Comments on 2008-2011 Issues Paper - Specifically, point 3, Security

["Andy Purdy" <Andy.Purdy@xxxxxxx>]

I am writing to comment on the security issue of the paper, point 3.  First,
let me introduce myself.  In the U.S. I worked on the White House staff to
help draft the National Strategy to Secure Cyberspace, and then moved to the
Department of Homeland Security for 3 ½ years where I helped to set up the
National Cyber Security Division and U.S.-CERT, which I later headed for two
years as Acting Director, through October 3, 2006.  I currently head my own
company, DRA Enterprises, Inc. doing IT consulting and business development,
and public speaking in venues across the U.S. and around the world.

 

My comments are inserted in bold.

 

3. Security was a theme mentioned by many respondents.

a. There was general agreement that there will be an increase in the number
of

attacks in coming years and that those attacks would become more

sophisticated. The stability and security of the DNS are central ICANN?s

mission and ICANN must therefore develop strategies to deal with these

attacks. Some saw DNSSEC as one of these strategies; others saw DNSSEC

as only part of the solution and called for a broader framework for

understanding security generally and ICANN?s role in particular. There was

also the suggestion that more research was needed to better understand the

evolving nature of these threats.

 

I side with those who believe there must be a broader framework for
security, that should include international collaboration by key
stakeholders in government and the private sector to assessment and mitigate
risk to the global information infrastructure.  Just like in private
corporations or national governments, it is essential that key stakeholders
work together to assess and prioritize actions to mitigate the risk.  It is
also important that these stakeholders focus on research and development
that is prioritized based on risk ? to facilitate more effective assessment
and mitigation of risk, and to address long-term hard problems that affect
security and resiliency.

 

The two major areas of international focus that ICANN should be a
participant is are:  1) the assessment and mitigation of risk, and the R&D
to do that, and 2) enhancing the capabilities and preparedness of
stakeholders to respond to cyber attacks and other malicious cyber activity.

 

On the first point, the key stakeholders should work together on critical
issues related to the assessment and mitigation of cyber risk (and
enhancement of resiliency) to the global information infrastructure, such
as:

 

(i) the internet infrastructure ? two examples of issues that require
international information sharing and collaboration, are the DNS attacks of
the past two years, and the capability of botnets to launch devastating
targeted attacks on the confidentiality, integrity, and availability of data
on which our governments, critical infrastructures, and private companies
depend.

(ii) international watch and warning capability- international information
sharing and collaboration must be enhanced and tracked against requirements
based on risk.

(iii) software assurance ? the short and long-term challenges of insecure
and vulnerable software must be addressed through international
collaboration;

(iv) malicious activity in cyberspace ? law enforcement agencies of the
world must work with non-law enforcement government and the private sector
to work together to track and reduce the magnitude and seriousness of
malicious activity.  The law enforcement mission, which must continue its
current work, must be called upon to be a partner in a larger collaboration
that prioritizes and tracks the effectiveness of the allocation of resources
and actions using the malicious actors as a metric.

(v) the international security and privacy regulatory frameworks should be
assessed by key stakeholders with recommendations for enhancing consistency
based on effectiveness.

 

Whether the first issue becomes a prime concern of ICANN, or ICANN
participates in a larger effort, makes no difference.  What is essential is
that ICANN help make sure this activity happens, and ensures that key
stakeholders are invited and encouraged to participate.

 

Stakeholders should come together at least annually to focus on these issues
and, preferably, coalitions of interested entities should be supported to
work on these issues during the year, not to supplant others working in the
space, but to create international visibility of what we need to worry about
and what we need to do about it and when!  

 

The process should be like the maturation of the Internet itself.  It
requires top-down and bottom-up participation.  We must finally begin to
treat these issues like the significant risk issues they are.  To date we
have failed to do that, waiting for unnamed others to act.

 

b. Some respondents suggested that ICANN also had a role in protecting end

users from malicious practices (such as phishing); a number of respondents

were particularly concerned about the need to protect children. There is a

need to deal with issues that are not exclusively within ICANN?s mission,
but

where ICANN has a role to play. Significant requests have been received

from Computer Emergency Response Teams (CERTS) in various countries for

dialogue and policy advice on the security aspects of their work, especially

regarding the use of IP addresses and the DNS for malicious purposes.

 

The process I suggest above should facilitate informed input on measures
(depending on the risk, along the entire spectrum from voluntary, to
strongly encouraged, to best practices, to regulation) that need to be taken
to reduce malicious activity and its effectiveness.

 

c. Given the concern about security issues, some consider it important to

consider the role and responsibilities of registrars in mitigating malicious
and

abusive behaviours.

 

All relevant stakeholders should be encouraged to do their part to reduce
risk.

 

d. Some suggested that security issues (both the security of the DNS and
security

of individual users) will receive an increasing focus from governments in
the

coming years. ICANN needs to find ways to engage with governments on

these issues.

 

ICANN should work with government, and other key stakeholders, to drive
focus on risk assessment and mitigation, and accountability for inaction.
We can?t look to government to lead in any of these area, but we need to
encourage them to participate with other stakeholders.

 

e. Some pointed out that security of the Internet?s unique identifiers will
require

more practical skill development and capacity building in some places (eg

some developing country ccTLDs). There was an acknowledgement that this

would have funding implications and that the solution might be some

combination of government funding and funding from major corporations or

other private funding. ICANN may have some coordination role of such a

security fund or foundation.

 

In each area we need to promote stakeholder engagement to focus attention on
what can and should be done and by whom ? and on how the most important
actions can be funded.

 

Thank you for the opportunity to comment.

 

Andy

 

Donald A. Purdy, Jr., Esq., CISSP

President

DRA Enterprises, Inc.

8201 Kenfield Court

Bethesda, MD  20817

 

202-486-0720 (o)

301-365-5123 (f)

 

"Technology to enable, reduce risk, and save money"

Visit: www.andypurdy.com 

 

This e-mail and any attachment is for authorized use by the intended
recipient(s) only. It may contain proprietary material, confidential
information, and/or be subject to legal privilege.  It should not be copied,
disclosed to, retained or used by, any other party.  If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender.  Thank you.