Culture

Neither safe nor secure on the Internet

Jerry Archer asks whether Congress has the stomach to tackle big problems looming in cyberspace.

Oct. 4, 2006 7:53 a.m. PT

3 min read

Most of us don?t like speed limits, but we accept the rules of the road because they represent the reasonable application of oversight and practical insight.

Recent congressional hearings underscore the intense interest of policymakers in a similar debate regarding the Internet as the cyberspace superhighway.

The domain name system (DNS) is the backbone of the Internet, providing the virtual signposts for an enormously complex environment with tens of millions of virtual and perilous "pathways and intersections." Some believe that we should allow the DNS to operate without "burdensome" oversight. But if we don't concede to some reasonable rules of the road included in the pending proposals to operate top-level domain (TLD) registries, we won't be very safe or secure.

The potential impact of a DNS failure compels action. Almost all companies today are using the Internet, seeking new markets, new customers and lower operating costs. More than 5 percent of the U.S. gross domestic product accrues from the Internet--more than $650 billion--and it is rapidly expanding. Worldwide, the value of Internet commerce is more than $1.7 trillion.

Attacks on the DNS are not new. Hackers have poisoned the DNS databases, shut down and impersonated DNS servers, and used the DNS servers as an amplifier in denial-of-service attacks. Yet the Internet Corporation for Assigned Names and Numbers (ICANN), has failed to provide additional security oversight and "rules of the road" for the operators of the proposed registry agreements for the .com domain with VeriSign, as well as the proposed .biz, .info, and .org TLDs. Instead, ICANN would opt to allow VeriSign and other registry operators: to make up and freely change their own security rules, not to tell the public or ICANN these rules or to disclose how well their rules are working.

If there is to be a successful defense of the DNS, it will require increased vigilance, resilience, reaction speed, flexibility and, most importantly, enlightened oversight by ICANN.

And hackers are shifting more and more to DNS attacks such as the denial-of-service attack that rendered nine of the 13 DNS root servers inoperable in November 2002 and a massive denial-of-service attack on the .com TLD again early this year. Unfortunately, the threat is rapidly evolving, including new identity theft scams known as "pharming." In comparing phishing with pharming, the CEO of a security products company said: "Phishing is to pharming what a guy with a rod and a reel is to a Russian trawler."

Simply put, the Internet is becoming much less safe and needs the firms that operate the infrastructure to put strong security in place, maintain it and update it continuously. And, those measures should be actively reviewed to ensure they are adequate and working.

The National Academies recently completed a report titled "Signposts in Cyberspace: The Domain Name System and Internet Navigation," sponsored by the U.S. Department of Commerce and the National Science Foundation. The report's final recommendations advise that ICANN strengthen its agreements with the TLD operators and call for further steps to improve the security of the DNS.

If there is to be a successful defense of the DNS, it will require increased vigilance, resilience, reaction speed, flexibility and, most importantly, enlightened oversight by ICANN. A robust security strategy in the new TLD agreements aligned with global realities is essential for the Internet to be safe, sound and secure.

Security-wise, the proposed .com registry agreement, which is now pending before the U.S. Department of Commerce, would allow VeriSign to do, fundamentally, as it sees fit. Today, and in the past, VeriSign has seen fit to develop robust security and has been untarnished by attacks. For that track record, the company deserves praise. But tomorrow, VeriSign might just as easily see fit to sacrifice some security to accrue profits, taking the risk that nothing will happen.

But that risk is not VeriSign?s alone. VeriSign essentially enables the flow of that $1.7 trillion of global e-commerce and 5 percent of the U.S. GDP that make all of us stakeholders in the security of DNS. As stakeholders, we need an advocate, ICANN, which must ensure that security is never sacrificed.

It doesn't take a mathematician with a Ph.D. to see that the proposed registry agreements do not provide better security and stability for the DNS; it takes only good common sense. We all know the value of stop signs in intersections.