Security and Stability Concerns

["Jerry L. Archer" <jerryarcher@xxxxxxxxxx>]

There is much talk on security and stability of the Internet infrastructure
and how the proposed registry agreements for .info, .biz, .org and others
strengthen security and stability.  My over thirty years as a computer and
security consultant leads me to believe that the Internet will not be well
protected by these proposed agreements.  

In fact, ICANN-despite U.S. Department of Commerce's (DOC) publicly stated
belief that it is uniquely qualified to perform the technical Domain Name
System (DNS) functions that are critical to the security and stability of
the Internet-has failed to create an appropriate contractual basis for the
protection and sufficient oversight of the security and stability of the
Internet.  

Unfortunately, the proposed contracts fail to provide many elements of a
good security model, including requirements for timely:

*         Disclosure and mitigation of any security breach; 

*         Disclosure of the level and type of any serious security breach
attempts and remediation plans;

*         Disclosure and mitigation of any suspected security-related
failures;

*         Disclosure and mitigation of known security vulnerabilities;

*         Implementation of contingency and disaster recovery plans; and

*         Security testing and/or auditing.

Conventional wisdom dictates that any industry whose failure would have
significant adverse impact on the nation's economy or national security must
be subject to significant scrutiny and oversight.  Yet ICANN has failed to
establish itself in this oversight role, and instead would be dependent upon
the goodwill and integrity of the registry operators, such as VeriSign, to
provide and invest in security and stability.

 

Unfortunately, these omissions come during a period when the nature and
level of cyber security issues are rapidly escalating and evolving requiring
even greater attention.  It would seem a reasonable assertion that
terrorists and organized crime can and will see enormous benefit in
disrupting or altering the DNS and thus the Internet, as the Internet
directly contributes more that $650 billion to the US economy - more than
$1.7 trillion globally.  In addition, many critical pieces of the nation's
infrastructure, such as the military's Global Information Grid, use the
Internet and much of the nation's disaster communications relies on the
Internet, at least in part.  Examples of the potential catastrophic failures
of the DNS are the Distributed Denial of Service attacks in October 2002 and
early 2006, which in the first case, crippled most of the non-VeriSign 13
root DNS servers.  By most accounts, these attacks were perpetrated by a few
hackers without significant organization, funding and firm intent.  

 

No regulator in any critical industry would condone the failure of so many
core industry elements, especially when the only reason the others remained
operational was due to "goodwill" investment in the infrastructure and
security.  

ICANN cannot and should not depend on the goodwill of registry operators,
but instead should rely on contractual provisions regarding necessary
security and stability safeguards.  Given the critical nature of the
Internet in today's world ICANN should not be experimenting with
non-traditional oversight models.

I encourage the DOC and ICANN to re-examine the registry agreements in the
light of security necessities of the 21st century and adopt prudent and
reasonable security-related modifications.  I would further encourage the
DOC to assist ICANN in the evolution of its oversight role and to ensure
that ICANN is fully prepared to independently accept this responsibility.

 

Respectfully,

 

Jerry L. Archer