Home Affairs Committee
Written evidence submitted by Nominet [EC 16]

Introduction

Nominet is the internet registry for the .uk country code top-level domain (ccTLD). With over ten million registered domain names, we are the second largest country-code top-level domain. We are an SME with a turnover of around £25 million and we employ around 140 people. Nominet operates on a not-for-profit basis with a constitution that requires that we act for the public benefit.

We interpret our public benefit constitution as requiring us to provide a secure and resilient internet service to ensure the smooth running of the .uk namespace. More broadly, working with others, we seek to raise awareness of risks to the internet and promote measures to reduce these risks. This means in practice:

Monitoring the large amount of traffic we process for signs of abuse, such as Distributed Denial of Service (DDOS) attacks or the distribution of malware and spam, and, where appropriate, sharing these indicators of abuse with other industry partners.

When asked to do so by law enforcement authorities, suspending .uk domains associated with criminal activity.

Raising awareness amongst businesses and end-users through targeted promotional campaigns and education initiatives, in particular through our dedicated information portal, “Know the Net”.

Through our charitable foundation the Nominet Trust, providing funding for community-level partnerships and initiatives such as the e-Crime reduction partnership in South Wales.

What do we mean by “e-Crime”?

e-Crime covers a broad territory, and some of the confusion in the debate results from people using the term to mean different things, which present different enforcement challenges and require different combinations of actors to work together to address the issue. For us e-Crime is a subset of cyber-crime and distinct from issues such as espionage, “hacktivism” and cyber-terrorism. On this definition, the key feature of e-Crime is that the attacker receives some direct monetary benefit. Therefore in this response we focus on the common forms of criminal conduct that we encounter falling within that definition, and not on issues such as cyber-terrorism or mass infringement of private rights through, for example, online copyright infringement.

Very little e-Crime constitutes entirely novel forms of criminal behaviour. In most cases, e-Crime is the adoption of new technology to perpetrate types of crime with a long history. For instance, Nominet is called upon to act where .uk domain names are associated with sale and distribution of counterfeit goods and illegal pharmaceutical products.

An area of increasing concern is the use of new technology to distribute viruses and malware. The purpose of distributing viruses and malware is often to facilitate other forms of crime, such as to harvest personal data with a view to perpetrating large-scale identity theft or to facilitate fraud.

How well is the “e-Crime” problem understood by policy-makers?

In general the UK Government has been in the forefront of nations seeking both to identify e-Crime risks and respond to them effectively. The National Cyber Security Strategy published in November 2011 was in our view a thoughtful and comprehensive overview of the issues and the actions for both Government and others that it contained were reasonable and realistic. In particular we welcome the Government’s recognition that, because the nature of e-Crime itself can change very rapidly (for instance as a result of technology shifts), a partnership approach with members of the internet industry is critical to ensure flexibility to address future threats.

However, at the level of policy-making below this an on-going concern for us is the ownership of responsibility for e-Crime (in all its different manifestations) within Whitehall. Despite the best efforts of Ministers and officials to create a coherent and joined up approach, Nominet has not always found it easy to determine where policy leadership on specific questions lies. This problem has been exacerbated by the transfer of some aspects of internet policy from BIS to DCMS.

Over the past 12 months we have had e-Crime and cyber security related interactions with each of DCMS, BIS, Home Office, Ministry of Justice, Cabinet Office, the Foreign Office and Department for Education, as well as GCHQ, CPNI, CSOC, Ofcom, the Intellectual Property Office, Information Commissioner’s Office and the Law Commission. Each of these interactions has arisen from laudable and important policy objectives, but simply keeping track of the plethora of policies and initiatives is a significant task.

This busy policy environment is becoming further complicated by the steady accretion of powers and responsibilities in e-Crime related fields by EU institutions. E-Crime is by nature a cross-border phenomenon, so in principle more effective collaboration at EU and indeed global level is to be welcomed. However, the full nature and extent of EU competence in this area, and how this interleaves with national efforts, remains somewhat unclear. There is some risk of duplication of effort and there is further risk regarding the EU’s more mandate-focused approach compared to the UK’s cooperative and voluntary approach.

This is a particular issue in relation to the reporting of security incidents and the sharing of information and intelligence across Member States. Commissioner Kroes has made clear that she will seek to introduce mandatory incident reporting requirements on a range of industries, but we would agree with the position taken by the Government that legislating in this way should be a last resort and that a cooperative non-regulatory approach may produce better results in the long term. In particular we believe in the importance of embedding risk management and preparedness in corporate culture rather than a compliance based approach which will always tend towards minimised standards.

Effectiveness of Current Law Enforcement, Legislative Capabilities, Gaps

As regards UK-specific enforcement capabilities, the agencies that have been most active in pursuing e-Crime include SOCA, PeCU, the MHRA and Trading Standards. We welcome the proposed formation of an e-Crime specialism in the new National Crime Agency which should build on the useful experience in tackling e-Crime already gained by these existing agencies.

For our part, consolidating e-Crime enforcement in the NCA is an opportunity to establish a clearly-specified crime reduction strategy. This should include identifying which forms of e-Crime cause the greatest harm, what tools are appropriate to tackle the problem and how partnerships with other actors to take effective joint action should be structured.

Nominet is particularly interested in this because of the rising volume of requests we are receiving from law enforcement agencies to suspend .uk domains associated with criminal activity. At present we will typically be asked to suspend a domain based on evidence held by the agency concerned that the domain is associated with a criminal activity—for example, counterfeiting or sale of unlicensed medicines. The Agency in question does not need to have proven in a court that a crime has been committed in order to notify Nominet that it believes that the domain name is being used to commit a crime.

The making of these requests, and our response to them, is a purely administrative arrangement that has no statutory underpinning. In effect Nominet is being asked to co-operate with law enforcement as an administrative matter, and to assess whether for instance a domain name complies with our terms and conditions. Law enforcement agencies may however point out to Nominet that were we to refuse to act when in receipt of actual knowledge that a crime has been committed on a .uk domain, we could ourselves be committing a criminal offence under the Proceeds of Crime Act.

In practice, the level of information presented to us varies. We encourage agencies to channel requests through a handful of law enforcement agencies with whom we have an established working relationship. In principle though, any body with law enforcement responsibilities could approach us with a request, based on minimal evidence, and expect us to comply with it. Hitherto such requests have generally been made in relation to relatively straightforward cases of criminal conduct, and we have generally found that the domain holder is indeed in breach of Nominet’s own terms and conditions. However, in theory we could be asked to suspend domains on the basis of criminal conduct whose nature is inherently more problematic, for instance where freedom of expression issues are engaged.

In response to this, Nominet has been seeking to develop an abuse policy which codifies the approach that we will take when we receive such requests. We hope to publish this for consultation in the coming year. Obviously such a policy cannot constrain the behaviour of the agencies themselves but can only describe how Nominet will seek to act. Hence in our view the need for the NCA to seek to develop its own matching processes for making such requests, and then applying these processes across the board in a consistent fashion.

Many stakeholders would go further and suggest that the law itself needs to be amended so as to create a clear legal framework for the making of suspension requests, possibly including court oversight of the process. It is hard for Nominet to determine the materiality of this issue from a wider perspective because we do not know what level of requests the NCA and other agencies might make in the future. It is worth noting though that domain suspension or seizure is an increasingly popular mechanism for US law enforcement agencies, who have “seized” multiple thousands of domains in single operations. Were the Government and/or the NCA to come to the view that domain name seizures are an essential mechanism for preventing or disrupting e-Crime, then the legal basis for these requests should be placed on a more robust footing than it is at present.

Information Sharing

As noted, we make efforts to share information with other parts of industry and the UK Government on cyber-crime threats. Increased government involvement with trusted parties involved in network and information security—in particular in sharing information—would be welcome. Such involvement is best through cooperation and partnership. The speed of innovation, the transnational nature of the internet and the number of organisations involved in assuring the successful operation of what was designed as a distributed network requires a cooperative, rather than a centrally coordinated, approach.

It is important to note however that the overriding consideration in making information sharing networks work is the ability of participants to trust each other. It is for this reason that the “CERT” (Computer Emergency Response Team) model has resulted in a plethora of CERTs for different industries, and indeed, different parts of government. We believe that the Government’s approach to CERTs has demonstrated a good understanding of the role that trust plays in making them work. The European Commission’s occasional suggestions for an EU-wide CERT and mandatory information sharing would in our view encounter some problems in creating the necessary levels of mutual trust and confidence. Private sector participants in particular will need very robust assurances about the use to which incident data is to be put by others in any pan-EU CERT network.

Online Safety and Awareness-Raising

The National Cyber Security Strategy rightly focuses on the need for promotional effort to be expended on raising awareness of risks and on empowering businesses and communities to protect themselves against e-Crime. We welcome the steps the Government has already taken in this direction, but it will be a continuing challenge over a number of years as the public and businesses develop a culture of technology and information security.

In 2008 Nominet established the Nominet Trust, an independent charity which supports initiatives that harness the internet to stimulate positive social action at a grass-roots level. To date Nominet has contributed £26 million to the Trust. The Trust has funded a number of projects relating to e-Crime including a significant piece of research by Professor Mike Levi and Dr Matthew Williams from Cardiff University’s School of Social Sciences which was published last September.

As well as supporting research and community action through the activity of the Trust, we have also sought to develop accessible online resources that help raise public awareness through our “Know the Net” website. Given the need for long term cultural change in how we think about our privacy and security, we believe it is important to avoid an alarmist approach to consumer education and awareness. Headlines about cyber criminals victimising millions of people can make it seem that the ordinary consumer is powerless, thereby encouraging apathy rather than sensible precautionary measures.

Our Know the Net campaigns use engaging materials to educate users about simple practical measures that they can take to lower the risk of them becoming a victim of e-Crime. Three specific examples are worth mentioning:

Online scams: “ThreatTest”

Based on findings that suggested that more than half of the UK population has been targeted by online scams, we commissioned research to better understand the profile of online scam victims. We found that women between the ages of 25 and 34 were most at risk. In response we launched an online “ThreatTest” tool, which has to date been used by more than 28,000 people. It provides some important common sense tips to help reduce personal exposure to online scams.

Obeying the law online: “Accidental Outlaw”

Our research found only 44% of people could correctly identify what online activities were illegal. The top risks identified were misuse of copyrighted content (particularly music), discussing or publishing details relating to a super injunction, and defamation of other people using social media.

In response we launched the “Accidental Outlaw” test—more than 22,000 have taken it already. This allows users to check their own understanding of how the law applies online and learn about areas they are unsure of.

Mobile Security: “In The Dark”

Recognising that many people now use smartphones and tablets every day as their principal means to access the internet, our research showed that only 54% could correctly answer questions on device security. The research also showed that 43% of users do not have basic security measures such as anti-virus software, remote wipe facilities in case their device is lost or stolen, or the latest version of their operating system installed, and 31% did not know how to protect their mobile device. 21% of 16–24 year olds reported that they had been “phone jacked”, putting them at risk of data and ID theft.

In response, we launched the “In the Dark” tool for users to test their own mobile security knowledge—almost 5,000 have used it already.

Security of the Domain Name System

Although this is not a specific line of inquiry in the Select Committee’s call for evidence we thought it would be useful to provide some background about Nominet’s primary responsibility, the functioning of the .uk Domain Name System (DNS).

How the DNS works

The DNS goes back to the establishment of the internet as a distributed network of connections between geographically diverse computers. Internet addresses are written as a string of numbers known as “IP addresses”, which tell computers the location of the data they are trying to find on the internet. The DNS was created to replace the IP address with letters and words in order to make the system usable. For example, it is much easier to remember www.bbc.co.uk than 212.58.244.68, which is the IP address of the BBC’s website.

However, in order to allow a computer to know that the domain name www.bbc.co.uk relates to the IP address 212.58.244.68, there has to be a place where this can be looked up. All top level domains (eg “.uk” or “.com”) are incorporated in the “root zone file”, the ultimate, authoritative database of the global internet. This is managed by the Internet Corporation for Assigned Names and Numbers (ICANN), which operates this function under an arms-length contract with the US government. A DNS search comprises two stages of lookup. Firstly, the domain name is looked up on the “registry”. Each top level domain on the internet has a registry where domain names can be looked up, and Nominet is responsible for running the registry of all domain names that end with .uk. The registry does not actually contain the IP address of each domain name; instead it holds the IP address of the “nameserver” used by the user of the domain name. This allows a computer to contact the nameserver and identify the IP address of the server it is looking for.

Potential Vulnerabilities of the DNS

The DNS was developed for a small network of trusted connections between computers. The benefit of the system is that it is easily scalable and has extended to cover the hundreds of millions of domain names that are now registered around the world. However, the system does have some potential points of vulnerability.

One feature of the DNS is that the servers of registries have to handle millions and sometimes billions of requests to identify nameservers every day, and the nameservers in turn have to handle large numbers of requests to turn domain names into IP addresses. This requires a significant amount of computing power and highly robust systems to ensure that a response is always provided, and that it is provided in a fraction of a second. The DNS can be exploited by hackers, criminals and “hacktivists” to launch Distributed Denial of Service (DDOS) attacks. A DDOS attack attempts to flood the victim IP address or server with so many requests that the servers become overloaded and slow down or fail to provide a response. The result is that no one is able to use the system, for example to view the website or get email through to the domain name under attack.

Another weakness of the DNS is that it relies on the veracity of the information provided in response to a DNS query. “Cache poisoning” attacks take advantage of the fact that internet service providers will use a server on their own network to cache common queries from their users, such as facebook.com or bbc.co.uk, rather than repeatedly send a DNS request to the registry every time the address of bbc.co.uk or facebook.com is requested. This caching mechanism manages the amount of traffic the ISP and the registry have to contend with and provides faster response times for users. Unfortunately, there is no validation of who has provided the information in regular DNS, so in a “cache poisoning” attack incorrect information is inserted into the ISP’s cache server in order to direct traffic to a source other than the intended one, for example to obtain login credentials or to cause reputational damage to an organisation.

Defending against these vulnerabilities

As outlined above, the most important response to these types of attacks on the DNS is to take steps in advance to prevent or limit the effectiveness of such attacks. Nominet’s systems are highly robust and resilient, utilising physically diverse and geographically diverse infrastructure to maintain the reliability of the .uk DNS. We also have sophisticated monitoring techniques to identify patterns of traffic that may indicate an attack or malicious activity. In addition there is clear value in the sharing of information and cooperation between businesses and governments. When an attack is identified, swift action by registries, ISPs and other network providers can limit or mitigate the threats.

We have also been active in encouraging the deployment of the DNSSEC security standard, which is designed to prevent cache poisoning by attaching a cryptographic digital signature to the responses that pass from the registry to the DNS cache, so that messages between systems can be verified and form a “chain of trust”. DNSSEC is not a silver bullet to solve e-Crime issues, but it does mitigate a vulnerability in the original architectural design of the internet that has been exploited by attackers in the past. Particularly for high-risk domains such as those for governments, financial institutions and large-scale e-commerce websites, it can add an additional layer of security.
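The following is an added illustration, not Nominet’s code, of the two-stage lookup described under “How the DNS works” and of why a cache that validates signatures (as a DNSSEC validating resolver does) resists the cache poisoning described above. All zone data is constructed, the addresses are from documentation ranges, and an HMAC stands in for DNSSEC’s public-key signatures so the example runs offline.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample data, not real DNS records. Stage 1 ("registry"): the
# .uk registry holds the IP of the nameserver for a domain. Stage 2
# ("nameserver"): that nameserver holds the final IP for each hostname.
REGISTRY_UK = {"example.co.uk": "192.0.2.53"}
NAMESERVERS = {"192.0.2.53": {"www.example.co.uk": "198.51.100.10"}}

# Stand-in for the DNSSEC chain of trust: a single key the validating cache
# trusts for this zone. Real DNSSEC uses DNSKEY/RRSIG records verified up to
# the root; an HMAC is used here only so the demo is self-contained.
ZONE_KEY = b"constructed-demo-key"


@dataclass
class Answer:
    name: str
    ip: str
    sig: bytes  # empty for an unsigned answer, as in plain DNS


def sign(name: str, ip: str, key: bytes = ZONE_KEY) -> bytes:
    """Signature over the name/IP pair, computed by the zone operator."""
    return hmac.new(key, f"{name}={ip}".encode(), hashlib.sha256).digest()


def authoritative_lookup(name: str) -> Answer:
    """Two-stage lookup: registry gives the nameserver, nameserver gives the IP."""
    domain = ".".join(name.split(".")[-3:])  # www.example.co.uk -> example.co.uk
    ns_ip = REGISTRY_UK[domain]               # stage 1: registry
    ip = NAMESERVERS[ns_ip][name]             # stage 2: nameserver
    return Answer(name, ip, sign(name, ip))


class CachingResolver:
    """An ISP-style cache. With validate=True it refuses to store any answer
    whose signature does not verify, which is the DNSSEC mitigation."""

    def __init__(self, validate: bool):
        self.validate = validate
        self.cache: dict[str, str] = {}
        self.rejected = 0

    def accept(self, ans: Answer) -> bool:
        """Offer an answer to the cache; returns whether it was stored."""
        if self.validate and not hmac.compare_digest(ans.sig, sign(ans.name, ans.ip)):
            self.rejected += 1
            return False
        self.cache[ans.name] = ans.ip
        return True

    def resolve(self, name: str) -> str:
        """Serve from cache when possible; otherwise do the authoritative lookup."""
        if name not in self.cache:
            self.accept(authoritative_lookup(name))
        return self.cache[name]


if __name__ == "__main__":
    # An unsigned answer carrying the wrong IP, constructed for the demo.
    bogus = Answer("www.example.co.uk", "203.0.113.9", b"")
    plain, validating = CachingResolver(validate=False), CachingResolver(validate=True)
    plain.accept(bogus)
    validating.accept(bogus)
    print("plain cache answers:", plain.resolve("www.example.co.uk"))
    print("validating cache answers:", validating.resolve("www.example.co.uk"))
```

The plain cache serves whatever it was last told, while the validating cache discards the unsigned answer and falls back to the authoritative two-stage lookup.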

Potential Developments in the .uk DNS

Nominet recently conducted a consultation exercise on the introduction of a new domain name service in the .uk domain space. At present, .uk is organised under a hierarchical structure in which consumers and businesses register at the third level, such as example.co.uk or example.org.uk. From time to time, Nominet has been asked why it is not possible for consumers or businesses to register at the second level, such as example.uk. This would mirror the simpler structure of .com and most other country code Top Level Domains.

Our consultation proposed the introduction of a new, second-level structure that we referred to as direct.uk, sitting alongside the existing .co.uk, .gov.uk and so on. We proposed the inclusion of additional security features into the new service that would enhance end-user trust and hence make the product particularly attractive to those wishing to trade online. The security features we proposed included an obligation to implement the DNSSEC security feature, the provision of a malware scanning service, stricter procedures for validating data provided by registrants at the point of registration, and a “Trustmark” that the registrant could use on their website. We also proposed to restrict eligibility to companies with a UK presence, as this gives the customer some comfort that UK consumer laws would apply to transactions from the site in question.

Our consultation has received a very high response rate with around 1,000 responses alongside many views submitted by phone, email and in public meetings we held around the country. It was clear from the consultation responses that there was not a consensus of support for the direct.uk proposals as presented. Although shorter domains (eg nominet.uk rather than nominet.org.uk) were considered desirable, many respondents felt that the proposed release mechanism did not give enough weighting to existing registrants, and could lead to confusion if they could not obtain the corresponding domain.

The objective of raising trust/security was welcomed, but many disagreed with the proposed approach, suggesting that standards should be raised across the whole of the namespace. There was significant support for the introduction of address validation for registrants; though some would like us to go further than that and others would like us to carry out the validation process differently. We have published a summary of the consultation responses and analysis of the consultation data on our website.[1]

Based on the feedback we received we are going to explore whether it is possible to present a revised proposal that meets the principles of increasing trust and security and maintaining the relevance of the .uk proposition in a changing landscape for domain names. The Nominet Board plans to review progress at their June meeting, where they would consider whether there is an alternative option that addresses the concerns raised in the consultation. Any alternative options would be subject to further consultation prior to any final decision being made.

Conclusion

Nominet remains committed to making the UK internet a safe and trusted space for business and consumers. As there is not, and will never be, a silver bullet to tackle e-Crime and cyber security issues, our approach is rooted in providing a robust and resilient service which is enhanced by co-operation across the public and private sectors, supplemented by awareness raising activities to empower businesses and consumers to take practical steps to ensure their own safety and security.

The task of developing a culture in which people’s online behaviour is appropriate to the risks that exist is not one that can be achieved by government action alone, nor can it simply be left to the private sector. We therefore welcome initiatives such as this inquiry that help to raise awareness and, we hope, best practice.

March 2013

[1] See http://www.nominet.org.uk/how-participate/policy-development/current-policy-discussions-and-consultations

Prepared 29th July 2013