Dear EU: Please Don't Ruin the Root

I love Europe, and I want to see the European Union succeed. I also love the Internet, and I want to see it thrive as well. And it therefore pains me that it now appears that the European Union might inadvertently be picking an ugly fight with “The Internet”.

UPDATE: I am EXCEPTIONALLY happy to report that through robust engagement with European institutions who understood the problem, the root servers are now fully out of scope of the NIS2 directive! Thanks to everyone involved, you know who you are!

What is going on? A new EU directive is currently making its way through the various EU bodies. This Proposal for directive on measures for high common level of cybersecurity across the Union is the successor of the initial attempt known as the NIS Directive.

I did a presentation over at #RIPE82. Slides here, video here. This presentation goes into some more depth what NIS 2 actually is, and how it could be good or very bad.

This directive creates rules for “essential and important entities” so they adhere to minimum Cybersecurity standards. Although it is for now somewhat up in the air who exactly would count as such an entity, it is sure to include national telecommunication companies, Google and many other major communication hubs. Many of these are already regulated in various ways.

Surprisingly however, the European Commission version of the directive explicitly includes all the root servers, the infrastructure that keeps the internet alive.

The very short version:

  • The Internet functions because over 1300 servers provide a starting point for every (website) name used online. These are the root servers.
  • These 1300 servers provide an overlapping service - we don’t need 1300, we don’t even need 100. As long as some of them work, the Internet is fine (but we do like a margin of safety).
  • These servers are managed by organizations like the US Department of Defense, NASA, two European non-profits, a Japanese academic project, an important open source software vendor, plus two commercial entities. There are 12 Root Server Operators in total, operating 1378 servers at last count.
  • The NIS 2 directive is meant to target ’essential entities’. If any of these entities would fail, it would disrupt society
  • Such entities must have specific cyber security plans in place, and can be audited (on-site) if there are worries cyber security is not good. There can also be very large fines in case of non-compliance. EU member states can also order these entities to shut down services
  • The current version of the NIS 2 directive explicitly says the EU will regulate the root servers, and therefore NASA and the US Department of Defense in this way
    • The NIS directive applies to everyone offering services to EU citizens, regardless of the nationality of the operator or where the servers are
  • The non-profit root server operators might have to leave the EU and put up active measures so that no Europeans can use their root servers. They can’t afford to do all the paperwork for NIS 2.
  • Other governments also want to regulate the whole Internet. If the EU decides to do so now, it will be hard to say no to Chinese and Russian regulations affecting the whole world. They also have plans.
  • The Root Server Operators (RSOs) are not actually individually essential - 11 out of 12 could go down and no one would notice. In over 40 years of operations (!), “the root” has never gone down because of this overlapping service.
  • A public fight between the US government, “The Internet” and the EU would lead to a loss of trust
    • The US will not appreciate EU staff showing up to do random audits of their military networks
  • Root server operators leaving or even abandoning the EU does nothing for the European Digital Agenda, and would reinforce our status as a place where doing digital business is too hard, while potentially diminishing the resilience of the Internet in Europe.
  • The public and non-profit entities running the root might then well be replaced by more commercial operators with large regulatory desks, skilled at evading EU regulation
    • Authoritarian governments might also claim the space left open by the non-profits that left
  • Including the root servers in the NIS 2 directive is therefore likely unnecessary and also unwise
  • The European parliament’s draft report on the NIS 2 directive contains wording to prevent NIS 2 regulation of the root servers (Amendment 1, page 6, Amendment 32, page 27)
  • I urge the EU to adopt Amendment 1 & 32 for the good of the Internet, and to focus on strengthening the reliability of the essential entities that indeed do need regulation.

UPDATE: On the 28th of October 2021, the European Parliament adopted a version of the NIS2 directive that has taken the root servers out of scope. This is not the final step of the legislation however, so it remains to be seen what happens next.

Root server instances in Europe

Root server instances in Europe

The longer version

Almost everything online starts with “looking up a domain name”. We type in website names but computers setup connections to numerical IP addresses. DNS performs this translation from names to IP addresses. Each country takes care of its own part of DNS (for example, there are servers for names that end on .de, .nl but also .eu). Finally, there is a list of where all the country servers are.

This is provided by the “root servers”, over 1300 servers distributed across the globe, mostly administered by non-profits or public entities. These servers are part of “the fabric of the Internet”. Whenever we use the Internet, we need one of these 1300 servers to be available.

The NIS 2 directive has an effect on all service providers that are essential to Europeans, regardless of where these entities are domiciled. In other words, this regulation would definitely apply to NASA and the US Department of Defense, because these operate root servers on which Europeans depend.

This means that with the advent of “NIS 2”, as the directive is also called, the EU would attempt to impose regulation on NASA, the US Department of Defense, but also non-profits like ISC, RIPE NCC, ICANN and the Japanese WIDE project.

Various root server operators took note and sent in their views to the EU: RIPE NCC, ISC, Netnod, ICANN.

So what are the NIS 2 obligations? Essential entities must have solutions and documented procedures in place for:

  • risk analysis and information system security policies;
  • incident handling (prevention, detection, and response to incidents);
  • business continuity and crisis management;
  • supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures;
  • the use of cryptography and encryption.

If these plans are found to be deficient, or if there is an incident, EU member states can order operators to take all measures to return to compliance. If an incident has occurred, and followup is not satisfactory, measures can include fines, on-site inspections, including random checks, mandatory audits, security scans and requests for evidence of promised improvements.

To be sure, the directive makes clear these things only come into play after major incidents, several warnings and clearly deficient followup. But still, this directive clearly has teeth, and can lead to large fines.

Specifically, NIS 2 would make it possible for an EU member state to order NASA and the US Department of Defense to submit to on-site inspections, including random (unannounced) visits.

Regulatory exemptions

Most companies hate to get regulated. An exception being very large corporations that have “dealing with regulatory stuff” as one of their core competitive advantages. We’ll get back to that later.

But generally, most companies would prefer not to get regulated. So almost everyone would like to get an opt-out from the NIS 2 directive, including the root server operators.

Aside from the silliness of the EU attempting to audit the Pentagon, there are concrete reasons why individual root server operators are not essential service providers.

The laudable goal of NIS 2 is to protect the continuity and reliability of essential services. If your Internet Service Provider goes off the air, your life is disrupted spectacularly. If you are a business customer of one of these ISPs, your whole company in turn might go off the air.

Taken together, the Internet surely is an essential service itself. However, if any one of the root server operators goes off the air.. no one would notice. The root server operators provide an overlapping highly redundant service.

In over 40 years of operation (!), no attack has ever succeeded in disrupting the service of more than a handful of root servers. And more importantly, no one has ever noticed any effect of such an attack. This is because the service is provided decentrally, with no single organization being a single point of failure.

Each of the 12 root server operators provides the same service. None of them is individually essential. The redundancy is so effective that the whole Internet automatically switches to any of the other 11 operators in case one individual provider has a problem.

In addition, by downloading this file, every Internet service provider can run their own root server.

This all mean that the root servers are very different from other entities the NIS 2 intends to regulate.

Unintended consequences

Were the EU to regulate the root server operators, this may cause some of them to abandon the EU. Root server operation is a non-profit operation - no one of us is paying these operators to do what they do. We are getting this service from companies and organizations that have historically been at the core of the Internet. There is no business model behind it.

Should these non-profits decide to abandon root server operation for Europeans, because they can’t comply with the compliance procedures or potential fines, their role might well be taken over by parties with large existing compliance desks. These would be companies well versed in evading EU regulation.

In effect, we would be handing over an even larger part of our Internet traffic to commercial operators that are adept at navigating EU regulation while seeing more and more data pass through their systems.

Geopolitics

Currently the Internet is governed by a set of overlapping international bodies, like ICANN and the IETF. These have their own international stakeholder frameworks. Although governments do take part in these bodies, no single country is “pulling the strings”. This makes sure the Internet remains mostly unfragmented.

Various less-than free countries are aching to impose their will on the Internet, but they have so far been held back because no government has attempted to enforce their regulations extra-territorially.

If the EU would now cross this Rubicon, many other governments would line up to add additional and likely conflicting regulation. This is not the sort of Brussels Effect we are looking for.

Recently, David Ignatius wrote on this topic in the Washington Post: Russia’s plot to control the Internet is no longer a secret

In addition, if any of the non-profits currently providing root server operations would leave, the space they leave might be taken up by more authoritarian regimes claiming a seat at the table.

Current status

The European Parliament’s draft report on the NIS 2 directive contains amendments that exempt the root server operators. This is very welcome. However, it is known that the European Commission is very fond of the idea of regulating the root servers as well. The European Parliament also needs to adopt this amendment.

It is possible that the European Parliament or the European Commission might not adopt Amendment 1 or 32. This would set the EU up for a damaging fight with “the Internet”, and specifically, with entities that are not individually providing an essential service, and that also operate a fully functioning nuclear triad.

What can we do?

The EU does care about these things. But they do need to know that adopting Amendment 1 and 32 is important. It may therefore be useful to send some tweets. Please do not get angry with these accounts, it is not helpful. This is a complicated subject, we want to help them understand the problem.

Of specific note are the following accounts:

  • @digitalEU: “@EU_Commission account for #DigitalEU run by DG Connect.”
  • @LorenaBoix: Director at the @EU_Commission, working for a better society in a @DigitalEU
  • @EvaKaili: Eva Kaili, European Parliament Member - Chair Future Science & Tech
  • @evamaydell: Eva Maydell, European Parliament Member for #DigitalEU, Initiator of #Regulation4Innovation
  • @RasmusAndresen: Rasmus Andresen, European Parliament Member - fighting for climate & social justice, a Green New Deal, digital rights
  • @EvzenTosenovsky: Evzen Tosenovsky, European Parliament Member - Committee on Industry, Research and Energy
  • @mmatias_: Marisa Matias, European Parliament Member
  • @bgroothuis: Bart Groothuis, European Parliament Member, NIS 2 rapporteur

A suggested text:

Dear EU: Cyber security is important, but please don’t #RuinTheRoot by regulating the non-essential entities that run the core of the internet! @digitalEU @EvaKaili @RasmusAndresen @EvzenTosenovsky @mmatias_ @evamaydell @LorenaBoix https://berthub.eu/articles/posts/dont-ruin-the-root/

The relevant department of the European Commission (DG Connect) can also be contacted through this form.

If you are in the EU, it is also extremely useful to contact your national telecommunications ministry or department. Their policy people have an important seat at the table for this directive. If you have any contacts there, do point them at this page.

Finally, I will get very cross with anyone sending out disrespectful messages, so please don’t.

About the author

I spent 21 years working on DNS servers, and I know many root server operators personally. I have left the DNS industry, but I have since gained some knowledge of regulatory affairs. I wrote this post since I care deeply about both the Internet and the EU. This post represents my personal opinion only, although I did consult with many people to hear their thoughts.