The European Union has announced it is drafting legislation intended to end the anonymous registration of domains, which are often used for illegal activities, including the distribution of malware.
The legislation is the “Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union”. This act will add new provisions that enable domain registrars to collect more information from registrants and verify that information.
Chad Anderson, a Senior Security Researcher for DomainTools, looks at the scope of the law and its consequences for businesses and consumers.
Anderson looks at the benefits of the laws: “This change in posture shows just how important registrant information can be for defenders. We’ve certainly found other ways of fingerprinting actors based on tactics, techniques, and procedures (TTPs), but taking down large swaths of domains tied to a single individual is much quicker when they can actually be tied to that individual and time is increasingly of the essence.”
However, there are some points of contention that need to be discussed. Here Anderson is critical, stating: “For those that say this will be a hit to whistleblowers and activists: that’s hogwash as they should all be using Tor and pre-built sites anyways to protect their anonymity. If anything this will force their hand to use better operational security. Leak sites will still exist and alternative registrars still exist. All of the problems for maintaining a private Internet where activists can work have already been solved.”
Anderson also takes issue with those who are more inclined to flag civil liberties issues. Anderson says: “For those that say this is a hit to privacy: this operates the same way it would if you were buying property anywhere else. Yes, it’s digital property, but you should have to be responsible for that permissive SPF record allowing relay of malware spam in the same way you have to be responsive when there’s a gas leak on physical property.”
The reality is, as Anderson puts it: “We’ve now seen from multiple pipeline ransomware events that critical infrastructure is just as in, if not more in danger, from a ransomware event than it is from a physical attack.”
Anderson challenges another myth: “For those that say this doesn’t matter because cybercriminals will just hide behind corporations or registrars in other countries: yes, that is the point. Defensive work is never about eliminating the threats, it’s about making it so expensive that the threat cannot operate. This raises the bar and makes it expensive for easy cyber criminality like business email compromise (BEC) and credential phishing campaigns. Additionally this reduces the attacking area left to monitor as it reduces the number of registrars that attackers can use.”
Summarising the necessity of the provisions in the directive, Anderson concludes: “These are all wins in the defensive playbook. No, crime won’t stop, but yes, it will require a more sophisticated attacker and remove the run-of-the-mill non-technical cybercrime that is pervasive today.”