White House pushing for research carveout in GDPR
The White House is hoping to convince European regulators to protect security researchers in their General Data Protection Regulation so they can continue to scrape data that’s relevant for data breach and botnet investigations, according to White House Cybersecurity Coordinator Rob Joyce.
GDPR, which requires companies with European customers to have numerous data protections in place, goes into effect May 25, 2018. The law will have a significant impact on the billion-dollar cybersecurity industry, but some of its privacy provisions could have a negative effect on security researchers’ work.
One of the more concerning developments revolves around access to data published by the Internet Corporation for Assigned Names and Numbers (ICANN). Whenever a domain name is registered, ICANN requires information such as a name, IP address and physical address to be submitted. While these details are sometimes forged, that information can provide clues about a cyberattack.
ICANN stores all of this data in a record archive known as WHOIS. With the way GDPR is currently written, ICANN may scrub aspects of WHOIS, thereby making it less useful to security researchers.
Security professionals have criticized the impending change. In an interview with independent cybersecurity journalist Brian Krebs, Gregory Mounier, head of outreach at EUROPOL’s European Cybercrime Center, said that “the new WHOIS plan could leave security researchers in the lurch.”
“Let’s say you’re monitoring a botnet and have 10,000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore,” Mounier told Krebs.
Joyce said Tuesday at a cybersecurity conference in Annapolis, Maryland that he was also concerned by the chilling effect that GDPR may have on some cybersecurity research projects and investigations.
“We share some of your concern that some of the internet metadata that lets us hunt threat actors and which enables businesses to understand where the threats originate may be affected by GDPR,” said Joyce. “We are actively attempting to push back and fix or create a carve-out in the regulations for GDPR … we think there’s room and time to get the ICANN records exempted from it.”
The Department of State is the lead U.S. agency in contact with the European Commission’s working group regarding GDPR compliance negotiations.
“Multiple other international partners have raised this same concern,” Joyce added. “It resonates with us and as we engage with the EU we’re looking to make sure that there’s an effort to secure cyberspace. And taking away one of the tools for detection doesn’t line up.”
The State Department did not respond to a request for comment.