Several members of the US Congress called on the National Telecommunications and Information Administration (NTIA) on 21 September to do more to protect the privacy of domain registration information. US Senator Ron Wyden (D-Ore.) and US Representative Anna G. Eshoo (D-Calif.) led a group of lawmakers in criticizing the NTIA for not protecting the “highly sensitive” personal information used to register for .US domains. The records contain usernames, addresses, phone numbers and email addresses.
The US Congress members said it is “highly concerning” that NTIA has not directed its contractors administering .US domains to adopt any protections for this sensitive information since at least 2005. “The automatic public disclosure of users’ personal information puts them at enhanced risk for becoming victims of identity theft, spamming, spoofing, doxxing, online harassment, and even physical harm,” the lawmakers said in a letter to NTIA Assistant Secretary and Administrator Alan Davidson. They also wrote that “anonymity is a necessary component of the American right to free speech.” The NTIA did not respond to requests for comment.
The lawmakers claimed there was no reason for the information to be disclosed publicly, and suggested the agency automatically offer privacy free of charge upon registration. NTIA should also require users to provide affirmative consent “for transferring user data to third parties, including public disclosure,” the letter said.
According to the US lawmakers, government entities, including in the US, should be forced to seek a warrant to request access to .US user data, and users should be alerted if such access is granted. The letter argues that the government should set an example for the rest of the world by creating a “more secure and private system for registering internet domains through its control of .US.”
Alongside Wyden and Eshoo, Senators Brian Schatz (D-Hawaii) and Elizabeth Warren (D-Mass.) joined US Representatives Ted Lieu (D-Calif.), Sara Jacobs (D-Calif.), Zoe Lofgren (D-Calif.), Ro Khanna (D-Calif.), Tom Malinowski (D-N.J.), and Stephen F. Lynch (D-Mass.) in signing the letter.
The letter comes after several government agencies globally have highlighted domain cybersecurity as an area of concern in recent weeks, with domain registrars having been hacked in the past. A spokesperson for Wyden said that there was no international coordination on the announcements but noted that this has been a longstanding concern among privacy experts.
Last year, a .US advisory body asked NTIA for increased privacy among .US domains, the spokesperson noted. “In the broader ICANN [International Corporation for Assigned Names and Numbers] community, debates continue on how to protect privacy for domain name registrants,” the spokesperson said. “This letter signals that Senator Wyden and other privacy leaders want to ensure that the interests of folks that want access to this data do not trump the privacy rights of individuals registering domain names.”
In a parallel discussion on the same day, the Cyberspace Solarium Commission urged that, although “significant steps” have been taken to strengthen the country’s defenses against digital threats, that progress must be a “prelude” to further changes. “Even as we issue this progress report, we know that assessing implementation is not enough,” commission co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wisc.) wrote in the panel’s second annual assessment report. “Lasting improvements in national cyber resilience will take sustained attention, investment, and agility to address the ever-shifting threat landscape,” they added.[1]
The Commission report follows several actions taken by the executive branch and Capitol Hill to bolster the country’s cyber resiliency in the wake of major ransomware attacks, including on Colonial Pipeline, meat processor JBS and software company Kaseya, as well as the massive SolarWinds breach carried out by Russian hackers. Most notably, landmark cyber incident legislation became law, and just last week the first US cyber ambassador was confirmed.
The Commission made 116 policy recommendations in its original report and published six follow-on white papers. Of those, 33 have been implemented; 30 are close to implementation; 31 are “on track” in some fashion; 20 have experienced limited progress; and two suggestions, less than 2% of the overall figure, face “significant barriers” to becoming reality, according to the latest report.
US Presidential directives and the National Defense Authorization Act (NDAA) have become major vehicles for executing the group’s ideas, with the US House of Representatives version of this year’s bill containing a pair of key Solarium proposals.
The first would designate “systemically important entities” status to the most vital US critical infrastructure, requiring operators to enact strong digital security standards and share threat intelligence with the government in return for increased federal support. However, last week, a coalition of industry groups sent a letter opposing the idea, arguing it would create “programmatic redundancies” and that the information gleaned through the effort could lead to an “elevated risk of exploitation by America’s foreign adversaries.”
The second would create a “Cyber Threat Environment Collaboration Program,” a portal intended to increase data sharing among members of the Cybersecurity and Infrastructure Security Agency’s growing Joint Cyber Defense Collaborative — the organization’s public-private coordination hub that was relied on during the Log4j crisis. The Senate draft of the policy roadmap doesn’t contain either provision. Senate Majority Leader Chuck Schumer (D-N.Y.) on the 20th said the chamber would be in session next month and would take up its draft of the must-pass legislation then.
Yet two recommendations have faced so much pushback that the commission sees little hope of them being implemented anytime soon: creating congressional committees devoted to cybersecurity; and establishing liability of “final goods assemblers” of software and hardware for breaches and hacks resulting from the exploitation of known or unpatched vulnerabilities. “We urge readers to consider this report as a mid-course check, laying a path for the many stakeholders in government and industry charged with a task that we cannot afford to fail; protecting our national cybersecurity,” wrote King and Gallagher.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://therecord.media/cyberspace-solarium-commission-calls-for-sustained-investment-in-defense/