Export Compliance Daily is a service of Warren Communications News.

VeriSign .Com Foes to Homeland Security Committee: You're Next

Having hit House Commerce, Judiciary and Small Business committees with competition concerns, opponents of VeriSign’s proposed .com registry contract said they plan to air grievances with the House Homeland Security Committee on a new angle: Cybersecurity. An “expert report” commissioned by prime critic Network Solutions (NS) said ICANN hasn’t ensured “adequate security safeguards” in the .com, .biz, .info and .org top-level domain registry agreements. But VeriSign shot back that the report was “very basic” and more concerned with swaying Congress than improving registry security.



Another hearing on the .com contract is scheduled for the Senate Commerce Committee Sept. 20. An industry source told us a similar hearing is expected Sept. 21 in the House Telecom Subcommittee. The Commerce Dept.’s memorandum of understanding with ICANN expires Sept. 30, but VeriSign’s current .com contract doesn’t end till Nov. 2007.

NS would have a letter mocked up for the Homeland Security Committee “as quickly as possible,” Chief Policy Counsel Jonathon Nevett told reporters in a briefing Wed.: The .com dispute “absolutely belongs in that [national security] context.” NS has discussed the issue with cybersecurity advocacy groups, but “we just started on this” angle, Nevett said. The Cyber Security Industry Alliance hasn’t taken an in-depth look yet but Exec. Dir. Paul Kurtz, a frequent witness at Hill hearings, finds it a “really interesting topic,” an Alliance spokeswoman told us.

ICANN should include minimal oversight and security risk mitigation provisions in registry agreements, the report said: (1) Security reporting requirements for operators. (2) Detailed security plans and regular testing of DNS defenses by operators. (3) ICANN development of “independent assessment capabilities” for potential DNS breaches. (4) ICANN risk analysis of registries’ operations. Though the report covers registry agreements in general, it didn’t shy away from identifying the proposed .com agreement, the “crown jewel,” as its primary concern. Devonshire Ventures Managing Dir. Jerry Archer, a longtime IT security official for financial institutions, wrote the report.

DNS attacks are a regular occurrence now, and hacking “will likely be supplanted by calculated catastrophic acts of terrorism and crime with global consequences,” the report said, citing DHS’s U.S. Computer Emergency Readiness Team. Pharming -- the “poisoning” of DNS records so that a legitimate domain name resolves to a fake website -- is on the rise, it said. Banking and brokerage industries are far less vulnerable to DNS attacks on a “single point of failure” than registries, but far more regulated: “The time has passed for laissez-faire, goodwill-based approaches” with no oversight or policy component.

VeriSign is “hanging its hat” on security concerns to justify raising prices under the proposed contract, said Janice Obuchowski, NS consultant and former NTIA dir. She cited analyst reports that said VeriSign stands to pocket at least 80% of revenue from proposed increases. The contract would let VeriSign raise domain name prices up to 7% in 4 of 6 years, with “presumptive renewal”: “You can imagine that they'll have this contract forever” without a serious screwup, Nevett said. Other TLD contracts are much different, he added -- for example, the contract for .us runs for a fixed term and can be terminated by the govt. at any time. The .com contract “has become the new model for future TLD agreements,” he warned.

Because VeriSign doesn’t release data on its security expenditures or frequency of DNS attacks, no one can give a good estimate of what level of increases would be required to provide adequate security and let VeriSign break even, Nevett said. For the moment, VeriSign is keeping an eye on DNS security as a matter of “goodwill” -- an oft-repeated term at the briefing -- but should the company be acquired, there’s no telling whether the buyer would continue that goodwill, he said.

ICANN doesn’t need new authority to hold registries to security standards, Obuchowski said: “We'd like them to take the power that they have and use it for the public.” Contract terms without security mandates are likely to set off the UN and international parties to press for more say in governance, Nevett said.

VeriSign waved off the report’s significance, in particular its authorship. A spokesman told us Archer “shopped a report for us” that VeriSign declined, “so we knew he was interested in getting paid to do a report.” The recommendations are “either being done or [have been] recommended” already, he said, calling the report “6th grade work for a graduate course.”

Contrary to the report’s insinuations, VeriSign does briefings for ICANN and “of course we test our defenses,” the spokesman said: The registry has run “100% uptime for 7 years” while adding 1,900% capacity. An attack on root servers in 2002 left 9 of 13 servers down, but 2 of the 4 remaining were VeriSign’s, he said. “Hopefully [registrars] will also start focusing on their own systems so they stop calling us when they have network issues,” as GoDaddy did recently, the spokesman added.

“There’s nothing wrong with formalizing these things,” which is the work of the ICANN Security & Stability Advisory Committee, the VeriSign spokesman said: “We will lead in that effort.” But the NS report is just a ploy to gain advantage in the .com dispute and scare congressmen unfamiliar with the security operations that every registry must conduct to stay in business, he said. A spokesman for NeuStar, which runs the .us registry, said the company hadn’t reviewed the report in detail yet, but “it doesn’t appear to me that the author consulted NeuStar in any way.”