ICANN Blogs

Lending Clarity to Security Risk Definitions - For ICANN Community and Beyond

17 March 2016
By Dave Piscitello

In its Beijing Communiqué [PDF, 155 KB] of 11 April 2013, the ICANN Governmental Advisory Committee (GAC) called on ICANN to have new gTLD registry operators find and act upon a variety of abusive activities occurring within their TLDs. This led to a requirement in all new gTLD contracts:

Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. [Specification 11, paragraph 3.b]

Due partly to time constraints, this language was purposefully left general and without detail. On 25 June 2013, the New gTLD Program Committee (NGPC) of ICANN's Board of Directors issued a resolution (Resolution 2013.06.25.NG02) that calls for a Framework to define details [PDF, 72 KB] regarding how registry operators will conduct that threat analysis and what kinds of follow-up actions may be suitable.

For effective policy development, all parties must share a clear understanding of the definitions of these security risks. They should also understand the way that threat data are collected and reported for these risks. In Lending Clarity to Security Risk Definitions [PDF, 96 KB] we provide definitions of four fundamental types of security or abuse risks for which monitoring and reporting can be implemented: phishing, malware, spam, and botnet command-and-control. We explain how threat data for these risks are collected and reported today. We examine relationships (similarities or characteristics) of certain security risks currently under consideration in order to lend clarity to the ease or difficulty of collecting or reporting threat data.
