Welcome:
Login
|
Sign Up
|
About CircleID
Follow:
|
|
|
Law enforcement demands to domain name registrars were a recurring theme of the 42d ICANN public meeting, concluded last week in Dakar. The Governmental Advisory Committee (GAC) took every opportunity at its public meetings with GNSO and Board, and in its Communique to express dismay, disappointment, and demands for urgent action to "reduce the risk of criminal abuse of the domain name system."
Applying for a new generic Top-Level Domain (gTLD) will be expensive and complex. ICANN's Applicant Guidebook comprises 350 pages of dense instructions, spelling out the procedures to apply for a gTLD and to comment or object to the gTLDs applied for by others. Hidden among the forest of criteria and procedures is a problem that, unless solved, could deny good faith applicants the fair notice they deserve.
When does a non-profit organization become a profit-making one? This and similarly fundamental questions about ICANN's institutional character are raised by the high probability that the gTLD project will produce profits for ICANN. How much money those profits will amount to remains in question, but it is increasingly difficult for ICANN to say that there will be no profit at all.
Cybersecurity regulation will take its place alongside environmental regulation, health and safety regulation and financial regulation as a major federal activity. What is not yet clear is what form the regulations will take. FISMA controls, performance standards, consensus standards and industry-specific consortia standards are all possible regulatory approaches. What is not likely is an extended continuation of the current situation in which federal authorities have only limited, informal oversight of private sector cyberdefenses (or lack thereof).
For those interested in encouraging innovation in the domain name space -- which presumably includes the ICANN community currently convening in Dakar -- the recent episode in which VeriSign proposed, and then quickly withdrew, a bundle of new services (the VeriSign anti-abuse domain use policy) raises important issues that will be revisited as new gTLDs are introduced. Some of those issues are referenced in a recent blog post by Milton Mueller, but his emphasis on "due process" suggests a regulatory framework that is not friendly to innovation.
There may be no better illustration of how far we've come in Internet governance, than this: twice in the past 30 days, the global Internet community has gathered in sub-Saharan Africa to plot a path to bring the Internet to its next billion users. Just weeks after wrapping up the sixth annual Internet Governance Forum (IGF) in Kenya, Internet stakeholders from around the world traveled back to Africa for ICANN's 42nd meeting in Dakar, Senegal.
I came across an interesting article on Reuters today: "U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes..." This is a pretty big step for the SEC. Requiring companies to disclose when they have been hacked shifts the action on corporations from something voluntary to something that they have to do. The question is do we want to hear about everything?
Mainsleaze is nerdy slang for spam sent by large, well-known, otherwise reputable organizations. Although the volume of mainsleaze is dwarfed by the volume of spam for fake drugs, account phishes, and Nigerian 419 fraud, it causes work for mail managers far out of proportion to its volume... The problem with mainsleaze is that it is generally mixed in with mail that the recipients asked for, and there's no way to tell the difference mechanically.
Too many techies still don't understand the concept of due process, and opportunistic law enforcement agencies, who tend to view due process constraints as an inconvenience, are very happy to take advantage of that. That's the lesson to draw from Verisign's proposal and sudden withdrawal of a new "domain name anti-abuse policy" yesterday. The proposal, which seems to have been intended as a new service to registrars, would have allowed Verisign to perform malware scans on all .com, .net, and .name domain names quarterly when registrars agreed to let them do it.
Studies have found only limited, insufficient agency adherence with FISMA's (Federal Information Security Management Act) continuous monitoring mandates. One survey found almost half of federal IT professionals were unaware of continuous monitoring requirements. A recent GAO report found that two-thirds of agencies "did not adequately monitor networks" to protect them "from intentional or unintentional harm."
A World-Renowned Source for Internet Developments. Serving Since 2002.