The French Digital Bill and Military Planning Law (LPM) aim to give authorities the necessary tools to combat looming cyber threats, but how they go about doing so may set a dangerous precedent that dismantles online freedom.
The concerns include permitting the National Information Systems Security Authority (ANSSI) to force Domain Name System (DNS) resolvers and Internet Service Providers (ISPs) to block domains accused of hosting malicious or fraudulent content without a court order. Given the involvement of DNS in every Internet transaction, DNS filtering by national defense agencies is already an option. Internet Pioneers, Internet Architects, and Distinguished Technologists recently published a letter, “Concerns over DNS Blocking,” to Members of the French Assembly and Senate to highlight apprehension regarding the pending legislation.
As highlighted in the letter, authoritarian governments are increasingly implementing extensive Internet censorship under the guise of cybersecurity. DNS blocking is also an ineffective approach to safeguard users from malicious URLs because resourceful adversaries will bypass DNS blocking by using alternative DNS servers, running their own DNS resolver, directly accessing an IP address without DNS, or implementing a virtual private network (VPN) to use a different DNS resolver.
Such escalation could negate any security filtering at the DNS layer and could even lead to the proliferation of “pirate-friendly DNS,” or offshore DNS services that facilitate access to copyrighted or infringing content. Meanwhile, Article 32 of the LPM and Article 6 of the Digital Bill are ambiguous about the impact on open DNS resolvers, which are distinct from DNS services provided by ISPs and offer resolution services universally, regardless of a user’s location. That ambiguity implies that the open resolvers would be compelled to enforce content removals on a global scale. An authoritarian government with such powers could impede users worldwide from accessing critical information, such as reports on human rights abuses, mirroring the concerns raised in the proposed expansion of the cybercrime treaty.
An additional concern is Article 6 of the Digital Bill, which extends website blocking. This strategy could set a concerning precedent in which a national government imposes government-specific web filters on browser technology, despite the availability of free products for governments to flag websites for blocking.
Article 34 of the LPM also contains problematic language around vulnerability reporting. It requires software publishers to report “significant” vulnerabilities to ANSSI and to their users, irrespective of whether a patch is available. This amplifies the risk of exposing information to adversaries before mitigations are implemented. It also raises concerns over the security of the database that would store such vulnerabilities, is ambiguous about how to monitor whether vulnerabilities are disclosed, and lacks a process to support vulnerability mitigation.
There is also vague language on what information is sent to ANSSI. Article 33 requires transmission of non-identifying technical data to ANSSI on demand, while Article 35 extends the power for ANSSI to install “technical markers” on the networks of data center operators, electronic communication operators, and ISPs without due process, posing a risk to the civil liberties of French and global Internet users. The lack of detail on what non-identifying technical data is necessary and what these technical markers will consist of makes these articles problematic. This approach conflicts with EU law and the OECD Declaration on Government Access to Personal Data and contravenes CJEU case law, which could jeopardize the EU’s recognition as a qualified state for accessing the EU-US Data Privacy Framework.
To prioritize security, filtering should be targeted toward risk factors rather than content regulation. Resources are better invested in advanced threat intelligence that will prevent threats than in means to block critical resources. To support DNS, domain seizure through established procedures and relationships with the registrar and registry can protect at the root. Meanwhile, the government should also advise prompt patching for vulnerable products while implementing safeguards that give companies a reasonable timeframe to mitigate vulnerabilities before disclosing them to the government.
The internet runs on trust, and the future of a secure internet is one that promotes zones of trust. It’s a system where an actor can rely on elements that they deem trustworthy. However, when trust is lacking, society falls back on constraints, and this proposed legislation cripples the very foundation of global communications.