Welcome to the Conversation

Need to Protect ‘Backbone’ of Internet

BUSINESSWIRE – An expert report (pdf) released today concluded that in proposals for the .com, .biz, .info and .org registries, the Internet Corporation for Assigned Names and Numbers (ICANN) has failed to ensure adequate security safeguards. The report, written by leading security technology expert Jerry Archer, recommends that oversight, planning and testing provisions be implemented in the proposals to run these registries before they are finalized.

The report, “DNS – A System in Crisis,” was commissioned by Network Solutions. The report analyzed trends behind the growing security threats to the Domain Name System (DNS), which is the “backbone” of the Internet. The DNS provides directions to all destinations on the Internet, making it a prime target for hackers. The analysis makes recommendations for ensuring that the DNS is safeguarded, through ICANN oversight, as well as reporting and monitoring requirements. It notes that security must not be sacrificed in the proposed agreements for these four Top Level Domains (TLDs).

“Industries in which there is potentially far less impact from a single point failure, such as banking and brokerage, are much more regulated than registry operators, even in regard to cyber security,” the report said. “The failure of a single registry operator, especially .com, could cause catastrophic results.”

In the report, Mr. Archer made key recommendations about the minimal level of ICANN oversight and security risk mitigation that must be included in these agreements, including: (1) Requirements for security reporting from registry operators; (2) Provisions for registry operators to provide detailed security plans and regular testing of DNS defenses. (3) Development by ICANN of independent assessment capabilities regarding potential DNS security breaches. (4) Execution by ICANN of risk analysis of the operations of registry operators.

The .com proposal is now pending before the U.S. Department of Commerce for review, after ICANN’s Board of Directors in February approved the agreement, which includes automatic renewal terms and up to $1.3 billion in cumulative, guaranteed price increases that would not have to be justified. ICANN in July also posted for public comment draft proposed agreements for .biz, org. and .info. More than 1,000 individuals sent in responses, voicing concerns over issues such as automatic renewal provisions.

“ICANN, through the proposed agreements with the registry operators, has proposed the creation of virtual monopolies through perpetual renewal provisions, but then refused to regulate the entity,” the report said. “Without competition and in the absence of contractual requirements, there is no compelling motive for registry operators to expend resources on security and stability versus improving the bottom line.”

Mr. Archer has more than 30 years of experience in computer and security technology and is a managing director for Devonshire Ventures, a security, technology, products and strategy consulting firm. He is a former senior vice president for global interoperability at Visa International, where he managed a team responsible for codifying policies, standards and best practices for Visa systems. Prior to Visa, he served as senior vice president of information security and technical risk for Fidelity Brokerage Company and managing director of digital business solutions at Bankers Trust.

“In the proposed agreements for .com and other registries, ICANN has a critical opportunity to turn to a new chapter in the troubled security history of the Domain Name System,” said Mr. Archer. “Security must not be an afterthought in these agreements. ICANN must at least maintain a minimum baseline of oversight and security risk mitigation.”

“This report underscores why final approval of a .com agreement that removes most of ICANN’s oversight is such a bad idea,” said Network Solutions Chairman and CEO Champ Mitchell. “Consumers would be hit with a total of $1.3 billion in higher prices over six years with no reason to believe they would have better security. In fact, as this report shows, security risks would get worse, rather than better, under this deal.”