[Infowarrior] - ICANN board member berates 'woefully unprepared' DHS

Sat Apr 14 02:42:22 UTC 2007

ICANN board member berates 'woefully unprepared' DHS
New entity needed for cybersecurity, she argues
By Burke Hansen in San Francisco → More by this author
Published Saturday 14th April 2007 00:53 GMT
http://www.theregister.co.uk/2007/04/14/crawford_icann_security_ddos/

Amid the outcry over allegations that the Department of Homeland Security
(DHS) wants the security keys to the DNSSEC encryption technology slowly –
very slowly – being adopted by internet overlord ICANN, one ICANN board
member, the refreshingly candid Susan Crawford, has recently taken her own
swipe at security standards in place at the DHS.

According to Crawford, the DHS is woefully unprepared for what lies ahead.
She noted at a recent conference that ICANN’s major security concern after
the Distributed Denial of Service (DDoS) attack on six of the internet’s
root servers in February has been a repeat of the incident powerful enough
to cause a is a massive virtual blackout.

Although the alleged power grab by DHS has gotten all the headlines, the
security keys - still are not actually in use - wouldn’t provide the DHS
with any information it does not already have access to. How the DHS would
respond to a massive DDoS attack that succeeded in shutting down large
chunks of the internet is another matter entirely.

According to Crawford the DHS has a long way to go. "From the outside, it
looks as if [DHS] doesn't really know what it's doing," she said. "They're
trying, but many of their efforts lack timeframes for completion." Other
problems, such as a high turnover rate among senior officials at DHS, have
had an impact, but there seems to be a general failure of imagination at the
agency. Crawford has been advocating the creation of a new internet
governance group to tackle the problem.

As she stated in her blog last week, “All of the internet governance models
we have right now have strengths and weaknesses. For responses to problems
like DDoS attacks, we'd need a forum for discussion that has (1) the
non-mandatory merit-based processes of IETF, including real industry
involvement leading to substantial market pressure, (2) the globalness of
IGF, (3) the agility of a private group, and (4) the clear voice of
leadership that can be provided by government involvement. And we'd need to
avoid the problems that all of these fora have.”

Sher went on, “To prevent future attacks, we'll need to prevent machines
from being turned into zombies that can be directed at targets. That's a big
task that requires coordination among many hardware manufacturers and
operating system designers. It can't be mandatory, this coordination,
because that won't necessarily lead to the right set of solutions -- but it
can be agile, global, and well-led.”

With Greg Garcia, formerly vice president at the Information Technology
Association of America, now cyber-security czar at the DHS, the time could
be ripe for a change in focus at the lumbering agency. However, Crawford
held out more hope for a new, more nimble group to take control. A new
entity "with a new, friendly acronym" might be the best bet, she said. "None
of the existing institutions will work."

She has a point. The notoriously ineffectual ICANN seems an unlikely agent
to do the job because of its fear of confrontation and a general disinterest
in policing cyberspace – even in a largely technical sphere that cuts to the
core of ICANN’s mission, which is to protect the integrity and stability of
the net itself.

She wants an ICANN-style multi-stakeholder entity that is not the ICANN we
currently know and love. Of course, that begs the question of whether or not
two ICANNs are really better than one. ®