[ISN] ICANN board member berates 'woefully unprepared' DHS

From: InfoSec News (alerts@private)
Date: Sun Apr 15 2007 - 22:27:24 PDT


http://www.theregister.co.uk/2007/04/14/crawford_icann_security_ddos/

By Burke Hansen in San Francisco
14th April 2007

Amid the outcry over allegations that the Department of Homeland 
Security (DHS) wants the security keys to the DNSSEC encryption 
technology slowly very slowly being adopted by internet overlord ICANN, 
one ICANN board member, the refreshingly candid Susan Crawford, has 
recently [1] taken her own swipe at security standards in place at the 
DHS.

According to Crawford, the DHS is woefully unprepared for what lies 
ahead. She noted at a recent conference that ICANNs major security 
concern after the Distributed Denial of Service (DDoS) attack [2] on six 
of the internets root servers in February has been a repeat of the 
incident powerful enough to cause a is a massive virtual blackout.

Although the alleged power grab by DHS has gotten all the headlines, the 
security keys - still are not actually in use - wouldnt provide the DHS 
with any information it does not already have access to. How the DHS 
would respond to a massive DDoS attack that succeeded in shutting down 
large chunks of the internet is another matter entirely.

According to Crawford the DHS has a long way to go. "From the outside, 
it looks as if [DHS] doesn't really know what it's doing," she said. 
"They're trying, but many of their efforts lack timeframes for 
completion." Other problems, such as a high turnover rate among senior 
officials at DHS, have had an impact, but there seems to be a general 
failure of imagination at the agency. Crawford has been advocating the 
creation of a new internet governance group to tackle the problem.

As she stated in her blog [3] last week, All of the internet governance 
models we have right now have strengths and weaknesses. For responses to 
problems like DDoS attacks, we'd need a forum for discussion that has 
(1) the non-mandatory merit-based processes of IETF, including real 
industry involvement leading to substantial market pressure, (2) the 
globalness of IGF, (3) the agility of a private group, and (4) the clear 
voice of leadership that can be provided by government involvement. And 
we'd need to avoid the problems that all of these fora have.

Sher went on, To prevent future attacks, we'll need to prevent machines 
from being turned into zombies that can be directed at targets. That's a 
big task that requires coordination among many hardware manufacturers 
and operating system designers. It can't be mandatory, this 
coordination, because that won't necessarily lead to the right set of 
solutions -- but it can be agile, global, and well-led.

With Greg Garcia, formerly vice president at the Information Technology 
Association of America, now cyber-security czar at the DHS, the time 
could be ripe for a change in focus at the lumbering agency. However, 
Crawford held out more hope for a new, more nimble group to take 
control. A new entity "with a new, friendly acronym" might be the best 
bet, she said. "None of the existing institutions will work."

She has a point. The notoriously ineffectual ICANN seems an unlikely 
agent to do the job because of its fear of confrontation and a general 
disinterest in policing cyberspace even in a largely technical sphere 
that cuts to the core of ICANNs mission, which is to protect the 
integrity and stability of the net itself.

She wants an ICANN-style multi-stakeholder entity that is not the ICANN 
we currently know and love. Of course, that begs the question of whether 
or not two ICANNs are really better than one.

[1] http://www.govexec.com/dailyfed/0407/040507tdpm2.htm
[2] http://www.theregister.com/2007/03/09/root_server_assessment/
[3] http://scrawford.blogware.com/blog/_archives/2007/4/3/2857003.html


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Sun Apr 15 2007 - 22:50:34 PDT