[bc-gnso] Business Constituency Comments on DSSA Working Group Phase 1 Report

[Steve DelBianco <sdelbianco@xxxxxxxxxxxxx>]

Below are the BC comments we submitted regarding the DNS Security & Stability 
Analysis (DSSA) Working Group Phase 1 report.

Thanks to Scott McCormick for his excellent draft.  I worked Marilyn's comments 
in there before submitting.  
(Link<http://forum.icann.org/lists/dssa-phase-1-report/msg00002.html> to 
comment view)


Subject: Business Constituency Comments on DSSA Working Group Phase 1 Report

The Business Constituency is concerned with the security and stability of the 
DNS, as it severely impacts our membership base.  ICANN's decisions, in 
particular, impact the diverse and distributed businesses whose infrastructure 
and services make the Internet work.

The Phase 1 report shows the effort put forward to start addressing the types 
of risks to the global DNS as it pertains to security and stability, and is a 
welcome update on the progress of the WG.  We urge the DSSA WG to continue and 
complete the work defined by its charter.  We look forward to a final report 
detailing the risks and threats to the security and stability of the DNS.

DSSA-WG Background:

The objective of the DSSA Working Group is to draw upon the collective 
expertise of the participating SOs and ACs, solicit expert input and advice and 
report to the respective participating SOs and ACs on: The actual level, 
frequency and severity of threats to the DNS.


This is the first of two reports from the DNS Security & Stability Analysis 
Working Group. The goal of this document is to bring forward the substantial 
work that has been completed to date and describe the work that remains. This 
has been in many respects a “pioneering” cross-constituency security-assessment 
effort that has developed knowledge and processes that others will hopefully 
find helpful and can be reused in the future.


The DSSA has:

  *   Established a cross-constituency working group and put the organizational 
framework to manage that group in place
  *   Clarified the system, organizational and functional scope of the effort
  *   Developed an approach to handling confidential information, should such 
information be required for certain assessments
  *   Selected and tailored a risk-assessment methodology to structure the work
  *   Developed and tested mechanisms to rapidly collect and consolidate 
risk-assessment scenarios across and broad and diverse group of interested 
participants
  *   Used an “alpha-test” of those systems to develop the high-level 
risk-scenarios in this report. Those scenarios will serve as the starting point 
for the remainder of the effort.

Work that remains:

  *   Perform a proof of concept to refine and streamline the methodology on 
one broad risk-scenario topic with the goal of reducing cycle time and making 
it more accessible to a broader community

  *   Roll the methodology out to progressively broader groups of participants 
to introduce the methodology to the community and further improve the process 
and tools on the way to completing the assessment.

  *   It is essential that this work involve businesses beyond ICANN's 
contracted parties, although such broad engagement is not sufficiently evident 
at this point.  Outreach should be expanded to the non-contracted parties who 
support Internet infrastructure and services.

Rapportuer for these comments: Scott McCormick

Submitted by:  Steve DelBianco, vice chair for policy coordination, Business 
Constituency