More than $16 billion has been stolen in 2024 due to cybercrime schemes such as phishing and data breaches, with losses projected to reach the trillions in 2025. This sharp rise in activity can be partially attributed to continued abuse of the Domain Name System, or DNS, by cyber criminals who register domain names specifically for malicious use. But how exactly do these scams work, and how did we get here?
In this episode, Shane Tews is joined by Karen Rose, partner at Interisle Consulting Group and formerly a key staff person at the Department of Commerce, where she authored the green paper that became the white paper that led the way for the Internet Corporation for Assigned Names and Numbers. Karen’s firsthand involvement in this pivotal moment in internet history, coupled with her decades of expertise, makes for a rich conversation.
Below is a lightly edited and abridged transcript of our discussion. You can listen to this and other episodes of Explain to Shane on AEI.org and subscribe via your preferred listening platform. If you enjoyed this episode, leave us a review and tell your friends and colleagues to tune in.
Shane Tews: Can you give us some background on how you ended up in the DNS space?
Karen Rose: I started my career at the Federal Communications Commission around 1996. During that time, the Commission was focused on implementing the Telecommunications Act of 1996. At the same time, there were some internet issues bubbling up. One of the issues that came up was about Internet domain names and the sale of Internet domain names and country code top level domains. I had some experience with the Internet in university and graduate school and they were looking around for somebody to look into this more.
I raised my hand as the intern and said that I’d take a look at it. So that’s where I started, because everybody was too busy on the Telecommunications Act of ‘96. However, as these issues evolved and the administration began to focus on electronic commerce, it became clear that action was needed in the internet domain namespace to transition it from the vestiges of the US government’s responsibility to a more private sector environment.
I worked on those issues, and then it was decided to move that portfolio over to the Department of Commerce rather than a regulatory agency like the FCC. So, I followed it to the Department of Commerce and worked with Becky Burr on DNS issues and Internet resources.
Some experts are projecting that the 2025 cybercrime loss will be between 1.2 and 1.5 trillion, factoring in both direct and indirect costs. What is the kernel to this problem?
From the big picture, what we’re trying to do at Interisle is look at cybercrime from an economic and a business perspective because cybercrime fundamentally is a business. Like any other business, cybercriminals must acquire the necessary resources to conduct attacks. When it comes to things like phishing and spam and malware, a fundamental resource that they need includes domain names.
One of the things we have been focusing on is how those cyber criminals acquire these essential resources for attacks. Domain names tend to be one that a lot of people are interested in looking at, but we also look at things like hosting and subdomains. So, we are focused on the ingredients that cyber criminals need to conduct attacks, and access to domain names is one of those fundamental resources.
Your report says that 77% of phishing domains are maliciously registered. What does that mean?
Malicious registrations are those that are purposely made for the purpose of conducting attacks for malicious activity. The way that cyber criminals access domain names tends to be something like breaking into somebody’s account and using a domain that has already been registered.
So, this would be stealing a domain name from somebody who already has it. But the primary way that they get these domain names is by just going and registering it themselves. And as you mentioned, about 77% of the domain names that are used in phishing attacks are simply registered by cyber criminals for that purpose.
It sounds like there are some good guy tools that, if you are looking to be on the right side of this. You also mentioned country code top-level domains (CCTLDs), so country codes. Do you see a pattern where the people that have to comply with country codes tend to just make that a ground rule for their other top-level domains (TLDs) if they are a registrar that does both generics and country codes?
What we have found, and we’ve done a number of case studies, and we have one coming out in the new report, is that TLDs that have stronger requirements for registration and strong verification policies (for example, they check the identity or they at least check the validity of the registration information) tend to have very low rates of abuse.
There is a range of ways that CCTLDs implement their checks. Some CCTLDs require solid proof of identity, a national registration card or a business registration. Others perform more automated checks on the information provided, but they have specific rules and requirements in place. What we have found is that policy matters. So, the policy on who can register a domain and the verification level of the information provided by that customer can definitely drive down the amount of abuse in those domains.
So, you mentioned something that you call overcompetition in this space. Can you explain that to us?
Competition is great. It provides many benefits to consumers, businesses, and the economy alike. It helps drive down prices. It helps spur innovation and that’s great. Competition is good. When we entered the debate about domain names in the 90s, one thing everyone wanted to do was introduce competition in the domain namespace. And this has been one of the primary functions and goals and roles of ICANN.
So, you might say, competition is good, so even more competition must be better. But that is not always the case. Overcompetition—which is where you have very fierce competition, an oversupply of products, you have a vast number of suppliers and producers that are battling it out for a relatively small growth in the market—can lead to detrimental outcomes for consumers and businesses and impose costs even on the economy and society.
This could result in things like reduced profitability. You have market saturation, price wars in overcompetitive markets. And it also can incentivize negative business practices because you have a large number of competitors that are scrambling over a relatively small amount of market share or growth. And this can incentivize negative business practices in markets, including selling to bad actors. And what we’re seeing is that the relentless push in ICANN, it would seem to make sense.
Competition is great, so many think that more competition must be better. But this relentless push has now resulted in a market where we are seeing pretty significant signs of overcompetition that are producing potentially some negative outcomes for consumers, for business, and for society.