November 14, 2001
Marina del Rey, California
ICANN Public Meetings
I. Welcome - Lynn
A. Different perspective today. Morning parallel sessions for management versus operations/technical questions.
B. Constituency meetings in the afternoon
C. Welcome to keynote speakers.
II. John Tritak, Critical Infrastructure Assurance Office
A. My position (as a US Federal official) gives a certain perspective, but issue is global and includes private interests.
B. Concern since mid-90s about terrorist attacks on infrastructure. Sep 11 in this sense not surprising.
C. Increasing concern about electronic attacks on communications infrastructure. Now a serious concern. Industry to take the lead here. Government to raise awareness. Information sharing to assure industry, investors, and customers that system is sound.
D. A few high profile failures might cause a dramatic drop in confidence (more so than would be justified). Need to increase security so as to maintain market and customer confidence.
E. Private sector created electronic communication systems, and private sector is best able to resolve problems. Government to stay out of the way. But security is a national concern.
F. ICANN’s role includes plans for backup and overall reliability of DNS services. Users are rightly concerned about this.
G. Information age “security” means reliability even under difficult times. Not just a cost center.
H. Special importance of Internet reliability in the face of potential overload of other communication systems during crises.
III. Bruce Schneier
A. CTO, Counterpane Internet Security
B. Slides – http://cyber.law.harvard.edu/icann/mdr2001/archive/pres/schneier.html
1. Nigel Roberts (.GG): Prosecution and deterrence are successful only when huge effort expended. Agree that law enforcement requires a high standard of proof, and that this is difficult and costly? Possible market failure because a private entity reaps only a portion of the benefits of prosecuting?
• Right. In some countries, it may be uncertain what law was broken even when the offender is known. Ordinarily, it is not financially beneficial to prosecute. Change possible but uncertain. Punishment does not always fit the crime. Don’t pretend that this is easy. Also, problem of a company’s fear of admitting that it was hacked or of prosecuting the attacker.
2. Kent Crispin (Songbird): Concerned about privacy. More monitoring (for security) yields more collection of data that might be alleged to violate security concerns.
• Right. Serious concerns. A problem that we face in the real world also (airports, cameras, etc.). May not want to sacrifice all liberties in exchange for appearance of security. Should focus on efforts for “real” security.
3. Randy Bush: Concern about weaknesses of password security, especially on wireless networks.
• Fix this.
4. Andy Mueller-Maguhn (ccc.de): Punishment efforts may not resolve security problems, because computers remain insecure and because a false sense of security may result. Security by obscurity (or by punishment) is not a good idea.
• Do not advocate throwing everyone who hacks into jail. But it may make the system safer. Advocate the creation of a lawful society (where most people follow the law), where hacking is taken as seriously as other kinds of crime. Punishments should not be excessive, but should exist. Of course, most focus is on the most serious attacks, not on “random morons.”
5. Russ Mundy (NAI Labs): Companies and organizations are different from the Internet in that they have some designated person in charge. Internet problem could be that no one is in charge and so no one is responsible. No centralized economic resources to improve centralized or fundamental Internet security. Need better economic incentives for securing critical portions of Internet infrastructure.
• True that this is problematic. What to do? Government? (Which?!) Consortium? Ignore the problem?
6. Paul-Jean Jouve (Brinx Corp.): Russian programmer had cracked Adobe’s PDF system to allow copying of text. Should not assume that hackers fit a particular social profile. Should instead seek to involve “hackers” in improving software flaws.
• The best of the hacking community is a helpful resource. But the rest of the community is not so valuable.
7. Bob Bownes: Tracking may not be sufficient. Need assistance from legal or other authorities. Registrars not interested in learning about or correcting invalid data, etc. A catch-22.
• No easy answers.
IV. Panel Sessions: McLaughlin
A. Technical Track in this room
B. Management Track in Promenade Room
V. Webcasts Resume Tomorrow Morning, 8:00AM Local Time
For additional technical information, please contact:
Ben Edelman and Rebecca Nesson