of cybercrime and cyberattacks. It is both understandable and necessary that the US Congress has taken measures to strengthen our country’s cybersecurity. The Strengthening American Cybersecurity Act of 2022, for example, was recently passed by the Senate and is currently in review by the House of Representatives. The cybersecurity community is pleased to see action by Congress on this important issue, but, unfortunately, the act contains a significant loophole added late in the legislative process that will impede progress toward the goal of increasing US cybersecurity: a complete carve-out of DNS from the reporting requirements and other obligations outlined in the bill.
The Domain Name System, of course, registers domain names and translates them into digital addresses that route traffic through the global Internet. DNS is at the heart of the Internet and represents the exact type of information that needs to be reportable to proactively protect our cyber assets.
For decades, DNS and the data concerning individuals and organizations that register and use domain names — known as WHOIS data
— have been critical to law enforcement agencies and private cybersecurity companies to protect the US and its citizens from cyberattacks and cybercrime.
As stated in written testimony to Congress by the FBI Cyber Division in 2003, “Cyber Division investigators use the WHOIS database almost every day. Querying of domain name registries is the first step in many cybercrime investigations. Anything that limits or restricts the availability of WHOIS data to law enforcement agencies will decrease its usefulness in FBI investigations …” This was true in 2003, and it is true now. In 2020, DHS reaffirmed, “Homeland Security Investigations (HSI) views WHOIS information, and the accessibility to it, as critical information required to advance HSI criminal investigations, including COVID-19 fraud.”
Despite the unambiguous statements from governments and law enforcement agencies expressing the critical importance of DNS and open and immediate access to accurate WHOIS data for cybersecurity, WHOIS data has essentially gone dark since May 2018. This can be traced to the enactment of policies put in place by the Internet Corporation for Assigned Names and Numbers (ICANN) as the organization attempted to comply with the European Union’s General Data Protection Regulation (GDPR). But GDPR applies to people, not to companies or governments. Yet nearly all useful registration data has been hidden — even the data not subject to GDPR.
It is not only US-based law enforcement agencies that emphasize the critical role of the DNS and WHOIS data for cybersecurity. In 2018, the European Cybercrime Centre (EC3) Advisory Group on Internet Security stated, “Almost all cyberattacks … require infrastructure which is subject to DNS registration at some point in the attack life cycle. As such, the international Whois protocol plays a critical role in identifying malicious infrastructure and thus defending against or preventing attacks. Accessing Whois registrant information is an essential element of the cybersecurity community’s efforts to maintain the overall security and stability of the global Internet. …”
Passing cybersecurity legislation while exempting DNS and ignoring the lack of WHOIS data accessibility is like trying to improve banking security while removing the know-your-customer (KYC) requirements. Doing so leaves the country increasingly vulnerable and unable to identify, track, and prevent malicious behavior.
Restore Access to WHOIS Data
Given these circumstances, it is contrary to the goal of improving security for the federal government and the American people for Congress to give a “pass” on mandatory reporting to the DNS and the current lack of availability of WHOIS data. It would be more beneficial for Congress to restore access to WHOIS data and require that all domain name registries and registrars that have any business nexus to the US be able to verify the accuracy of the WHOIS data of their customers. Such data should also be made publicly accessible. The three top-level domains —.com, .org, and .net — are all administered by US companies and, as of April 2021, comprised 60% of all domain names used by websites around the world.
As explained by the Anti-Phishing Working Group at a Cooperation Against Cybercrime international conference, “Restricted access to WHOIS data by GDPR regulation under its initial interpretation (by ICANN) hampers Internet security; law enforcement activities; security research; anti-money laundering activities; and programmatic suppression of criminal infrastructure.” Turning a blind eye to this critical component of cybersecurity and relegating these DNS and WHOIS data issues to the exclusive provenance of ICANN’s multistakeholder organization, which has failed to serve the public interest, will impede rather than improve the cybersecurity of the US.