GDPR Compliance Issues Could Cause WHOIS Directory to Go Dark
WHOIS service in jeopardy as EU authorities reject ICANN’s interim solution to GDPR compliance for vital “internet phonebook”

The deadline for compliance with the EU’s General Data Protection Regulation (GDPR) is fast approaching, and an astounding number of organizations are woefully unprepared to meet it. A new survey of IT decision-makers by Crowd Research Partners found that a whopping 60% of organizations will likely miss the GDPR compliance deadline of May 25, 2018, even though 80% of respondents listed GDPR compliance as one of their organization’s top three priorities. A closer examination of the findings paints an even grimmer picture:

  • Only 7% of respondents reported having already achieved GDPR compliance.
  • 28% of respondents hadn’t even begun working toward the May 28 GDPR compliance deadline.
  • 43% of respondents cited an internal skills gap as a stumbling block to GDPR compliance, while 40% blamed budget issues.
Among these organizations is ICANN. Yes, that ICANN, the non-profit organization responsible for IP address space allocation, DNS management, and other duties that ensure the reliable, stable operation of the internet.

EU Authorities to ICANN: Achieve GDPR Compliance or Else

At issue is the WHOIS directory, which acts as a sort of “internet phonebook” and contains the personal identifying information (name, address, phone number, etc.) of everyone, whether a person or an organization, who owns a domain name. As it currently functions, WHOIS is in violation of the GDPR, and ICANN has admitted that it won’t be able to make WHOIS GDPR-compliant by the May 25 deadline – despite having had two years to come up with a solution. ICANN has proposed an interim solution it calls “The Cookbook,” but EU authorities have found it severely lacking.

The ongoing debacle has put the future of WHOIS into jeopardy. Barring a major development, the service may become fragmented or even go completely dark on May 25, a prospect that has put IP attorneys, cyber security experts, and law enforcement agencies, who depend on WHOIS to enforce intellectual property rights and track down cyber criminals, on edge.

ICANN is pleading with European data authorities for an extension, but many experts doubt one will be granted. ICANN has had two years to prepare for the GDPR; additionally, the EU has been sending it written warnings about WHOIS violating other European data privacy laws for at least six years. Instead of preparing for the inevitable, ICANN chose to sit on its hands.

Is Your Organization Prepared for the GDPR?

Organizations that violate the GDPR face fines of up to 20 million euros (approximately $24.6 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The stakes are incredibly high, and the time left to prepare is critically short.

Find out where your organization stands right now. Click here to take Continuum GRC’s free GDPR readiness assessment and download your report today.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Best Practices to Prevent Supply Chain Cyber Attacks

Hardware & Software Supply Chain Cyber Attacks Pose Significant Threats
Due to globalization and outsourcing, enterprise supply chains are more intricate than ever. Most products are no longer manufactured by a single entity. Materials, components, and even finished products pass through many hands before reaching end users. Additionally, most companies have multiple third-party business associates providing everything from office supplies to cloud storage; the largest enterprises may have thousands of these vendors. While enterprises have long been on guard against the possibility of physical product tampering or counterfeiting, many companies are still not cognizant of the scope of supply chain cyber attacks.
Supply chain cyber attacks can involve hardware or software. According to NIST, some of the most common threats to the cyber security of the supply chain include:

  • Third-party vendors – anyone from software engineers to janitorial providers – having physical or virtual access to information systems.
  • Lower-tier business associates with poor cyber security practices.
  • Compromised software.
  • Hardware that has been compromised by malware or that is counterfeit.
  • Unsecure supply chain management or supplier system software.
  • Data aggregators or third-party data storage.

Cyber criminals are increasingly hacking legitimate software updates. A recent study by Symantec found that this type of supply chain cyber attack surged by 200% in 2017. One of the most infamous examples is the NotPetya malware, which was spread through a compromised update of a popular accounting software package.

While supply chain cyber attacks are a threat to all industries, the problem is especially acute in the healthcare industry, which is rapidly implementing IoT devices. At any one time, the world’s hospitals are running up to 80,000 exposed devices, and these devices can be attacked at numerous points on the supply chain.

The U.S. government is also vulnerable to supply chain cyber attacks; for this reason, the FCC has drafted a proposal that would prevent telecoms from using Universal Service Fund money to purchase hardware manufactured by companies that “pose a national security threat to United States communications networks or the communications supply chain,” noting that compromised equipment could “provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more.”

Preventing Supply Chain Cyber Attacks

Proactive supply chain risk management is key to preventing supply chain cyber attacks. Here are some examples of best practices:

  • Know your organization’s vendors. Often, the purchasing and accounting departments are well-versed in a company’s supply chain ecosystem, but cyber security personnel are left in the dark.
  • Establish specific security metrics for your vendors to adhere to, and include them in every RFP and contract. Don’t forget about physical as well as technical security controls; e.g., measures taken to ensure that hardware is not physically tampered with.
  • Institute no-tolerance, “one strike and you’re out” policies for vendors who provide products that are found to be counterfeit or fall short of security specifications.
  • Tightly control hardware component purchases. Unpack and thoroughly inspect all components purchased from vendors that are not pre-qualified.
  • Tightly control vendor access to your hardware and software. Limit software access to as few vendors as possible. Limit hardware vendors’ access to mechanical systems only, with no access to control systems. Authorize and escort all vendors while they are on your premises.