CONGRESS MUST ACT NOW!
On January 10, 2020, the President issued an executive order strengthening the economic sanctions against Iran. While the Iranian government announced that the ballistic missile attacks on Iraqi bases used by U.S. forces concluded their response to the killing of General Soleimani, increased tensions between the U.S. and Iran are expected to continue and Iran’s cyber capabilities will continue to pose a threat to U.S. interests. Director of National Intelligence John Ratcliffe said both Iran and Russia have obtained US voter registration information in an effort to interfere with the 2020 Presidential election. The Cybersecurity and Infrastructure Security Agency (CISA) recently announced the compromise of U.S. government agencies, critical infrastructure entities, and private sector organizations, most likely by Russia, beginning in at least March 2020. Recognizing those threats, the U.S. must ensure that it has the tools necessary at its disposal to defend itself – including access to WHOIS data.
WHOIS data is the registration information for who is behind a particular website. Much like public land and title records that demonstrate ownership of a physical location, WHOIS records had been publicly available since the inception of the Internet. WHOIS records have been used by law enforcement, cyber security experts and consumer advocates to identify malicious websites and either block, isolate or take additional action. Unfortunately, the recent, and overly broad, interpretation of the European Union’s General Data Protection Regulation (GDPR) has resulted in this information being redacted and going almost entirely dark. No longer can law enforcement or cyber security firms quickly identify registration information behind a website and link that information to other, potentially harmful websites.
Concerns around WHOIS information going dark have been well documented. In a survey of law enforcement agencies from around the world presented to the Public Safety Working Group at ICANN, 98 percent of respondents indicated that WHOIS information at least partially met their investigative needs prior to implementation of the EU GDPR. Since then, only 8 percent of those same respondents said that WHOIS still meets their investigative needs. At a 2019 briefing on Capitol Hill, Jason Gull, Senior Counsel in the Department of Justice’s Computer Crime and Intellectual Property Section said, “We are finding that WHOIS is turning into ‘WHO WAS.’ We have historical information about WHOIS from a year ago and that information is like having an old phonebook.” Other agencies, including the Food & Drug Administration and Drug Enforcement Administration, have also expressed their frustration with this resource going dark.
Russia, Iran, China and their surrogate forces are well-known to be expert cyber-warriors. In a very short period of years, cyber warfare has gone from being an element of science fiction to a grim reality. Because it is highly asymmetric (very few expert hackers can cause widespread effects) and deniable (forensic attribution is not easy), many experts believe that cyber will become a preferred method of attack and disruption that countries will use.
That is certainly true of countries like Russia, Iran and China. They have a history of using cyber tools effectively. In fact, several Iranians have been indicted in the U.S. justice system for their roles in cyber activities targeting America and American entities. In 2018, an investigation by FireEye (using registration data) discovered over 2,800 inauthentic social media accounts originating from Iran that were ultimately removed from social media platforms. These accounts were designed to impersonate U.S. political candidates and influence media campaigns involving Iranian interests.
Dealing with the WHOIS problem is vital, and the urgency to do so is only increasing. Unfortunately, by current estimates, regaining access to WHOIS by correcting the interpretation of the GDPR will take three years or more. Now is the time for Congressional leadership. Without WHOIS, our vulnerabilities will continue to persist and investigations into not only cyber-frauds and cyber-warfare, but drug cases, intellectual property cases and other problems will be hurt.
As was stated by the U.S. Department of Homeland Security in a July 16, 2020 letter to Representative Robert Latta, “HSI views WHOIS information, and the accessibility to it, as critical information required to advance HSI criminal investigations… Since the implementation of GDPR, HSI has recognized the lack of availability to complete WHOIS data as a significant issue that will continue to grow. If HSI had increased and timely access to registrant data, the agency would have a quicker response to criminal activity incidents and have better success in the investigative process before criminals move their activity to a different domain.”
Strengthening the cyber resilience of both public and private sector organizations is a matter of national security. We should expect that adversaries will continue to focus efforts to gather intelligence and cause disruptions through cyber-activities. For Congress and the Administration to ignore the WHOIS problem, or wait for the failed ICANN process to fix it, is turning a blind eye to an extremely serious risk to our nation. Congress needs to step in and address this vital weakness in our cyber defenses. Congress needs to enact WHOIS legislation now that will ensure that those who are protecting our national cyber infrastructure have all the tools they need to make America and the world more safe.
Trademark and Copyright Protection Strategist | Infringement Litigation | Content Takedown & Abusive Domain Removal |
4 years ago
Thank you for an excellent article Rick. You have summarized and provided perspective on a pivotal topic: whether government must intervene when a nonprofit corporation with limited funding is charged with the herculean global task of protecting the world’s most strategic databases. And while ICANN has worked hard to keep its policy-making processes open and transparent, EU government policies have forced database view and access to become more and more opaque. As for your comparison with public land and title records, it will be a great moment indeed for businesses and consumers when domain name registration is empowered to enforce as much authentication and verification as the county recorder’s office or the local DMV.