GDPR, which will be enforced in just over a month’s time, may seriously hinder cybersecurity capabilities, according to some cybersecurity experts.
Well-known cybersecurity investigative journalist Brian Krebs has predicted a rise in ‘spam, phishing and just about every form of cybercrime’ due to GDPR’s impact on the WHOIS tool, which he described as the ‘single most useful tool’ for security researchers and experts.
Currently, the personal details, including name, contact details and address, of a person who registers for a domain name, are published online through the WHOIS service.
This service, which allows people to search databases to find the registered users of domain names and IP addresses, will soon be illegal due to the regulations.
This may be where Krebs and others take issue – by making it harder to access this information, it will become harder for security researchers to find out who is behind certain malicious efforts.
In particular, Krebs argues, the changes are likely to cause an increase in spam and scam efforts in emails.
Prediction: In a few months, the volume of spam, phishing and just about every form of cybercrime is going to increase noticeably. New privacy rules coming out of the EU are going to take away the single most useful tool available to security experts and researchers: WHOIS.
— briankrebs (@briankrebs) April 5, 2018
The organisation that oversees the domain name system, the Internet Corporation for Assigned Names and Numbers (ICANN), has failed to change its system and processes in time for GDPR, despite having two years to prepare for it, as reported by The Register.
After some significant back and forth between ICANN and European regulators, in which ICANN requested a special exemption and asked for suggestions on how to change the system, it was ruled late last week that the system will break the law under GDPR.
ICANN has come under some criticism for failing to ready itself for GDPR. Brian Chappell, Senior Director, Enterprise & Solution Architecture at BeyondTrust, said: “ICANN has been aware that the WHOIS system didn’t even meet the existing Data Protection Regulation for over five years but ignored the need to comply and is now faced with new legislation that carries big teeth.
“New registrants won’t be anonymous to law enforcement agencies but the transition period will hamper individual investigators until ICANN can provide access for accredited persons to the satisfaction of GDPR. This situation is a shining example of why GDPR cannot be ignored.”
Tomofumi Okubo, of DigiCert, said: “The internet community needs to think more like a security practitioner in the way it approaches WHOIS and GDPR compliance efforts. Addressing the needs for due care and due diligence may portend a brighter future for WHOIS, which looks a little murky right now.”
Other industry experts, however, argue that it is a small price to pay for the positives that GDPR brings. Steve Gailey, solutions architect at Exabeam, commented: “With any legislation, there will be unintended consequences, and with such a large scope and diverse jurisdictions it is bound to find some abuse of practices which are for the good of users and the Internet as a whole.
“On balance, it is a very good starting point, however, there is certainly work to be done and additional clarification needed in some areas.”