WHOIS Behind Cyberattacks? Under GDPR, We May Not Know

The goal of the European Union’s General Data Protection Regulation (GDPR) is, among other things, to standardize data protection laws applicable to EU data subjects. Aimed at enhancing privacy protection, the enforcement of the regulation becomes effective on May 25.

GDPR’s implementation on an issue relevant to the cybersecurity industry may well have negative consequences that, ironically, run contrary to its original intent. These consequences could include a significant increase in cyberattacks, online fraud, and spam. At IBM, we are among many groups and individuals calling for European regulators to work with the right parties to ensure security teams continue to have access to the data they need to help stop cybercrime through a discussion of possible consequences and remedies.

What’s at Stake?

The central issue involves changes to accessing business contact information in the ICANN WHOIS database as a result of the current interpretation of the GDPR. WHOIS is a service that has readily provided basic information about a registered domain, such as domain owner contact information, domain availability status and the company with which the domain is registered. Registrants of new domains provide this information as part of the registration process.

The current interpretation of GDPR will greatly restrict access to data for security professionals and security researchers, as well as automated processes associated with access. Today, cybersecurity professionals use this information to quickly stop cyberthreats. Restriction under the GDPR interpretation includes limiting access or redaction of data such as the name of the person who registered the site domain, his or her phone number, physical address and email address.

Why this information is so vital to ongoing efforts to protect data privacy and prevent or limit cybercrime is best explained with an illustration of how that protection is provided in the first place.

How We Stop Cybercrime Today

IBM receives upward of 35 million malicious spam messages per day in our spam traps. Using high-speed machine-to-machine technology and with full access to WHOIS data, we can block these messages. But organizations like IBM X-Force can also block or at least delay activity coming from domains associated with the individuals (or phone numbers, email addresses or physical addresses) aligned with these spam messages.

That’s how IBM X-Force identifies and blocks nearly 1.3 million malicious domains per month. This information is shared globally — with other cybersecurity investigators, governments and even law enforcement — for the legitimate purpose of cybersecurity protection and to better protect users everywhere. Without WHOIS data, IBM X-Force analysts predict it might take over 30 days to detect malicious domains by other methods, leaving organizations at the mercy of cybercriminals during that period.

Also, it is important to understand how attacks are often launched. Organized criminals — and that is exactly who is behind an estimated $600 billion annual cybercrime business — invest heavily in buying legal and illegal email lists. They also purchase spam and phishing kits on the Dark Web. They then purchase not a few, but literally thousands of domain names at a time — domains that, at a glance, may look quite legitimate.

Then they do nothing for a period of time, possibly months, simply watching and noting if security filters block any of the domains. Once they feel their fake domains are largely perceived as legitimate, they strike, unleashing millions of illicit emails. They closely monitor click-thrus, which usually follow a pattern of high clicks followed by increasingly fewer successful click-thrus as spam and other filters begin limiting their effectiveness. After as little as a few hours, they shut down the operation and assess their “take.”

With the proper WHOIS data, IBM X-Force, as well as private, legitimate security researchers, can essentially “map” the malicious domain information to other fake domains by blocking any domains opened by the same person or with the same phone number or same email address. Cybercriminals routinely reuse such data because it is too costly to buy thousands of phones with unique phone numbers or to establish thousands of unique email address. This cyber cross-referencing is highly successful at stopping or greatly limiting the overall damage of the attack by limiting the amount of time the attack can take place.

Many Calls for Restraint

Opposition to these fundamental access changes to the WHOIS database and calls for a “cooling-off period” have come from many quarters. Included among these voices is Secretary Wilbur Ross, Department of Commerce, who specifically noted the importance of “preserving quick access to domain name registration… needed for intellectual property rights enforcement, cybersecurity and law enforcement.”

Additionally, the U.S. Chamber of Commerce, in a recent memorandum, minced few words in praising the security benefits of broad access to WHOIS data while sounding warnings of probable impact due to proposed changes to that access.

“Legitimate public access to the [WHOIS] database has proven crucial to effectively identify, prioritize and allocate resources to the policing of malicious and unlawful activity on the Internet,” the memorandum stated. “If access to the database is eliminated, there will be a significant rise in cyberattacks and fraudulent online activity without any ability for law enforcement, cyber researchers, companies or consumers to respond or remedy. An assurance of forbearance of enforcement or an interim ‘self certification’ solution, preserving this access to qualified users with appropriate safeguards, is necessary.”

Others Chime In

Security expert Brian Krebs is another leader in the call for temporary reconsideration of the GDPR rules regarding WHOIS data.

“I have worked the majority of my professional career to expose those who are doing the spamming and scamming,” Krebs articulated. “I can say without hesitation that an overwhelming percentage of that research has been possible thanks to data included in the public WHOIS registration records.”

Some suggest that this change will not have a material impact as qualified investigators can take legal steps to access the owner’s information. This is not practical in an automated cyber protection environment when security attacks often begin, do all of their damage, and conclude in a few minutes or hours. More time is needed to develop a solution that would appropriately calibrate privacy interests with the need to access this information for cybersecurity research purposes.

Conclusion

The time is now for security professionals globally to contribute to the conversation regarding the unintended consequences of interpreting the GDPR to restrict access to WHOIS data in cybersecurity research contexts. Preserving the resiliency, transparency and accountability of the internet is key, given the national and economic security issues that could result.

A fuller meaningful dialogue is needed and short- and long-term solutions must be developed and proposed. Industries and regulators need to find a path to both protect privacy and give the security community access to the data we need to stay ahead of the threat actors — but we’re running out of time to put it into action.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

Caleb Barlow

Vice President - IBM Security

Caleb Barlow is an accomplished security professional and Vice President at IBM Security, where he leads IBM's Threat...