New gTLD Program & Security

The new gTLD program will have a profound impact on the private sector’s increasing dominance over Internet information resources and ownership of critical registry technical infrastructure assets. It is already anticipated that only the private sector will take full advantage of the commercial possibilities offered by the introduction of new gTLDs, and create new innovations around such new domain names that will result from this new gTLD application round launched by ICANN. It is also generally recognized that new gTLDs will unleash further inventiveness and entrepreneurial acumen of Internet enthusiasts and private sector operatives. This explains the large number of applications that have been submitted which exceeded ICANN’s original projections.

However, the successful introduction of new gTLDs will also create new challenges of security for the private sector. More Internet domains introduced invariably means more Internet domains that would be exposed to different security vulnerabilities on the Internet and increased risk of cyber attacks on critical registry infrastructure and services that could disrupt registry services.

Evaluation question 30 (a) & (b) in the new gTLD Applicant’s Guidebook is devoted to Security Policy. Applicants are expected to describe in details the security policies and procedures of the proposed registry, and to go to some considerable depth in explaining how denial of service attacks would be mitigated, and describe their computer and network incident response policies, plans, and processes; the types of defenses that will be deployed against threats, etc. What ICANN considers as a robust response to the Security Question must show “evidence of highly developed and detailed security capabilities” amongst other requirements, coupled with an independent assessment report that demonstrates effective security controls as proof of conformance to the ISO27001 Certification Standard.

Cyber-Security Challenges for National Security

Cyber-security threats have now emerged as the defining security challenges of the global Internet economy. National Security operatives are now seized by the issue of Cyber-security. They are actually now more worried and concerned about security threats on computers and information resources than a physical terrorist attack that can be easily detected and disrupted in an airport. Sharing advanced passenger information on airline passengers for example between the United States and European countries will make it more difficult for a terrorist to board an airline flying between Europe the USA. Moreover, increased and more efficient traditional spying has helped security and anti-terrorism agencies to more accurately identify and prevent terrorists from carrying out their wicked plans, but the identity of cyber-warriors remain very much anonymous, and pinpointing their exact geographical location remains a major technical challenge.

In a recent Euronews interview reported on 12th October 2012, Ms. Janet Napolitano, the United States Secretary of Homeland Security stated that: “It would be virtually impossible to have a replication of 9/11”, but accepted that two areas now deserve the sustained attention of security agencies, namely, aviation and cyber. In her own words: “The different styles and the sheer numerocity (sic) of attacks occurring via cyber now… It’s the fastest-growing area that we’re dealing with.” She further cited DDoS (Distributed Denial of Service) Attack, against the financial system or the takeover of the control system of “an electric utility, to major theft and theft of intellectual property or secret information, to child exploitation via the Internet” as good examples of how such cyber attacks could be perpetrated.

Cyber-Security Concerns for the Private Sector

Such cyber-warfare will be conducted against computers and network resources owned and operated by the private sector who own the utilities, financial corporations, and a lot of intellectual property. The cost of Internet Security protection is bound to sky-rocket in the coming years. An independent security audit and certification process is a costly effort to undertake and accomplish. Private sector organizations that have their information resources compromised as a result of cyber-security attacks will not only suffer huge financial losses, and loss of business good-will, but their stock value could be affected and plummet and suffer degradation of overall market value. Investors stand the risk of losing their money invested in such companies. The new threats make the virus infection problems of the past puny in comparison, and seem designed by the cyber-warriors to completely cripple the operations of an organization. Global corporations are indeed over-exposed to these emerging security threats and would be forced to now implement corporate-wide Cyber-Security Emergency Response Strategies, perhaps based on a certification scheme that will be set (or required) by National Security & Defense agencies. The private sector would really need help to enable it adapt to these new realities and cope effectively with the emerging Cyber-Security risks.

No doubt, in a Post-9/11 globalized world that has become more and more integrated through inter-connected computer networks and global telecommunications infrastructure, there are now new security vulnerabilities. An attack on private sector-owned information resources affects the millions of users of such information and data resources—private lives are also directly impacted by the emerging cyber-security threats.

National Security operatives believe that as a result of (aftermath) measures taken by the U.S. Government in reaction to 9/11, the likelihood of another 9/11-type attack has decreased tremendously, but now worry more about the threat to Aviation and the threat to Information and Communication Technology resources that are linked via the Internet and also connected to other highly secure, government-owned networks operated by national security agencies.

The day before Ms. Janet Napolitano gave the interview to Euronews, U.S. Secretary of Defense, Mr. Leon Panetta was engaging with the private sector to stress the urgency of private sector support for pending Cyber-Security legislation in the U.S. Congress, and used the example of recent cyber-attacks on private sector computer networks owned by the Saudi ARAMCO and another oil and gas company in Qatar—both countries in the Middle-East—to buttress his assertions that the private sector is equally at great risk of coordinated cyber-warfare launched by cyber-warriors with advanced capabilities based in enemy territory. In the cyber-attacks against the Middle-East oil and gas companies, up to 30,000 computers were affected. Mr. Panetta painted more destructive and rather apocalyptic frightful scenarios by citing examples of escalated cyber-threats such as train derailments, the shutdown of power grids, and the contamination of water supplies. This is no longer the stuff of video fantasy games! Secretary Panetta explained to his largely private sector audience in New York that according to the new Rules of Engagement and National Security Doctrine, the US Department of Defense would be required to also defend the private sector against cyber attacks. (See for example, http://www.voanews.com/content/panetta-appeals-for-stepped-up-cyber-security/1525450.html) Mr. Panetta is now pushing for greater collaboration in information sharing between the private sector and government, and this would be aided by passage of the pending Cyber-Security legislation by the U.S. Congress.

A New Cyber-Hygiene Regimen

Thus, for successful Strategic Cyber-Security collaboration efforts to be established with governments, private sector organizations will now be pushed towards practicing more or safer ‘cyber-hygiene’, a new term that was used by U.S. Homeland Security Secretary Janet Napolitano during her Euronews interview, which would now be used more frequently in our collective ICT vocabulary when Cyber-Security issues are being discussed: “How hygienic is your cyber environment?”; “How sanitary is your cyber-security environment and what healthy safeguards have you implemented against cyber-attacks?” “Could you kindly outline your cyber-hygiene policies?” “To what extent are your staff practicing safe cyber-hygiene habits within the organization?” would now become standard pertinent questions asked by those evaluating the strategic cyber-security policy implementation of organizations.

This now explains why the private sector should pay more attention to the emerging cyber-security threats. Cyber-Security is also now a mainstream issue in Internet Governance, and the private sector needs to increase the level of its interest and the overall relevance of its involvement in Global Internet Governance. Implementing a new Cyber-Hygiene Regimen within an organization will now prove more costly to private sector operatives in the foreseeable future, and this will in turn increase the overall cost of strategic ICT implementations and the cost of doing business in the Internet age.