[ncdnhc-discuss] Fw: Thoughts on upcoming security meeting

[YJ Park]

Dear members,

This is the formal request from Stuart Lynn, CEO of ICANN
who seeks non-commercial domain name holders constituency'
keen participation especially in following areas to share our
views on Nov 14.

> (b) to adopt suggestions for security improvements by all DNS service 
> providers - registries, registrars, nameserver operators, etc.
>
> (d) to launch continuing efforts to assess and improve security and 
> readiness across the scope of ICANN's activities and communities.

And further we can develop into

> (c) to make recommendations to the ICANN Board for near term policy 
> and other actions and directions to be pursued by ICANN.

On the other hand, he raised such concerns as follows, too

> Are there policy issues that should be considered 
> (without worrying about this stage about bottom-up or top-down -- we 
> can figure that out later)? Are there activities that ICANN should be 
> launching to, for example, coordinate activities across its 
> supporting organizations? Are there continuing educational or 
> reporting activities? That is the purposes of 2(c).

Regards,
NCDNHC AdCom members

----- Original Message ----- 
From: "M. Stuart Lynn" <lynn at icann.org>
To: <NCDNHC NC Reps and Admin Cttee:>
Sent: Wednesday, November 07, 2001 1:36 AM
Subject: Thoughts on upcoming security meeting


> 
> Dear colleagues:
> 
> [This note is being sent separately to each ICANN constituency in 
> anticipation of the upcoming meeting. Please distribute as 
> appropriate within your constituency.]
> 
> I thought it might be helpful to suggest some possible thoughts and 
> guidelines to be considered during your sessions on Wednesday, 
> November 14 and for reporting purposes at the open session on the 
> morning of Thursday, November 15. Obviously, each situation is 
> different, and these are just some general thoughts that you may or 
> may not wish to adapt to your particular situation.
> 
> Background:
> 
> First, however, I would like to draw your attention to the fact that 
> the reporting session -- along with most other sessions at the 
> meeting -- will be an open session, even though it is limited to 
> conference registrants. This means, of course, that it would be 
> inappropriate to discuss highly sensitive information. I should think 
> we could safely focus on security principles and directions, rather 
> than the specific status or failings of any particular installation 
> -- the kinds of principles and directions that represent best 
> practices and proposed activities for your constituency etc., rather 
> than detailed implementations. And on suggestions for  policy areas 
> where further exploration might productively be considered by ICANN 
> as a whole.
> 
> All of us involved with the DNS recognize that the distributed and 
> redundant nature of its architecture makes for a very robust 
> operating environment. Security practices across the community are 
> undoubtedly very high, and organizations are generally very committed 
> to best practices by the standards of the profession. Most Internet 
> professionals, both technical and managerial, take this task very 
> seriously. The public can be reassured by the number of times the 
> Internet has continued to function in the face of natural and other 
> disasters, including, of course, September 11.
> 
> Nevertheless, across the Internet community as a whole, our security 
> architecture and operations can never be perfect - there are bound to 
> be chinks in our armor. This ICANN Special Meeting on Security of the 
> Internet's Naming and Address Allocation Systems has certainly been 
> triggered by the events of September 11 that heightened awareness 
> generally for improved security, but security issues were present 
> before then and will continue to be present long after. But this, 
> however, is a particularly demanding time for everyone. It is a time 
> at which the ICANN community is pausing to assess the current 
> situation regarding Internet security across those limited areas that 
> we coordinate, and think about where we need to go, what directions 
> we need to take beyond what is already being done.
> 
> We all recognize full well that security is not a one time event just 
> for one meeting, and that it requires continuous attention. Besides 
> setting the stage for near term actions, one of the key hoped for 
> outcomes of this meeting is indeed to encourage continuity into the 
> future. Your constituency may wish to consider where there is a need 
> to make security a continuing part of their agendas. And ICANN as a 
> whole welcomes continuing advice from its constituencies, councils, 
> and advisory committees as to where there are policy issues that must 
> be addressed that transcend a single constituency or a single SO.
> 
> ICANN is obviously not responsible for Internet security as a whole. 
> Our range and the range of ICANN's constituent organizations is very 
> limited. ICANN's role is also largely a policy role, and, although 
> many may reasonably differ as to the definition of policy, we must 
> focus our efforts where we can do the most good. People may also 
> reasonably differ where that is. One of the purposes of this meeting 
> is to flesh out different ideas and perspectives, to surface your 
> ideas on what ICANN should be doing.
> 
> With this background in mind:
> 
> 1. Overall Purposes:
> 
> The overall purpose of the meeting is to conduct an in depth 
> examination of security requirements related to the domain name and 
> address systems, the extent to which these requirements are currently 
> being met (in general terms), and what individual, organizational and 
> collective actions are needed to create a security environment for 
> the domain name and addressing systems that assures their continued 
> operation under emergency conditions. Given ICANN's mission, a 
> principle focus is to shed light on any *policy* directions that 
> ICANN needs to pursue to enhance overall security.
> 
> 2. Desired Overall Outcomes:
> 
> The desired outcomes of the meeting are:
> 
> (a) to improve the knowledge base and to heighten awareness re DNS 
> security by ICANN constituents and the broader public.
> 
> (b) to adopt suggestions for security improvements by all DNS service 
> providers - registries, registrars, nameserver operators, etc.
> 
> (c) to make recommendations to the ICANN Board for near term policy 
> and other actions and directions to be pursued by ICANN.
> 
> (d) to launch continuing efforts to assess and improve security and 
> readiness across the scope of ICANN's activities and communities.
> 
> 3. Constituent Organization Outcomes:
> 
> I hope you can tailor these desired outcomes to the priorities of you 
> own constituency and that they can form the framework for your 
> thinking and outputs, and your reporting session on Thursday morning. 
> The earlier sessions of the meeting are framed with 2(a) in mind. The 
> round table discussions before lunch on Wednesday, November 14 is 
> intended to  provide a useful dialog in general regarding 2(b) from 
> both a technical and a management perspective.
> 
> The Wednesday afternoon constituent sessions is directed more 
> precisely at 2(b), 2(c), and 2(d). Perhaps most of your efforts will 
> be aimed at 2(b) and 2(d) focusing on what your constituency or its 
> members individually should be doing to adopt best practices, conduct 
> assessments, monitor outcomes, improve education, coordinate with 
> other constituencies,  etc.
> 
> Out of your discussions and discussions with those in other 
> constituencies, there may evolve thinking on what ICANN qua ICANN 
> should be doing. Are there policy issues that should be considered 
> (without worrying about this stage about bottom-up or top-down -- we 
> can figure that out later)? Are there activities that ICANN should be 
> launching to, for example, coordinate activities across its 
> supporting organizations? Are there continuing educational or 
> reporting activities? That is the purposes of 2(c).
> 
> 4. Areas of Security Concerns:
> 
> In this context, security can be thought of quite broadly as 
> addressing both prevention against classes of threats, and recovery 
> and restoration. Both sides of the coin will be featured at the 
> meeting. More broadly, it is about striving for continuity and 
> integrity of operations in the face of such threats. This encompasses 
> physical, logical (including systems, communications, and data 
> security), and organizational security. The meeting, of course, will 
> be limited to ICANN's areas of concern: security of the Internet's 
> domain name and address allocation systems.
> 
> I look forward to seeing you at the meeting and working with you to 
> achieve the above goals. I do recognize that the special focus of the 
> meeting has constrained the time you can devote to your normal 
> business, and appreciate your cooperation.
> 
> With warm regards.
> Stuart
> -- 
> 
> __________________
> Stuart Lynn
> President and CEO
> ICANN
> 4676 Admiralty Way, Suite 330
> Marina del Rey, CA 90292
> Tel: 310-823-9358
> Fax: 310-823-8649
> Email: lynn at icann.org
> -- 
> M. Stuart Lynn
> 2255 Yosemite Drive
> Palm Springs, CA 92264
> 
> Tel: 760-322-4783 or 4784
> Fax: 760-322-4785
> Email: mslynn at ucop.edu
>