Last month, the U.S. National Cybersecurity Strategy was launched providing a new roadmap for stronger collaboration between those operating within the digital ecosystem. The strategy calls on software makers and American industry to take far greater responsibility to assure that their systems cannot be hacked, while accelerating efforts by the Federal Bureau of Investigation and the Defense Department to disrupt the activities of hackers and ransomware groups around the world[1].
The cybersecurity strategies that aim to improve overall internet security and reduce cyber threats will likely have a positive impact on domain security. For example, if the U.S. government implements new measures to detect and prevent cyberattacks, this could help reduce the number of attacks targeting domain names and domain name systems (DNS). At a high level, the U.S. National Cybersecurity Strategy discusses securing critical infrastructure—cloud services, domain registrars, email, hosting providers, other digital services, and DNS. At the very least, this should put the more security-conscious enterprise-class registrars in a strong position to be a model for registrars that don’t practice Know Your Customer (KYC) compliance or have other security protocols such as registry lock or DNSSEC in place for their clients. The strategy also discusses how the internet and DNS are vulnerable infrastructure, and the White House Fact Sheet states that “reducing systemic technical vulnerabilities in the foundation of the internet and across the digital ecosystem” will need to be part of the goal to invest in resiliency[2].
In the recent past, other governments around the world have developed their own national cybersecurity strategies to address growing cyber threats. The U.K., Canada, Australia, and Japan—just to name a few—have cybersecurity strategies in place outlining their respective approaches to dealing with cyber threats. Each of them focus on stronger infrastructure in addition to further collaboration between stakeholders.
But to date, there really hasn’t been a large movement or push by the U.S. government to widely adopt domain security measures. The problem with this is threefold:
- Within the broader phishing and ransomware discussions, little attention is given to preventative actions (domain-related security measures) that could mitigate attacks in the early stages of a ransomware attack.
- No standards differentiating between consumer-grade and enterprise-class domain registrars exist, which has continued to enable consumer-grade registrars to operate domain marketplaces that drop-catch, auction, and sell branded or trademarked domain names to the highest bidder.
- The industry lacks an understanding of the importance of domain security and the available options to implement effective measures into their risk management strategy.
For those focused on internet fraud and online brand abuse, the strategy discusses focusing on mitigating against phishing attacks, business email compromise (BEC), and wire transfer fraud. Since these scams often include imitating trusted brand names, this is a positive development for brand owners, and proponents of trademark and IP rights, as well as online consumer safety. These attacks often happen by compromising legitimate web domains or by maliciously registering fake web domains. The intent of these fake domain registrations is to leverage the trust placed on the targeted brand to launch phishing attacks or other forms of digital brand abuse, or IP infringement that leads to revenue loss, traffic diversion, and a diminished brand reputation.
Overall, the impact of the U.S. government’s cybersecurity strategy on domain security will depend on the specific measures included in the strategy and how effectively they’re implemented. To learn more about CSC’s domain security best practices, view our Domain Security Recommendations.
[1] nytimes.com/2023/03/02/us/politics/biden-cybersecurity-strategy.html
[2] U.S. National Cybersecurity Strategy, https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf