Comments on 2008-2011 Issues Paper - Specifically, point 3, Security
I am writing to comment on the security issue of the paper, point 3. First, let me introduce myself. In the U.S. I worked on the White House staff to help draft the National Strategy to Secure Cyberspace, and then moved to the Department of Homeland Security for 3 ½ years where I helped to set up the National Cyber Security Division and U.S.-CERT, which I later headed for two years as Acting Director, through October 3, 2006. I currently head my own company, DRA Enterprises, Inc., doing IT consulting and business development, and public speaking in venues across the U.S. and around the world. My comments are inserted in bold.

3. Security was a theme mentioned by many respondents.

a. There was general agreement that there will be an increase in the number of attacks in coming years and that those attacks would become more sophisticated. The stability and security of the DNS are central to ICANN's mission and ICANN must therefore develop strategies to deal with these attacks. Some saw DNSSEC as one of these strategies; others saw DNSSEC as only part of the solution and called for a broader framework for understanding security generally and ICANN's role in particular. There was also the suggestion that more research was needed to better understand the evolving nature of these threats.

I side with those who believe there must be a broader framework for security, that should include international collaboration by key stakeholders in government and the private sector to assess and mitigate risk to the global information infrastructure. Just like in private corporations or national governments, it is essential that key stakeholders work together to assess and prioritize actions to mitigate the risk. It is also important that these stakeholders focus on research and development that is prioritized based on risk - to facilitate more effective assessment and mitigation of risk, and to address long-term hard problems that affect security and resiliency.
The two major areas of international focus in which ICANN should be a participant are: 1) the assessment and mitigation of risk, and the R&D to do that, and 2) enhancing the capabilities and preparedness of stakeholders to respond to cyber attacks and other malicious cyber activity.

On the first point, the key stakeholders should work together on critical issues related to the assessment and mitigation of cyber risk (and enhancement of resiliency) to the global information infrastructure, such as:

(i) the internet infrastructure - two examples of issues that require international information sharing and collaboration are the DNS attacks of the past two years, and the capability of botnets to launch devastating targeted attacks on the confidentiality, integrity, and availability of data on which our governments, critical infrastructures, and private companies depend.

(ii) international watch and warning capability - international information sharing and collaboration must be enhanced and tracked against requirements based on risk.

(iii) software assurance - the short and long-term challenges of insecure and vulnerable software must be addressed through international collaboration;

(iv) malicious activity in cyberspace - law enforcement agencies of the world must work with non-law enforcement government and the private sector to work together to track and reduce the magnitude and seriousness of malicious activity. The law enforcement mission, which must continue its current work, must be called upon to be a partner in a larger collaboration that prioritizes and tracks the effectiveness of the allocation of resources and actions using the malicious actors as a metric.

(v) the international security and privacy regulatory frameworks should be assessed by key stakeholders with recommendations for enhancing consistency based on effectiveness.

Whether the first issue becomes a prime concern of ICANN, or ICANN participates in a larger effort, makes no difference.
What is essential is that ICANN help make sure this activity happens, and ensures that key stakeholders are invited and encouraged to participate. Stakeholders should come together at least annually to focus on these issues and, preferably, coalitions of interested entities should be supported to work on these issues during the year, not to supplant others working in the space, but to create international visibility of what we need to worry about and what we need to do about it and when! The process should be like the maturation of the Internet itself. It requires top-down and bottom-up participation. We must finally begin to treat these issues like the significant risk issues they are. To date we have failed to do that, waiting for unnamed others to act.

b. Some respondents suggested that ICANN also had a role in protecting end users from malicious practices (such as phishing); a number of respondents were particularly concerned about the need to protect children. There is a need to deal with issues that are not exclusively within ICANN's mission, but where ICANN has a role to play. Significant requests have been received from Computer Emergency Response Teams (CERTs) in various countries for dialogue and policy advice on the security aspects of their work, especially regarding the use of IP addresses and the DNS for malicious purposes.

The process I suggest above should facilitate informed input on measures (depending on the risk, along the entire spectrum from voluntary, to strongly encouraged, to best practices, to regulation) that need to be taken to reduce malicious activity and its effectiveness.

c. Given the concern about security issues, some consider it important to consider the role and responsibilities of registrars in mitigating malicious and abusive behaviours.

All relevant stakeholders should be encouraged to do their part to reduce risk.

d.
Some suggested that security issues (both the security of the DNS and security of individual users) will receive an increasing focus from governments in the coming years. ICANN needs to find ways to engage with governments on these issues.

ICANN should work with government, and other key stakeholders, to drive focus on risk assessment and mitigation, and accountability for inaction. We can't look to government to lead in any of these areas, but we need to encourage them to participate with other stakeholders.

e. Some pointed out that security of the Internet's unique identifiers will require more practical skill development and capacity building in some places (e.g. some developing country ccTLDs). There was an acknowledgement that this would have funding implications and that the solution might be some combination of government funding and funding from major corporations or other private funding. ICANN may have some coordination role of such a security fund or foundation.

In each area we need to promote stakeholder engagement to focus attention on what can and should be done and by whom - and on how the most important actions can be funded.

Thank you for the opportunity to comment.

Andy

Donald A. Purdy, Jr., Esq., CISSP
President
DRA Enterprises, Inc.
8201 Kenfield Court
Bethesda, MD 20817
202-486-0720 (o)
301-365-5123 (f)
"Technology to enable, reduce risk, and save money"
Visit: www.andypurdy.com