M3AAWG's comment on the FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is available.
I was one of the contributors to the comment.
In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and notes the important role that Whois plays in investigating impersonation and fraud.
Several reports that my Interisle colleagues and I published are cited in the comment, along with the 2022 DNS Abuse Study Commissioned by the European Commission, which also quotes from our Interisle phishing landscape study.
Statistics - attacks against brands and government agencies - generated from data collected at our Cybercrime Information Center are cited as well.
Infosec can effect change but it must engage. In this case, a ruling could require the domain name industry to better attend to public safety needs; for example, by implementing Whois and RDAP in a manner that provides trusted interveners timely access to Whois for the obvious legitimate purpose of mitigating or preventing cybercrime, by requiring registrars to take preemptive action against malicious bulk registrations, and by requiring registrars to "lock and suspend" domains reported for phishing, fake sites, fraud, and malware, which are crimes.
Find the proposed rule here: https://www.federalregister.gov/documents/2022/10/17/2022-21289/trade-regulation-rule-on-impersonation-of-government-and-businesses#open-comment
Find M3AAWG's comment here: https://www.m3aawg.org/sites/default/files/m3aawg_ftc_comments_on_impersonation_-_dec_2022.docx_.pdf