ICANN 72: INSIGHTS FROM THE VIRTUAL MEETING
Join our upcoming webinar, which gives a recap of the recent ICANN 72 Virtual Meeting.
The session will share highlights of important industry policy developments that will affect your online domain name, brand protection, and cyber security strategies.LEARN MORE
GET STARTED WITH CSC
Expert Gretchen Olive, CSC director of policy, will bring webinar participants up to speed on:
The status and community discussion related to availability and access to WHOIS for IP and law enforcement, as well as security and fraud investigation purposes
The current community discussions and work related to domain name system abuse
Ongoing policy work to enable the launch of the second round of the New gTLD Program
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right, or if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.
Caitlin: Hello, everyone, and welcome to today's webinar, "ICANN 72: Insights from the Virtual Meeting." My name is Caitlin Alaburda, and I will be your moderator.
Joining us today is Gretchen Olive. Gretchen is the Director of Policy and Global Domain Name Services for CSC. For nearly two decades, Gretchen has helped Global 2000 companies devise global domain name, trademark, and online brand protection strategies, and is a leading authority on the Internet Corporation for Assigned Names and Numbers' New gTLD Program.
And with that, let's welcome Gretchen.
Gretchen: Hello, everybody. And again, thank you so much for joining us here today. As usual, with this webinar meeting series, we have a really packed agenda. It kind of amazes me I can shorten this Annual General Meeting. It's in the virtual format again, not in-person, and thinking maybe fewer days would mean less information. No, not the case.
So we'll take care of a little housekeeping here at the beginning. Then we'll move right on into all the different policy development processes that are going on within ICANN right now. We'll talk some about where the next round of gTLDs may or may not stand, the discussions around DNS abuse.
We'll also highlight some of the regulatory kind of developments going on around ICANN, which is impacting their work. We'll talk some about what's on the mind of the GAC, or the Governmental Advisory Committee, which continues to kind of wield a lot of influence and power within the ICANN community.
And then lastly, we'll talk about some kind of new threats that the ICANN President and CEO sees on the horizon for ICANN.
So as I mentioned, let's take care of some housekeeping first. We do have a few new people I see on a registration list that I haven't seen on prior registration lists. So thanks for joining us.
ICANN, Internet Corporation for Assigned Names and Numbers, has three public meetings per year, one in March, one in June, and then the one we're talking about here today is the one that typically happens at the end of October, early November. And this is their Annual General Meeting. It's typically a seven-day format. This time, it was four days to compress, but still no less information shared. So always an adventure at ICANN.
When we talk about ICANN, what we mean is there's ICANN the organization, that's kind of the CEO/President, and his staff. There's the ICANN Board of Directors, and then there's the kind of broader ICANN community that is made up of a number of stakeholder groups as well as advisory committees.
So you can see on this org chart, if you will, there are gray boxes to the right. Those are the different advisory committees. The dark gray one, the Governmental Advisory Committee, is one we talk about practically at every one of these meetings. And this time, we also will talk some about the Security and Stability Advisory Committee, a recent report that they issued.
Otherwise, we generally stay in that kind of big blue box in the middle there, which is the Generic Names Supporting Organization. And that's really made up of registries, registrars, business users, intellectual property interests, law enforcement, ISPs. The list is there for you.
So this is really the group that focuses on a lot of what happens in the generic top-level domains and the policies related there too. So just so you have a little kind of context of who we're talking about when we talk about ICANN, this chart, I think, sums it up pretty well.
So we're going to jump right into the various policy development processes that are happening at ICANN right now. So to kind of give you some understanding, ICANN is a multi-stakeholder, bottoms-up consensus policy organization. I know that's a mouthful. What it basically means is that things kind of start at the constituency level and at that kind of interest group level, if you will, and then as policy discussions rev up, they kind of come up through the different stakeholders organizations.
And we focus mostly in this webinar series about the GNSO, the Generic Names Supporting Organization, like I mentioned, all those different parties that are part of that.
Right now, one of the biggest PDPs going on is sort of a multi-pronged process related to WHOIS. This all started back when the General Data Protection Regulation replaced the Data Protection Directive and became enforceable in May of 2018. When that happened, there was a direct conflict basically with GDPR and ICANN's rules, policies, contractual language with the different registries and registrars around WHOIS.
So a lot of personal information in the past has been in the WHOIS record. And when the GDPR came along, that kind of blew everything up.
And so while GDPR was designed to really harmonize data privacy laws across Europe, and to better protect and empower all EU citizens around data privacy, it has extraterritorial implications. What I mean by that is while it is to protect the EU citizens, if companies outside of the EU are doing business with EU citizens, it has application to them too.
So it really caused quite a stir, quite honestly, in the ICANN community end of 2016, all the way through 2018, where there just couldn't be policy yet put together around how to kind of revise and reform the WHOIS to be in compliance with the GDPR.
So we wound up with this thing called the temporary spec, which kind of blew up the WHOIS a bit. And a lot of people will say the WHOIS has gone dark because ICANN allows registries and registrars to not include certain information in the WHOIS. They kind of got a waiver of their contractual requirements to publish that data.
Really since, there have been a lot of challenges around that. Everything from transfers of domain names have been affected to kind of enforcement of IP rights, security and fraud investigations, law enforcement. You name it, it seems like it's been impacted by this enforceability now of GDPR.
So this has really then kind of led to a pretty prolonged what was initially called an EPDP, Expedited Policy Development Process, around WHOIS.
So this EPDP around WHOIS has been broken down into multiple phases. Initially, there were two phases. So Phase 1 was going to be about the collection and handling of the WHOIS contact data and sort of how to make requests for that WHOIS data. Who was kind of eligible to make requests for that WHOIS data?
Phase 2 was about the kind of access to the WHOIS, like the system by which that data that's maintained by registrars/registries could be accessed and the different controls around that access to ensure that the GDPR was not being violated.
So that's how we started and that started in earnest in mid-2018. By February of 2019, we kind of had the final report for Phase 1. Both Generic Names Supporting Organization, the GNSO, and the ICANN Board approved most of those recommendations.
But there was this nagging issue that still there could be no real consensus around, which was around natural versus legal persons. In a lot of ways, the temporary specification that ICANN kind of hastily had to put into place just prior to the enforceability of GDPR really treated all registrants the same. But the thing is the GDPR is really just trying to protect personal data.
So there has been a lot of discussions around, "Why isn't, for every domain name, the ownership of the domain name distinguish between being kind of licensed or owned by a natural person versus a legal person? And can't we kind of have multiple paths on how to handle things?" Well, that wasn't possible in 2018, because there wasn't enough time to kind of get that through.
And really, that policy discussion and debate really continued through the Phase 1 work that was done on the EPDP. And quite honestly, consensus was not reached on that issue.
Anyway, after these first phase recommendations were approved by the board, ICANN assembled what was called an implementation review team to start implementing, taking these recommendations and trying to build processes and policies to kind of support what was determined. That is still going on. It was expected that that would be done already. That is not the case.
It also kind of sprouted because of this natural versus legal person issue and the feasibility of potentially using what's called a uniform anonymized contact email in the WHOIS record. This Phase 2A was kind of created, if you will, as an outgrowth to the completion of Phase 1. But we had to first get to Phase 2 because that was already pre-planned.
And that final report, they started work right after. The work was done with Phase 1 in the spring of 2019, early summer. They then kind of launched into this Phase 2 work. They had the final report by August 2020, so about a year and a half later.
That was filled with controversy. The system for secure app access is just a huge source of debate. There are a lot of concerns about its feasibility and its cost particularly. So, as a result, ICANN has now created, as part of the policy development process, this new phase of process called the operational design phase.
So these policies and recommendations kind of come up through the multi-stakeholder, bottom-up consensus policy process of the PDP. And now ICANN basically wants a feasibility report and kind of an assessment of those recommendations before they vote on it. And that's what the ODP phase is now going to be.
It's new. We haven't been through a full one yet. So initially, they gave them six months to complete the ODP. That did not happening. It's still going. And then in September, there was a kind of a grant of another six months to work on this. I think there's some concern that we're still not going to be there. But it is a work in progress still.
So, in this new ODP for the Phase 2 EPDP . . . gosh, that is a mouthful. A lot of questions are being asked. "Well, what have they been doing all this time? Where are we?" And so this slide was created, and I think it was in a presentation that was in the late August/September timeframe that kind of summarized where they are.
They've kind of gone through their project governance, got that all squared away. They're working through the mutual understanding on data collection. They've done surveys. They've done an RFI, understand different systems that might be out there that exist today or ideas. They've done a bunch of data collection. It's currently being analyzed. The team is kind of all getting on the same page.
And then there's sort of this assumptions assessment in ODA drafting. So the ODA is the Operational Design Assessment. That work is in process on different sections. The dependencies have been identified. There may be a few more that get identified as we move forward in my experience.
But they are trying to work sequentially, and they're also trying to, I think, better communicate and engage with the GNSO Council liaison as to progress and what is going on. I think this has been a little bit of a black box for a lot of people in the community, and that's also causing a lot of angst, and concern, and questions, and doubts, and fears. So they've tried to, I think, shore that up with more active engagement with the GNSO liaison.
So with the ODP going on for Phase 2 of the EPDP around the WHOIS, this Phase 2A we talked about the kind of sprung out of the Phase 1 report, they have done their work. They've published their final report and it's been approved by the GNSO. It was approved at this last meeting, ICANN 72.
There are four recommendations that have basically come out of this. And again, this is that legal versus natural persons debate and sort of using the anonymized email address.
So first recommendation is in what's called the registration data directory service. It's basically the technical protocol that's being used to publish WHOIS, one of the ways that the WHOIS is being published. One of the recommendations is that there, on a mandatory basis, be the creation of a new field that enables but does not require anybody to designate the data as a natural or legal person data and non-personal data within that record.
So kind of giving us some new fields, that if a registrar wants to require that from their registrants to be outlined or indicated, that would be possible.
In addition, in terms of recommendations, there's some optional guidance for registrars that do opt to differentiate between natural and legal persons that the Phase 2A report provides.
It also says that if ICANN does go forward in kind of developing what they call GDPR Article 40 Code of Conduct, that ICANN really needs to consider the guidance provided to registrars around the natural verse legal persons in drafting that code of conduct.
And if there are contracted parties . . . So contracted parties are registries and registrars are the ones who contract with ICANN to offer these gTLDs. Those who choose to publish that anonymized or pseudo-anonymized registrar-based or registration-based email address, they should evaluate not only the legal guidance obtained by the EPDP team from a law firm that was procured, but also any relevant guidance by relevant data protection authorities.
I think some good information, some good recommendations, how much teeth they have is, I think, what concerns folks the most. There's so much "if this, then that," and a lot of decision tree stuff.
But this final Phase 2A report that was just recently approved by the GNSO has been sent to the ICANN board for a vote, and the GNSO has recommended the creation of an IRT, an implementation team basically, to work this through.
So this EPDP is a monster. That's, I guess, the bottom line of all this. It's got many lanes and tentacles, and they're all moving forward, but not quite sure where they will all end.
So let's switch gears to another PDP, which is the transfer PDP. This is one that's recently underway, so it hasn't been going on for years.
But transfers have been the subject of PDPs for years and years and years within ICANN. The challenge is that transfers, once again, kind of had to come into the PDP process, because when the WHOIS kind of went dark, and particularly personal information, which affected the admin email on every WHOIS record basically, that really blew up the transfer process.
During the kind of inter-registrar transfer process . . . so when you move a name from one registrar to another registrar, there are some emails that kind of get triggered as part of that process that sends a form of authorization to the losing registrant and some other email notifications to the gaining registrant. All that kind of got blown up because that address was now not available in the WHOIS, and oftentimes is redacted.
So the GNSO Council launched a new kind of two-phased PDP on the transfer policy in February of 2021. You can see the theme. Multiple-phased PDPs. Hopefully, you see that by now.
The goal of this PDP is to kind of look at the changes to the current policies that's needed to improve, what they say, "the ease, security, and efficacy of the inter-registrar and the inter-registrant transfer." So, again, inter-registrar is from one registrar to another. Inter-registrant is when you change ownership or licensing rights from one registrant to another.
So you can see there are six bullets here of things that needs to be addressed. At the top there is the form of authorization and the authinfo codes that help trigger or kind of allow transfers to happen.
You can see in the prior PDP that we discussed around WHOIS and now this transfer PDP how interrelated all this stuff is. It's hard to do one of these PDPs in isolation because many of them are dependent on some of the policies and rules that occur in other areas.
So, when you're trying to deal with policies and rules and controls around WHOIS and then you're talking about transfers, where WHOIS is a big part of that process, kind of the mechanics of that process to ensure things don't go wrong, it is really hard to kind of keep these things on track.
But right now, ICANN is targeting mid-2022 for the work group to publish their initial report. So we'll see if they can keep that timeline. But again, you can kind of see that even if they keep this timeline, the WHOIS PDP is probably going to extend beyond that. So it's hard to know when this all kind of wraps up.
Let's move to our third in-progress PDP at ICANN. This relates to the Rights Protection Mechanisms, or the RPMs, that were used during ICANN's New gTLD Program that was launched in 2012. That brought us all those new gTLDs and dot-brands and all that stuff.
So this PDP has been going on for quite some time. It was also being conducted in two phases. The first phase kind of covered all those rights protection mechanisms that were new and applied to the New gTLD Program that launched in 2012.
So things like the uniform rapid suspension system, sunrise and trademark claims, trademark clearinghouse, trademark post-delegation dispute resolution procedure, these were all new rights protection mechanisms that were brought about through the New gTLD Program and really kind of were being tested as part of that implementation. So that's what Phase 1 covered.
Phase 2, which is something that is just getting started up now, was focusing on another rights protection mechanism known as a Uniform Dispute Resolution Policy, or UDRP, which has been in existence since 1999 and most people are very familiar with as a mechanism for trademark holders to recover domain names through an administrative process. And that's gTLD domain names.
Part of the initial scoping, if you will, of this RPM PDP was to first look at the new stuff and then do a review of the old stuff to see if in the New gTLD Program, the rollout of the New gTLD Program in 2012, if this UDRP was still fit for purpose, still kind of met all the same needs. So a two-phased approach again.
So Phase 1, that final report was published at the end of 2020 and approved by the GNSO at the top this year. ICANN after that had notified the GAC, the Governmental Advisory Committee, which is made up of different ministers from typically telecommunication or internet ministries within governments. That group looks at everything going on through the ICANN policy process and tries to bring the perspective of public policy and kind of the balancing of the interests.
And so the GAC has been very interested in these rights protection mechanisms and kind of the evaluation of these rights protection mechanisms so that when the final report came out and the GNSO approved it, ICANN provided notification to the GAC that that Phase 1 final report was approved by the GNSO and the public comment period was opened.
There was a summary report of the public comments that got issued in June of this year. And the ICANN board says they'll now consider the recommendations as per the ICANN bylaws.
This one, though, is super sticky because this has been an area where the GAC has had a lot of long-standing concerns. They weren't really happy about the rights protections for what they call IGOs, intergovernmental agencies, NGOs as well. They were concerned about how objections were handled. There are just a bunch of things that they just felt didn't have all the components that it should.
So the ICANN board is treading super lightly in this area, I think is probably the right way to categorize this. ICANN is kind of waiting for all these PDPs around the New gTLD Program, and we'll talk about another one in a second, to all come to fruition and kind of take one big look at it to see what they should do.
Again, they're kind of treading lightly here and they will look at these recommendations, but they don't seem to be in any major rush right now.
This Phase 2 piece, like I said, is just underway, but it's kind of . . . A lot of people haven't been around for this whole period of time, much less since the New gTLD Program started to when the PDPs started in, like, 2015/2016.
So people are a little confused, like, "Wait, I thought we looked at all the RPMs. Now we're looking at them again?" So there was a lot of angst and conversation and sort of scratching their heads, if you will, regarding why we need to have this second phase. But it was initially scope.
So the second PDP that emerged, if you will, from the New gTLD Program was something called the New gTLD Subsequent Procedures PDP. You'll often hear it talked about in shorthand as SubPro PDP. This was really focused on looking at the 2012 new gTLD round of policies and deciding what changes would be needed.
The policies and the process were really codified in something called the Applicant Guidebook. It kind of took you through the entire process of everything from how to apply to a new gTLD, to object to a new gTLD, to what needed to be done and by what time to get a new gTLD delegated, and then what the rights and obligations of the new registries would be under the New gTLD Program.
So it was a pretty comprehensive, if you would, set of documents that made up this Applicant Guidebook. It really came from recommendations that were formulated in 2007. So I mean, we're spanning a really long time, 13, 14 years here on the internet, which is sort of like three lifetimes.
But nonetheless, the PDP had over 40 separate topics identified. They kind of separated or bucketed them into work tracks to try to tackle the work in kind of bite-sized pieces, and you can see the ones that they started out with. But this is a PDP also that's kind of had quite a run.
So I give you a quick timeline here of the different reports, documents that have been published around this PDP. When the last report was approved by the GNSO, the ICANN board had six months to review and approve.
And the challenge is that while the report is fairly comprehensive, there were still a few key issues that there's a lack of consensus around or uncertainty around. And that was closed generics, mandatory and voluntary personal interest commitments, and also how this new proposed standing predictability implementation review team, or SPIRT, and how the GAC inputs happen in relation to that all work.
So kind of going back to when we talked about the RPMs and ICANN treading lightly at this point, now you have this SubPro PDP at the finish line, and ICANN is also treading lightly.
And what they've done is they've initiated in September one of these ODPs again, so these operational design phases, to kind of look at the whole New gTLD Program. And that's including the reports and the comments specifically around the subsequent procedures, but I think we'd be all foolish to think that they're not going to look at the RPMs and other reviews and reports that have come out regarding this program.
So it's kind of now put back into play, "Do we need another round?" and the assessment of, "Is that in the public interest?" So it's got a lot of folks relatively spun up. There's been a lot of clamoring for the next round, and many people who are kind of very anxious for the next round are thinking, "This is just another delay tactic by ICANN." But I think it kind of depends on where you sit how you view this.
So ICANN has tried to put a little bit more meat on the bone, if you will, regarding what exactly the objectives of the subsequent procedures ODP is about. They talk about assessing the potential risks and anticipated costs, the resource requirements, timelines, dependencies, interactions.
One thing that is truly precious in the ICANN community, and probably everywhere, but we really feel it in the ICANN community, is time. There are so many issues. I mean, just by the fact that what we're talking about, PDP 4 here in progress, during this webinar, there's just a lot going on and a finite group of volunteers and people who work on these issues.
And so trying to kind of prioritize this . . . and I think that's almost a four-letter word in some way, in the ICANN world. But prioritization is really hard. And I think ICANN is trying to kind of balance the interests and prioritize how important it is to get to the next round.
The board has requested to try to give the community a little bit of urgency, if there could be any. That's the ODA, or the Operational Design Assessment, be delivered within 10 months from the date of initiation.
So let's just say for sake, starting now, we're looking at end of summer next year, basically. So they're asking as part of this for there to be . . . kind of do this assessment in the global public interest framework that ICANN has been working on over the last few years.
So I give you a link or a URL there to go to where you can read more about that. But again, pretty complex, pretty intertwined, all this stuff. It's hard to move on PDP forward in absence of another one. They're kind of very, very intertwined.
So if four multi-phase PDPs were not enough for you or the ICANN community, I'm excited to tell you two additional ones that have gotten underway.
So there's one getting underway regarding IDN. And both of these, interestingly, are EPDPs. So that's the Expedited Policy Development Process. So the first EPDP ever in ICANN history was the WHOIS EPDP that we were talking about at the top of this part of the webinar about PDP. But now, we're going to go for two more, the IDN EPDP and the EPDP on specific curative rights.
So the IDN one is really focused on those . . . IDNs are internationalized domain names. So they are domain names in different scripts than Latin basically, than the Latin script. So Arabic, Chinese, all the different scripts that are out there.
So, basically, this group that's working on this EPDP is expected to provide the GNSO Council with some policy recommendations around the definition of all gTLDs and the management of those variant tables.
When we talk about DNS abuse here shortly, one area that causes some challenges related to DNS abuse is when people register domain names that look like Latin script, but then they use other characters, other script characters that make it seem . . . To the eye, it looks like a legitimate one. But it's kind of a copycat to try to trick the eye and often take on and use the domain name for abuse online.
So they're trying to get a definition of all gTLDs in the management of the variant tables, and also how IDN implementation guidelines should be updated. So it's really trying to look and make sure . . . There have been issues in the past around mixed scripts and other things like that. I think that PDP is trying to nail that down.
The other EPDP is around specific curative rights. And this is really the continuation of the work done as part of subsequent procedures PDP around what they call the IGO curative rights.
So I think there needs to be more discussion around the limits and the policies around that. This is something that GAC is really, really focused on, and there are still some outstanding questions. So that's the subject of this PDP.
So we've talked about a number of PDPs going on, two of them very specific around the New gTLD Program, kind of this post-implementation review that happens. We also got stuff around transfers and the WHOIS. There's all that kind of percolating around us. Where does this put the timing of the second round of new gTLDs?
It's a really good question. I am always saying that, but it just, again, shows that it is going to be really hard to nail this down. I think there are too many open questions, so many things that are going on, not only within ICANN, but in a little bit we're going to talk about some of the things that are going on outside and around ICANN that really impact whether it's the right thing to go forward and what the right timing for that is.
And exactly when that will happen is anybody's guess. I really think it's 2024 or later based on this meeting. I know each meeting I kind of sit back and say, "What's the new timing?" But there are so many really big rock issues that have to be settled here: WHOIS, transfers, the different RPM negotiations, if you will, or discussions that need to happen with the GAC, and then the sort of OTP framework that is . . . EPDP process that has emerged that has to take place on SubPro. And that's at least two years of work. At least.
I think it is 2024 or later. I know there may be some people on this webinar that are super disappointed to hear that. But we'll continue to keep you posted here and let you know how that continues to unfold.
So now, I'd like to switch from sort of the PDP processes going on to the other thing taking up the air in the room at ICANN meetings. These last few, for sure. Which is DNS abuse. And quite honestly, rightly so.
DNS system abuse or DNS abuse is really . . . I mean, it's a chronic . . . It's a growing problem. It's persistent. It's pervasive. It's not slowing down. The problem is magnified by outside events like COVID, natural disasters, civil unrest, our political discourse, all these things. It just adds fuel to the fire.
There are so many definitions and descriptions of what DNS abuse is. I think there's still no one definition that everybody points to. But if we just look at some of the statistics out there, and this is one I've used a couple of times here, in 2021, so this year, cybercrime will cost the global economy more than $6 trillion in damages, and that's exceeding annual costs for natural disasters and the global drug trade. It's just unbelievable.
It really is something that . . . we talk about these policies and we talk about these different mechanisms in the ICANN world, and ICANN has kind of danced around a little bit. Are they really the place to kind of solve the DNS abuse issue? Well, I don't know if it's "the" place. It's definitely one of the places that it not only has to be discussed, but smart people need to come around the table and figure out how to get the pendulum swinging the other way.
COVID has definitely shown us all how dependent we are on the internet, not only for our e-commerce and commercial activity, but connectivity, to our jobs, to our loved ones around the globe, to get the information that's critical to our health and safety. We've got to figure this out. We've got to figure out how to make it better online so that the bad guys are not taking advantage of challenging situations, people in need, and robbing people of their identities and their finances.
So it's garnered quite a bit of attention at the ICANN meetings, and I quite honestly think appropriately so.
So we've talked about DNS abuse, and that's something that the CSC has been really looking at closely for years now and really trying to help our customers be as secure online in their domain name security as possible.
In this year's report, the 2021 Domain Name Security Report, we analyzed the domain portfolios of the Forbes 2000. There are a couple of key findings here that I share on this slide. But I assure you, there's much, much more in the broader report.
The bottom line here is that domain names are a very, very key component to a company's overall cybersecurity presence and posture. And so we try to help companies, through this report, understand where there may be holes in their domain name security, which is likely to lead to potential gaps in the security posture of the company.
Now, we can absolutely send anyone who's attended this webinar a copy of the Domain Name Security Report. We've done a separate webinar on the 2021 Domain Name Security Report, as well as we have a number of resources to help companies understand some best practices for domain name security.
But let me give you some high-level takeaways from this Domain Name Security Report.
I think that the top headline is basically most organizations are not adequately addressing domain name security and they're leaving a gaping hole in their cybersecurity strategy and posture that's leading to DNS abuse.
So, yes, we can talk about different policies and things that can happen to mitigate DNS abuse. But that's likely to take time. Technology is always ahead of policy. It's just unfortunately the way it goes. So there are some things that companies can do today, and that we really encourage our customers to do today, to help protect themselves.
So, first of all, there needs to be this understanding at the C-suite level, as well as across the organization, that domain name security is a critical component to help mitigate cyber attacks in the early stages.
So basically, domain name security is the first line of defense. There's so much that companies are doing, so many millions of dollars that companies are investing in firewalls and really important hardware security and monitoring systems, etc. But there's this thing outside the firewall that you have very little control over, and that's the DNS.
And if you take certain precautions to really kind of lockdown your domain name security, it is really that first line of defense before bad guys even get to your firewall.
A key thing the research shows is that use of consumer-grade registrars increases risk exponentially. What does that mean? What's a consumer-grade registrar? Well, there are registrars out there that really . . . they're in the business of high-volume registration. They're in the business of quick, easy, get-you-up-online, and not a whole lot of security controls around that. Not a whole lot of "How do we layer security on top of your domain portfolio to make sure that you are protecting yourself?"
The DNS really was a system that was built for speed and convenience. Security was not kind of at the forefront when DNS was evolving. It's only in recent days, and when I say recent days, last 5, 10 years, where security is really more and more and more each year coming to the forefront.
The challenge is that the system already exists, and people like it. It's fast. It's easy. It's globally distributed. But when there are registrars that are really just focused on the speed and convenience part and not really focused on the security part, that is where a lot of companies get in trouble, because they don't know the controls and the things that they can be doing to lock down that domain name security. So the research does show that consumer-grade registrars increase risk.
We also see that most cyber attacks, including ransomware and business email compromise, or BEC, begin with phishing. There are all sorts of types of phishing. We've seen it, like, "I've got a bank account in some foreign land. I want to share the money with you," to very targeted phishing campaigns against executives or named parties within an organization, all those types of things.
But really, when you kind of look at all these bad things that happen, and the ransomware has definitely been in the news in the last six months, it all traces back to phishing. The losses due to ransomware, they're in the billions annually, and most of the protections specific to ransomware and the response mechanisms, stuff like that. The bottom line is if domain name security measures were in place, some of that stuff would not even happen.
So I really encourage everybody to take a look at our Domain Name Security Report. This issue of DNS abuse is not going away. Like I said, we had a nice webinar which will take you through the report, and then we've got tons of kind of best practice resources, as well as products and services that can help you really put that defense in-depth security approach on your domain and portfolio-related digital assets.
So, with all that being said, let's kind of turn back to ICANN and look at what is being done. Like I mentioned, ICANN, there's a lot of debate about whether or not they're "the" place to be trying to work this out. I don't think they're yet convinced they are "the" place, but they definitely are a place.
So right now, a patchwork approach is really currently being undertaken within the ICANN community. There are questions about, like I said, is this really ICANN's role? How does compliance play into this? Do they have the right tools? Can they really coordinate with all the industry players that need to be coordinated with?
A lot of people feel like ICANN and the contracted parties, meaning registries and registrars, should be doing more to combat DNS abuse. I agree. There's a joint effort underway involving the gTLD registrar stakeholder group and the gTLD registry stakeholder group to create a trusted notifier framework. I think that's good stuff. The challenge is it's likely not going to be mandated by ICANN and will be largely voluntary. So we'll have to see what the effectiveness of that framework will be if it comes to fruition.
Also, on the Governmental Advisory Committee, DNS abuse is something they're very, very focused on. They have a Public Safety Working Group. They're working with different stakeholder groups within ICANN, the registry stakeholder group, talking about the domain-generated algorithms that are being used for botnets and malware, messaging malware and mobile antivirus workgroup, looking at a survey of cyber investigators and anti-abuse services.
They're also working kind of among themselves with individual national governments to see if they can brainstorm how there can be a coordinated approach or what countries are doing things that are making a difference or having an impact.
And then ccTLD registries are also looking at new rules they can impose as well.
So I think there's work being done, but is it going to be what changes the tide? I think most people feel like no at this point. But I think this is a discussion we've got to keep on having and keep on pushing to ensure that we do turn the tide.
I think one of the more concrete actions that have been taken, though, within the ICANN community given all the discussion going on . . . I mentioned very early on in this webinar when we were looking at the ICANN org chart, those gray boxes I talked about, the Government Advisory Committee, and also the SSAC, or the Security and Stability Advisory Committee, they are a group of technologists that are provided by ICANN around different policies and things like that related to security, stability, or resiliency.
They had done a report that was called SSR1 that had a bunch of recommendations, but it was time for a new one of these reports given the landscape changing so dynamically, so quickly, domain abuse really rampant.
So, recently, the SSR2, the Security, Stability, and Resiliency report, was released. And it's really been looked at as a potential roadmap for the path forward, because it kind of just feels like ICANN is treading water an the ICANN community is treading water. So could this report potentially lay out that roadmap for how ICANN can help mitigate DNS abuse?
The final version that was issued contains 63 recommendations grouped into those four key areas I have on the slide. The ICANN board did consider the final report and not all the recommendations were approved.
I give you a link here to what's called the SSR2 scorecard for more detail. And that's kind of a . . . ICANN, when they get advice from these advisory committees, they have to document what they do with that advice. Do they accept it? Do they reject it? Do they reject it in part? Accept it in part? They have to kind of document that and provide rationale under the bylaws for that advice.
And so they usually quantify that or kind of document that in what's called a scorecard, and that's what's here, an SSR2 scorecard. It kind of goes through recommendation-by-recommendation and what the ICANN Board has accepted, what it's rejected, where it has more questions, etc.
To say the GAC is not happy with kind of the initial response, if you will, by ICANN is probably an understatement. This is something where, again, the GAC is very passionate about DNS abuse. And they definitely see that as their role in terms of giving that public policy view of things going on in ICANN and they really are pushing ICANN and the ICANN board to really drill down, to really dig in. "Let's take what the SSAC has put on the table and let's develop it into that roadmap, and let's be clear about the things that ICANN can and can't do."
A lot of times, these reports that come from the Technical Advisory Committees, they kind of make a big splash and they come out and then they fizzle. I think this one is not going to fizzle. This one is definitely going to keep a place on the stage for, I think, quite some time.
So as I mentioned earlier, it's not just what's going on within ICAN that has an impact on ICANN and the different things that they're working on, everything from the different PDPs to DNS abuse. So ICANN has historically and it continues to struggle with that interplay between multi-stakeholder consensus policymaking model and sort of the external global regulatory environment.
So there are three items here. We went through them in a little bit more detail last webinar, but the Network & Information Security Directive 2, or NIS2, the Digital Services Act, or the DSA, and the Convention on Cybercrime of the Council of Europe, aka the Budapest Convention, are three examples of those new regulatory developments that really are percolating around ICANN with real potential direct impact on current ICANN policy work.
So we talk about the work within ICANN be so intertwined. Then you kind of layer this stuff on top of it, and it's hard to see where the endpoint is on a lot of things, because these regulatory developments really continue to highlight the problems of timing, representation, and sort of community preparedness to participate.
How are you at all these places at once? All these different entities and organizations discussing these issues or sections of issues that matter to ICANN, how is the community, how is ICANN in all those places at once and making sure that we're all rowing in the same direction to get to a resolution that is workable?
So given we're a little short on time, I'm not going to spend a lot of time going through NIS2, but I think that of the three is one that people should really watch super carefully. So I try to summarize it for you here.
So there are two areas where I think NIS2 particularly intersects with the work being done at ICANN. It's regarding sort of these requirements for essential entities of DNS and then also proposed requirements concerning domain name registration data, which is Article 23 stuff.
ICANN submitted comments recently on this. So I provide you a hyperlink there to go check those out. But again, all this stuff has impact on a lot of work being done within ICANN, but certainly the WHOIS PDP is right in the bull's eye on this.
So throughout this webinar, you've heard me mention the GAC, Governmental Advisory Committee, and just kind of a little bit more about them just so we put a little bit of a color on that picture.
Currently, the GAC is made up of 178 country or territory members. There are 38 observer organizations. It's usually around 500 participants from the government sector. They've really been increasing engagement and participation, especially through the COVID pandemic. Sixty new delegates have been added since ICANN 66. So this is, again, a group that continues to gain influence and power and is continuing to grow.
So the GAC, like I said, they are getting power and influence within the ICANN community. At the end of every ICANN meeting, they issue something called a Communique. So this Communique that came out on ICANN 72, they listed a couple of areas of concern. Their issues of concern, again, focus around DNS abuse, accuracy of WHOIS, and subsequent procedures. So we've kind of talked about that throughout the webinar.
They are not sitting on the sidelines for sure. They are really engaging not at the end of the policy process, but kind of throughout, which as painful as sometimes that may feel, I think it's a really good thing. I think that the New gTLD Program, that was one of the big challenges. They got the community after a big policy process, and then at the end, the GAC had all these questions and things they wanted to see changed. So I do think it's good that they're engaged more kind of concurrently.
Now, within the Communique, the GAC also offers kind of official advice ICANN. So for ICANN 72, they had advice very specific to the scorecard that we talked about for the SSR2 final report.
So they really advised ICANN that they need to undertake as a matter of priority the follow-up actions needed to support swift implementation, and to inform the GAC accordingly about that timeline.
They also want further information on where there are disagreements, and where there are some of those recommendations where they say, "We can accept it in part," the GAC wants more detail around that.
They also put up a few things around following up on previous advice. So want some further updates around the domain name registration data, registration directory service and data protection. This is all about access, accuracy, and privacy around WHOIS. And then you've got the EPDP Phase 1 policy implementation. That timeline seems to be never-ending. The GAC wants a more definitive timeline as to when that group's work will be done.
Now, no ICANN meeting would be complete without a little additional drama and intrigue. And so this time, ICANN CEO and President, Goran Marby, kind of highlighted some recent moves by Russia in the UN-backed International Telecommunications Union, or the ITU, and really kind of categorized it as a threat ICANN's existence and the current internet governance status quo.
So current internet governance structure is really about multi-stakeholder consensus, and it seems that Russia does not see it that way. And there have been obviously some actions taken that give everybody pause to think that there's some effort underway to displace ICANN.
But from the Russian perspective, they believe ICANN poses a risk because it's based in the U.S. So it's subject to all those U.S. judicial and legislative systems, as well as sort of the OFAC, or Office of Foreign Assets Control, which really kind of can seize assets and cause some financial challenges for foreign governments who are not complying with treaties or laws that are out there.
So we'll watch this. There have been threats in the past. I think there's some heightened concern around this one just because it's sort of analogous to some of the other political things that are happening across the globe. So we'll watch this closely, but definitely something that caught a lot of people's ears at this ICANN meeting.