The Financial Times today published my point of view on why I believe we need increased international attention on advancing high cybersecurity standards for what I believe is an essential component of today’s Internet: the global domain name system (DNS). Today’s DNS plays a unique and critical role to the functioning of the Internet because it serves as a global address book translating names we know (domain names, like amazon.com) into online addresses computers can recognize (IP addresses, like 220.127.116.11). This process enables the successful routing for trillions of daily data requests, communications and online transactions initiated by millions of Internet users around the world.
For years, hackers have abused the registration process to obtain new domain names which they then use to orchestrate cyber intrusions. More recently, security researchers revealed that a previously unknown hacker group carried out a series of attacks on government agencies in 13 countries by redirecting agency computers to hacker-controlled servers through the manipulation of Domain Name System (DNS) infrastructure. News reports from earlier this year have also indicated manipulation of DNS infrastructure in Venezuela (likely by the Maduro government) to redirect users attempting to access an opposition humanitarian aid website to a malicious page.
The infrastructure supporting DNS is maintained by a number of core companies that administer Internet domains, register new domain names, and host DNS lookup services allowing us to translate domain names into IP addresses. If attackers can hijack an existing customer domain at any of these companies, they can also reroute email and web-based communications, obtain confidential information and disrupt communications. And if they are able to compromise administrative infrastructure for DNS service providers themselves, they can cause potentially massive chaos, including for entire government and military domains.
Likewise, distributed denial of service (DDoS) attacks can degrade large segments of Internet traffic. Ecuador experienced a wave of DDoS attacks after the arrest of WikiLeaks founder Julian Assange that reportedly took a number of government, banking, and related sites offline, and DNS infrastructure presents an attractive target for these kinds of attacks. In 2016, attackers used a wave of Internet-enabled devices to target Dyn, a U.S.-managed DNS service provider, effectively removing it from the Internet.
I believe these recent alerts and attacks highlight an under-appreciated cyber security vulnerability in the global DNS system. DNS was invented so early in the development of the Internet (1983) that the issue of security wasn’t part of the original thought process.
Two years ago, the Global Commission on the Stability of Cyberspace, which I co-chair, called on state and non-state actors to forbear from attacking the integrity of the public core of the Internet. We now need concerted action to address the risk to essential DNS infrastructure and reduce the opportunity for bad actors to disrupt services critical to the way we communicate and trade today.
How do we move towards a more resilient DNS ecosystem? As I write in the Financial Times, an effective model must contain three elements. First, a risk-based cyber security approach that successfully defends core DNS infrastructure despite attempted attacks. Second, a proactive strategy to mitigate unauthorized DNS account takeovers and new illicit domain registrations. And third, a trusted relationship between DNS providers and law enforcement agencies, which would allow police to carry out lawful investigations and curb misuse of the system.
On the first element, key features of a defensive architecture for DNS providers should include:
- Risk-based, tested security measures, aligned to an authoritative security framework like the NIST Cybersecurity Framework, that block bad actors with an initial foothold inside a DNS provider from moving laterally and obtaining “keys to the kingdom” credentials (think strong internal access controls and segmentation) plus high-performance tools and well-trained teams to rapidly detect and respond to security incidents.
- Strong system, data and network redundancies to restore system availability and ensure resiliency.
- To mitigate DDoS risk as volumetric attacks grow to Terabit-per-second scale (as seen in the Dyn attack), ensure that critical DNS infrastructure has sufficient capacity to absorb attacks and also incorporates globally distributed mitigation facilities positioned to protect against attacks close to their sources to avoid collateral damage along the backbone of the Internet.
Even where DNS providers themselves are not breached, bad actors can still stand in the shoes of legitimate DNS customers through password cracking and other means (leading to potential website and email administrative account takeover of that customer). To mitigate such abuses, DNS providers should provide both robust customer authentication measures, plus continuous monitoring to identify abusive registrations and compromised domain names.
Effective cooperation with law enforcement is also a key component of defending against abusive domain name activities—ideally, information provided by security and law enforcement organizations should inform DNS administrators’ monitoring of internal and external data sources for abusive behavior. Conversely, DNS infrastructure providers can serve as critical partners to law enforcement in investigating and disrupting the abusive use of DNS for phishing, malware distribution, and other illicit activity.
Good work is already under way internationally to advance greater collaboration between governments and industry in managing cyber risk. The Organization of American States, for example, recently unveiled a set of best practices for protecting critical infrastructure in Latin America.
Governments and industry need to build on such efforts by working together to advance a secure-DNS agenda. This could include consideration of differing mechanisms — regulation, self-regulation, procurement processes, and liability limitations, for example — as incentives for meaningful investment.
For instance, countries might agree that the process for awarding contracts to DNS providers, particularly for administration of sensitive top-level domains, such as .gov addresses, should include the application of meaningful security standards. Likewise, to offer further incentives to invest, governments should consider limiting liability for providers whose security effectiveness can be validated independently.
What is most important, however, is we take action now before it is too late.
Michael Chertoff is executive chairman and co-founder of The Chertoff Group, a security and risk management advisory firm, and served as secretary of the Department of Homeland Security (DHS) from 2005-2009. He is the author of “Exploding Data: Reclaiming Our Cybersecurity in the Digital Age.”