NetChoice comment on DNS-CERT Business Case

[Steve DelBianco <sdelbianco@xxxxxxxxxxxxx>]

At the Nairobi meeting, ICANN CEO Rod Beckstrom raised a lot of eyebrows
when he sounded the alarm about extant threats to the DNS.  In the public
forum, I defended Mr. Beckstrom's approach, since I believe it is a CEO's
responsibility to name risks that endanger the organization's ability to
meet its core mission.   But I don't believe that the CEO should assume that
the best response to new threat levels is to add staff and budget to create
a permanent new bureau within ICANN.
 
First, let me acknowledge Mr. Beckstrom for his increased focus on security.
In its role as technical coordinator of the DNS, ICANN is responsible to
monitor security threats and work with the community to ensure that
infrastructure operators are taking appropriate measures. Moreover, the
Affirmation of Commitments requires in-depth review of ICANN's efforts to
³enhance the operational stability, reliability, resiliency, security, and
global interoperability of the DNS.²
 
However, none of this suggests that the DNS now needs a centralized approach
to maintaining security.  In fact, it seems radical to impose centralization
on a DNS infrastructure that is, by design, so widely distributed and
decentralized.
 
Even if more centralized security were needed, we should not automatically
assume that ICANN is the best organization to do it. Yet ICANN staff is
apparently already committed to building an in-house CERT structure. Their
business case describes 'the operational concept, services analysis, and
suggested governance and funding models.'
 
Initially, ICANN staff says the new DNS security team will only be an
information coordinator.  But is there a clear need for a new information
coordinator?  And would coordination have made a positive difference in
responding to recent DNS attacks?  These questions should be answered before
we create a new ICANN bureau, one that is likely to evolve command and
control over the diverse and decentralized DNS that works pretty well today.
 
Despite an ever more threatening world, the DNS and the Internet as a whole
have been remarkably robust and resilient. Infrastructure operators already
share information with one another and with existing CERTs.  It may be that
ICANN should improve its support for existing security teams, instead of
designing a new team of its own.
 
Let me conclude with a police metaphor that came up at the public forum in
Nairobi. 
 
Early in the meeting, Peter Dengate Thrush had said that concerns over crime
and abuse in new TLDs were not justification to stop the new gTLD process.
Peter's metaphor was that you wouldn't abandon your new home upon learning
that it could not be made 100% burglar-proof.
 
After Mr. Beckstrom sounded the alarm and called for a DNS-CERT, I said that
ICANN's plan to create its own CERT was like having our burglar-conscious
homebuilder create his own police force, complete with 24-hour shift
coverage, police cars, badges, SWAT teams, etc.

I said it would be far better for the homebuilder to install an electronic
security system ­ and have it wired to automatically alert the local police
and fire departments already ably serving the community.
 
Steve DelBianco
Executive Director, NetChoice