Transcript Slide 1

Making the Internet DNS More Secure
and Resilient: An ICANN Perspective
Greg Rattray
ICANN Chief Internet Security Advisor
The Internet as an Ecosystem
• Built as experiment; now part of everyday life
– Assumed benign, cooperative users
• Now involves a wide variety of systems,
stakeholders, opportunities & risks
– Governments, corporations, civil society, criminals
• Malicious actors now use Internet
– Growing centers of gravity – militarily, economically, socially
– Anonymity & ability to leverage 3rd Parties for Bad Acts
• Will we reach a tipping point in inability to address growth of
malicious activity and capability?
– My mother-in-law: Can I safely use my credit card?
Bot Nets and Complexity of Attacks
Actors Involved
- Code Developers
- Botnet Developer (t = X)
- Bot Controller (t = Y)
- Owners of assets (C2 and bots)
- DNS operators
- ISPs
- Target(s)
[Diagram labels: Bot Code, Botnet Developer, C2, Bot Controller, Bots, Attacker, Routing, Target(s). Annotation: Multiple purposes; possibly no digital connection]
Attack the swamps, not the fever
Who’s responsible?
Who should be subject of retaliation?
- What type? Legal notice, arrest,
digital disruption?
Who should be part of a cooperative
mitigation and defense?
The Internet: coordinated,
not controlled
Just some of the major organizations concerned with the Internet
What is a Domain Name?
Mechanism for translating name into number
www.icann.org = 192.0.32.7 (IP address)
• ccTLD (country code top-level domain)
• Generally used or reserved for a country
• .jp, .kr, .uk, .my …etc
• gTLD (generic top-level domain)
• .com, .info, .net, .name, .biz, .pro …etc
• others (infrastructure top-level domain)
• .arpa, .int ...etc
[Diagram: ICANN/IANA (Internet Assigned Numbers Authority) coordinates both domain names and IP addresses]
• Domain names: Root Zone (w/ USG and VeriSign); ccTLD registries (.se, .jp); gTLD registries (.com, .net); .net zone; example.net zone; registrar
– "I want 'example.net' to set up www.example.net"
• IP addresses: RIR (ARIN, RIPE NCC, AfriNIC, APNIC, LACNIC); NIR (JPNIC, CNNIC, KRNIC); LIR; ISP
– "I need 1 IP address to set up www.example.net"
• www.example.net = 192.0.2.1
ICANN’s Role and Plan
ICANN Plan for Enhancing Internet Security, Stability and
Resiliency established in 2009
• Core: Ensure DNS system stability and resiliency
• Enabler: Work with broader Internet and security
communities to combat systemic DNS abuse; assist
operators to protect DNS registration and publication
processes
• Contributor: Identification of risks to security, stability and
resiliency of the DNS as part of larger cybersecurity
challenges
• Not involved in cyber war/espionage or content control
Plan available at www.icann.org/en/security
DNS System-wide SSR
Coordination, Analysis and Planning
Provide for coherence in concepts of a key subsystem of a larger Internet ecosystem
• Conduct annual DNS SSR symposium. This year in Kyoto in
early February focused on Measuring DNS Health
– Baselined what metrics and measurements exist and where gaps
exist in terms of getting more comprehensive
– Key parameters for DNS health – coherency, integrity, speed,
availability, resiliency
• Developing set of key contingencies for use in ICANN and
community efforts related to response and exercise planning
• Finalizing continuity plan for failures of DNS registries to
address how to protect registrants
DNS Vital Signs
Coherency
Integrity
Speed
Availability
Resiliency
Mitigation of Malicious Conduct in New
Top Level Domains
Practical measures for extending the DNS in a more
secure and accountable fashion
• Requirement for employing key security technology
(DNSSEC)
• Prohibition on undermining protocol (Wildcarding)
• Requirements to enhance trust in people (background
checks)
• Enable a scalable approach to investigation and response
(Zone File Access)
• A voluntary program for higher trust in key zones (TLD
certification program)
DNS Collaborative Response
Enabling effective private sector response and
leadership
• Working closely with FIRST and national CERT community
– Joint session in Nairobi; help set up East African CERT
– DNS Security workshop at FIRST general meeting in June
• Continue collaboration in stopping spread of Conficker as
well as lessons learned and follow-up efforts
• Continue to have security team incident reporting
mechanisms to identify potential systemic DNS incidents
Capacity Building Programs
Enabling effective security and resilience at the
edge of the system
• Continue conduct of ccTLD security and resiliency
training program
– Attack and Contingency Response Program focused on managerial
level threat awareness and contingency planning
– Joint registry operations training program initiated focused on basic,
advanced and security DNS technical skill building
• Reaching over 100 DNS ccTLD operators in 41
ccTLDs in the last six months
Global Engagement
Foster a global dialogue on how to most effectively
pursue security/resiliency for Domain Name System
• Work closely with regional TLD associations and
network operators groups
• Work to enhance regional outreach activities
– INTERPOL workshop
– Asia-Pacific Economic Cooperation – Telecommunications and Information Working
Group
– Commonwealth Telecommunications Organization
• This ICANN – MSU Institute for Information Security
Issues annual forum
Discussion Questions
What are the expectations of private
sector/multi-stakeholder organizations to
provide security and resilience in key aspects
in the global information infrastructure?
What are the right mechanisms for achieving
transparency and accountability in this
regard?