RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

["Greg Aaron" <gaaron@xxxxxxxxxxxx>]

Mike O. and Joe have stated that the incremental cost of running a 24/7
threat-response capability is zero.  I think that's incorrect, and solicit
comments.

My observations are:

* Monitoring and response do not just require 24x7x365 staffing -- but
possibly 24x7x365 staffing by personnel with a specific background.

* Some registrars -- including some large ones -- have 24/7 customer support
for registrants but route abuse complaints to compliance, legal, or
specialty personnel, who they feel have the expertise to make the judgments
needed.  Specialists are not on duty 24/7.  The WG has had a lot of
discussion about how hard it is sometimes to determine whether a given
domain name is a problem, and the legal and liability issues involved in
suspending it.

* Personnel is a real capex, and incremental staff cost is not zero.
Someone must handle those calls and e-mails, and be trained to do so.  I see
this in my company.

* NOCs (Network Operations Centers) are dedicated to, well, network
operations.  Abuse response, customer support, and NOC are distinct
disciplines in many companies, especially once they reach a certain size.

* I don't know how many registrars have dedicated NOCs, or are staffed 24/7.
(Having contacted many registrars over the years, I know many smaller ones
are not 24x7x365).  Registrars with dedicated NOCs might have them because
they offer ancillary services such as hosting.

All best,
--Greg



-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Joe St Sauver
Sent: Saturday, August 02, 2008 3:33 PM
To: ebw@xxxxxxxxxxxxxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal


Eric commented:

#I appreciate you are a man of beliefs. Thank you for your estimation of 
#the cost of your "24/7 abuse queue" proposal, which I don't understand, 
#lacking your beliefs or some other context that would result in numeric 
#values for a spreadsheet.

Let me attempt to break this out a little...

Putting on my "MBA hat," the costs for handling a 24/7 abuse queue will 
vary widely depending on a number of concrete factors, but will, in most
cases be zero or near zero.

Capex? None that I'm aware of. All registrars already have all the
basics (network connectivity, workstations, building space, etc.)

Opex? If you already have a 24/7 NOC to deal with other operational issues, 
abuse response could be added as a supplemental duty. Enter "$0.00"
in the spreadsheet for "incremental staff costs" in that case.

Likewise, if abusive customers are already being aggressively screened out,
you may never see much if any business for the abuse desk to handle. In
that case, the total direct incident-related costs will also be zero in
the spreadsheet. Absent registrars (or others) coming forward and saying,
"Yes, heck yes, we're just overrun with miscreants," I'm going to assume
that most registrars will be in this asymptotically small incident count
range, which means that direct variable costs will be more zeros for your 
spreadsheet.

Are there other costs I've missed that you're concerned about? 

Or is you concern largely with the "micro level" tier of registrars who 
are more or less operating from their garage/kitchen table? (Nothing
wrong with that sort of entrepreneurial scale operation, by the way,
just noting that operations are different at that level than if you're
one of the big outfits)

Regards,

Joe

Disclaimer: all opinions strictly my own.