DOMAIN NAME STRATEGY 2020

Annie: Hello, everyone and welcome to today's webinar, "Domain Name Strategy 2020 Blocks, WHOIS, Cyber Criminals and Other Challenges." My name is Annie Triboletti, and I will be your moderator. Joining us today is Gretchen Olive. Gretchen is a Director of Policy and Global Domain Name Services for CSC. For nearly two decades, Gretchen has helped global 2000 companies devise global domain names, trademark and online brand protection strategies. And is the leading authority on the internet corporation for assign names and numbers, New gTLD program. And with that, let's welcome Gretchen.

Gretchen: Thank you, Annie. And thank you everybody for joining us today. We do have a full agenda. So we're going to jump right in. As you can see we're going to definitely talk about what's going on out there in cyberscape. The DNS is definitely under attack. We're going to look at cybersecurity as a top business priority, and then dive right into talking about a comprehensive domain name strategy and key considerations for 2020.

So, for some of you, I kind of saw the registration list, many of you have attended some earlier webinars we've done this year and certainly a theme has been about the DNS is under attack. There have been numerous warnings and also advisories sent out by leading security authorities, the Department of Homeland Security, ICANN and also national governments raising the flag about specifically DNS hijacking. It is gotten to a point where these attacks are not only persistent and pervasive, but they are doing some very significant damage to governments and companies alike.

So it's really important to understand that this is the world we live in today. This is not just a campaign. This isn't just a one-off. This is the world that we wake up to every day and, you see me kind of going through some slides with some headlines in the news. And every day we wake up and there's a different headline, and for somebody like myself who's been in this space for 20 years, I have never seen a time where it's been so rapid and so just absolute, the scale of these attacks are just absolutely unbelievable.

And so we've talked in other webinars, like I mentioned about an attack called Sea Turtle, and it's really about that DNS hijacking where basically the DNS for domain names get hijacked. And people get redirected to malicious sites. And that can cause all sorts of problems. You can have injections of malware, ransomware, people can be entering their credentials into what looks to be legitimate sites, but they're cloned sites, and all these things kind of then lead on to additional bad acts and fraud and identity theft. And when it comes to governments, a ton of personal sensitive data being basically taken on residents of the various countries and the folks who do business with the agencies that are affected.

So it's really become not just a regional problem, not just an IT problem. It's really become a global business problem. And so it's a couple of headlines here, again, where you can see this DNS hijacking. There were six U.S. government agencies that were specifically affected. And that's what kind of prompted the Department of Homeland Security here in the United States to issue their warnings and guidance. There have been other attacks where actors have gone out…bad actors have gone after, subscribers of very popular online services. And what we're seeing more and more is that these attacks seem to be state sponsored. So the resources that these folks have behind these attacks are enormous.

And so this isn't a 12-year-old in the basement, you know, just trying to have some fun trying to poke fun at a company. These are large scale attacks where very serious kind of damage is being done to the integrity of systems and to data privacy. We also see that really what always seems to start off, let's just say, trigger the DNS hijacking is spear phishing beforehand. Spear phishing is how the bad guys are getting these credentials to be able to then take further action to manipulate the DNS.

So this is been something where you can see in that article from CircleID, this isn't again an isolated situation. We're seeing that phishing attacks targeting executives are now the top cybersecurity insurance claim that a big company, a big insurer like AIG is seeing.

So you can see through the years we've heard about these scams where spear phishing scams that try to target executives. Now it's a top cybersecurity insurance claim. So you can see that, again, whenever you have these bad actors and the resources that state-sponsored bad actors have, it really results in big losses, whether it'll be to reputation, whether it'll be financial, whether it be the data. It is something that affects both governments as well as industry.

And this is a really good chart from IDC's 2019 Global DNS Threat Report. And really what it found is that no industry is immune from these attacks and from these losses. So you can see anything from manufacturing to retail to healthcare to government to utilities. They're all being affected. I know this week I've been reading in the news about a school here in the United States in Arizona that's been shut for a couple of days because of DNS attacks. So they come in many forms. They come in many sizes, they come announced always and it is something where there's really been a ramp up in terms of the damage that's being done.

So let's dive into that very question about cybersecurity in the C-suite. I know that as annual reports came out as a top of this year, if you read, you know, I read through a fair amount of them just to kind of understand the challenges and the objectives, the business objectives of our customers so that we can make sure that the services that we're providing are kind of helping them achieve what they want to achieve online.

And with rare exception, you would see that cybersecurity is a top priority, top three priority often and so there's some definitely some research out there that supports that sort of anecdotal kind of observation of mine. But according to Ernst & Young's 2019, CEO Imperative Study, gaps in cybersecurity are the biggest threat to business growth and to the global economy according to CEOs and that's not just this year. That's for the next five to 10 years.

And so what's happening in boardrooms is that cybersecurity is no longer just an IT priority. Before it was very much like, "Oh, we have a CTO, we have a CISO. They're going to take care of that. Just keep us posted." That's not something we have to kind of intertwined with our business strategy and priorities. But that shift has definitely happened. It is now a top three business priority.

And it really requires cross-functional engagement and alignment because, you hear it everywhere. And we hear it here at CSC, security is everyone's job. There's no one who doesn't need to make sure that they're following the rules, making sure that they're not doing anything to expose information, expose credentials, those types of things. Every person in every organization, security is their job, and definitely that message is starting, more than starting to get to the C-suite and it really has a created this kind of evolution where cybersecurity is no longer just an IT priority, which I think is a real positive.

Now, I do think there's room for improvement. I do definitely think that, I think that there's, like I said, there's somewhat of an awareness, but there's a lot of education that still has to happen. And that's really going to be incumbent on business leaders who are dealing with and fighting these battles every day to make sure that this education is happening. Because, you know, obviously boards and CEOs are really focused on how to grow revenue, how to grow the business, and that's, of course, what every company's driving towards, but it's just like, you hear the phrase all the time, it takes 20 years to build, a great reputation and five minutes to lose it and probably less than five minutes, you know, probably seconds. And so it's really pretty important that this not be just sort of a flavor of the day that this continue to be a business priority.

So what's interesting though, is that as companies talk about cybersecurity strategy, what's interesting given everything we talked about DNS attacks, attacks, you know, the DNS hijacking where registrars are being attacked, registries are being attacked, people's credentials are being stolen so that they that these bad actors can get into accounts where they can manage DNS.

Despite all that information that's out there and all that evidence of what these bad actors are doing, domain name strategy has not been part of a company's cybersecurity strategy. And that's a gaping hole because there's a lot the companies are doing kind of inside the firewall to make sure that they have the biggest, baddest firewall, they have all the latest technology, and monitoring, and managed services, and all the kind of the coolest and newest tools. But so much of this bad stuff happens outside the firewall. And that is really where a domain name strategy can help mitigate those risks because that all happens outside your firewall.

And domain name strategy, I think it's really important. I think I love this cartoon here because it kind of it's a little bit old fashioned. I admit to it, it's a little bit old fashioned. But it really reminds me of you know, people do not often think of domain name strategy as like a key business priority. It's an administrative task. In a lot of people's minds, it's about "What domain names do I register?"

But quite honestly, it is way more than that in today's world. It's really, it's your run book on how to manage and secure your online presence and protect your organization from these DNS attacks. It is far more than just what domain names are you registering. This domain strategy really needs to be part of your overall cybersecurity strategy so that you've got all the protections that are possible outside the firewall.

And it's a gap right now. So as I mentioned earlier, there's a real need for education and a complete paradigm shift at the C-level to really enable that integration of the domain strategy into the cybersecurity program because there's no one really within an organization that's saying, "This needs to get done." But when you really step back and you look at what's going on out there, it's clear to see that these assets, these domain names, and all the associated things that go along with them, they are a real blind spot that companies have.

And so when you're looking at creating your domain name strategy for 2020, this has got to be a key component of your overall cybersecurity strategy. So it's really important to kind of help educate your teams internally, and especially your C-suite and board about how there's this interplay between your domain strategy and your cybersecurity strategy.

So let's talk about really when, you know, I said that domain strategy is much more about much more than just like what domain names are you going to register. So what are those key domain names, strategy questions? So what, yes, what namespace do you want to proactively secure for use? That is about registration, right. What websites do you want to have? All that type of stuff. What do you need for it to run applications, e-mails, VPNs? All that. What namespace do you need? What domain names do you need? And what TLDs, top level domains, do you need to secure for use?

Then you need to think about what namespace do you want to prevent others from getting, right. So that's kind of the more the defensive posture. That can come in the form of defensive registrations, or, as we'll talk about shortly, maybe some blocks, those types of things.

Then have you placed an appropriate and reasonable level of security and vital domain names to mitigate DNS attacks? This question is absolutely critical. Because as we live in a more regulated world, when we look at the cybersecurity regulation that's emerging, the data privacy regulation that's emerging. A lot of it asks, "Are you taking reasonable actions? Are you doing what's appropriate and reasonable in the circumstance?" And there's a lot of things that you can to do to secure your digital assets out there outside the firewall, but a lot of people don't either know about them or undervalue them.

And so what's going to happen over time is, as these breaches happen as these attacks happen, and a regulatory review occurs, of whether or not your actions were kind of appropriate and reasonable, questions are going to start being asked about things like, "Did you lock all the domain names you could? What kind of DNS did you have?" All these types of measures that we'll talk about in a little bit.

And it's really important there's a phrase in there that I really want to key in on is vital domain names. These are the domain names that power your business. These are the ones that are business critical that if something happened to them, it will disrupt your operation, it will disrupt your website, it will disrupt your business operation, it will disrupt your e-mail. I know all of us we come in every morning and we look at our e-mail box and we think, "Oh, gosh, how could I have that many e-mails?" Right? But just think about if you weren't getting e-mails.

As much as we all kind of dread having to go through the e-mail box, we probably couldn't live without it, because it really helps us communicate across the globe, across teams, make sure that we're clearly articulating things that need to get done, following up on things, getting information that we need to do our jobs. It's become such a part of the way we do business that if those vital domains that power things like e-mail go down or are compromised in any way, that is not only going to be potentially an opening for a bad actor to, you know, take data. It's also going to disrupt your business.

Another question is, are you adequately monitoring for online brand abuse based on your current company risk tolerance? So, look, you can't monitor for everything. And I think that's gets overwhelming. The space is so big. It changes so fast. There's so many threats, and I think it's easy to get overwhelmed. But what really needs to happen as you're creating a domain name strategy is to really kind of objectively assess what is your company's risk tolerance? What are the things, you know, if it happens, you can take some other actions. You can live with that. But what can't you live with if it happens? And that's really where you kind of build that kind of risk tolerance and that helps guide you're kind of risk averse budget discussions and decisions.

And then you got to think about the mechanisms and resources, you'll need to enforce rights online. Because once you identify a problem, what are you going to do about it?

So you also need to think about, do you have the appropriate threat mitigation in place based on the current threat landscape? So again, top of this webinar, we talked about all this DNS hijacking, and this attacks and spear phishing, and there's lots of bad things happening, online data breaches, etc. Are you doing enough to, mitigate those threats? Do you have DDoS protection? Do you have things in place on your…do you have the right DNS, you have the right SSL? Or digital certificates? These are all things that are going to help mitigate risk and again, you have to kind of look what's the threat landscape? What are the threats out there? And what's an appropriate risk kind of mitigation strategy for those threats?

And then there's this big bucket of a domain name governance program. And I will tell you, as I work with many clients, there's this kind of, I would say, old way of thinking that you've created a domain name policy, it gets put on a few pieces of paper. Everybody feels real good when it gets done. And then it gets filed. And every once in a while, you pull it out to kind of see, "Oh, I want to register this name does it fit our policy." But there's not really an ongoing living, breathing, domain name governance program. And that is a real miss in your domain name strategy. If you don't have it. You really need to have a governance program where you're looking at defining access rights and controls, as well as roles and responsibilities.

Third-party liability is huge. And humans are the biggest risks to any organization. That includes all of us on this webinar, and quite honestly, studies have shown the higher you go in an organization, the greater the risk, right. And so you really need to make sure that you have the proper access and rights controls, that everybody understands their roles and responsibilities and other people are clear as to who is responsible for what, when, and why.

So that is a really, really important part of that overall domain governance program. And that's something that needs to change with time as market conditions change, as your staffing changes, as the kind of global aspect of your company changes. These are things again, that this is not so you put on a piece of paper, file away and pull out maybe once or twice a year. This is something quite honestly, I would recommend a quarterly review of.

Also do you have standard-based vendor selection and management, understanding what are the security standards that your vendors need to meet? How are you vetting them against them? These are the types of things that are critical to make sure that you're working with the right parties, again, protect yourself from that third-party liability?

Do you have documented escalation paths and procedures? This one is one that I get, I have to admit I get up on the soapbox about quite a bit. Because, again, I work with a lot of clients. We work through these domain policies, and we kind of articulate different things. We're going to register these domains names. We're going to put these controls on them. We're going to put these security measures on them. We're going to get SSL or digital certificates for these types. We're going to do DMARC on the…you know, we got to kind of go through it all.

And then I say to them, "All right, so when something goes wrong, how's that going to be handled within your organization? Does everybody know what to do? Who has the logins and passwords? Who has the authorized contact for X,Y, Z, actions?" And there's always these kind of like big guys like, "Oh my gosh, that's like a whole separate project." And quite honestly, it is right. And that's why, again, this is something you want to review on a quarterly basis because as your organization changes, so will this type of information, but in a crisis, it will be invaluable.

Again, it's a run book, your domain strategy is a run book. And when disaster strikes, there's nothing like having a manual on what to do, because when you don't, it makes the situation even more stressful, even likely more damage to be done. And really something that could define how your customers look at you.

Then you also have cross-functional multi-stakeholder domain council or steering committee, that's really kind of the group I'm talking about reviewing things on a quarterly basis. And again, it's important that it's multi-stakeholder because it isn't just an IT function. It isn't just a marketing function. It isn't just a legal function. It isn't just a risk management function. It isn't just you get the point. Right. It's a lot of people need to be involved in this. You know, everything from information security to the domain administrator, right.

So it's really important that everybody's on the same page and also bringing their expertise to the table because marketing a lot of times people are like, "Well, you know, marketing they just asked us, ask us for domains or just ask us to put like digital certificate on a website or something like that. They don't really need to know everything."

Well, that's a huge mistake, because they will bring a lot of information to the table regarding, like, how the browsers are treating certain websites and what characteristics these websites need to have to do really well in search engine optimization. So they'll bring that type of information to the table that security might not know, or legal might not know. But then legal will bring a lot of information about regulatory situations. Maybe there's some new industry-specific regulation that's emerging that the marketing team isn't aware of. So, again, this cross-functional, multi-stakeholder, domain council or steering committee is a really important part of the overall kind of domain strategy.

And then lastly, it's critical that you have a reliable source of information, data and insights regarding the risks that are out there, your portfolio performance industry benchmark. So you have this council, they're reviewing your run book every quarter, you got to make sure the right information is being kind of fed into that process. Yes, you'll have experts from inside your organization that will bring information to the table. But again, the partner that you choose should also be bringing a lot of information to the table about the performance of your portfolio, about what's going on in the ecosystem, and even what's going on in your industry. How do you compare? So these are things that are all part of sort of an overall domain strategy.

So with that as a backdrop of sort of the things that you should be thinking about, the kind of high level things that you should be thinking about when it comes to domain strategy, which again, should be integrated into your cybersecurity strategy. There's some things going on in 2020 that we wanted to highlight that these are kind of like some key considerations given. You know, you got all the usual stuff. But now here's some of the new stuff that you need to factor in, as well. And again, that's why those quarterly meetings are so important because we could probably do this webinar again in six months and we'll have a whole new list of things. There may be a few little repeats, but likely a whole new list of things, so or updates to these items.

So we've talked about kind of the threats, the security threats that are out there. But again, I wanted to really highlight and emphasize that security has to be top of mind in everything that you do with your domain strategy. And in 2020, it is just that much more important. It was important in 2019. It's that much more important in 2020. And I'm going to go out on a limb it's going to be even more important in 2021.

So I think you kind of get where I'm going and really when you talk to security people you'll often hear them talk about a defense and depth strategy. And really what that kind of means is a multi-layered approach to security kind of always making sure it's not sort of a possible single point of failure. You want to have lots of different layers of security, to kind of make sure that it's almost like, you know, kind of peeling back the onion, that just one layer is if you get through that, there'll be another and another, and another.

So just some key things for you to kind of think about is that kind of outer shell really important picture you're working with an enterprise class provider. You know, I looked at the registration list for this webinar, and there are some very important and big valuable brands on this call. And it's really important that you're not using retail registrars, that you're not using 15 different DNS providers and you're not doing things where, you know, you don't have dedicated support and the security infrastructure that you need to really properly secure your assets.

So you have sort of an enterprise class providers, sort of, you know, the outer shell. Also secure portal access to things like mandatory two-factor authentication, IP validation, federated ID. Control user permissions. Again, we talked about the access rights and controls, make sure you have visibility on elevated permissions with notifications. We have an authorized contact policy, a very robust authorized contact policy, not just anybody can send in a note and say, "Hey, we want you to do this to a domain." The CEO could send us a note. If they're not listed as an authorized contact, we don't take the action.

We've had those situations where we've had to tell a CEO no. And while at the first kind of the onset of the requested, so it's a little tense because everybody just wants to work to get done. After we explain why we have the policy and what kind of, you know, what the proper process is, not that we divulge who the authorized contacts are, but just sort of overall what the authorized contact policy the purpose of it is. People go, "Wow, that's a really good idea." And so it's one of those things that seems like common sense. But it needs to be more than just on paper. It needs to be lived by the partner that you work with.

And then certainly, the very center at the core here are things like advanced security features for those business critical domains or those vital domains. So we have things like Security Center, which highlight your access and controls on user permissions. It shows things like how many DNS providers you have, how many SSL providers, what your vital domain names are, things like that. Tools like that are really important so that you understand what your vital domain names are. So that you can then take those advanced security measures things like multi-lock, which is a combination of registry lock and WHOIS lock on a domain name, putting DNSSEC, or HTTPS, or DMARC, or configuring your zone for the domain name with a CAA record which basically says you can only have a digital certificate from this or specific provider or providers so that no one in your organization could put a substandard cert on any of your domain names.

So these are all kind of key things that need to be incorporated into your domain strategy in 2020. You need to ask. You need to kind of like to tier your domain names and understand for those vital domain names there's a certain profile those domain names need to have. For maybe second tier domain names, there's another profile. These are all things but overall you got to have these user permissions and secure portal and enterprise class provider to make sure that every everything stays very tight.

So security is obviously, top of mind you can tell I've been thinking and talking about it a lot lately. And hopefully, if anybody walks away, if you walk away from with one message from this webinar is security absolutely needs to be a key priority in your domain strategy as part of your overall cybersecurity program.

So there's also blocking so let me give you a little background on blocking here. So blocking is something it actually first started back in 2011 with the launch of triple x TLD. So .xxx and they introduced a blocking program where you could block people from registering domain names containing your brands in triple x, which a lot of brand owners liked very much and that was something that a lot of folks did do back in 2011.

As the New gTLD program emerged in 2012. And kind of New gTLDs came online at the end of 2013, and then 2014, 2015, 2016, and continued to even trickle out still today, from the first round of New gTLD Program. Blocking became a pretty popular idea again, and so Donuts was one that had 200 hundred plus 240 plus New gTLDs. And so they offered blocking, so that became kind of en vogue again.

And what we're seeing now is that while many registries have not seen the registration volume that they had hoped for. A lot of them are turning to looking at, "Wow, could we maybe offer a blocking program? That might be a better alternative to particularly brand owners in terms of an alternative to registration or defensive registration." So blocking was is something that really came back en vogue as part of the New gTLD Program. You know, that combined with Sunrise registration domain monitoring, really was that sort of like three pronged defense mechanism for trademark holders during New gTLD.

But while blocking helps prevent cybersquatting. It's an active measure not reactive. It can be cost effective. The problem is not all blocks are created equal and there is a lot of fine print with a lot of these blocks. And so it makes it really hard to truly understand, "Is it something my brand should do?" And what I would say as a kind of an overriding principle is there is not a one size fits all strategy. This is very kind of company specific. It really depends on kind of the company, you are, the industry you're in, how much you either did already participate in the New gTLD Program, or that you have concerns about cybersquatting in the New gTLD Program.

These are really the questions, and it really comes down to looking ultimately at a cost benefit analysis and each of these blocking programs, they have a different kind of number of TLDs that they cover. And so while you have the Donuts DPML Program, which was one, like I said, that came out at the kind of the onset of the rollout of the New gTLDs that covers at this point over 241 TLDs.

There are other block programs that cover far fewer TLDs. Now just because they're far fewer it doesn't mean that it's not cost effective. No. Again, there's sort of an analysis that needs to be done. And it's very kind of bespoke. It's very company specific. It really depends on a number of factors. So it's hard to kind of say should you block or should you not block? That kind of without knowing the details, you can't say that. But the good news is there is a way to kind of get to that answer.

So let's first go through a little bit about each of the blocking programs just to make sure everybody's kind of up to speed as to what's out there right now. I will say, if I were to pull out my crystal ball, and many of you would laugh to know that I do have a little crystal at my desk that somebody gave me, a colleague. But if I were to pull out my crystal ball, I would have to say that my guess is this is not the last of the blocking programs that we'll see. I believe that there will be more coming online as time goes on. And that will, you know, of course, make things yet more complicated. But every program, and I'm not going to kind of read to you every line here, but every program kind of has its requirements and obviously, we mentioned that the TLDs that it covers. Most of them require you to have a TMCH with a trademark clearinghouse first. Most of them will, you know, block…that you can have the blocks for like one or five years so they have multi-year options.

And you'll see some of these blocking programs also have sort of like the basic block and then the plus block where you get like, and there's more. So you got to kind of really look carefully but DotClub has a blocking program. Donuts, as we've mentioned, already has both the DPML and the DPML Plus. So those are additional blocking programs. Again, this one kind of happened, was initially launched with the launch of the TLDS in the first round of the New gTLD Program.

Then there's the ICM registry, which we talked about triple x, they have recently, last year, a couple of years been purchased by Minds + Machines often referred to as MMX. And so now they're launching, they had what was called a block called MPML. Now, what they're trying to do is sort of provide a blocking program, both a basic and a plus program for all their adult themed TLDs.

So as you may recall, ICM was also the registry for .adult, .sex, .porn, in addition to their initial TLD of xxx. So they're trying to provide kind of a way to block across all those TLDs. This program, I will tell you is still not fully flushed out. We're working really closely I mean, I think we're about 98% there, but there's some things that the registry is still trying to figure out as to the xxx blocks actually are good until 2021. And so there's some question about how that kind of flip over happens and 2021. And what kinds of benefits it is to maybe register now as opposed to later. So there's more to come on this one, but this is certainly what we know now.

What's also interesting here with the AdultBlock and AdultBlock Program is that we have seen here where the registry has outsourced the blocking program. So they've outsourced the blocking program to another registry called Uniregistry, which we'll get to in a little bit. That's also offering a blocking program and it will look remarkably similar.

There's also the trademark clearinghouse. They have a blocking program across some TLDs that they've worked with and it's called TREx. This program is one where I think there's still some change to come. So it's a little bit I think in flux as well. But again, it's a blocking program that's out there. And it's something that when you're considering a blocking strategy to try to either save costs on defensive registrations, or expand coverage, or both. It's one that you kind of want to at least talk about, again, like I said, there's, I think some upcoming changes we're hearing, potentially. So just kind of keeping a close eye on that one.

There's also like I mentioned the Uniregistry they have, this is the registry that ICM outsourced the AdultBlock program too. So you'll see a lot of similarities between Uni EPS and Uni EPS+. This comes from Uniregistry as many of you may remember, Uniregistry is behind 23 of gTLDs that may grow over time. There's a lot of domain, kind of TLD consolidation going on in the market space. And many of you will remember that Frank Schilling, who has a long kind of history in the domain space is someone who's made a lot of money kind of managing a large portfolio of generic and other domain names.

He's behind this blocking program and the adult, his organizations behind both of these blocking programs, which is a little interesting to kind of see them now kind of try to creep into the brand space a bit. So we'll continue to watch that as well. So again, a lot fine print, a lot of variation and similarities among the programs, tried to put together this chart that gives you a little bit of a side-to-side comparison. Like I said, the AdultBlock Program, I think there's still some information that's not 100% there yet, but these are certainly full plate of blocks to consider for whether or not to participate again to either reduce cost or expand coverage.

So, again, that question of to block or not the block, it's a very kind of individual company question. We are helping our customers figure this out. It's something that, you know, talk to your account manager at CSC and we will get you connected with our brand advisory team which will help you go through this blocking analysis to see if, what blocks might be right for you, if any. So it's again, it's complicated, but we're here to help you navigate through the kind of the complexities of this.

So, in 2020, we also have the availability and access to WHOIS that continues to kind of change and these changes continue to be in progress. This all started to kind of I would say, get in motion in May of 2018 with the beginning of the enforcement of the GDPR. That led ICANN have to issue something called a Temporary Specification, which enabled registrars and registries not to have to publish personal data on the WHOIS record so a lot of the kind of contact records in the WHOIS you've seen kind of go to dark or redacted.

This is very different than the world that we've lived in. We've certainly had privacy and proxy registration that has kind of masked from WHOIS. But finding out who's behind a domain name is getting harder and harder. And it's really because of a lot of these kind of data privacy regulations and then kind of the knock-on effect of those regulations.

There's also been an implementation of a new WHOIS protocol called RDAP. So if any of you use the ICANN WHOIS tool, you'll notice that looks a little bit different. It looks a little bit more, a little less formatted, a little bit more machine like that's because the WHOIS protocol itself has changed. They're kind of running two protocols right now and as most registrars and registries are, but over time, that will be, kind of will move over to our RDAP. And the RDAP is really a foundational layer, if you will, to allow for some of the other things that we'll be talking about that will be likely going on with regard to access to WHOIS.

There's also been as a result of kind of GDPR and ICANN having to issue a temporary specification regarding WHOIS publication that kicked off something called an ePDP an Expedited Policy Development Process. And that has kind of two phases. And the first phase was about what fields in the WHOIS should remain? And so we've seen the recommendations. There's a very small I admit, but I think useful charts here to the side that will kind of show you what's going to likely change as we move through to implementation of the recommendations.

That implementation is likely to happen sometime my guess at this point is probably late 2020. And that will affect a), the amount of information that's collected from you for a registration. But also, now when you're trying to take enforcement actions, whether they be for IP infringement, or security and fraud, the WHOIS has suddenly and you've already felt these effects already, but it's just going to get more acute. WHOIS is going to be not as useful as it once was in kind of taking those actions. So that's something that you really need to keep in your mind as you're developing again, that domain strategy integrated with your cybersecurity strategy. Because you are going to be without some information you're accustomed to having and being able to work with to take action.

So with regard to the axis of WHOIS, this is what's now being discussed as part of that expedited policy development process or ePDP phase 2. The team now looking at how should access to that greater set of information beyond the basic domain details that will be available. What's the name? When was it registered? What's the DNS? What's the domain's current status? When will it expire? Those types of things are the basic domain data, but how can you get who's behind the domain name?

And likely what we are going to see is some form of a gated tiered access model where they'll be strict eligibility criteria and there will be some kind of accreditation or licensing of people who can provide or request that information. There'll be lots of rules around what standards have to be satisfied before that information is provided. And this is not something I see being in place in 2020.

But it's something you need to be very aware of in 2020. Because right now you make requests to registrars based on basically asserting a legitimate purpose. And I will tell you, it's very hit or miss. Whether or not you get back a respond. And partially some of that is is that registrars are not really equipped to make decisions around legitimate, purpose. Some of its that they don't have the staff to handle the number of requests and some of them quite honestly, no one's forcing them to do it so they don't. So it's a real kind of mixed bag out there. And it's something CSC participates in the Cyber Tech Accord with some other people in the space and that's something that we're taking a look at really closely right now.

So, as I mentioned this kind of availability and access to WHOIS is something that has a lot of effects on the kind of not only the information that you're used to having but actions that you would take and information you need to kind of take action. So I gave you some suggestions here, but this again, this is all rapidly moving will continue to follow this as we move through 2020. But, again, needs to be one of your considerations as your domain strategy because it's going to be harder and continue to get harder and harder to enforce your rights. And so that may result in you saying "Maybe I do need to do blocks, maybe I do need to do more defensive registrations," to try to prevent people from being in space that you wouldn't want to see others in. So it goes into your overall thinking.

You also have issues around in 2020 growing issues around kind of the concept of sovereignty and the internet. So gTLDs have been governed by ICANN. ccTLDs each country has their rules. But overall the internet is sort of this free and open public resource, and it's something that allows free flow of communication and ideas and information and ecommerce and it is something that has had little regulation on it. But national governments are beginning to look for ways to have greater control over the cyberspace within their country, both wanting to be able to crack down on bad actors, but also make sure that people stay in some countries within certain guard rails of acceptable behavior and the kind of the opinions of the different national governments.

So kind of a shining example of this one has been in China in 2017. I'm sure many of you who are global organizations have been dealing with the changes that have happened in some kind of domain name registration, and really the changes that happened in hosting content within China so that you can get a good resolution, a web resolution time to be able to target businesses in within China. And these rules, really, these measures they were called, really changed a lot about how to secure registrations and maintain registrations within China. You know, first of all, you basically you can only get in China you can only get a domain name registration that is in an approved TLD.

Now, a lot of the main TLDs that people have like.com and .cn, and .cn in China. Those are available those are approved by MIIT. But in order to be able to host content on those domains within China, you have to basically work with a registrar that's been licensed by the local provincial arm of the MIIT. You need to successfully complete the real name verification process. The registrar needs to be a Chinese entity or Chinese individual and basically, the license applicant for what's called the Internet Content provider license. The applicant for that needs to be exactly the same as the domain name registrar for the domain name, which almost exactly match either the Chinese entity you're using or the Chinese individual you're using for the registration.

So it's a lot. And so some folks have gotten compliance actions, because they've been kind of doing rolling compliance on these measures, they weren't able to kind of require this all at once across all TLDs. But it's been very challenging for companies to comply in many cases. Some have one URL strategies. And this is kind of breaking that a bit. Some have content development networks. So there's some complications in doing this kind of hosting in China. So it's something though, that this is not a one and done. This is not just an isolated incident what's going on in China. There are other countries that are watching this rollout with great interest and they've begun to lay the foundation for similar rules and requirements.

You know, in some aspects, you say these rules can be viewed as positive because it does give them greater control, and can potentially enable them to act faster on bad actors. But I think there's a lot of good actors that are getting caught up in this in some of these challenges. And so it's really causing a lot of confusion because in many cases, the rules are not exactly clear. There's a lot of gray.

So we are seeing some of this start to percolate in countries like Russia. In Taiwan, they're watching with great interest. They've done some foundational regulatory work. So we'll continue to watch that. But again, this could cause some significant challenges for companies who use that one URL strategy or and also further complicates security.

So with just a few minutes left. I also want to just highlight as I mentioned, space is always changing. So there's a couple of things we know are what I call Incoming, coming at us. So there's blockchain domains they're out there. We say blockchain domains but they're not delegated to the internet route server system and they're not regulated or governed by ICANN and they don't have WHOIS records. And they are in complete control of the owner. They are really I give you an example the Ethereum Name Service where you're allowed to register domain name in the .eth zone. And that domain zone is decentralized. It runs on top of the Ethereum Blockchain.

And it interoperates with decentralized apps and resources. It's really a collection of very complex smart contracts, and that's what makes it operational. But at this point, these domain names are not widespread, and they're mostly talked about in cryptocurrency circles. You can't type a blockchain domain into a browser because nothing's yet hosted, there's extra plugins that are required. And the thing, though, that we're keeping a very close eye on is, this could present some new challenges for trademark holders. CSC is not yet offering the service that there's a lot to assess here because it really goes out of network kind of out of our normal process. But it's something we are looking at monitoring, and will continue to watch. But it's something that you need to be aware of as you're kind of moving forward into 2020.

And then lastly, there's just overall what I called TLD liberalizations. We saw it over the last couple of years with co.nz. They offered .nz for grandfather and phase same with co.uk was a kind of a five year process that culminated earlier this year, to now offer.uk., .au was going to try to do something this year before the end of the year. It got pushed to next year. So that's coming too. And we do expect to see more of this because kind of global registrations are a bit flat, and they're looking for new revenue, new registrations. And this is something shorter is always better on the internet, and they know there's demand for this.

So again, something to really watch because if you don't kind of think clearly about this and really have some serious consideration, you could find yourself in some situations where there's increased risk for cybersquatting and people trying to kind of look like you. And that obviously, then goes into phishing and other DNS attacks and security risks.

So it's hard because you don't want to continue to spend all this money getting more and more and more domain registrations, but when people are used to seeing you at co.uk and now they see you at, uk, and they don't see someone else at uk there's real likelihood of confusion there.

So we're right at the top of the hour, you know, at the end of all of this, it's a lot. There's a lot, there's a lot of considerations, and we work in a very volatile space. So the bottom-line is you're not alone. We can help you. Kind of give you some examples there and I think even our polling questions enables you to let us know if there's anything there that you'd like more information about.