Last month, Prime Minister Tony Abbott chaired an unprecedented cyber security summit with CEOs and executives from Australia’s leading companies to address the increasing threat of online risks to Australia’s digital economy.
According to the Federal Government, the direct cost of cybercrime to Australia in the past 12 months is estimated to be more than $1 billion.
In 2014, the Government’s national Computer Emergency Response Team (CERT) responded to 11,073 cyber security incidents affecting Australian businesses, 153 of which involved systems of national interest, critical infrastructure and Government. Furthermore, the Government’s Australian Cyber Security Centre recorded 1,131 cyber intrusions in 2014 involving Government agencies, an increase of 20 percent on the previous year.
These concerning figures led to the Government releasing its first ever unclassified cyber security threat report in July 2015, commenting that “the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow”.
As Australia’s home online, the .au domain name is at the forefront of the nation’s digital economy and a prime target for hacking activity.
Security vulnerabilities in the registry and Registrar systems that underpin a Top-Level Domain are a well-known route into some of the world’s most attractive hacking targets: whoever controls a domain’s registration record controls where its nameservers point, and therefore where its traffic goes.
Over the past few years, dozens of major incidents have been carried out by exploiting vulnerabilities in domain name Registrars to tamper with the online assets of some of the world’s leading brands.
Attacks on Registrars in the United States, Ireland, Malaysia, the Netherlands and other countries have hijacked, defaced or taken offline websites of Google, YouTube, Microsoft, Facebook, Yahoo!, Bing, MSN, Skype and many more.
We’re acutely aware that Australia and .au are not immune to Registrar-based attacks. In June 2011, we witnessed arguably the worst security incident in .au’s history when .au Registrar Distribute.IT was hacked and suffered such extensive damage and data loss that customer websites were unrecoverable, impacting many businesses across Australia.
Within a matter of hours, losses from the Distribute.IT incident were estimated to be tens of millions of dollars and ultimately proved fatal for the company, which ceased operations shortly after.
Following the Distribute.IT incident and the increasing attacks on Registrars globally, .au Domain Administration (auDA) and AusRegistry spent two years consulting the industry to gather feedback and recommendations on how we can better address Registrar security threats.
One result of these consultations was the development of a world-first Registrar Information Security Standard (ISS) for .au Registrars, launched in 2013. Registrars were given two years to meet the ISS, and the deadline, 31 October 2015, is rapidly approaching.
What is the .au Registrar Information Security Standard?
The .au Registrar ISS is a set of mandatory requirements that help .au Registrars manage and improve the security of their infrastructure and systems, and protect the stability and integrity of the .au namespace.
Managed by auDA, the mandatory requirements in the ISS ensure accredited .au Registrars have appropriate redundancy in place and adhere to industry best practice security measures to defend against attacks.
The standard complements ISO 27001, the information security management system standard, and builds on it with additional requirements specific to the management of domain name credentials. ISO 27001 certification on its own therefore does not satisfy the ISS; the domain-credential requirements must be met as well.
The theory behind the ISS is that these shared best practices across the industry will act as a rising tide to lift all boats – from .au domain registration right through to hosting services. This will in turn give .au domain name owners increased confidence in the management of their online assets and improve consumer trust in the .au namespace.
Implementation of .au Registrar ISS
The ISS was developed in consultation with AusRegistry, Registrars and other industry participants through the 2012 Industry Advisory Panel, and was approved by the auDA Board in February 2013.
Registrars must achieve ISS compliance by 31 October 2015, and information security auditing company Vectra has been appointed to audit compliance.
The feedback I have received from Registrars shows general support for the ISS and they welcome the benefits it brings to their business. In fact, most had already identified attaining ISO 27001 as an important strategic goal for their business operations and to support ongoing growth.
Unfortunately, there may be some Registrars who will be unable to achieve ISS certification. We’ve already seen consolidation in the Registrar market ahead of the October deadline, with VentraIP’s Angelo Giuffrida citing the ISS as one of the reasons behind their recent acquisition of IntaServ.
We may see a few more Registrars choose to de-accredit their business and move to a reseller model as the deadline draws closer. During this period AusRegistry is available and ready to help any of our Registrar clients to better consider their options and make the best decision for their business and customers.
Global Registrar security incidents – 2012 to 2015
May 2015 – United States: Domain Registrar Informs of DNS Hijacking
Feb 2015 – Vietnam: Lenovo, Google websites hijacked by DNS attacks
Jan 2015 – Malaysia: Malaysia Airlines website compromised by 'cyber caliphate'
Nov 2014 – United States: Craigslist Domain Name Hijacked by Hackers
Feb 2014 – United States: Hackers try to hijack Facebook, other high profile domains through Registrar
Jan 2014 – China: China internet outage blamed on 'hijacking'
Oct 2013 – Malaysia: Google Malaysia taken offline by hackers
Aug 2013 – United States: New York Times, Twitter domain hijackers 'came in through front door'
July 2013 – Netherlands: Thousands of websites defaced after Registrars hacked
July 2013 – Malaysia: Several high-profile .my sites DNS-hijacked
April 2013 – Kenya: Google, Microsoft, LinkedIn hacked in DNS hijack
April 2013 – Oman: Google Oman domain hijacked by Hackers
Nov 2012 – Romania: Google, Yahoo Among Sites Hit in DNS Attack
Nov 2012 – Pakistan: Google & Apple hit in high-profile Pakistan hack
Oct 2012 – Ireland: Google and Yahoo Irish search domains hijacked
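Every incident in the list above comes down to a change in a domain’s registry state made through a compromised or abused Registrar: nameservers swapped, locks lifted, or the domain transferred away. The Python below is an added example, not code from this article or from auDA or AusRegistry, showing the drift check a Registrant can run against their own domains to catch such a change early. It compares a stored baseline of the delegation and EPP status codes with a freshly observed snapshot. The domain, nameserver and Registrar names are hypothetical, and both snapshots are constructed inline; in practice the observed side would come from an NS query to the parent zone’s nameservers and from the registry’s WHOIS or RDAP record.

```python
"""Detect signs of a Registrar-level domain hijack from a delegation snapshot.

Added example, not part of the original article or of any auDA/AusRegistry
tooling. The snapshots below are constructed sample data with hypothetical
names; an operational version would fill `observed` from live DNS and
WHOIS/RDAP lookups on a schedule.
"""
from dataclasses import dataclass

# EPP status codes (RFC 5731) a Registrant expects to stay set on a valuable
# domain. Their disappearance usually precedes a transfer-out or NS change.
EXPECTED_LOCKS = frozenset({
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
})


@dataclass
class Snapshot:
    domain: str
    nameservers: list   # NS RRset as published by the parent zone
    statuses: set       # EPP status codes reported by the registry
    registrar: str      # sponsoring Registrar named in the registry record


@dataclass
class Finding:
    severity: str
    message: str


def _norm(name: str) -> str:
    # DNS and WHOIS sources differ in case and trailing dot; compare canonically.
    return name.rstrip(".").lower()


def detect_delegation_drift(baseline: Snapshot, observed: Snapshot) -> list:
    """Return findings ordered nameservers, locks, transfer, registrar."""
    if _norm(baseline.domain) != _norm(observed.domain):
        raise ValueError("snapshots are for different domains")
    findings = []

    base_ns = {_norm(n) for n in baseline.nameservers}
    seen_ns = {_norm(n) for n in observed.nameservers}
    added, removed = seen_ns - base_ns, base_ns - seen_ns
    if added or removed:
        # A wholesale replacement of the NS set is the classic hijack signature.
        severity = "critical" if not (base_ns & seen_ns) else "high"
        findings.append(Finding(severity,
                                f"nameservers changed: +{sorted(added)} -{sorted(removed)}"))

    lost_locks = (EXPECTED_LOCKS & baseline.statuses) - observed.statuses
    if lost_locks:
        findings.append(Finding("high", f"registry locks removed: {sorted(lost_locks)}"))

    if "pendingTransfer" in observed.statuses and "pendingTransfer" not in baseline.statuses:
        findings.append(Finding("critical", "domain is pending transfer to another Registrar"))

    if baseline.registrar != observed.registrar:
        findings.append(Finding("critical",
                                f"sponsoring registrar changed: {baseline.registrar} -> {observed.registrar}"))
    return findings


# Constructed sample data (hypothetical domain, nameservers and Registrars).
BASELINE = Snapshot(
    "example.com.au",
    ["ns1.example.com.au.", "ns2.example.com.au."],
    {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"},
    "Example Registrar Pty Ltd",
)
# Same delegation, only presentation differs: must produce no findings.
OBSERVED_CLEAN = Snapshot(
    "EXAMPLE.COM.AU",
    ["NS2.example.com.au", "ns1.Example.com.au"],
    {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"},
    "Example Registrar Pty Ltd",
)
# Hijack pattern: locks dropped, NS set replaced with attacker-controlled hosts.
OBSERVED_HIJACKED = Snapshot(
    "example.com.au",
    ["ns1.attacker-dns.example.", "ns2.attacker-dns.example."],
    {"clientDeleteProhibited"},
    "Example Registrar Pty Ltd",
)

if __name__ == "__main__":
    for label, observed in (("clean", OBSERVED_CLEAN), ("hijacked", OBSERVED_HIJACKED)):
        print(label)
        for f in detect_delegation_drift(BASELINE, observed):
            print(f"  [{f.severity}] {f.message}")
```

Run it and the clean snapshot yields nothing while the hijacked one reports a critical nameserver change and a high-severity loss of locks. Comparing against the parent zone rather than the domain’s own nameservers matters: once the delegation has been hijacked, the domain’s nameservers are the attacker’s and will answer whatever they like.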
What to expect post-ISS deadline
Certification against the ISS will not be effective without compliance auditing, and Registrars will have little motivation to comply unless the standard is actually enforced.
To this end, auDA may issue suspension notices to Registrars who fail to achieve ISS certification by 31 October 2015. This would mean these Registrars would be suspended from creating new .au domain names or accepting transfers in, during which time they would be given the chance to complete their certification or risk being terminated.
Importantly, .au domain name owners can have confidence that their domain names will remain fully operational regardless of their Registrar’s accreditation standing.
AusRegistry and auDA have jointly developed contingency plans to manage the process and protect the interests of both Registrants and Registrars. The integrity of all .au domain name records and data will be maintained and managed by AusRegistry and auDA in any circumstance.
The Distribute.IT security incident and the large number of Registrar attacks globally perfectly demonstrate why the .au Registrar ISS is so important.
It’s clear that cybercrime will continue to increase, and our position on the frontline of the nation’s digital economy places our .au Registrars in the crosshairs of hackers around the world. Attempts to hack .au Registrars are inevitable.
With the implementation of the world’s first Registrar ISS, the .au namespace is now arguably one of the world’s most securely managed Top-Level Domains and certainly one of the most prepared to respond to these attacks. It increases security mindfulness and builds greater capability across all Registrars to drive increased trust and confidence in the namespace.
George Pongas is general manager of naming services at AusRegistry