am People name or ICANN, Internet Corporation for Assigned Names and Numbers, just make an article that ICANN and to get away the Norwegian Association and own it. And we are also very proud to have our sponsors, ICANN and IQ, so thank you very much to both of them for this ISOC event. I have to make some sort of announcements here. So, first of all, this event is live streamed and recorded. So whatever you do has been there; it will be there forever. The presentations will be published on ISOC.no; you will find the link at the address. Between the three slots there will be some short breaks, because the speakers then might stop and do some technical stuff. So that's something that you have to be aware of: it will be a short break, but we will be in this room. After this event we will have some refreshments; looking behind you, there is a bar and we will serve you some nice snacks.
So the first slot is an introduction to ICANN (and you remember what it stands for now; everybody, we do a test), held by Chris Mondini. He is Vice President Stakeholder Engagement Europe and Managing Director for Europe, and he's based in Brussels. So a great welcome to you; I'm looking forward to your presentation. I'll just do the rest of them and then we go into the second slot, which is about cybersecurity and the NIS 2 directive. It is in my view extremely interesting, because it's something that will most likely affect, one way or another, the business we're in on the Internet. The speakers here are Lise Fuhr, who is Director General of the European Telecommunications Network Operators' Association, also known as ETNO, but it's not "et no", it is "net no".
Elena Plexida is ICANN Vice President for Government and IGO Engagement. And we have Håkon Styri, who is a senior advisor at the Norwegian National Security Authority, abbreviated NSM.
For all of this slot we have Tobias as moderator, but where is Tobias? The question is going to be whether Tobias is an illusion. He is a professor at the Norwegian Research Center for Computers and Law at the University of Oslo.
And the last session, after we have a short break (you remember that?), is about DNS abuse, and we are pleased to have the following speakers. From ICANN, the lead security, stability and resiliency specialist in the WHOIS environment; the Managing Director of Norid, which is the registry for .no; and we have Clarkson, who is the chairman for IQ Global. This session will be moderated by Sebastian Schwemer. He is Associate Professor, head of the Center for Information and Innovation Law, something that I can't pronounce in English, UCPH; that means something in Copenhagen, doesn't it? Yes. Very close to it. Okay, so definitely looking forward to this; this is one of the biggest events ever taken place by ICANN in Norway. So let's hope that we manage to do this in a good way, and then get back on stage and think of a very big applause for this. By the way, we have a recording of the room sound also, so if you can be very quiet, it will be awesome for the recording industry.
Thank goodness. I feel a little bit like I'm on a karaoke stage. But luckily for you, it's not a karaoke stage. I'm very grateful to be here.
I just want to say so many of you have done so much work to set this up. And we've had a very warm welcome from a number of Internet stakeholders across Norway: of course the Internet Society and our global and Cuban partners, the academic community, government stakeholders here in Norway, Norland and others, and so I'm very grateful; we're very happy and proud to have a partnership with you here.
And I did also want to specially say thank you to Steve, for being a driving force for all of this. And I did promise also, for those of you that are already members of the Internet Society of Norway, that you must consider joining the board of the Internet Society of Norway; it will be a very valuable experience. So my name is Chris Mondini. I sit in Brussels, organizing the European region for the Internet, I mean the Internet Corporation for Assigned Names and Numbers, which is ICANN, of course. We will know it by the end of the presentation. And I've been with ICANN for about 10 years. I started out in the United States working in the California office; at one point there was a Silicon Valley office, and then through the headquarters in Los Angeles, because if anybody asks where the Internet was born, a good answer is Los Angeles. And I had a career in diplomacy and a career in technology consulting before that, but I'm really happy to be using my technology regulatory skills for the good of an expanding global Internet.

When I give a talk, I really usually always start out by saying, though we call it the Internet, it is of course a network of networks, and these are independently owned and operated networks that choose to interconnect voluntarily, because they use common systems, common standards, common protocols. And among the most important of these, the one that the originators of the Internet struggled but could not succeed in making completely decentralized, is the addressing system, or the system of unique identifiers, as we call them. So again, in that name, Internet Corporation for Assigned Names and Numbers, you have the two big categories of these identifiers: the numeric addresses that identify parts of the network or devices, up to many tens of billions of devices connected now, and of course the systems that convert to domain names, which are largely what we as humans can remember and use to navigate the Internet. And when you think that there are tens of billions of devices, and in the last 10 years that I've worked at ICANN we've gone from three and a half billion Internet users to about five and a half million Internet users, it's quite an amazing and incredible success story for the system, because so many of you here have worked on it for many, many years and many of you depend on it. I was chatting with a few of you before the event, and you come from sectors like construction or sectors like maritime shipping and software. And you're all here because you know that the sector now is depending on the systems that keep the Internet global, expanding, interoperable, and we all depend on it. So the ICANN organization that I'm part of is 400 people in about 38 countries.
And I'd say our main focus is the administration and operation of the domain name system, this addressing system that I discussed, with a lot of important technical partners, regional partners like the RIPE NCC, partners like Norwich, and others. It's a distributed network of partners that make that happen. We are also very involved in convening a community. So you'll hear this distinction between the ICANN organization, for which I work as a paid employee, and the ICANN community. The community, we've tried to quantify, is around about 10,000 people who have passed through policy making at one point or another at ICANN, from business, civil society, government, academia, Internet users, all in different structures that meet to make policy. So when I say policies, I like to think of them as innovations and developments in these systems, these addressing systems, because they're not static. They have to evolve to the needs of the world and the Internet users. So we have this administrative technical operations function. We have this convening of a global community. Every country in the world, 180 of them, are represented on the Governmental Advisory Committee alone, all those stakeholder categories that I mentioned, and then at the same time we're spending increasing time really responding to what some of the risks are. And of course we're hearing about them. We'll be hearing from some of my colleagues and some of the people that Steinar introduced about abusive practices on the Internet, and several projects to address that. And also monitoring how well-meaning, well-intentioned legislation or regulatory activity can inadvertently have an effect on how these underlying systems work. But the fun, exciting, innovative part of what we're working on really is in what this community puts out. So in the coming months you'll see further expansion of what's called the generic top level domain space. So these are sitting alongside well-known country code top level domains, and 2012 was the last time there was a big expansion, to now more than 1500. So in earlier days when there was a .com, these are now joined by .coffee, .guru, .xyz, etc. And finding ways to make these industries available for those that would like to have a community or presence on the Internet is something we're working very hard on, that we as an organization are convening the community and making real.
The most exciting part of that, though, I think, is in what is a very, I would say, inspiring, almost heartwarming part of the work, which is internationalized domain names. So if you can imagine that parts of the world will choose different alphabets or scripts, even today an Internet user needs to find a keyboard that will have a www, dots and Latin script. And if you're the next billion users and you're speaking in Devanagari or Arabic, or you use a Cyrillic alphabet, if you're sitting in Chennai or Hokkaido, you don't want to have to do that anymore. And what's amazing is that all of the volunteer efforts of many people across their community, linguists, technical experts, get together and they make what will be the future Internet, in which people will be able to experience 100% in their own language, in their own alphabet. And of course, all of the software systems need to be compatible with these new things. And so there's a big effort across the community, and a great deal of investment in fact, in what we call universal acceptance, which is going to talk to everyone. I've been to headquarters of Silicon Valley companies with a colleague from India, and we show it on that device. We said, look, you know, there are 250 million people that have these names in this particular script, yet when they try to sign up for your transportation service, name the transportation service, they can't do it. And that gets their attention. So it's very inspiring work, because it really is about continuing the mission of the growing interoperable Internet.
We had some progress that the community has made, that was announced just in the coming days, about ways to comply with data protection laws, which involve deciding how to have a system, a pilot system, to make the unpublished portion of data that you might provide when you register a domain name available to certain approved requesters of this data. And so this has been an arduous, arduous task among all of those stakeholder groups that I mentioned, to comply with a lot of data protection regulations around the world. And again, it's important work, and it's all in the service of keeping the Internet expanding and keeping and growing the service of users.
The Global South: I talked about the linguistic aspect of it, but there is of course the technological and network aspect of it. You've worked for the Internet Society to encourage the installation of Internet exchange points in Africa, for example; these are places where these networks that I described come together, the boundary lines where the data gets exchanged. At ICANN we manage something called a root server instance, a network of root servers, which are, I would say, the servers where the queries that your devices make to find out how to navigate the Internet visit, and we've put a cluster of them in Nairobi recently, with another one to come elsewhere in Africa. And immediately we saw that the responsiveness and the resiliency and the patterns of the traffic improved, to be closer to the user, to be faster. And again, to make the Internet work better, and be more meaningful for those that are fighting every day.

A couple of the topics today that will be addressed: one that I alluded to, which is some of the regulatory aspects, where sometimes in the current geopolitical climate, I would say, well-meaning, well-intentioned legislative or governmental initiatives sometimes can have unintended effects on what happens in this technical layer of the Internet, and Plexida, my colleague, will be addressing that with her fellow panelists. And then I did allude to abusive practices, both,
I would say, on the systems themselves and how they can be attacked, but also how the domain name system can be used to do other things. I mean, the domain name system really helps us to do everything. But when it helps people to do things like distributed phishing or malware, this is an area where we are seeking to increase knowledge and capacity and awareness among all of us who have a stake in mitigating those harms. So in addition to recruiting for the Norway ISOC board, I'm also recruiting for ICANN, but the good thing is, I described this community, you might say, well, who is in this community, and the secret is you're already in it. If you're using the Internet and depending upon it, you are part of the community, because what you do depends on the work of the many volunteers, and many of you already volunteer many hours of your time to keep the Internet and the Domain Name System and the unique identifiers upon which it works. I mean, you don't have to devote lots of hours. There are many easy ways to follow. You could do as little as signing up for a newsletter. We have a fantastic mailing list; the email was that Gabby should thank the organizers, and Gabby is there in the back in her red outfit, so you can all find her, and find ways to get connected with her email address and the email list, and that is where we publicize our regular monthly webinars for the Nordic region on all kinds of topics, including topics that many of you propose.
We convene a global community three times a year in a live, free, open meeting, and pre-pandemic it was between two and 3000 people, and I think we're quickly getting back to that size of meeting again. Again, they're in 60 plus countries: governments, business, civil society, domain name sector actors. The next one is next week. It's in sunny Cancun. But who needs Cancun when you have the sunshine here in Oslo; I've been enjoying it greatly. We have one in Washington DC in June. And then, if you'd like to attend one a little bit closer, there's one in Hamburg. It's the third week of October. You'll be able to see this community in action, and if it really wants to dive in, sign up for policy development work, or if you just want to join one of the structures of the community to be on an email list, or, as I said, a newsletter, an email list, you can do that. You can be that very cool person in your organization that knows all about ICANN, and people go to you and say, can you explain that to me? You can be that person. We have papers that we publish on governmental issues, regulatory issues. We have excellent papers that our Office of the CTO publishes for the academics here. And then finally, I just want to say ISOC Norway is also what's called an At-Large structure of ICANN. So this is a grouping of Internet users that come and give the user perspective on all of these issues that I've addressed. So when you're signing up with Steinar, you're also signing up with an ICANN At-Large structure. They are organized also on a European regional basis, and they run all kinds of awareness raising and educational programs. So that's my recruitment speech. But as I said, I feel we've already recruited you. I am here with my colleagues, to help you to get as involved as you would like to be, to answer all of your questions. Really, most sincerely, thank you and all of the Internet community here for the warm welcome, the open dialogue and the awareness raising; you're such a good partner. So thank you very much.
Thank you very much. We do have some opening for some questions. So anyone that wants to know about some acronyms, it is a dealing. This is the audience, so as a thanks for your coming here, you're going to have very warm, hot days. We're going to give you these, but I don't know the English word, but it is. So you have to promise me, when you're on the board, I will want you to bring this on Reagan March. That's good to be here, okay. We need five minutes, maybe, to wake up the next session, so nobody can talk together. You don't need to have this. So there's a practical side. So for all of you that have your faults in different places, to produce close brackets. We need some, the next step, and some chairs and so on. Okay.
So we are ready to continue. And we are shifting a little bit of focus. We are shifting the focus on to cybersecurity. And as you will know, the Internet wasn't really designed to be secure. Cybersecurity has become an issue over time and is increasingly in the focus of both ICANN and other organizations, and by other organizations we can perhaps also include the European Union, where there is regulatory effort going on to ensure cybersecurity. And I think it's interesting to have this double perspective on both ICANN as a global organization and the European Union as a regional organization, but also the different modes of regulation, where you have traditional governmental organizations and then this multi-stakeholder perspective meeting each other. So for that we have convened an excellent panel to talk about cybersecurity and the NIS 2 directive, and we'll hear in a few moments what NIS 2 is all about. And the first person to speak about this is Lise Fuhr, who is Director General of the European Telecommunications Network Operators' Association, or ETNO.

Thank you, and I will bring not only the Internet perspective, but of course the telco perspective, because our work is with the telecom operators. I don't know if you know ETNO, but just very briefly, ETNO is a European trade association and we represent 70% of the investment in infrastructure in Europe. So my members are big telcos, like Deutsche Telekom, British Telecom, but also Telenor, TDC in Denmark, Telia in Sweden; we are having members in all European countries, and of course, as telecom operators we are also subject to cyber attacks, because a huge part of the critical infrastructure is telecommunication. We do exchange a huge amount of data. So the Internet runs on the telecom infrastructure. But as I would like to discuss with you before we go into NIS 2, what we see is cybersecurity and cyber threats.
But what I'll talk about today is what Europe is trying to do about it, and how do they try to create regulation and measures that will increase the resilience of critical entities? So I know not everyone is happy with the NIS 2 directive. And of course, NIS 2 is not perfect, but to me I think it's an important part of regulation. I think it has the goal of achieving a high level of cyber security across the EU member states. We had the first NIS directive, which showed to be difficult to implement, creating even more fragmentation than was meant. And actually the enforcement of it was a bit difficult. So now we see a new directive, which is strengthening the security requirements, also trying to address the security of the supply chain and streamline incident reporting obligations in all member states; we will also see there are much more stringent supervisory measures and stricter enforcement requirements. This is not to stand alone. We will also have the directive on resilience of critical infrastructure coming up, so there is a lot of regulation on cyber security coming up in the EU. If we look at the legislative process, you can see the timeline here; I'm not going to go into depth with this one. The slides will be available for you if you want to look at them after this presentation. This is originally a 30 minute presentation that I'm boiling down to 10 minutes, because we want to have a conversation with the panelists. So well, if we look at what's happening now, we have a directive, but that directive needs to be implemented in the member states. So it's not a done deal now. Now the national authorities need to transpose it into national laws by October 2024. So that will need to be done. We'll see that ENISA, the European cyber agency, will also have guidelines that they will publish, and also the Commission will have the delegated and implementing acts, and this is important especially for TLDs and DNS services that will be specified in an implementing act. If we look at NIS 2, I'm not going to talk to all of these things on the slide, but very quickly, there will be improved cooperation at EU level; we need to increase the trust between the competent authorities, they need to work more together. We need to facilitate information sharing between the competent authorities, and also there will be rules on how to handle large scale incidents or crises. There need to be stronger security requirements and also stronger enforcement and supervision, including harmonized sanctions for breaching the directive, as today it's a bit more, as I said, fragmented in each member state.
So NIS 2 is also reaching many more industries than before, so that's one of the massive novelties of this directive: it's actually expanding the scope of who is included under the regulation. It extends the scope to new sectors such as telecom, social media platforms, and also public administration, and, as I said before, registries and DNS services. So if we look at the risk management measures, well, concretely, the regulated entities will need to implement a number of cybersecurity risk management measures as part of their security policies, but also practices, and you can see this long list; many of the registries but also telecom operators are already doing this today. So it's not like it's a huge shift. I think the biggest thing here is reporting measures, so actually that we need to report. So I look at the reporting obligations. Well, if there is an incident of significant impact, you need to report it, and how do you define significant impact, that is to be seen, but it's more if it stops the services that you're providing, or if it has a huge economic impact on your company, then you will need to report it. Also the cross-border reporting is important. If you have an incident that is affecting more countries, you will need to report it, of course, to the member states affected and also to ENISA. So there are things that need to be taken into account. You need to have a response plan. You need to know what to do if you have a cybersecurity incident. Again, as I'm saying, many of you already do it. Today many of the companies that are affected by that, that are using the Internet or having critical services, of course you know how to deal with cyber security.
If we look at the telecom operators, we don't see this as a revolution. We see this as evolution, because we're already working with many of these measures. Many of the member states already have rules that are in the NIS 2 directive in place for the telecom operators. I come from Denmark; I know TDC had requirements to actually comply with ISO 27001, and therefore much of what's in NIS 2 today is already taken care of there. But what we see as a development is also that it's widening the scope. So the full value chain is in focus here. And I think the value chain is important for all of us, not only telcos, also for other Internet players. And if I look at the Internet infrastructure, as I said, this regulation is very explicitly regulating TLDs and the DNS servers, and the non-European registries that are offering services within Europe. As I said also before, one of the key aspects is the ICT supply chain; that's extremely important for resilience of critical infrastructure, because what we see is that some of the breaches are made in the ICT supply chain. So the vendors also have their role to play. And here, if we look at NIS 2, it might have a greater focus on the supply chain, but it doesn't really cover all of it. So we had hoped that NIS 2 would cover everything, also the supply chain. It doesn't. Of course, there is coordination with the vendors, and the vendors' products are partly defined by the services you want them to provide, in the hardware and the software. If we look at how the world is developing right now, with 5G, 6G moving into virtualization, it's much more virtualization of networks. And the more virtual the networks become, the more vulnerable they become to attacks, although we see 5G as more secure than 4G. We also know that the services where attacks can happen become more.

So there is a balance to be taken care of there, and we need to make sure that everyone delivering software, hardware, whatever it is, to telcos also needs to comply with NIS 2. So this was raised with the Commission. So now the Commission has the Cyber Resilience Act, where they say, well, this will actually also cover many of the providers, the vendors of the software and also the hardware. We see it as partly, but in the Cyber Resilience Act what we see is that it takes into account that it needs to be security by design, we need to have lifecycle support and updates, and also there are some requests for vulnerability handling processes. But how it's going to be brought to life is still a question; the rules are not decided, the act is not decided, there are still negotiations going on in the EU. In the end, it's all about how it's implemented in each member state. So that was a quick introduction to NIS 2 but also the Cyber Resilience Act. Thank you.
Excellent, thank you. So maybe we can then have the panel on the stage here, if you want to end your presentation there. So we are now joined also by Elena Plexida, who is the Vice President of ICANN for Government and IGO Engagement, and also Håkon Styri, who is senior advisor for the Norwegian National Security Authority. And what we have in mind for the next minutes is that both Elena and Håkon will give initial presentations on their perspectives, and then we can have discussions, but perhaps before going to the first presentation by Elena, a check: are there any questions on Lise's perspective? You won't be able to ask the question now, but just to check who has questions.
We have one person there. Okay, excellent. Excellent, good, then we have four questions in line for you later, but first we go to Elena.
Thanks, actually, because that was a very thorough explanation of what NIS 2 is about, so now we can jump right into the effects. And really from the Internet side, and when I say Internet, for us and the family of technical organizations this work is about the identifiers; those are really the fundamentals, right. You've got the identifiers and the IP, but of course the outcome is cobbled together, so when I say Internet I refer to the fundamentals. So what would be the effect of any legislation on that side, and I mean from a security standpoint? So it's all about maintaining more security. That isn't a question, also the fact that the DNS is critical, of course; it is absolutely critical to that. As Lise said, the cybersecurity risk management measures that are laid down in NIS 2, I think any operator in the space that actually respects itself does it in one way or another, or anyway the operators themselves. So if they are not doing it themselves, then maybe you can say that through the legislation they'll have to implement these measures now. So in that regard, yes, you see a more secure space. I would rather like to focus, though, on the scope of the evaluation of those measures and obligations, and the approach initially, and I'm sorry that it doesn't take a dive in the necessity for them. When the NIS 2 proposal came out, it was proposed that it would include DNS operators all the way to the root servers, and the root server operators are spread around the world, and they have hundreds and hundreds of instances. All they do is they propagate and publish for the rest of the world, so that our queries get results fast and secure and resilient. That's the idea. Okay, so the EU proposed that it would impose regulation on all of them, in Europe or outside Europe. Never mind that these operators offer their services voluntarily, for the public interest, for the sake of the world.
And so, exposing these operators to regulation and fines, as NIS 2 also includes, probably would have had the outcome of making them withdraw from the service. At some point during the negotiations the Council had realized that this was not the way to go, so a compromise over thinking it, a second thing, saying this for the sake of Bragman, a compromise over the name was conceived: if you have more than 10 instances, you will be in regulation. Not you will not be, but it will have an effect on that one. Everyone would have dropped to 10 instances. So ultimately, in the regulation, what I'm trying to say here is that what would have happened with this, if it had been in the regulation, is fewer of these mirrors, whereas the reason that the domain name system is so resilient is that we have many, many, many, many branches. So you've got to expect it to have the exact opposite outcome of what the intended outcome was. So in this space, less classical, just to be honest, operators, there has been an effort to actually put in scope those that make sense, and I have to say that still lots of events, no way, are physical and Steelers work. Why am I bothering you with the root server operators, which are now edited out of NIS 2? The vision I'm still raising with you is the approach, the approach to safety when we see, because Lise mentioned it at the beginning. So there are very real problems that have changed on the Internet, and the fundamentals were to give you the glue to have a global Internet. Everything else comes on top. Up there you will have many, many issues and security issues. Because of this, we see legislators around the world, not only in Europe, but Europe, if you will, is leading there, thinking about, okay, how am I going to make that more secure? What am I going to do for my citizens, which is of course a rational consideration, right?
Europe will have the principle of a special ramping up; what we're seeing is a special guarantee that is applied the same way it is applied in cable news or it's applied in software, although with reputations over all the way down to the fundamentals, and the point I'm trying to raise with you is: if you want it to be more secure, you have to do the exact opposite. You don't do this, because then you make it less secure. You create one single point of failure, no mistakes. You have to think in the exact opposite way. And you think about other things on security, for example. That's an additional raising that here we do, and we see that not only in the names, here and there in other regulations that come from the European Commission area, where we see that it is standardization, definitely relationships, there you see this approach coming into play. So you have to do our own, we have to put in place our own standards and then the world will follow, which makes perfect sense for the single market. You have to have products in the single market that are secure. We find this perception, this idea of doing standards, comes into our world, into the standards that the IETF is making. These things are either agreed globally, and then they work globally, or you just have your own automated bottom line. Rhys approach when it comes to the fundamentals, right. These are the very, very glue that keeps things together, let alone tiny cell phones.
Thank you very much, Elena.
And let me check again.
There will be questions for Elena coming up later. Okay. Good.
Then we can
continue with on steady.
So, as was said, I'm a senior advisor at the Norwegian National Security Authority, which I represent and talk about today. I'll start 30 years ago, when I was working at Telenor as a research scientist. I was more or less quickly convinced by a guy who talked about the Internet being able to carry the telephone network. The bad scientists these days are talking about the danger of losing information because it carries everything. Somehow, by luck, I was right about this prediction. I was lucky enough to be part of something called the Internet Telephony Consortium at MIT and Harvard, where we actually modelled and proved that it was possible. Anyhow, that's been part of the story, so it's nice to start there. I got involved in the European Union program called the European Programme for Critical Infrastructure Protection, which was proposed as a directive in 2006 and confirmed, made a directive, in 2008. In 2006 I started working with the working groups of experts. When the proposed directive was published, it had 11 sectors, including digital infrastructure. That number is quite important, because the NIS2 directive covers several sectors as essential. The CER directive, which is the resilience of critical entities, has seven sectors that might be prefilled, so they kind of match up, and that was not the case before. The proposal from the Commission was reduced to two sectors: it was energy and transport. That's it. The reason was that the threshold was quite high: it was only services involving two or more states. It ended up being really too restrictive. I joined an expert group for ICT, or information technology. It was hard to find out whether we could cover the whole sector during this directive. We found that it wasn't.
Also, actually, we have most of this implemented already, because the EPCIP was very focused on incident response and ours was more focused on preventing incidents. So after a few years of discussing and suggesting themes, the nation first made a security policy, and after that it became a cybersecurity strategy in 2008, and then this work, that this directive is the first historically solid one. That is history. So it's kind of a good story to go after. In the NIS directive, evaluating these two directives, the founding is oppositely CER, which is the resilience of critical entities. These are really sibling directives. NIS2 is the most cyber; these two aren't only cyber, it's explicit they know that both are a risk management approach that is all hazards. Just for some of the sub-spirits people are working with, intended that's only the start; all hazards is very important. This directive has an operating room. The same thing is for the resilience of critical entities: both directives state that these two groups must have a joint meeting every year. The critical entities brought about in the resilience of critical entities directive are automatically inside the NIS2 directive. The cyber directive makes new services, and when you start with that it is disregarding size. All right, the size is larger than SMB businesses, and some things are disregarded inside. It's quite inclusive, and there are team directors on cyber that are actually working in pairs. So these will work in a way. You have the legislation, the Protection Act. They implemented the ECI directive, so that barriers have been implemented and will be replaced by the resilience of critical entities directive. It states that this will happen in possibly the ministry. Of course they are like this. The Civil Protection Act is the directive of civil action.
Who's the authority that we need actually implementing these? I didn't know where we need that. Several authorities will have to cooperate; maybe this will happen in an organized manner in some effort. Also, we have a third act, which is DORA, for the financial sector. So it's a trinity of two directives and one act. But especially these, the resilience of critical entities, are really putting together the security measures, which are more or less included in risk management. The response to protected risk management activities on sidewalks every day: the students are going to decide this curriculum and battle with variables apparently. Both directives will have a form or are specifying performance bars or strategies. So we will have to have the cyber strategy with performance within our computing. And with the resilience of critical entities, we have a critical infrastructure strategy, and they are much slower, so we'll have a new strategy.
Most of the details I shouldn't mention, except that incident response takes priority over reporting. So if the incident response activity is going, you leave the reporting until we actually launched this. So it's very important that there are quite a few details that recycle these. There have been lots of changes in this new directive since the proposal, so what is supply chain risk management resource improvement, but that is important to be in Union critical entities. So you have the diagram of the 2020 common Civil War as the most important; I was happy to decline. At the time this was in 2012. Long reports in the area of reporting. They actually reported that third-party reports, that is of course in the supply chain, were about 19% of the incidents, compared with the IBM Cost of a Data Breach report last year, which reported 21% of supply chain results. It's bolted on. Really what about is it seems the post blockchain that popped
out. Also, the Cyber Resilience Act, which is coming and still in discussion, the committee in the European Parliament has not reported, it's stated that it probably will cover about 10% of products, so 90% of products will not be covered by the detailed requirements in that act and will be classified into a set of categories. Security, I think that's probably four minutes.
Open Thank you very much. And this means that we can now start discussing both in terms of discussions amongst panelists but also with the audience and perhaps I can start with some of the questions
that were formulated
in your mind after Lise's presentation. We
start with some of these. I saw some hands. Well, yes, we have people
on Zoom, I think so. I'm so
sorry about what I'm about to ask. You can see I'm young, inexperienced, and usually don't do much in the realm of security. My question is to both, really. Thanks for a great presentation.
A lot of interesting stuff.
I'm learning at breakneck
speeds. Be patient with me. Internet is a global thing, right.
There's global cooperation. There are a lot of voluntary actors in here. Security, traditionally, national subject, right.
The EU typically traditionally hasn't been very involved in matters of national security. So there are some points as to why the EU should be regulating this right. What are the what is the EU stake in making this directive and regulating it on EU level
what's what's the interest and what's the driving force behind?
Particularly work in a broad sense is my question.
Perhaps all of the panelists
Well, I can give it a first go. Much of the regulation is about creating a basic level, so a level of security, by harmonizing. The countries' telecom operators have been regulated by the EU for many, many years. Now, what I see is that they want to create that baseline for the ecosystem as such. On the telco side, we've had specific regulation before. We were not in NIS1, now we are part of NIS2, but only in the second round, but there is still, and has been for a long time, security regulation in the telecom regulation. So I think you're right, it's a national matter. But now with the cybersecurity threat, it has become global or European.
I can just add on this: the directive is a minimum directive, so any member state can go beyond whatever is required; it will not stay there. The other aspect is harmonization, actually using the same standards, the same language for describing risks, the same methods to express risks. Again, read the recitals, the preamble; you'll find that regarding the question, national security is exempt. So member states won't have to reveal national security information. The problem area is that, you know, they have something called multinational entities that are owned by international actors. So they will have to restrict the information about these. We will have to report incidents. If they are inside, we have started sharing information. So it's actually going to be somewhat difficult to make this happen in all present, because every state has so many varieties on national security. I think it's possible to work around it. The important thing is that it's a nation sharing information about incidents. Thanks. Anybody want
to add something like that, or should we proceed to a question? Yes. Okay. There were some people also that wanted to ask a question regarding Elena's presentation. We're going to proceed there. I already set the bar really low. I'm going to ask a question about NIS2, because this too has some worrying aspects. I mean, I can't use the excuse of being a newbie. I'm a staff member, on the ICANN Board, also an open source developer. So this looks like it's trying to secure the supply chain by imposing restrictions, the possibility of fines, all the way down the supply chain. How do you see the open source ecosystem operating in this environment?
Yeah, how do I see that?
I see it right now. It is true that it does not include the vendors. So that has been part of this. It's
if you deliver the open source to a
registry, the registry would be the ones who are in charge, and they would be liable if they are using that open source. So the open source under NIS2 might not be covered; it could be under the Cyber Resilience Act, and I don't know how that will end up being. So
I do understand your concern on open source, because that's done on a non-profit basis. But the bottom line of all of this is that when you use anything in commercial terms, you need to be responsible for what you do. That doesn't cover open source, and I don't know how that will end up and where open source lies in all of this. Well, the supply chain is
still the European, it is still a problem that it is always responsible to do this in the proper way, with locks on repositories that are no longer maintained. You might even vote in well who aren't in whatever action the sled poles, and some are militaristic. So I don't know how they are sourced, but what is more important is that disclosure by relevant entities will be improved. That is a good thing. So that might be the ultimate task, because we have become more strict on the disclosing, or what about the responsibility of not disclosing, the incomplete, and as soon as possible a problem that exists in the ceiling. There is a musician; I don't see that Mr. Lee but in the CRA decision
The question is whether it has been raised during the consultation on the CRA, because I think that's an important point, saying you do have an ecosystem of open source and non-profit that has a different kind of value and also purpose that needs to be taken into account, but in the end, it also needs to be trustworthy. So how do you actually balance that?
That's what I'm thinking of: proposals. You know, sometimes a presentation doesn't really give you an idea of where things are going. That's it. I've looked into it and I've seen a lot of references as well that hopefully will be
excellent. Did we have other questions for Elena?
I
I have a question for, actually, kind of a follow-up. It's playing pretty high on the oldest after, and I would like to add a little bit of information which I hope will help add some weight to the issue. I've seen some numbers that in the European market 92% of all applications use open source software as part of their supply chain, their dependencies, and I would like also to correct, maybe, just some of your ideas on this. We're not talking about non-profits. We're talking about people who, in their own time, do something they love, and others find it useful because it's been given away on very efficient terms as an open source license. For me, this sounds like we are about to introduce some regulation that will frankly be ignored. If you've created that percent of all issues that are out there related to supply chain issues, and 92% of those, again, are open source related, and who knows how many of these, again, are purely volunteer driven. Should we enforce these laws by knocking on the borders of people's homes? Or do we have to actually introduce some requirements on businesses that they take the liability in this case? Maybe force businesses to have an ongoing, livelier relationship with open source developers all over the world? Do you have any thoughts on this topic?
I'd love to hear what you think. Three quarters of the development room is designed so that one thing is the business of our vendors, and the other thing is worth mentioning, because there are quite a few issues where open source groups or publishers put a license on their open source code, and it's not used as it's supposed to be in the master. So there are some quite extensive things being done here. On the notion of proprietary software that is written in-house, every line of it, that is very rare. There are some people that do it this way. It's very good. So thank you. If the biggest actors are observing the reality, then the mainstream is not implemented. I think there is this price.
Before we continue on with this, am I understanding the question correctly? So you're saying that the issue is not with NIS2 but with the Cyber Resilience Act proposal, and what part of the Cyber Resilience Act proposal is the specific challenge to open source?
I have to say, to start moving the scheme, this is rolling lighter, the fundamentals, and I, surprisingly, still have a life, so the particular article
No, I don't have this specifically. It's more that we know that this is going to also include vendors. Here the vendor isn't seen as a commercial part. And I completely understand, and sorry for calling it non-profit. It's all here work, much of the open source. I think it's an interesting dilemma, because open source is an important part of our digital ecosystem today. But we also have security, which is
a basic threat to our lives if we don't take care of cybersecurity. So
I'm not saying that open source should be held liable. But if you use open source code in commercial software, you need to be liable, not as the open source developer but those who are using it for commercial purposes. So to me, there is someone who benefits from open source in a commercial way, and they need to be liable, as you sell people a product that they need to trust.
Right, I guess
we also need to continue the discussion on open source and the Cyber Resilience Act when we have a more specific discussion of that. Yes, although, here so.
One special warning from
the RIPE NCC: there was a question of whether there have been any comments to the Cyber Resilience Act regarding the open source programs, and yes, there have. RIPE NCC has submitted our comments on this, and we have consulted with our community, which has an open source working group, and several of these issues have been listed in that, so the Commission should know about this. I think there are also two or three other European responses that raised the same kind of issues. Just to add, I would say here that somebody has to be responsible for providing security services, and if you use open source, I would think it's unreasonable to try to pass that over to the producer of the open source. But then on the other hand, we use open source for DNS resolvers, which are volunteer organizations, but we also use Red Hat Linux or things like that, where there's a huge commercial group behind it, so one size fits all doesn't really make sense.
Thanks, Nicholas.
Question. Yes. Yeah. This is fine. This is somewhat connected to training and Internet based on domain names. My reading of NIS2 is that it will enroll more entities than NIS1. So we know that in Europe there are also very many new generic TLDs based in Europe, because of tax rates, regulations, etc. They have to, the directive says, registrars must do something even though they are not ICANN accredited, maybe they are just nationally accredited, et cetera. ISPs must do something.
So, the question is,
what sort of revolution for the companies, because there will be changes: how much will that cost the business? Will it actually be feasible for the entities that today are in operation, or will the entities say, no, I can't do this anymore because it's too strict and the fees are too high, and turn down the business? Actually, I read from an ISOC report in 2001, but anyway, I don't think that is completely valid. But my question is, what's your thinking about how much this will change the business for operators, registries, etc.?
Etc., true, this is very different. NIS1 included DNS operators, but it was up to the EU member states to look into their jurisdiction and say, okay, we think that this one is essential but this one is not essential. Now, for the sake of harmonization, it is different: when it comes to the domain system operators, automatically, if you're a DNS operator, no matter what you are, you are in. Essentially what I was saying before does make sense in some regard, because one has to be a super soldier, but the other guard does capture entities that are by no means either essential or important. So yes, for those, it's probably going to be an extra burden. As I was saying before, there are basic services and measures everyone should be doing. Reporting obligations, though, are coming on top of that. What you mentioned is the key here. Similarly with the GDPR, what was the issue of the fines? It's the same, so maybe for small operators it's not important but an operational burden. I don't know about that. I'm not sure.
I think the burden is going to be bigger, of course, on all the small ones, but also on the cybersecurity agencies around Europe, because they need to actually get all the reporting, they need to supervise and also look into compliance, etc. There's going to be heaps of issues in getting this system up. But I think in the long run it will make it better, and I hope it will find a balance where it's not overly burdensome, but more at a level where we are creating more trust in our digital ecosystems.
Just to give you a sense of the size and scope: there are millions of domain names registered only in Europe, and in theory these supposedly have to be receiving reporting from among them. Sorry. This will be exciting to watch. Now what's the threshold on how your incident can be reported? How much punishment, how are the severity measures? Having been in almost all of these, it will be awfully important, because the legislation is raising the bar to a reasonable level and the threshold is not too low. It will work out if they are sensible. You have to rewatch small incidents to look for mismanagement. Also, recognition for the entities, it will be felt to be too much. So some of these details in the directive have not been worked out; they are to be decided later. There is also the resilience of critical entities directive, where the list of services is included in the delegated act, with the information in November of this year. So the list doesn't exist yet: what services are ruled in this critical infrastructure? We're talking about the cyber directive, so we have to see how the Cooperation Group decides; I hope they are reasonable. Questions there?
actually gonna ask
that question, this was all before, but when I'm sitting here I'm getting a completely new question rising, and I'm not particularly familiar with this regulation. What I have done is I've been working on the deregulation, the CSSR regulation. And what I'm hearing here, one of the problems that I'm very good at actually, there doesn't seem to be some overlap in the comprehensive thoughts coming into this; it seems to be something of a siloed approach. So the local entities are going to have several regulations. And I realize I'm probably going to send a question to you that might result in you just throwing your hands up in the air and wondering. But I'm going to ask you anyway. Do you see,
how do you see all these regulations coming in together, not necessarily being coordinated?
How do we approach this?
What I can say is that I know that the member states are, at least to some extent, aware of those, in particular when it comes to the NIS2 debates. At first, there's a lot of time thinking about that. How does it come on that counters the one that was extended were very successful, but at some level of a person, and very fortunate in the fact that he was very open to inputs. Well, the process might be one: something has been perceived but also when it is interpreted. I think we have to connect, because then if
we run the telcos, we are subject to regulation on cybersecurity in many laws or acts or directives. We find it concerning, but we hope that it will all be solved in the final, in the member states, because in the end those are the ones that are actually making this into actual regulation. We're not against NIS2. We're just hoping that they're not contradicting each other, and we hope everything will be clear, so we're not having one regulation contradicting another. But it is a concern.
It is also the persons who will be in the expert groups that are supporting information on decisions.
Really, if people know the topics and all the problems and all the sectors that are covered, they work out. If they are too eager, and not really developed, and don't know what they're doing, they can do great damage by using them.
I know experienced folks and helping those out and working out almost well. There have been people at ENISA; we've all seen the European member states' handle on security. ENISA is quite eager, because this is an opportunity to collect lots of information about the cybersecurity level in the member states. People are participating in the working group, and for me, testing the number of items, the amount of data that is being collected is too much for those member states. This is smaller; it's an expense. So we are actually pretty positive in some discussions that it isn't being too expensive. We just talked about legislation that will not work. Yes. Thank you very
much. I'm getting conflicting signals. On the one hand there are more questions to be discussed. On the other hand, I'm getting signals from we need to conclude and move on to the next session. But there will be an opportunity to discuss also after the next session and also perhaps during the break. So many thanks to all of you who asked questions, and many thanks to our excellent panelists.
Whoever is missing, you will have limited time anyway. So it's not a surprise anymore. But it's still useful. I'll start here, and thank you very much for attending. Listen, you definitely need that in a cold Copenhagen and in Bristol, and you're going skiing, so it's a short break now. We need to take it somewhere, and I have a gift. There will be a guide at the door down there with these cards. The magic is that these cards give you a drink. So the bar is over there. You can collect your receipt,
so go through that door. Take a
breather, take a drink and come back in, say, 10 to 15 minutes. Okay, enjoy.
And then the fourth session is the Baskin, and he will direct that and keep the time. And after that, you've seen that there is some food at the back of the room; you're welcome to dig in afterwards and enjoy everything. Go on.
Thank you very much and welcome
back with a drink. So this session should be fun. I'm also sure you're getting hungry, so keep time with me. We're talking about DNS abuse, in the sense of a really, really important topic that has gained, I think, also politically, much more visibility over recent years. And we'll hear three very interesting and somewhat different perspectives: first from ICANN, then from the national ccTLD here in Norway, Norid, and last but not least from IQ Global, in terms of how to handle abuse.
So, without further ado, I would welcome
Siôn Lloyd, who will tell us a bit about DNS abuse and mitigation in the gTLD context. So we'll hear a little about DAAR, the Domain Abuse Activity Reporting, as well as some suspected pandemic-related malicious domains. And maybe we just give it another second or so until everybody finds their seat.
Siôn, the floor is yours.
Awesome. Yeah, so my name is Siôn Lloyd. I work in the SSR team within ICANN's Office of the CTO. And as has already been said, I'm going to talk about two projects that we work on that look at abuse of domain names, but in slightly different ways. The first project is a long-running project now; it's been running since 2002, and it's called Domain Abuse Activity Reporting. And it's really about looking at metrics. So it was designed as a system to look at security threats, to look at domains that have been reported to us as being abusive across top-level domains, and the initial idea was to publish the methodology, send it out for consultation to get feedback, and then produce the system that would enable people to replicate it and look at the data that we're looking at, and maybe come to different conclusions than the ones that we come to, actually, from the same data. So we thought that would be interesting. This is going to be a very brief overview of it, so there's a link here to much more detail about this. In essence, it's a very simple idea. We have the zone files, we have the gTLD, generic top-level domain, zone files. And we can subscribe to reputation blocklists, so some of these are commercially licensed, Spamhaus, SURBL, and some of these are open source data, things like PhishTank and APWG, a lot of interesting data. You combine those and you can look at how abuse is distributed across the TLDs. And because we know the size of the TLDs, I mean, which names are actually present in them, we can normalize these figures so we can account for the different sizes of the TLDs involved. Because obviously a TLD that is 10 times larger would be expected to have a larger number of abusive domains, in proportion. The idea is that the data can be used to report on news and trends and report on historical data and evolution and so on. It's not intended that this data be used to look at mitigation of these abusive domains.
We're not imagining that it can be used to do anything other than what the data contains. It can't tell us whether domains are malicious registrations or compromised domains, because sometimes we just don't know it's just it's appeared on one of our leads. So we can apportion it to whether it's phishing or malware but we can't tell you any more than that. So we can start inferring more information that is contained within the data with you. And we're also going to rank TLDs we'll see some graphs in the reports. They're all anonymous. We're not labeling which TLD is which so you can say Oh, this one's better than that one. That's that's not the intention of this system. So the system produces fewer posts and again, the link is on the slide. So you can see these going back in time. We separate the detail these into two groups legacy, which are those delegated pre 2010 and new gTLDs or the current batch and we break down the abuse metrics by those categories. So we've got spam, you've got malware, phishing, and we've got command and control. You can see how these things differ between the different populations of TLDs. We can look at how things have evolved over the previous 12 months. And actually, you took a report few months ago, it was the same thing but going back to the previous 12 months. All of these things just looking at how things evolve over time. You can also look at per TLD. So we can kind of normalize these things. So here we've got the size of the TLD versus the median cancel of spreads that we've seen. And again, the magazine the new gTLD is a kind of separated but we're not labeling we're not
the monthly reports will have the 12 month for us but because we've been collecting this data, we can also look at longer term reports. Longer term trends sign is going back a number of years and the dashed line on these graphs is when the GDPR regulation came into force. Because there was a lot of concern at the time that without there is data that people wouldn't be able to find and discover a piece of domains. And so the problem with either rocket, or would disappear completely and simply because you're no longer able to discover these things. We saw in our data, there was no kind of discontinuity at this point in time. So we don't think this looking at this data that there was any big change happening at that again, we can we can break it down by the different categories as well so we can look at each of those has evolved over time.
You also don't ccTLDs to take that they have slightly different report that they receive because it's individualized towards them. Looks something like this where get compared to populations we've seen in standard Matthew reports. Also the other ccTLDs but not an individual basis, that makes sense. So they see their own data. They see the aggregate data of everyone else. You don't see any kind of comparison other than that they don't see your history this project has been running for a while and we have a number of things on our expedition, things that are going to happen. Some of which are perhaps more interesting than others to say naoroji in Sydney, let the people who aren't running gTLD and consuming their own button. We're looking to add information on uptime of threats. So how long abusive Dominions active for before their mitigated and suddenly either suspended from the zone or malicious content. Looking at differentiating between malicious registrations and compromised domains which is which can be seen in various different lights, for instance, the mitigation that you might take is very different things that registration is malicious compared to if you think it's a legitimate domain that's been hijacked and have malicious content placed on it without the knowledge of the registrant and a few other things in the pipeline that will hopefully make the information that we can present just more useful or interesting or informative, because that's what it looks like. It's about getting data into information to help people make decisions about policy or any other aspect. That's, in a nutshell, possibly the quickest introduction to the subject. I'd like to talk about this. Meeting security threat information collection and reporting. Thanks for the DNS ticker for shorts or even just ticker because we can't be bothered. 
So yes, are you aware that criminals use the Internet and will use large events things that are in the public imagination to hook their campaign to the phishing and you have a global event? Combined with the Internet, you've basically got the largest mass audience for this kind of activity that we've ever seen. We've known for a while that large events have associated bursts of domain name registrations, so vague games you get a whole bunch of names registered with Olympic premier in the city or welcome anything, the events, the larger the event, the more global the event, the larger and effect that you see. And COVID-19 was no different costs. Us the fact that you have people working from home is kind of a perfect storm. We were seeing articles we were reading papers and things were being asked about the enormous number of dangerous, risky, abusive registrations, domains and URLs. It wasn't always clear what was meant. It wasn't always clear what we're actually talking about. What What do you mean by risking? I don't. It's hard to quantify what what was meant. So yes, worse, suspicious, potentially malicious, they're not they're not something you do. Anything with. Some of these were looking at all URLs and reporting the numbers of full URLs, whereas some were looking at certificate transparency, this Some people were looking at passive DNS sources, just queries within DNS so we wanted to clear published methodology again, that people could reproduce if they wanted to, and examine what exactly we could see within this space and examine some of the numbers that we're reading. Not only did we wonder what's on the numbers, but we also wanted to get right intelligence to the right people. So if people can take action on the domain that is really phishing and getting the right information to them as a way to to get that started COVID-19 And last year, we added terms to cover the conflict in Ukraine as well. The methodology is reasonably simple. 
Again, we take an input which is the details in some files that we have access to. What we do is we take today's files and yesterday some files can be looking at what's appeared in the to those the new registrations that list through the filter, and it's very simple keywords. Although we also have translations, we have IDN. Variants, we have lookalike characters, so we have lots of variations around the themes like a zero instead of you know, and all
that kind of stuff.
And if it matches the type those domains and we hook them up against as many threat intelligence sources as we can. Things like VirusTotal things like fish time things like domain Safe Browsing API's. We gather all the responses from that. We see that has a sufficient number of those sources telling us that these domains are bad. And we take it for us and we gather more information about the domain we gather. The DNS information. So who's hosting, we capture a screenshot, it's believed that phishing involves then we have a human actually look at the information that we gather, looking at the evidence that we've gathered on that domain, if we believe that it's sufficient to be reported we can send a report with all of that auxiliary information that the registrar we need in order to take action, making their own investigation and deciding whether they believe the demand is necessary. So what did we think? Well, this branch, the blue line, is simply registrations that matched one or more of our keywords. So you can kind of see the same kind of spike that that we're seeing in other people's data. We saw a little bit of a bounce, and then things kind of calmed down and returned to some sort of ground level. And there's another little side reintroduce the terms around the conflict in Ukraine, but nothing like the scale spike we saw with COVID. And the red line on this graph. That's the number of domains where we found at least one piece of information or one source that was telling us that this domain was malicious. That's not the same as saying that we believe that it is actually malicious because some of that sources produce not saying from evidence they've seen that this man is bad. They're saying that some sort of machine learning algorithm has said that this domain is probably bad. So we can't use that information, but it gives you an idea of the difference between just the number were registered and the number that has any information at all. 
I'm not gonna talk too much because as I've left it in the slide deck, it kind of shows how different turn it off over time. I find it interesting other people may not find this is just to say, we had to introduce new terms through sort of evolution of the events, they receive a term Omicron which basically have almost no signal till it was used as a variant of of COVID-19 which I'm very sharp spike, basically, the event again, but in miniature, okay. Really, matter of weeks rather than months that initial like to come. So some broad statistics just from the first three years of operation, we now have around 580 different search terms. Our list looked at approaching half a million distractions that matched one or more of our search terms. Only around 6% of those had any evidence, any reports from third parties that they were malicious. There's 6% Really, it's only 2% that had any negative credible evidence, if you like, sort of the level where we might feel comfortable sending that information to a registrar saying you may want to spend time looking at this domain is this delicious? And we also obviously we're capturing a lot that weren't related to the event. Asked obviously we had in stone facemask pretense and people setting PPE and all that kind of stuff. Because it will also catch anything with those letters and again, payment we were looking for stimulus payment that can cover a multitude of different things. So that's it for me. Like I say to two ways of looking at the visa domains in different ways. One looking at Broad metrics and aggregating and one trying to drill down and get specific evidence on individual domains.
In presentation.
We're gonna do the same thing is in the first session, so I'm sure there's quite a few questions to this. So if you will, to raise your hand and I try to remember your face sessions
to shown
no, I'm very surprised I have a few. I will get back to them and maybe have a few to. Then without further ado, we're gonna switch perspectives and go over to the national ccTLD registry and Norid were here to tune in is gonna talk about this something we don't like on the Internet and the Norwegian approach and when originally ecosystem is has been managing director for more than 20 years now. And you've also been on the ccNSO for even longer as far as I know. So you are no stranger to the ICANN community. Welcome to Florida. I want
to talk about somewhat challenges coming from a ccTLD perspective, because you've recently heard about some of the things that I can nurse assistant to the country code top level domain is like Norway that so because we don't talk about other things. That's saying already Sharma saying that. Advice is great as well. So it is unfortunately a fact. There are bad things on the Internet. What do we do about that? So we're going to talk a little bit about why every school is different because we do not do things the same way. And that's because every every TLD whether it's a cc gTLD because it's easy to exist within a legal ecosystem. That ecosystem is partly made up by local law in our case, original party by registration policy, the framework we built on the apartment for No, there is a patient policy where we require a local presence we require that anyone having a doTERRA domain, they don't have to get in Norway, but they do have to be registered either as a business in the business register in Norway, or they have to be registered in the state distinction. Nation registry, get the number there by working in Norway for a time. It's not about citizenship, but it's about no we it's a real personal real organization having a domain in Santa Claus does not get done just making laws. And the other thing is, and this is a very enriching thing we think the ones that come first shouldn't be able to eat all the food at tables and giving somebody something that comes afterwards. So we have a limit on the number of domains that each can have. And always the scanners is less. It was not the intention by introducing the rule. It was mainly in order or those coming in later to be able to have some domain inside. The principles that are important for us as a registry is that domains and I know working in the industry where domains is the most important thing in the world, but they are not magic. And what is illegal. Offline should also be illegal online. 
So you can't just say oh, it's on the Internet and you should be allowed. Vice versa. The rule of law and the principles of justice applies online as well. The police and others that have a mandate to catch criminals should of course be able to do that online. But they should also have to follow the same procedures, rules or rules. It shouldn't be difficult for them that they shouldn't be considered for either. What is the domain name? Well, it is. Other thing you can touch. It's an address. It's a human readable version of an IP address. It exists in our database, the moment somebody come and subscribes to it. So innovates subscription gives you a unique right to use that nobody else can have as long as you keep up the subscription. So Norito demo can only be held by one company and this is us. Oh there are people whose name first name is limited. And there can be different trademarks within different areas that still share the same name. They cannot have the same domain the other thing that is in the original role very clear is that the main holder is responsible for the subscription and is it and this has this pattern in two different Supreme Court decisions one from 2009 where the law enforcement of the earphone no and there was a long court case on this actually something that this is the original what to do, how to deal with it within that. It is something that can be seized by the workers many much avoiding subscriber is responsible. And then in 2019 in the Popcorn Time decision that decided that even if you as per subscriber or what people want to call registrants on domain that rented it out to somebody else you're still responsible for can use may still lose domain name you still have to show up in court. Oh, my name my name is used to provide the legal counsel to services because that's what we're talking about. are good because even the abusive or illegal domain names like you'll find this very moment. 
But But I mean, usually the domain name itself is not legal. Does not make an illegal statement is whatever use its picture. And there is a trend that the NSA seen as sort of a way of controlling, controlling services trying to act upon things that run on top of the Internet by acting on the infrastructure itself. This is a quote from the USB that you have. This happens. It also has unintended consequences. Because it's kind of like you did something illegal is going on in a house. And in order to stop it instead of stopping the illegal things that go wrong. You take them all the road signs and then you take the hole in the road. That kind of annoys people that just want to go to a shop next door. So it has unintended consequences. Why do we still sometimes do it? Sometimes it's the only thing within reach of reports that sometimes can be justified. You have to look at the proportionality of it. To take one example we are using. In a brochure we try to enforcement. Seeing the student at the university could have done something illegal and we were to take down. That would of course be that all the email addresses of everyone including the professors in this room were stopped, stopped working. The patients would stop working. Last time I checked the whole call center will also be without its email and services because they depend on the name service from perhaps other services down as well but hospital presses are interested to see we got his back on the Supreme Court still decided domain names and the obfuscated there are things even if you can't touch them, they are things that can be used to commit a crime. So can be confiscated. Like a gun like a car like anything you can use to commit a crime. You can also my enforcement can confiscate it, sees it as part of an investigation and then bring it as part of a criminal cause. case ends up confiscation. 
What happens is that the right to use is the thing that the main holder has, it's taken from the domain holder, frustration is transferred to the police. They are the domain holder with normal rights and duties and they had to care for the domain name until the cases initially like they have to you know feed the dog that they have seized because it's somebody it has to access them from the court cases finished then after the case has been inserted in court. If there is no clear case for the police, the court will say no was not used. You have to hand it back. This was the case of the first court case with Ezel politically is not managed to convince voters it was used. But Porter decides Yes, there is enough evidence that this really cannot then mean the right of use can be confiscated. And then it is given our the rights of users given the state they can like with other things they confiscate stolen bicycles they and and back to the people they were stolen from. They can't reach the people their own from the salad and the money goes to the state. You could sell the domain name or even state or they can keep it if they want to. can also destroy it, which is what they do when they confiscate drugs
they do not sell it. So that is a choice. of the state of the case of law enforcement in the case of Popcorn Time. Enforcement decided to employ what we as a register do is mainly to say if a domain is confiscated and the police want to destroy the registration, they tell us we will alter the block in the name for two years and that is every two years or a new customer buying something that has been used in a criminal ladder. It's the same you get the telephone number. Nobody wants the telephone number that come to the Pizza Express. I mean so so you need a cooldown period. That's is the only thing and then it goes back into what very resource that everybody can use. And we do have in addition to the police that can do this. And it's given clients in law to see something without a court case in beforehand. We have the consumer protection regulation. There are I think nine different authorities that have been given the power to n there is a risk of serious on the interest of consumers and no other way of stopping it. Go to the court and tell them we need this domain to be taken down or we needed transfer process authority. And this is the comes from the base of a regulation that basically highlights proportionality issue that taking down a domain name is very, very serious because it runs intended consequences. So it should only be done after everything else had been tried. And in Norway this is implemented differently in different countries. But in Norway, the Norwegian government also said because it is so serious and the consumer protection authorities have to go to court and show them that they have tried everything else before they go to the registry is the court that decides aluminium sheet without the exception of the Norwegian Medicines Agency. Because in those cases, with bad medicines there can be lives on the line so they have the right to come there with us. What do we do? What we don't do is to decide on whether things are legal or illegal. 
There's lots of governmental agencies that have that power. And yes, the registry do not have that competence, nor do we have the mandate. The Supreme Court looks like we were part of that case. We were we were just you know, sitting on the sidelines and watching but the Supreme Court took the time to make it very clear. No, it's not on the taken control of the customer insights and do not have mandate. This is that we have also found support from law enforcement in because it's their job. It's not our job. What we do is to try to make it possible for those who has that mandate to carry it out in a transparent manner in a good manner that makes it means that every party understand what's going on. And then we also have a lot of information. We do provide, as you can see here, but we do provide different guides to people on the main conflict in the legal system both what happens with court cases what happened with the green futures do two things what happened with with criminal things and guides for law enforcement. If you want to see the domain name, this is what you need to tell us in order for us to actually be able to carry out our that given then we also have a race or other sex running order underneath. So that's a little bit different technology but basically we have a bed, which where you can go and who can look at who holds a domain name. It's a company I guess you'll get a lot of information. You won't get international is the contact person for the domain but in this case I think you for yes. If it's a private person, you will get an email address that you can contact that individual and you will get some information about the registrar but you will not get information about the domain holder unless you have no law or other reason that we can have that. That is akin to if you want to read more than you ever wanted to know about things in Norway, we have to guide standard procedures, you know, translated the Supreme Court decisions. 
And there's a couple of other documents as well. It's nice to read the report. It's a good description of the ecosystem of DNS that's much lighter than what I'm able to think that's it. In this presentation
on the local ccTLD again, I would ask whether we have questions in the room
and please raise your hand and I try to remember your face
always drinks and food. I have a few questions. I look forward to asking them
at bats. So we definitely were sitting on this panel after seven o'clock so they're not asking us questions you're not going to last at least we have with us the chairman of IQ who will present to us IQ abuse manager, a service that monitors 200 million domain names on a daily basis which is quite a loss. So I'm looking forward to hearing more about that
as well personnel have been in this space for a while
and company global is an operating measure number of years and want to talk about you know what,
why is this more than a weakening
of the leading or the leading provider of services and monitoring and management. And that is important history I guess. Schools 30 years back.
Years ago we started with absolutely first commercialized peace in Norway, Norway. was also one of the first countries in Europe that came online and actually started the program most of the routers and the servers that that was sent around in August. We actually became the first fully national ISP
incoming telephone and
this was very expensive to operate these things. Eventually we sold this company to another telco tell us an error.
In that project, which started in the absolute beginning of the 90s. We dealt with the maintenance domain registrations and most of it
happens by machines but there was very little things that happened online and Yeah, he did everything that companies into today but across multiple sectors. So we did everything on the shared hosting, dedicated hosting or location. ISP for for consumers for businesses.
Every single Bible operations to the you know whatever needed back then because you know we were
so the two samples in Norway that so at least we geeks perhaps mostly, but really hands on and after that competition takes us to the to the end of this. This we have the assumption of the company that became the web hosting company at this point to share those things. And say 10 biggest in the world, that doesn't make a difference in countries. And I guess we were the one that registered domain names across most companies before asking the largest. So we learned the hard way, I guess, the hard way about how abuse was started. In various countries and how to deal with the Department of Health for these things. And we have systems for it. So fast forward a little bit because we have multiple conflicts between them. And later with several registries there operations as consultants, but we also operate our own registry for wild global which is sold to this amazing team. And we switch completely to to bring those tools that we actually built for Dotto in this space of abuse, mitigation. And I guess the reason why we built this was one of our providers their software providing your service. Another way to build it and then offer it to others. So that is the background for why turtle we are hoping competence one of the biggest players in the industry to small response, the registrar's office with software service providers or others to deal with us. Regarding concur with Diane, were the trendsetter. Group little bit lately, is still the problem. There are certain aspects about report reporting of abuse. There are not really a lot of good tools for for that so we don't see all that news. And so not all the views will be in all these different say lists that that the argues is in use.
So so there's still a problem out there regarding reporting.
Systems that are operates in certain markets obviously many more domain names in the world. And as far as we work to gather information about them and then get back to work or how we deal with them. We also give out some some statistics and tools and some reports in the form of energy on the CCA domain names out there as some research abused women, almost all TLDs have their abuse reports. And so it's a problem everywhere. virgins and phishing and spam is what you see in some amount of reports. I guess the time that we have already we have gathered about 40 million reports. So these reports so we have a lot of data about 40,000 every day. So we also have
to talk a little bit about the
different fields or bodies that is available to us and others many of them have been built for different purposes. Many have been built for restricting access is Gs 14 now so now and therefore many of these
large data feeds are not current information. That's also something that the industry needs to take in advance and improve on. We don't have perfect data but
there's a lot of data out there.
What should the players in the industry deal with? Deal with abuse? I mean, maybe think it's very important for them. So let's start with reputation.
Obviously, we should use the namespace. They can be affected by a lot of abuse in that same namespace. We can see on certain addresses or perhaps doesn't have that reputation and that that is actually affecting the registrations and the seriousness of the players use and so it is something that everyone should care for. And therefore being a part of this global initiative to deal with. Say that, you know, He's surprisingly, players in the industry have taken part in this, which is very positive. I didn't expect that my names are really focus on this so fast and I feel like everyone's work with this. What we tried was several different tools. One of them is free, so that you use stocks or abuse statistics, some someplace that everyone can go in and get statistical reports and provide information about what they what they want
to vie for for an answer or a
subject that they want to receive more songs. So here, the place in this video actually have a source to see statistics, not for insipid statistics. So that's then the main that we offer
is product that is used to manage
abuse as a management tool. So not only does it provide insight into into the abuse,
we dig out all the information we can but any abuse we make sure to to provide that information to the case manager to easily make choices to what to do.
The we have all those databases that are useless but we have also many more. We have a curated list or database that we provide them and they selected us as the jewel registrar or whoever. So this option into but for us we have curated the way to provide less false positives was renewed in over diseases and very quickly and lots of false positives. So that's what we're doing to ensure that the case manager knows that this is real and of course capital asset and and provide our metrics to make it easy. The service also makes it easy to communicate between players and industry because registries need to communicate and vice versa. And here instead of sharing spreadsheets, you can share magic link that contains all the relevant information so that the various players to deal with that information when when it's shared. Also have ways to report
abuse and address to the
disabled stakeholders like ICANN and national requirements where there are a need to provide specialized reports to the prospective and VB for for the new TLDs and the registrar's register. See we provide those reports that are tailored to those requirements that this is needed. And this tool we will of course, make sure that helps the industry, whatever target industry or
to make sure that they're compliant in an ISP. So
we talked about the complexity of having all these regulations and all these things and then it goes much like we have here on a system industry to make sure that we stay compliant with other things, that's the services that also contains, let's say areas that are really important for those players on to also monitor season. We have a
grievance with the person that was the first player that can do this is obviously a very serious topic and something that we really need to help with. This is a newsflash we also have more solo ad free tool. That is just courses called reduce down and for this
is most of tape paper use. Answer whatever you want to monitor it can be monitoring an IP address or monitoring a DNS server or, or monitor domain names. So brands can use this registers registrar's and there's this ad hoc way to get more than just statistics wishes, or threesomes. So this is an add on
then, we are working on something new. We started last year to build we are
working on a domain locking tool.
So one thing is that abuse happens we deal with it but then much abuse from happening in the first place. And this is a this is a difficult thing to make because obviously registries and registrar's they don't want to block. Certainly those that are that are commercial, but even the non commercial you know, they don't want to block namespace because those should be available namespace for us to build this block list based on all this historic abuse data that we have to make sure that we provide a block list that only contains non legit domain names and domain names that are extremely likely to to be abusive towards the the label or the brand in this case because brand names are one of those things, really where people open Internet and phishing implemented so this way is one way to help brands to protect themselves better protect themselves in a cost efficient way. That doesn't hurt industry and other providers that are often operating as revenue for that industry. When the site services I guess to have this kind of all kinds of situations so there will always be a whole set of there but it is important to make sure that you have a way to reduce abuse from happening understand this. This is what we're building. This is
two blocks of blocking the miners inside it cannot be disturbed.
Blocked domain already registered name and domain that will be blocked is already registered. It won't affect that domain and unless it expires, it will end up with this block list and we registered that domain and the algorithm and the service that we are built on
is more than just the lock. This will also provide a list
to this band operator that contains all the domain names that we do in Delaware. That's actually our say legit, and perhaps valuable names that they should consider. In addition, we'll supply the list of tokens that they found during the algorithm was over 10s of 1000s of remain and variations
that have a look at it was there could be actual abuse happening there. We will couple this with it with our abusers mansion as much
more insistent on those and there could be so why on earth or use that they should emerge. That's the latest thing that we're working on. So this is really to make my game safer. As we I guess we are more stricter rules than less. So that's a rule has different legislations and rules connected to them and
obviously, just to make sure that everyone can live up to their Thank you very much roll and with that said let's single
for the presentation. I would ask someone to join us on the panel.
For three distinct perspectives on DNS abuse, we have a question in the audience since at least one so if you could get a microphone
to be in the
second row or you take my meantime
and please introduce yourself
as much as the best and leave in rccl, University of Oslo Thank you three for presentations,
I learned a lot. I have questions or maybe one and a half questions. So it's question related to certain states that were not be named. I would have assumed that the cyber conflict there is going to be DNS abuse as it is it is it is it very obvious reading. You said you're showing that you're not feeling particular players or parties but once the evidence of certain states that should not be named engaging in systematic DNS abuse of example IQ ICANN address in our data. When we added terms around the conflict in Ukraine it's important to remember we don't have access to ccTLDs. So we're just looking in the gTLD form for these. And so see the actors behind that we're seeing if that makes sense. So we're not reading into the owners, or the registrants. Our data doesn't show these things going on. And we hear about it and if we don't have any data so to make it one way. We monitored all C's utilities and utilities and obviously all trans COVID or anything else in the past. We see it we see that 10 Someone returns in this area to that person out and also the inside more detail as
I've seen device so it's not because we finally got no we haven't seen anything like that, not as we monitor about content.
If it had been very clear, I didn't know which authorities to is complete already to address so. I think also to be clear that sometimes when things happen people register domain they have had that term and it has nothing to do with abuse it has to do with this is a moment. This is what you're thinking about that time you're thinking about COVID or you're thinking about working at the home office or you're thinking of work and you're thinking perhaps I should make a page or relief for refugees from Ukraine. Perhaps I should just do something that has. So for a term to rise doesn't really necessarily connected criminals. During a visit, which again, doesn't necessarily connect with state actors does different things than just registering the event. I would assume. So it's not another
example of the problem. Attribution
wants to exist in abusable. That's when you really see it. And then my second question is sort of related to hinder you you didn't really give you an indication as to whether Norid is engaged in this sort of activity that IQ is engaging in or not. I mean, you have no mandate to do work on contents. So going and monitoring the subscribers does is not something that we have the money for. We have also it's about privacy and freedom. of speech is pretty well regulated in low rates. We've been set by law enforcement and others to do investigation. We come when they come and buy the season, domain name, or request information based on our law and remember information by the day you have to follow up. Sometimes they won't actually sees a domain name or capability needed. Sometimes they might want to observe what happens and that is there. We just act on it. When it is appropriate in the economy. The order would not be a court order in case of law enforcement, but it would still be a quid order. Thank you. Thank you very much for this very interesting question.
More questions? In the floor. We have time for one more. Otherwise, I would try to lay down many of my questions to the three of you and try to connect them into one and it's connected to where it needs to stop. So bear with me. Soon there will be food.
You said what is it amazing and expenditures. I think that's great and very important. And that's for sure. What is abuse and we've heard a lot about abuse now right? So we know malware, phishing, pharming, spam and so on. We also know that phishing and spam categories and so on we also know that Norwich, you chose the legal setup as a ccTLD is not very proactive in these things. Now what I have and as a background, I was involved in advising session on the digital services act. What I'm kind of seeing is that there is definitely kind of an encouragement to do more about things happening online. Maybe directly to platforms, completely different players. Now that is a there is a clause that in I think also addresses DNSSEC says to voluntarily maybe do more than you're required to do. And there is obviously an interesting and slippery slope because we're talking about comes in we're not talking about waiting for the courts to come up with an order but actually out of self is a marriage and thoughts and so what is it which one of us abuse? Where's the border between us off the DNS and the content that is being made access by remaining things, DNS abuses all of us turns I know. It's from some things meaning full attacks on the DNS DDoS attack on name servers could be seen as abuse of the DNS, they're attacking the basic service will. That's not what you're talking about. You're talking about mainly threats. We would turn ethical abuse, although that's a slippery slope in phishing, and that's being controlled by certain domain names in spam, except that spam is kind of content is not damaged difference between spam and a web page. And we're into condom use start with the easy part with see that every piece of this illegal, which is which is of child abuse, you move on to a few rights being abused you move on to any law run taking pictures of themselves not wearing a headdress, which is illegal in some countries, but not abusive use of signals from anything does it mean is used for the DNSSEC? Talking about the slope here and the PSA, I think, for us, we take guidance from our local government and our local government has when considering consumer protection revisions, said don't obey names so invasive that should be done to normal making a case in front of a court. One exception for us is a private accident. But yet we are a superhero the Internet V decides we can take on the Consumer Protection Authority has to do before we can do it is not something I see yesterday, I think given the framework and you're right, I'm not saying that that would be every gTLD because they do not have the same clear jurisdiction for us. The processes the rule of law and the consistency does watch is very, very important. Because we will undermine the trust in the democratic system to be used to be worse but this is about us not having to step in because there is an advantage. Obviously, what it says is, it's great to know that you but there are sorts of things to be said about registers that create stricter policies or clear policies that day, man since so in order to do this, for example, that is the case they have policies that they maintain, they don't have capture and can you please check these things on there? That the industry will notice that there's a big series and where the industry can under their policies or procedures on these policies and their politics and policies are the same as possible is a very important section right
that the framework is actually quite quite different in this fact, there's there's different things to take account of show any any perspective from from I can now also that you will data right I mean is that a call to action to do more proactively.
So we have very similar issues that we have to be mindful of where our scope is, what's within scope and what isn't. So we can't look at the site selling counterfeit goods, for example, because that's that's outside of our remit and phishing and malware distribution are within our remit. So we're quite able to go in and you know, and report with differences. You have to be careful not to extend that. Thank you very much, and I have to be very careful of time. So what I would do is yes, oh, you have a question. Well, as soon as I can get back to you in a few seconds. You are very welcome to ask a question for the audience.
I think I'd like to mention something that the something that was referred to by Rolf and here is that it's called specular treat. And that is passes in just remember the new T generic few means this was the into the process of developing good policies or creating them. And it was some sort of, I don't like the word, spirit. Maybe it was more triggered by the coordinator advisor committee because they saw something in this space in the hand to do something about suspicious behavior on the Internet and in utilities rise to the surface and in the beginning, I do agree we have a serious problem defining what is DNS abuse? There's there's libraries or explanations and thinking about and etc. Using here is that those who we refer to as the contracted parties within the ICANN generic they have kind of agreed upon what is this set some sort of a level they have also seen that in original text as it is today, spam has been revised, but they have added spam when is the vehicle for something that is reverse is something that driven something pinyons This the good thing also hosted my day job had all is that the contracted parties have agreed upon to say that the wording in this spec entry entry at in aggravation women is isn't good enough.
And then consensus didn't make this better. That is something that might launch at a bad call. Is that something launched kind of or would like to advocate because we see that you have to deal with somebody. We don't deal with it. We kind of saw the punch was sitting on a tree and to make the interest. So no story is yes. ccTLDs do have a different tools to generics. That's okay. Okay. Well, I really like to hope is that everybody takes a small portion of solving and mitigate these kind of problems because we are all depending on having a trustworthy and safe base, please. Very much and no, we will very soon go to the
wonderful so apparently there is still a lot to discuss. I think there's a possibility to discuss again in around mid November. form as well. Maybe also before. So thanks again to our three presenters. And so for a really interesting discussion and without further ado, I think I would go back to you but first of all, pick a post thank you much
it'll be something to bring back home as at least get something during this missing one, I guess what I'm missing.
Anyway, so for miscalculating what happened to the the thing is now some food you have as drinks. We have the meeting room until 9pm So people I talked to friends note start fighting and enjoy the rest of the evening. Thank you very much for bombing.