Site Overlay

Choose your top-level domain wisely

In my upcoming talk “Sources of ATT&CK” at ATT&CKcon 5.0, the MITRE ATT&CK Conference, I highlight the many top-level domains (TLDs) that are represented in the ATT&CK dataset. One of the interesting TLDs is “.io,” which makes up three percent of all unique references in ATT&CK. Examining the actual domains, you’ll find many that are familiar to those in the tech industry:

  • github.io
  • backtrace.io
  • readthedocs.io
  • expel.io
  • specterops.io
  • kubernetes.io

For the uninitiated, the “.io” country code top level domain (or ccTLD) has been assigned to the British Indian Ocean Territory through the ISO 3166 assignments of countries and territories. While many ccTLDs are used for domains with a geographical connection to the country code – for example, Australia’s ccTLD registrar for “.au” restricts the direct namespace to entities with an “Australian Presence” – some ccTLDs have opened their registries to the world. I am not going to debate the merits of whether this is capitalism at work or a cash grab that doesn’t always benefit the underlying country or territory, but it’s clear that offering up a ccTLD for worldwide registrations can draw the attention of big and small tech. Other ccTLD examples used heavily in the technology space include .to (Tonga), .cc (Cocos (Keeling) Islands), and the current hot ccTLD, .ai (Anguilla).

The tech industry has demonstrated numerous times over the past few decades that it wants to rise above geopolitics. Email and bulletin board systems (BBS’s) in the early days of the Internet removed the political and logistical risk of relying on physical mail, a service frequently overseen (if not operated outright) by governments. E-commerce outfits like eBay and Amazon.com facilitated the flow of goods between individuals worldwide in a way that was virtually impossible before. Cryptocurrency, notably Bitcoin, offered a financial future free of central banks and government controlled monetary policy that could, overnight, render a coin or bank note worthless.

And yet, in many ways, the tech industry has tied its fortunes to geopolitics. In the case of top level domains, the country code TLDs are assigned through a mishmash of nongovernmental agencies and standards organizations that have de facto power to define what is and isn’t a country or territory. So it shouldn’t be surprising that when the government of the United Kingdom announced it was ceding sovereignty of the Chagos Archipelago off the eastern coast of Africa, tech columnist Gareth Edwards noted the possible domino effect: the potential loss of the associated country code top-level domain “.io,” widely adopted by tech firms.

The “IO” country code associated with the Chagos Archipelago is formally assigned to the British Indian Ocean Territory, and treaty negotiations on the handover of the islands from the UK to Mauritius are still underway as of mid-October, according to statements from the UK government. But it seems unlikely that the name “British Indian Ocean Territory” will survive the exercise of sovereignty by the government of Mauritius, given its tumultuous relationship with the UK, and since Mauritius has its own country code, the obvious outcome, as Edwards notes, would be the retirement of the “.io” ccTLD and required migration of domains to other TLDs, potentially over the next three to five years.

It may turn out that the final treaty negotiations have no impact on the “.io” ccTLD and nothing will change. (And it goes without saying that the people of the Chagos Archipelago, Mauritius, and the Seychelles have many more important matters regarding this change in sovereignty than settling the final disposition of this ccTLD.) On the other hand, there may be a scramble by tech companies – some who have made the ccTLD part of their identity and even legal name – to relocate quickly to a new TLD. In an industry frequently shifting with mergers, acquisitions, and bankruptcies that impact domain names, the rapid disappearance of a TLD would not be disruptive. But it should be a cautionary tale of hitching one’s online presence wagon to top-level domains that are inherently intertwined with geopolitics.

I’ll go out on a limb and propose a twist: Mauritius maintains the Chagos Archipelago as a distinct territory, naming it the…Mauritius Indian Ocean Territory, preserving the currently-assigned “IO” country code and quietly averting DNS disaster.