Protecting Your Brand in China: Streamlined Domain Strategies with Security in Mind

When the Ministry of Industry and Information Technology of the People's Republic of China (MIIT) revised the Internet Domain Name Regulation in 2017, it imposed challenges on global companies, which had to either decentralize management of their Chinese domain portfolio or work with multiple providers to comply with the changes.

This session will highlight CSC's latest capability that centralizes and streamlines domain name management in China while ensuring data security, scalability, and cyber resilience for our clients.

Webinar transcript

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right. Or if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.

Christy: Hello, everyone, and welcome to today's webinar, "Protecting Your Brand in China: Streamlined Domain Strategies with Security in Mind." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Alban Kwan. Alban is the APAC Head of Corporate Development and Strategic Alliances for CSC. He has been with CSC and its affiliated companies since 2009. Alban has developed a deep understanding of online brand protection, digital asset management, and cybersecurity specifically for the Asia-Pacific region, and he advises top global and local companies. He frequently engages with local policymakers and is often invited to speak at conferences where he shares his invaluable insight on brand protection, security, and local policies affecting business. And with that, let's welcome Alban.

Alban: Thank you very much. So first of all, I suffered COVID recently, so my voice isn't very good, so hopefully you can hear me clearly today.

The agenda today is really to talk about the Chinese domain name management strategy, and specifically we have the MIIT domain name regulation a couple years ago. And I want to highlight what we are doing to help you manage domain names in China in a more effective way.

So certainly you may recall that a couple years ago we had accreditation done as well, and I will also talk about how we are actually going to utilize this accreditation and how we are designing the whole workflow and the security regarding this particular new accreditation that we have in China, which would help you to secure your domain name in the Chinese market.

So, now, you may recall that this particular law was actually passed a long time ago, back in 2017, by the MIIT, the Ministry of Industry and Information Technology. Now that particular regulation actually requires us as a registrar to actually put out a system, a registrar system within China locally. The regulation actually mandates all registries and registrars to do the same as well.

So the scope of that particular regulation actually expands beyond just us and also expands beyond just .cn. If you want to use a .com in China and obtain an ICP license, theoretically speaking, you should be putting that .com domain name under the management of a registry that is compliant with the Chinese regulation, in which case Verisign is, and a registrar that is compliant with the MIIT regulation as well.

Now, as you can see, this is not a matter that we should take lightly, because we are talking about putting rather important domain names in a new system in China, and these domains are typically those that you would need to obtain an ICP license, meaning that you want to be using it in China for your business. So these are, by default, critical domain names, and as such, we need to ensure that whatever system that you're using, whatever plan that we use will be able to fulfill that.

And you may also recall that, back in 2020, CSC already made an announcement that we are the first foreign-owned company to obtain that local domain registrar license in China, and that's certainly correct. But actually, throughout these four years, we actually spent a lot of time making sure that we actually have the right structure in place in order to help you protect the brand and actually ensure that the domain name would be secure as well.

So by security, let me just tell a little bit of a story to start that conversation going. So last week I was actually invited by ICANN APAC and KISA, which is the Korean Information Security Agency, to be attending a conference in South Korea that is to train the youth around Asia on internet governance. And I am responsible to talk about how the web3 domain names, so-called crypto domains, the web3 domains actually related to cybersecurity and how it interacts with the domain name systems and how it interacts with the ICANN compliance and things like that.

And one of the students actually came to me and asked, "Hey, is all this discussion theoretical? I haven't seen this happening before. I haven't seen any web3 domain names being hacked and stuff like that." And she was doubting all the discussion that we are having and the examples that we are giving are actually just theoretical.

And by the end of that particular conference, before I went back to Australia, something actually happened that's really timely. So last Friday, if I'm not mistaken, there was news basically just broke that a lot of the cryptocurrency companies, including a crypto web3 domain name company called Unstoppable was hacked, was hijacked due to what the news referred to as DNS hijacking.

But if you actually look into the case, that was actually not DNS hijacking. It is something called domain name hijacking. And I'll detail a little bit more about this later on in one of my slides. And that particular incident actually leads to a lot of money being stolen, and actually domain names could be stolen as well through this. And the root cause of that was because this company used basically the same domain name registrar, and that registrar was sold to another company. And throughout the transition, some of the safeguards were lowered, and because of that, the hacker seized the opportunity and basically hijacked a bunch of domain names and used these domain names to launch phishing attacks. And one thing led to another.

So this is the reason why we have to be absolutely sure that when we launch our Chinese system, our Chinese accreditation, we do not basically just copy and paste the foreign, our existing software and just put a copy over there in China and call it a day. That cannot be done because, as I mentioned, these are critical domain names, and the Chinese compliance is actually more stringent than any law around the world as well. So we have to make sure that a number of things are aligned and these domain names that we put into this new system are 100% secure as well. So that's the data security and the cybersecurity side of things that we have to make sure that the local domain name registrar system would be able to support.

And this is what we came up with. We are basically able to build a new China-based domain registration software system, which is an internal system, together with a large cloud-based provider in China. So this is a very special cooperation because these are not their business, but because they see that CSC's business is attractive, they understand that we're trying to protect a lot of brands behind the scenes, and they are actually working with us to develop a brand-new system to our satisfaction and able to make use of their infrastructure to ensure that everything would be secure as well.

So this domain name system will interact with each other, and it will work seamlessly together to provide a seamless support. And I'll talk a little bit more about how we actually do this later on.

But in order to be secure in China, there are three things that we are thinking about, and this is hardware security, the software resilience, and also a compliant operational process. And these three are extremely important. I'll go through a little bit on each later on with you.

So now one of the challenges that we are facing, for a global company like yourself, in managing domain portfolios around the world, including China, is that China is uniquely annoying in some way that the domain name registration is linked to the ICP license and it links to a lot of the compliance issues. And therefore, he doesn't necessarily speak Chinese. Even if you find a Chinese provider, they don't necessarily speak really good English. And compliance often changes in the sense that the authority changes and they change their mind, and it will change quite rapidly as well.

So it's really hard for you to understand and keep yourself updated about this. So, at the moment, a lot of the global companies basically utilize two main models in managing domain names with Chinese portfolios as well.

The Type A is basically just working with multiple providers. So the global company would have the head office manage a global provider, and the head office would also try to manage a Chinese provider because the global provider may not have someone who can handle the Chinese compliance. So you're forced basically to separate the management.

Or B, you as a global company may have the head office manage a global provider for all the portfolio outside China, and let your Chinese office find a local provider to handle the Chinese portfolio, which is also a model that we see quite often with global enterprises as well.

Certainly there are different types of risks that you have to consider. The more registrars that you use, the more providers that you use, certainly that increases the security risk. And if you are basically decentralizing and let the Chinese office handle domain names in China, you lose oversight on a global level, and that would not be the most effective way.

No matter how you find your Chinese provider, there's a need for effective communication, there's a need for safety, and more often than not, you may not be able to find a Chinese provider who is actually able to build a system, a resilient system that you need for your important domain names that is active.

Now this is the context, and the solution that we came up with really quickly is that we are building something like this. So you as a global company, the head office, you only need to deal with CSC, and you'll be using CSCDomainManager as per normal. That will basically, that accreditation linked to the main CSC entity will manage the portfolio outside China. But for the portfolio inside China, we'll be using a new accreditation based in Shanghai that is having the MIIT accreditation and with a brand-new portal and system that is specifically designed for China to be the backend system. And these two systems will talk together, and it will basically fulfill all the domain name requests behind the scenes. But there will be a total separation, so to speak. Rather than just the display of the name, the actual system behind the scene will have a total separation.

Now, for this, we can actually ensure data security, and we can also ensure full compliance with the China regulation. And then also, on top of that, there will be a centralized, consolidated management through the CSCDomainManager as the portal. Now this is the idea.

And also when we construct this kind of idea, we are also thinking a little bit more than that. And this is something that we may talk about this later on because there are still a couple of things that we need to iron out. But at the moment, one of the most difficult situations for you to manage a Chinese domain is that it needs to be used to obtain your ICP license, and that's not a really clear process for us in the HQ side. So that's really triggered the reason why we want to decentralize to the Chinese office to manage everything.

So in this new partnership, we are also trying to build something that will extend into an ICP license later on and making sure that the head office is actually able to fulfill everything and understand everything. Even if you want to decentralize, you're able to get the information, understand the process, and understand what needs to be done. So even if there's turnaround in the Chinese office, you won't lose oversight over all these assets as well. So this is something that we will probably talk about later on.

Now this is a really simple slide, talking about enterprise-class and consumer-grade registrars. I won't go through this in too much detail because if you are using CSC, you probably understand consumer-grade registrar mainly focusing on the SME market, whereas the enterprise-class registrar also cares about servicing, actually delivering the security and also expanding beyond that how to integrate everything together and stuff like that. So this is a very important concept that I want to bring out because one of the reasons why we want to build this system, and especially when I go through a little bit about the operation workflow that we're building into it, hopefully you can understand that there are a lot of things that we need to take into consideration, even on the operation process, that would ensure that we are able to fulfill the enterprise-class registrar promise to you in the Chinese market.

All right. Now, so this is just the backend portal, just to let you know what it looks like. So this is co-developed between CSC and the partner over there, and this is exclusive to CSC. I won't go through the details. Just to let you know that it exists. I will go through however, later on, a few of the things that we specifically worked with them to develop, because these are requirements that you may not know about, but actually very important if you want to secure operation workflow in China.

Now this is a graph that I created, and this links to the security talking points that I just mentioned to you. Now that cryptocurrency incident that I mentioned before, the hacker actually hacked into the domain name registrar because the domain name registrar managed the names of a record, the DNS record, and the DNS record points to the DNS record, and the DNS record points to all the different services that you use, including your website, your apps, your email, your voice over IP, all your APIs, internal APIs, or the cloud integration if you're using Azure or Akamai or any cloud integration.

DNS is actually a protocol that needs to happen before you reach the cloud. So if DNS went down, cloud security went down as well, and also if you use Google authentication, O365 authentication, any DMARC protocol, SPF protocol to secure your email, everything relies on DNS.

So the hacker, what the hacker did is that they took down the registrar, changed the names of the record into a phishing site, and then they actually sent a phishing email as well. Because of this, everything afterwards basically can be controlled by the hacker. So this is why we need to make sure that the domain name in China also works perfectly and is perfectly secure.

And now this is the operation workflow. Now, in China, one of the things that we spend most of the time talking about and developing is actually how do we make sure that not only the system is secure and we have the pipeline and the hardware necessary to defend against any hacking and cyber attack, but also on the operation workflow side of things, we are able to actually offer something that actually works.

Now this is about the real name verification. So if you have managed any Chinese domain names, you know that the real name verification process is not exactly easy to do. It could be complicated in the sense that the rule actually changes from time to time.

And if you manage a lot of domain names in China, one of the things that happens is that, sooner rather than later, you'll notice that your domain registration, your real name verification, and your ICP license, all these three things need to match together and they don't always match together, especially after a number of years. Sometimes you're going through some name changes and stuff like that, it starts to deviate. And we have to make sure that we have a really simple process to do bulk updates, to actually look into all the real name verification information easily. This is to reduce human error and ensuring that we are not relying too much on our manual workflow and stuff like that, so that all this can be secure also from an operation perspective.

Now this is something that we actually designed in the new system. So there's a lot better bulk RNV workflow than any of the retail systems that we've seen. And hopefully, you'll see that when we process any Chinese domain name after the launch of the new system, it will be better and more efficient and you'll get the result quicker as well.

The second thing that we've done in the Chinese system is actually what we call the enhanced security options. Now in a retail operation, especially with some of the Chinese retail registrar systems that we have reviewed, they don't normally offer a lot of options over there because, to put it simply, they don't need to. An SME doesn't really need all these options. But we do.

As an enterprise-class registrar, we have to be able to offer all this flexibility, understanding what exactly are we locking. Sometimes a local registrar may tell you that, "Hey, this domain name is locked." It's actually not locked. Certainly it's only locked on their level, on the registrar level, but not really on the registry level. Language could be something that they kind of mix up to say, "Yeah, this is locked." But actually what kind of lock are you locking? This is sometimes something that they don't tell you exactly. We need to be able to distinguish exactly what are the locks that we've done on the Chinese registrar system as well, and we are able to kind of unlock it in an efficient manner.

So this is what we have worked on to make sure that we change it in a way that more flexibility can be offered and we can actually do that in a 24 by 7 manner as well. So all these are also already built into the new system for you.

Now the other thing that I want to highlight for this new system is the data recording. So as this is a system used for critical domain names used in China and there's a lot of compliance concern in China as well, and data security concern, we want to make sure that all the different operations that we've done, either by yourself or through the CSC service team, everything is logged.

What we find is that before we do the enhancement, not everything is actually logged. Sometimes the logging doesn't contain all the information that we need to do a deep dive, and this is something that we also work on to make sure that the system actually logs everything. And in case, if there is something that happens, we would be able to provide the data for ourselves or for you to actually chase down exactly what happened. And this certainly is not something that you would see because this is a backend thing, but hopefully you can see that we are not basically just copying our global system and putting it in China.

And why I said that, if I have done that, it won't work. Just Chinese domain name management just has a lot of slightly small different things that we need to take care of. And if we are not really designing a system specifically for the Chinese market, we won't be able to do that effectively.

So this is an overview of what we've done, the requirements and the reasoning behind why we take some time to actually build all this together. Now the system will be launching very soon. Maybe around the September timeline would be the time that we want to launch this. And hopefully that gives you a good overview of what we've done, and you'll be able to see this is a secure system for you.