Security follies
Date: Wednesday October 03 2001, @05:52PM
Topic: ICANN Meetings

The story of ICANN's Annual Meeting this November keeps twisting and turning. Let's recap the bidding. First, Stuart Lynn announced that the meeting would have a new "format" -- its "overriding imperative" would be a focus on "stability and security of the Internet's naming and addressing systems and of their operational implementation." Agenda items, he continued, "will be assessed for inclusion by what they contribute to the overall focus." Constituencies and supporting organizations "will be asked to meet during [the three days of the meeting] to focus on the topic of the meeting." Indeed, Lynn wrote to the Names Council, the Annual Meeting would "focus exclusively" on security and stability issues.

Notwithstanding that the Board would address other "essential business," concentrating on "topics where time is of the essence," he continued, the new format "may well delay progress on some of the worthy and important initiatives that are currently underway." Delays in those work items were justified, though, by "the importance of ensuring the stability and security of the Internet itself."

Two days later, we saw ICANN begin to backtrack just the tiniest bit. Lynn sent out a new letter, allowing that constituencies and SOs could meet for one day, before the three-day meeting devoted to security issues, to consider non-security matters. They could use their meetings on that initial day to shape their input on non-security items on the Board's agenda -- since, after all, the Board might end up considering non-security items for which time was of the essence.

The announcements generated incredulity on the GA list. Danny Younger suggested in a letter to Lynn "that this was simply an attempt to hijack the annual meeting to the detriment of the At-Large." Lynn's answer energetically denied any motivation to "use the events of September 11 for bureaucratic ends." He added that the Board would in any event take no action on the ALSC report in November; it could do no more than post the report for public comment.

It's easy to see why the announcement found people looking for a hidden agenda. The problem is that the stated justification for the decision seems . . . well, wacky. Yes, security is crucially important. But there are two problems here. The first is that ICANN meeting attendees are heavily nontechnical, and it's hard to see what actual work could be done by engaging them for three days, without advance preparation, on what is genuinely a set of technical issues. (Finally! ICANN addresses technical issues!) Actual work on security will be accomplished in working groups under the umbrella of the PSO, or the IETF, or specialized working groups within ICANN on issues such as data escrow. The product generated by such working groups can usefully be brought before the larger body. But we won't make progress towards greater security by devoting an entire three-day ICANN meeting without doing that work in advance.

The second problem is that there don't seem to be that many security issues genuinely within ICANN's purview. Registrar data escrow is one; an ICANN committee developed a draft some time ago specifying escrow formats (although ICANN appears to have taken no action on it). Registry disaster recovery is another, although it would be surprising if ICANN had not adequately addressed it already. But it doesn't seem as if there are enough of these issues to justify short-circuiting a scheduled four-day business meeting and replacing it with a Security Summit. So one can hardly blame people for wondering what the real motivation for the move was.

Lynn addressed these questions in a message he sent out yesterday. It turns out that the purpose of the meeting isn't to do actual work at all. Rather, it's "to educate, to enhance awareness, to assess security and readiness in the broadest terms, and to launch continuing efforts to assess and improve security and readiness" within all of ICANN's "communities." There will be "plenary orientation talks" allowing attendees to become informed on matters such as the status of DNSSEC; there will be bottom-up brainstorming sessions; there will be "facilitated small workshops (everyone participates) that will focus on self-assessment" and provide group therapy on security issues. The goal is consciousness-raising: Folks providing DNS services, it is hoped, will leave the meeting energized and focusing on security issues in their own organizations, chastened by the understanding that many security failures "can be attributed to lack of management attention."

So that's the answer: ICANN has taken it upon itself to "ensur[e] the stability and security of the Internet itself" through public education and consciousness raising, with the goal of making service providers more aware of security issues. A little far afield from technical coordination of Internet identifiers, perhaps -- but when the security of the Internet itself is at stake, our servants at ICANN won't worry about venturing into uncharted organizational terrain. Certainly, we are told, this is more important than ICANN doing the work for which it was chartered.

Here's a prediction, though: Attendance will be light. Specifically, many people with real work to do, and many people unsupported by expense accounts, will avoid this meeting like the plague. And that's a loss -- because the Board will find time to address controversial non-security issues. We won't know in advance what those issues will be. But when it does, the folks who might have spoken out on those issues won't be there. ICANN will pat itself on the back for what a good job it did of addressing these pressing issues while simultaneously addressing security; it will explain that this shows how silly people were to complain that the meeting was being "hijacked" or that staff was eliminating action on ongoing work. And we can expect to see more ICANN meetings in the future devoted to education and dog-and-pony shows, with actual work items sandwiched into a corner with minimal public input.

Re: Security follies
by fnord on Thursday October 04 2001, @05:12AM (#2732)
M. Stuart Lynn said: There are certain issues of security you don't discuss in a football stadium. Expect to see more firewalls put up around certain areas to keep out those who don't have the necessary level of security clearance. This could be seamlessly integrated into the ICANN apparatchik without much bother by putting Joe Sims and Jones Day in control of vetting who is allowed access. -g

  • This article comes from ICANNWatch
