
2022-04-29

The latest crazy law

The latest crazy law imposed, today, with no notice, is The Russia (Sanctions) (EU Exit) (Amendment) (No. 9) Regulations 2022. My good friend, and lawyer, Neil, has blogged on it already...

This is one of those rare cases I am blogging as director of AAISP rather than purely personally.  See here for A&A news post on this.

The main issue is we, as an ISP, have to "take reasonable steps to prevent a user of the service in the United Kingdom from accessing, by means of that service, an internet service provided by a designated person."

I do wonder why. This is asking anyone providing internet access, whether for their family at home, via free WiFi, or anything else, to do this. Why not ask the handful of transit providers to do it instead? Much simpler, surely. But OK...

My first issue as an ISP is: what are those services? These are not services offered by some corporate entity that happens to have a "designated person" as shareholder, officer, or even employee, but services actually provided by a "designated person", over the internet. The list of such persons is neither simple nor small, and working out which of them provide what services over the internet will not be a simple task.

So we plan to ask, maybe, OFCOM, as they have specific enforcement requirements in that legislation, for a list of such services.

But when we get that, what then? LOL, like we will get a sane answer, ha... But, well, then we have to try and block access somehow, if reasonable.

We do not have means to block access or filter anything by IP, or DNS name, in our network!

I can't stress this enough: we have never had any order to block anything, nor, really, any previous legal requirement to do so. It is, in my opinion, not "reasonable" to expect us (for no payment at all, or otherwise) to magically implement such a measure, especially between the regulations being laid before Parliament at 5.00 p.m. on 27th April 2022 and coming into force on 29th April 2022. Or even (as it will cost a lot) later.

Update: As some people say, we have BGP routers that could have a black hole route added, and customer-facing DNS servers that could have a bogus entry added. But this is the tip of the iceberg in terms of a "system" for blocking. There needs to be the management systems to maintain the blocked IPs and domains. Systems for who can add and remove entries. Systems to ensure they are applied correctly to the various config files. Procedures for handling mistakes. Procedures for handling support queries from customers relating to blocks (and mistakes in blocks, over-blocking, etc). Systems for getting the sanctions lists, processing them, researching the services provided by those Russian companies, and making changes over time. Yes, some ISPs have (most of) these systems and procedures in place for other reasons. We don't! On top of which, actual URL blocking is a completely different matter and simply impossible given the current use of https: with TLS the ISP sees the destination IP address and the server name in the handshake, never the path of the URL, so a URL-level block cannot be done without interposing on the encrypted session.

Update: That said, for a couple of domains, it is not impossible to add a DNS entry manually, but it is far from a scalable solution.

What could we do?

At a push we could refuse to answer DNS for some domains on our customer-facing DNS servers, but customers do not have to use them, so that would not be effective in meeting the requirement. And weirdly, the providers of public DNS, like 8.8.8.8 and 1.1.1.1, are not subject to this order. Why?

Indeed, even if we had some way to block routing to some IPs (remembering we must not "over-block", to meet net neutrality laws), customers are allowed to, and often do, use VPNs, so again it would not actually be effective.

I am not sure we could "reasonably" take any technical measures. The closest we could get is not answering some DNS.
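For anyone wondering what "not answering some DNS" looks like in practice, here is an added example (not A&A's own configuration or tooling) that generates a BIND-style Response Policy Zone for a short blocklist, with the over-blocking guard that the net neutrality point above calls for. The domain names, the mini public-suffix list and the zone boilerplate are constructed for the illustration.

```python
"""Generate a BIND-style Response Policy Zone (RPZ) for a handful of domains.

Added example, not A&A's own configuration or tooling. It shows the
mechanics of "not answering some DNS" on a customer-facing resolver and
the over-blocking guard a practitioner would want before loading such a
zone. The domain names and the mini public-suffix list are constructed.
"""
from datetime import datetime, timezone

# Constructed stand-in for the public suffix list. Blocking one of these
# would silently take out every name beneath it, i.e. over-blocking.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ru", "com.ru"}


class OverBlockError(ValueError):
    """Raised when an entry would block far more than the named service."""


def normalise(domain):
    """Lower-case, strip the trailing dot, and reject obviously malformed names."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if not d or any(not lbl or len(lbl) > 63 for lbl in labels):
        raise ValueError(f"malformed domain: {domain!r}")
    return d


def check_entry(domain):
    """Normalise one blocklist entry and refuse anything that would over-block."""
    d = normalise(domain)
    if "*" in d:
        raise OverBlockError("wildcards are generated by the builder, not hand-entered")
    if d in PUBLIC_SUFFIXES or len(d.split(".")) < 2:
        raise OverBlockError(f"{d!r} is a public suffix or TLD; blocking it would over-block")
    return d


def rpz_records(domain):
    """RPZ policy records: a CNAME to the root ('.') makes the resolver answer
    NXDOMAIN for the name and, via the wildcard, for everything beneath it."""
    d = check_entry(domain)
    return [f"{d}\tCNAME\t.", f"*.{d}\tCNAME\t."]


def build_rpz_zone(domains, serial, ttl=300):
    """Return the text of a complete RPZ zone file (the zone name comes from named.conf)."""
    lines = [
        f"$TTL {ttl}",
        f"@\tSOA\tlocalhost. hostmaster.localhost. ( {serial} 3600 900 604800 {ttl} )",
        "@\tNS\tlocalhost.",
    ]
    seen = set()
    for dom in domains:
        d = check_entry(dom)
        if d in seen:            # skip duplicates from a list that was edited by hand
            continue
        seen.add(d)
        lines.extend(rpz_records(d))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Date-based serial so each regenerated zone sorts higher than the last.
    today = int(datetime.now(timezone.utc).strftime("%Y%m%d")) * 100
    print(build_rpz_zone(["rt.com", "sputniknews.com"], serial=today))
```

This is only the resolver-side half of the problem: a customer pointed at 8.8.8.8, running their own resolver, or on a VPN never sees this zone at all, which is exactly the effectiveness point made above. The serial, the who-may-edit-the-list controls and the support procedures are the part that does not fit in a zone file.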

So what do we do?

Well, step one is we ask OFCOM for the list of services, and see what we get. That is it for now. I expect no list, to be honest, which sort of solves the problem.

Then we consider what next.

The other consideration is that we might "ask customers nicely" not to access such services. That sounds like a reasonable step to me. We might do that once we have a list of such services.

Update: The sanctions list has been updated - two "designated persons" have been listed: TV-Novosti and Rossiya Segodnya, with the web site rossiyasegodnya.com specifically listed. What is odd is that OFCOM have seen the list and decided that the sites rt.com and sputniknews.com should be "blocked" somehow. So which is it? What is the process for finding the "services" offered by the designated persons and how did OFCOM come up with those two domains? Is every coffee shop offering WiFi to somehow research some Russian companies to find what services they offer?

In practice, it looks like our (free) customer facing DNS servers may have to fib about a couple of domains for now. Not a scalable system, but hopefully "reasonable steps".

And just to be clear, I want the war to stop. But I am not sure how these sanctions help or are in any way effective. They are, however, a break from any notion of "mere conduit" for Internet Access. If they are needed, they are in the wrong place (surely transit providers, or DNS providers like 1.1.1.1 and 8.8.8.8, are more appropriate than every coffee shop offering WiFi). So we are doing what may be the only "reasonable steps" we can do.

2017-09-10

NIS Directive and Internet companies in the UK…

This blog is about some upcoming legislation which could have a lot more impact than you might expect on smaller companies that provide internet related services.

Summary

The Network and Information Systems Directive is an EU Directive which will be implemented into UK law next May. At this stage the UK implementing law is not drafted and we have a chance to influence how it is drafted by responding to a DCMS consultation. If you offer any sort of web hosting, or you are an ISP, even a small one, you may find yourself in scope, and so should look into this now. The penalties can be huge, much like GDPR penalties.

Key problems

Who should be in scope? It is not entirely clear, on some aspects, who should be in scope, i.e. who the directive is aiming at. We can guess some big players like LINX, Google, and Nominet, but when it comes to DNS and cloud services it is very unclear.
Defining the scope. This is very important, as defining the scope by describing the service and some measurable scale can be very hard. I would struggle to define a DNS provider so as to include all of what they intend with no unintended consequences, even if I could understand the intended scope in the first place.

Both of these are areas where DCMS urgently need help so as to avoid some bad legislation — not only would it put an undue burden on smaller ISPs, it would actually be counterproductive and increase the risk.

What is the NIS directive?

If you have not heard of it before, the NIS directive is an attempt to increase the security and resiliency of network and information systems, primarily the Internet, to minimise disruption and downtime, and the ensuing impact on the economy. It builds on rules which are already in place covering electronic communications networks and services.

Essential Services

The main targets are those providing essential services. This covers Transport and Energy and so on but specifically covers internet related services provided by IXPs, DNS providers, and TLD registries. Whilst the IXPs covered are likely to be LINX and perhaps a few others, and TLD providers are likely to be Nominet, the “DNS providers” is a concern as I will explain later.

Digital Service Providers

The directive also covers Digital Service Providers, which covers all sorts of people like on-line marketplaces, cloud computing, and search engines. Unlike “essential services”, there is a threshold test for digital service providers: a provider which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed €10 million is out of scope.

Do we really need legislation

Sadly the time to tackle this has gone as this is an EU directive which the UK is bound to implement, though it will be reviewed from time to time. However, this is an important question as the UK has some discretion as to the way in which the directive is implemented, and it may be possible to limit the scope to the few larger providers that already have in place the measures that the directive requires. Considering if the legislation is actually needed could be a factor in this.

The reason I am unconvinced is that the industry, at all levels from low level protocol design to the network operations of companies like Google and eBay, already takes these issues seriously and is constantly working on improvements.

Just looking at DNS, it was designed to be robust in the first place, and improvements to resolvers (randomised source ports, so that an off-path attacker has to guess a 16-bit transaction ID and a port rather than the transaction ID alone) and changes like DNSSEC are tackling some of the ways the system can be “attacked”. Even at higher levels, things like https (secure web pages) are making DNS attacks less useful, since a forged address cannot present a certificate the browser trusts for the site. You then have the reputation of these larger companies, and their experience - when was the last time you could not get to Google or Facebook and it was their fault (i.e. not just a broadband outage)?

So if industry is constantly working on this, do we need legislation? Will legislation simply add additional burden? Can we limit that burden when putting this in to UK law?

Search engines

They presumably mean Google and Bing, but how in scope do these companies become if they shut down EU offices? Maybe they should just list them as being in scope? However the definition actually talks of a service that searches all web sites, which no search engine does or ever could do, so Google could easily argue it is out of scope. I am not that fussed as we are not a search engine, phew, but it would help to get DCMS to understand and refine these definitions — and, to their credit, they really do appear to be willing to listen.

Cloud computing and on-line marketplaces

This gets more complex as it could cover simple web hosting. There are the turnover figures, but if a medium sized company was to do some web hosting it could find itself in scope. At the very least the thresholds need to be tied to “relevant turnover”, and I think the definitions need to be pinned down somewhat. There is a danger we could be in scope one day, and many ISPs only slightly bigger than us are probably going to be in scope.

The scope of “cloud computing services” proposed to be in scope by DCMS seems to go way beyond what the UK is required to implement under the directive, and we are not sure why. The directive requires only providers of a “digital service that enables access to a scalable and elastic pool of shareable computing resources” to be in scope, but DCMS is seemingly proposing that anyone who provides online services to businesses must be in scope — email, IM, VoIP, web hosting, and so on. Since very few of these services are actually critical to the economy, their inclusion seems unnecessary.

DNS providers

This is a special can of worms, and hence the largest part of this blog post. The problem is that this comes under the onerous “essential services” category which includes some serious fines for non compliance, and does not have the same turnover / employee threshold as the "digital services" obligations.

The actual EU directive talks of DNS being a “hierarchical system” that “refers queries”. To me that is authoritative DNS servers only. Remember that TLD operators are covered as well. The proposed UK legislation seems to cover caching and recursive resolvers too. That is where it becomes a problem.

The two sides of DNS…

Authoritative servers: The DNS database is distributed and hierarchical. It is a target for attack. If you can change the DNS entries, or make them appear to be changed, for, say, a bank, or one of those digital service providers, you can disrupt services and defraud people as well. So DNS is important.

One problem here is that DNS can be, and is, in the hands of the companies with these important domains. It is unlikely they would rely on their local ISP to manage the DNS. The TLD provider like Nominet would refer (delegate) to the company’s own authoritative DNS servers. So it could be that the DNS servers in question are not covered by the legislation anyway in the cases where attacks would cause the most damage.

Where it could come in is where there are ISPs providing authoritative DNS as a service to others. We do that as a small ISP. But our customers can, and probably should, be using secondary servers from other providers.

The threats here are mainly that DNS records are changed, and this could be by some social engineering (phoning and claiming to be the customer, emailing, trojanning to get control page login details, etc), or technical (straight hacking). Obviously there is a risk of something simple like a power outage, but that should be covered by the fact DNS has redundant servers. There is also a risk of DoS attacks on such servers. The issue here really is that small ISPs like us, that could well be in scope here, are not going to be used by big players like a bank, or someone important. As such we are a lower risk target anyway, and less of a disruption when attacked. Even so, we offer our customers two-factor authentication to minimise the risk of unauthorised changes being made.

There is one other threat, one of incompetence, and I worry we could be failing such legislation if it applies to us. What happens is a customer will go to some web developer. The web developer will say that they will need the DNS name servers for the domain changed over to them. Many web developers work like that, and have no clue about other uses of DNS, even email. We try very hard to warn customers if they ask for DNS to be changed to new name servers, but even so, it is not uncommon to have the customer on the phone an hour later asking why email is not working any more.

At the end of the day, I am not sure which “larger players” in the authoritative DNS market (below the TLD such as Nominet) would sensibly be a target for this legislation. Are there “Authoritative DNS providers to the stars” out there, offering authoritative DNS to large companies? Who are they?

Caching and recursive resolvers: This is where it does get scary. As worded now by DCMS we come into scope as an essential service provider because of the caching recursive DNS resolvers we provide to customers. That is crazy! We are a small ISP, with under 10,000 customers. DCMS has proposed that only providers who get more than 60 million queries in 24 hours (roughly 700 queries per second) would be in scope but, having measured this, we already exceed that threshold by a factor of two on our customer-facing resolvers right now, and it gets more complex.

Each of the customer routers typically has a DNS resolver or forwarder, some of these are owned by us, and for many ISPs the customer router is owned, or maintained, by the ISP. If they come into scope (and I cannot see that they would not), then they will be getting an order of magnitude more queries. I think, in our case, most customer routers are not “ours”, thankfully, but even for those that are, I am unsure how we would know how many queries they get. Of course one customer deliberately hitting their own router on its 100Mb/s LAN as fast as they can with queries would put that one router in scope, even if the requirement is billions of queries in 24 hours. That would put that customer, or us (if it is “ours”) in scope suddenly.
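To make the threshold arithmetic concrete, here is an added example (not A&A's tooling) that counts queries from BIND 9 style query log lines, extrapolates the observed window to 24 hours against the 60 million figure, and then shows the single-client effect described above: one client looping queries can carry a small resolver over the line on its own. The log lines are constructed in the script; the log format is BIND's, the client addresses and names are made up.

```python
"""Count resolver queries against a "queries per 24 hours" threshold.

Added example, not A&A's tooling. It parses BIND 9 style query log lines,
extrapolates the observed window to 24 hours, and shows how one client
hammering the resolver can push a small operator over the threshold. The
log lines are constructed below; the 60 million figure is the DCMS proposal
quoted in the text.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

DCMS_THRESHOLD = 60_000_000      # queries per 24 h, per the consultation
SECONDS_PER_DAY = 86_400

# Matches a BIND 9 query log line (print-time yes) such as:
# 29-Apr-2022 10:00:00.000 client 198.51.100.1#40000 (rt.com): query: rt.com IN A + (203.0.113.53)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, client, qname, qtype); lines that are not queries are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["client"], m["qname"], m["qtype"]


def daily_projection(records):
    """Extrapolate the observed window to 24 h. Returns (projected_queries, window_seconds)."""
    records = list(records)
    if not records:
        return 0, 0.0
    stamps = [r[0] for r in records]
    window = max((max(stamps) - min(stamps)).total_seconds(), 0.001)
    return int(len(records) * SECONDS_PER_DAY / window), window


def in_scope(records, threshold=DCMS_THRESHOLD):
    """Would this resolver exceed the proposed queries-per-day threshold?"""
    projected, _ = daily_projection(list(records))
    return projected > threshold


def top_client(records):
    """Busiest source address and its share of all queries."""
    counts = Counter(r[1] for r in records)
    client, n = counts.most_common(1)[0]
    return client, n / sum(counts.values())


def constructed_log(total=2800, seconds=2.0):
    """Constructed sample: 200 ordinary clients plus one client (192.0.2.99)
    looping queries at its own router, interleaved 5-in-7 over a short window."""
    start = datetime(2022, 4, 29, 10, 0, 0)
    lines = []
    for i in range(total):
        ts = start + timedelta(seconds=seconds * i / (total - 1))
        if i % 7 < 5:                      # 5 of every 7 queries come from the looping client
            client, qname = "192.0.2.99", "router.lan"
        else:
            client, qname = f"198.51.100.{i % 200 + 1}", "www.example.com"
        lines.append(
            f"{ts:%d-%b-%Y %H:%M:%S}.{ts.microsecond // 1000:03d} "
            f"client {client}#{40000 + i % 20000} ({qname}): query: {qname} IN A + (203.0.113.53)"
        )
    lines.append("29-Apr-2022 10:00:02.000 general: info: zone reload queued")  # not a query
    return lines


if __name__ == "__main__":
    recs = list(parse_query_log(constructed_log()))
    projected, window = daily_projection(recs)
    client, share = top_client(recs)
    print(f"{len(recs)} queries in {window:.3f}s -> {projected:,} per day; in scope: {in_scope(recs)}")
    print(f"top client {client} sent {share:.0%}; without it: {in_scope(r for r in recs if r[1] != client)}")
```

With the constructed sample the resolver projects to about 121 million queries a day, twice the threshold, yet without the one looping client it sits at about 35 million. A threshold written purely in query counts therefore measures whoever shouts loudest at the resolver, not how many people depend on it.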

There are other issues with DNS resolvers. The industry has tackled threats as they have come along, and one was that older/simpler resolvers were vulnerable to being flooded with forged answers until one was accepted, so that a name could be made to point at something else entirely; not that hard to trigger with code embedded in a web page. So what happens if a specific make of customer router has such a vulnerability? That could cause widespread impact on services, spoofed DNS, fake web sites and fraud. Who is, or should be, responsible for that? The manufacturer? The reseller? The end users? The legislation seems to ignore this risk completely, but it is also easy to see it being impossible to police for “made in China” routers anyway, and you really cannot make code 100% bug free.
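As an added illustration of the resolver weakness just described, and of the randomised source ports mentioned earlier, here is a toy model (not code from this post or from A&A) of an off-path attacker trying to poison a resolver's cache. It runs two attacks against four resolver configurations: a rogue authoritative server that appends a record for someone else's name to its own honest reply, and a Kaminsky-style flood that sweeps the whole 16-bit transaction ID space. The names, addresses, reply format and attacker behaviour are all constructed; real resolvers also rank additional-section data below answer data, which this toy leaves out.

```python
"""Toy model of DNS cache poisoning by an off-path attacker.

Added example, not code from the post or from A&A. It contrasts a resolver
that accepts any reply carrying the right 16-bit transaction ID on a fixed
source port with one that also randomises the source port and applies a
bailiwick check. Names, addresses, the attacker and the reply format are
constructed; real resolvers also rank additional-section data lower.
"""
import random

TXID_SPACE = 1 << 16
EPHEMERAL_PORTS = range(1024, 65536)
BOGUS = "203.0.113.66"           # where the attacker wants www.bank.example to point


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, rng, randomise_port, check_bailiwick):
        self.rng, self.randomise_port, self.check_bailiwick = rng, randomise_port, check_bailiwick
        self.cache = {}              # name -> address
        self.pending = None          # (qname, zone, txid, port) of the outstanding query

    def send_query(self, qname, zone):
        """Send qname to zone's authoritative server; remember what a valid reply must carry."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomise_port else 53
        self.pending = (qname, zone, txid, port)
        return txid, port

    def receive(self, reply):
        """reply: {"txid", "dport", "qname", "records": [(name, address), ...]}; returns accepted?"""
        if self.pending is None:
            return False
        qname, zone, txid, port = self.pending
        if (reply["txid"], reply["dport"], reply["qname"]) != (txid, port, qname):
            return False             # not the reply we are waiting for: drop silently
        for name, addr in reply["records"]:
            if self.check_bailiwick and not in_bailiwick(name, zone):
                continue             # data for names outside the queried zone is never cached
            self.cache[name] = addr
        self.pending = None
        return True


def rogue_server_attack(resolver, victim="www.bank.example"):
    """Attack 1: the attacker's own authoritative server answers a query for its own
    zone (triggered by an image tag on a web page) and appends a record for the
    victim name. Nothing to guess: that server legitimately sees txid and port."""
    qname, zone = "img.attacker.example", "attacker.example"
    txid, port = resolver.send_query(qname, zone)
    resolver.receive({"txid": txid, "dport": port, "qname": qname,
                      "records": [(qname, "203.0.113.7"), (victim, BOGUS)]})
    return resolver.cache.get(victim) == BOGUS


def blind_flood_attack(resolver, guessed_port, victim="www.bank.example"):
    """Attack 2 (Kaminsky-style): make the resolver look up a random name under the
    victim's zone, then race the real server with forged replies, sweeping the whole
    16-bit txid space at one guessed port. The bogus record is in bailiwick, so only
    the (txid, port) match stands in the way. Returns (poisoned, packets_sent, port_guessed)."""
    qname, zone = "x1.bank.example", "bank.example"
    _, real_port = resolver.send_query(qname, zone)
    sent = 0
    for txid in range(TXID_SPACE):
        sent += 1
        if resolver.receive({"txid": txid, "dport": guessed_port, "qname": qname,
                             "records": [(qname, "203.0.113.7"), (victim, BOGUS)]}):
            break
    return resolver.cache.get(victim) == BOGUS, sent, guessed_port == real_port


def run_attacks(randomise_port, check_bailiwick, seed=1):
    """Both attacks against fresh resolvers. The attacker aims at port 53 when the
    resolver's port is fixed and otherwise has to guess (here it guesses 1024)."""
    rng = random.Random(seed)
    rogue = rogue_server_attack(Resolver(rng, randomise_port, check_bailiwick))
    guessed = 53 if not randomise_port else 1024
    flood, sent, guessed_right = blind_flood_attack(Resolver(rng, randomise_port, check_bailiwick), guessed)
    return {"rogue": rogue, "flood": flood, "flood_packets": sent, "port_guessed": guessed_right}


def blind_success_probability(packets, randomise_port):
    """Chance that `packets` uniformly random forgeries hit the one outstanding query."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomise_port else 1)
    return 1 - (1 - 1 / space) ** packets


if __name__ == "__main__":
    for rp, bw in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"random port={rp!s:5} bailiwick={bw!s:5} -> {run_attacks(rp, bw)}")
    print(f"65536 forgeries, fixed port: p={blind_success_probability(65536, False):.2f}; "
          f"random port: p={blind_success_probability(65536, True):.2e}")
```

The two defences are orthogonal: the bailiwick check stops the rogue server but not the in-bailiwick flood, and port randomisation stops the flood but not the rogue server, so a router resolver that lacks either is exposed to one of them. Randomisation only raises the attacker's cost from 2^16 to roughly 2^32 guesses; DNSSEC changes the game by making a forged record fail validation regardless of how lucky the guess was, and https limits what a successful forgery buys.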

The other issue is that this could easily “put all eggs in one basket”. At present ISPs operate a lot of customer facing caching recursive DNS resolvers. Lots of redundancy. This makes attacks such as DoS harder. As a small ISP I doubt we can afford to find ourselves in the “essential services” scope, so what would we do? What would lots of small ISPs do? We would almost certainly (with suitable announcement) change DNS servers to use Google's 8.8.8.8/8.8.4.4 service (and its IPv6). Alternatively we may subcontract some commercial DNS provider. That could get us below any thresholds and out of the essential services scope.

The problem with this is that you end up with a few large DNS resolver companies instead of every ISP operating lots of separate caching resolvers, giving end users choice and redundancy (they can always switch to use 8.8.8.8 if they want or even run their own resolver). These few large providers, even though in scope of the regulation (if they are in the EU) will then be a juicy target for attack, either as DoS or DNS poisoning or simple bribery. They become the sole gatekeepers of the underlying hierarchical DNS system, undermining its integrity. This undermines the reliability of DNS and goes head to head with the technical community that DCMS should be embracing, and not fighting.

Of course, we have the issue of published resolvers that will be hard coded. We could port map these to an external DNS resolver. But then the port mapper boxes become as important as the DNS resolvers they replace - so do they become in scope as “DNS resolvers” themselves? What if part of CGNAT boxes? What if a feature of customer routers?

Personally I cannot see any logic in including caching and recursive resolvers in scope at all. Is there a threat? Maybe if they specifically called out Google’s public 8.8.8.8 service as in scope, perhaps that is all they intend?

Missing!

There also seem to be a few key services missing from the directive!

Data centres: Whilst technically a data centre is not different to someone else selling office space (they sell space, power, air-con and physical security basically), they are key to the operation of all of these digital services that are covered by the directive. Why are they not in scope?

Content Delivery Networks: These too are key to many services, and could have major impact if attacked, but again, it looks like they are not in scope.

Don’t just comment here!

Please, consider the directive and DCMS proposals and reply. We need people mitigating the impact, making sure it covers what needs to be covered, and making sure the definitions work.

The consultation document is here (https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive), and you have until 30th September to respond.

This is the A&A response, here.

(Thanks to Neil Brown for help with this blog post)
