The act contains a loophole added late in the process that will impede progress toward the goal of increasing US cybersecurity: a complete carve-out of DNS from the reporting requirements and other obligations outlined in the bill.
During the past few years, we have witnessed an alarming increase in the volume and sophistication of cybercrime and cyberattacks. It is both understandable and necessary that the US Congress has taken measures to strengthen our country’s cybersecurity. The Strengthening American Cybersecurity Act of 2022, for example, was recently passed by the Senate and is currently in review by the House of Representatives. The cybersecurity community is pleased to see action by Congress on this important issue, but, unfortunately, the act contains a significant loophole added late in the legislative process that will impede progress toward the goal of increasing US cybersecurity: a complete carve-out of DNS from the reporting requirements and other obligations outlined in the bill.
The Domain Name System, of course, registers domain names and translates them into digital addresses that route traffic through the global Internet. DNS is at the heart of the Internet and represents the exact type of information that needs to be reportable to proactively protect our cyber assets.
For decades, DNS and the data concerning individuals and organizations that register and use domain names — known as WHOIS data — have been critical to law enforcement agencies and private cybersecurity companies to protect the US and its citizens from cyberattacks and cybercrime.
As stated in written testimony to Congress by the FBI Cyber Division in 2003, “Cyber Division investigators use the WHOIS database almost every day. Querying domain name registries is the first step in many cybercrime investigations. Anything that limits or restricts the availability of WHOIS data to law enforcement agencies will decrease its usefulness in FBI investigations …” This was true in 2003, and it is true now. In 2020, DHS reaffirmed, “Homeland Security Investigations (HSI) views WHOIS information, and the accessibility to it, as critical information required to advance HSI criminal investigations, including COVID-19 fraud.”https://3cbd666bd7a99cb268814510cf1f264b.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html
Despite the unambiguous statements from governments and law enforcement agencies expressing the critical importance of DNS and open and immediate access to accurate WHOIS data for cybersecurity, WHOIS data has essentially gone dark since May 2018. This can be traced to the enactment of policies put in place by the Internet Corporation for Assigned Names and Numbers (ICANN) as the organization attempted to comply with the European Union’s General Data Protection Regulation (GDPR). But GDPR applies to people, not to companies or governments. Yet nearly all useful registration data has been hidden — even the data not subject to GDPR. Read more:https://bit.ly/3jUrFSd
You can also read this: Biden Requests Nearly $11B for Federal Cybersecurity Spending