LISTSERV - NCSG-DISCUSS Archives

Hi Kathy, Rudi, McTim,


The danger of bringing up rather specialist complex arguments in a
generalist forum is that things get misconstrued or misinterpreted. Let me
attempt to clarify:

I disagree with Rudi. I do not want ICANN involved in cybercrime. I also do
not want ICANN involved in cyberespionage. I believe Paul Twomey likely
went too far in authorizing ICANN's coordinating and advisory role in
Conflicker. It created a dangerous precedent. Mr. Beckstrom obviously got
us involved in operations at an unacceptable level...at least to some.

Cyberwar is different.

There is a body of law you are subject to whether you want to be or not.
Most, but not all, of international humanitarian law is directed towards
state actors. There is no opt out clause. Porting IHL to cyberspace
involves some pretty comical situations. When members of the Estonian Cyber
Defense League engage in operations on their computer related to their
national security, rather than private, function they are required to put
on military uniforms even if they are sitting in their bedroom at home.
Uniforms are an identifier with particular significance under IHL even,
apparently, if no one can see you wearing it.

ICANN derives part of it's authority from a contract with the United States
government. The United States government is the only government to have,
albeit unofficially, admitted launching a cyberattack on a third country.
The attack targeted military operations, no problem with war crime related
 IHL, although there may be problems with some other treaties concerning
first strike doctrine. What if the Americans decide to do a more general
attack, one that kills civilians and involves at some level playing with
the root zone file to disrupt communication. What if "not involved in
cyberwar" ICANN knows about this, does not direct their root server away
from A, follows directions or even assists the Americans? Thousands of
civilians die. War crime. I have a direct line of command from the
Americans to ICANN...responsibility ensues.

McTim asks a great question. Show me how? What? I can't. We're creating law
for things that haven't happened. The Tallinn Manual is guidance for things
that largely have not happened.  That's why it's dangerous to simply state
'we don't do cyberwar' and think you are free. It's not an opt in / opt out
thing like cybercrime or cyberespionage. As I wrote, I'm happy to support
David's statement today, but I just wanted to cover myself by stating I
reserve the right to change my mind in the future on this one issue as
doctrine develops.

ICANN acts a bit like a state. It grants property rights ( they are
actually licenses). It creates law like rules (that principally benefit IP
interests). Are there scenario's under which revoking or ceasing to grant
domain names to certain countries could stop potential cyber conflict?
Perhaps. What if hell freezes over and ICANN becomes free of the Americans,
actually controls the root? A nation launches mass cyber attacks. In that
scenario it could be argued that ICANN has a positive obligation to delete
that nation from the root or at least not to grant it more domain names,
more points of access. I could also argue the reverse. The thing is no one
has started to seriously look at stuff like this yet. The process is,
however, beginning.

It's a shame that ICANN doesn't establish a committee of experts to look at
the many issues involved in the IHL arena. If they don't others will. These
issues are not going away. I'd also suggest that if ICANN hides under the
"not us" bumper sticker without engaging it will be bypassed by the
international community. Russia is already using cybersecurity as a cover
for it's attempts to put control of the DNS in the ITU. A bit comical for a
country whose cyber weapon development program has, in part, been
subcontracted to criminal organisations who then are reputed to have some
freedom to engage in cybercrime against third country nationals.

It's just going to take one major attack with civilian casualties for
things to change quickly. I was in Pyongyang last week and I'm pretty sure
their newfound interest in expanding their connections to the physical
net...well, we can only speculate.

For now, to be clear: Cyberwar is not cybersecurity, cyberespionage,
cybercrime. Not all cyberwar triggers international humanitarian law. Yet
if the attack so many in the military I've spoken to fear does occur ( NATO
does not develop a cyberwar humanitarian law manual for fun) IHL will be
triggered and the position of ICANN can not be affirmatively stated by
anyone today. Including ICANN.






On Mon, Apr 22, 2013 at 6:52 PM, Kathy Kleiman <[log in to unmask]>wrote:

>  My two cents is that a) I like David's statement and think we should
> sign on it, and b) I worry about ICANN taking an operational role in
> cybersecurity.  Frankly, I worry about ICANN taking an operational role in
> just about anything, other than IANA. I think ICANN does well within a
> limited scope -- as a multistakeholder group with a narrow technical/policy
> mission.
>
> I think ICANN can foster communication, even encourage good practices such
> as DNSSEC.  I could see ICANN as a forum for discussion of DNS Security
> issues, but I am not sure how well-suited we are to *making decisions* on
> cybersecurity. It would like lead to a lot of closed meetings, in which
> many of us would not be present.  Like content, I think I would leave this
> to other forums.
>
> Best,
> Kathy:
>
> I agree with Edward's proposed text, not much that I could add to it.
>
>  ICANN has a well defined duty and getting involved in content debates
> would be more than dangerous. However, ICANN can help in tackling the
> cyber-criminality if such is done by abusing the domain name space. Some of
> the cyber-attacks are using the domain name space and can create a lot of
> damage to the consumers (private and business). In this perspective I'm
> convinced ICANN has a collaborative task and can not just stand aside.
>
>    Rudi Vansnick
> Member NPOC policy committee
>
>  Op 22-apr-2013, om 19:00 heeft Alain Berranger het volgende geschreven:
>
> Thanks for your work David.
>
>  I agree with Edward's most interesting development. Does Rudi have
> anything to say about that?
>
>  Alain
>
> On Monday, April 22, 2013, Edward Morris wrote:
>
>> Thanks for your work David.
>>
>>  Regardless of ICANN's public statements or strategic plans, I am not
>> sure ICANN can be in accordance with customary International Humanitarian
>>  Law with the statement "ICANN does not have a role in the use of the
>> Internet related to cyber-espionage and cyber-war" (page 7). I am equally
>> not sure ICANN is not in accordance with customary International
>> Humanitarian Law with that statement and I remain  open to arguments as to
>> whether ICANN should be involved in these issues or could be commanded by
>> IG treaty or agreement to exercise responsibilities thereof.
>>
>>  These are not simple issues. ICANN is a unique organisation that does
>> not neatly fit into any typical, comfortable structure. IHL, of course, is
>> state centric in terms of responsibility but ICANN on one, fairly
>> superficial level,  is almost supreme being like in it's coordination of
>> the Internet. Cyber-espoinage, no problem, ICANN is not involved. However,
>> imagine a situation where there are massive cyber attacks on civilian
>> infrastructures in third countries by state actors that ICANN could
>> operationally prevent. Mass civilian death, mass civilian injury, mass
>> destruction of property and infrastructure. Mass death of noncommercial
>> users, mass injury of noncommercial users, mass loss of property of
>> noncommercial users.  Do we truly represent these people with a position of
>> "not our problem?"
>>
>>  ICANN is a non state actor but it's operational coordination abilities
>> allow those who want, and they exist, to inpune state responsibility to it
>> through a number of intellectual gymnastics involving the definition of
>> territory and control. I doubt I'll ever buy into those arguments and I
>> don't think they'll ever be majority opinion. I could be wrong. I am
>> concerned, though, with rules 139 (Respect for IHL), 149 (Responsibility
>> for Violations of IHL) and 161 (International Cooperation in Criminal
>> Proceedings) of the ICRC's Study on Customary International Law. As of
>> today  ICANN as a non state actor does not have any responsibility under
>> these rules, but as more people examine the nature of ICANN, the ever
>> changing role of the GAC, the uniqueness of ICANN as it is constructed, I
>> can conceive of a consensus being developed in the IHL community that
>> extends responsibility under these rules to ICANN as a unique non state
>> actor. It won't happen tomorrow, it won't happen next year, but it may
>> happen, and I don't want to get myself locked into a position today that
>> prevents me from having options several years down the road.
>>
>>  For those who haven't read it the Tallinn Manual
>> http://www.ccdcoe.org/249.html  is an exceptional first effort at
>> porting IHL into the cyber arena. Mike Schmitt did an exceptional job at
>> coordinating input from some pretty diverse people in creating the
>> guidance, and from my perspective they did a near perfect job for what it
>> is. ICANN is not mentioned in the Manual. However at cocktail discussions
>> in Estonia last year with some of those involved in the project, there was
>> an interest in thinking about ICANN and where it fit into all of this, post
>> Manual production.  Interest varied, many did not understand how ICANN was
>> constituted ( at CyCon's public sessions it was described, variably, as an
>> NGO, an IGO, but never as a unique MS organisation), but as much as  ICANN
>> would like everyone to forget about it in this context it simply is not
>> going to happen. The salience of cyberwar as an  issue, for reasons often
>> having to do more with private economic interests than security, is going
>> nowhere but up and there will be some response on an international level
>> that  will impact or involve ICANN, desired or not.
>>
>>  As we exist in 2013  I'm happy to sign off on David's statement. I do
>> so, though, reserving the right to change my view as events and thoughts
>> develop and change regarding cyberwar activities. That ICANN should not be
>> involved in content, obvious. That we do not want to extend it's competence
>> to cybercrime and cyberespionage, of course. Certain forms of cyberwar,
>> though, are different in that in some areas it isn't something an entity
>> can or should be able to opt out of. I'm just not personally sure today
>> where ICANN does or should fit into all of this. It would be a lot easier
>> if we had competing private Internets but until we do I have questions in
>> this area  and reserve the right to come back in a few years time with
>> views that are different than what I can accept today. These are
>> complicated issues and I'm not sure best handled with a  bumper sticker
>> like perspective. Then again...
>>
>>
>>
>>
>>  On Mon, Apr 22, 2013 at 3:36 PM, Brenden Kuerbis <
>> [log in to unmask]> wrote:
>>
>>> +1, thanks David. Minor typo in last para, "explicit
>>> acknowledge[ment]..."
>>>
>>> ---------------------------------------
>>> Brenden Kuerbis
>>> Internet Governance Project
>>> http://internetgovernance.org
>>>
>>>
>>> On Mon, Apr 22, 2013 at 8:21 AM, David Cake <[log in to unmask]>wrote:
>>>
>>>>  This document has been out for public comment.
>>>> http://www.icann.org/en/news/announcements/announcement-06mar13-en.htm
>>>>
>>>>  I've missed the deadline on public comment for this by a day or two,
>>>> but I'd still like to see if we can make a small comment on it if we can.
>>>> Here is my draft comment - if NCSG could approve it (quickly), that
>>>> would be great, otherwise I'll just put it in as a personal comment.
>>>>  Any additions or disagreement?
>>>>
>>>>  Regards
>>>>  David
>>>>
>>>>  ----------
>>>>
>>>> The regular update of the Security, Stability and Resiliency Framework
>>>> is a very important part of ICANNs SSR function, as attested by its
>>>> inclusion in the Affirmation of Commitments.
>>>>
>>>> NCSG notes the significant effort involved in preparing the FY13
>>>> Security, Stability and Resiliency Plan, and the progress towards
>>>> implementing the recommendations of the Security, Stability and Resiliency
>>>> Review Team Report.  While work so far has seen the completion of only some
>>>> recommendations, we note planning and progress has been made for all the
>>>> recommendations, and we appreciate the commitment to full implementation.
>>>>
>>>>  NCSG supports the definition of ICANNs SSR role and remit. In
>>>> particular, NCSG values the acknowledgement of areas that lie outside
>>>> ICANNs remit, and NCSG strongly agrees that ICANNs role does not include
>>>> law enforcement or determining what constitutes illicit conduct.
>>>>
>>>> NCSG welcomes the explicit acknowledge of the necessity of a continued
>>>> multistakeholder approach to security, and notes the inclusion of civil
>>>> society within all discussions of the Internet and security ecosystem, and
>>>> particularly welcomes the inclusion of engagement with civil society on
>>>> privacy and free expression issues as a commitment for FY14.
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
> --
> Alain Berranger, B.Eng, MBA
> Member, Board of Directors, CECI, http://www.ceci.ca<http://www.ceci.ca/en/about-ceci/team/board-of-directors/>
> Executive-in-residence, Schulich School of Business, www.schulich.yorku.ca
> Treasurer, Global Knowledge Partnership Foundation, www.gkpfoundation.org
> NA representative, Chasquinet Foundation, www.chasquinet.org
> Chair, NPOC, NCSG, ICANN, http://npoc.org/
> O:+1 514 484 7824; M:+1 514 704 7824
> Skype: alain.berranger
>
>
>  AVIS DE CONFIDENTIALITÉ
> Ce courriel est confidentiel et est à l’usage exclusif du destinataire
> ci-dessus. Toute personne qui lit le présent message sans en être le
> destinataire, ou l’employé(e) ou la personne responsable de le remettre au
> destinataire, est par les présentes avisée qu’il lui est strictement
> interdit de le diffuser, de le distribuer, de le modifier ou de le
> reproduire, en tout ou en partie . Si le destinataire ne peut être joint ou
> si ce document vous a été communiqué par erreur, veuillez nous en informer
> sur le champ  et détruire ce courriel et toute copie de celui-ci. Merci de
> votre coopération.
>
>  CONFIDENTIALITY MESSAGE
> This e-mail message is confidential and is intended for the exclusive use
> of the addressee. Please note that, should this message be read by anyone
> other than the addressee, his or her employee or the person responsible for
> forwarding it to the addressee, it is strictly prohibited to disclose,
> distribute, modify or reproduce the contents of this message, in whole or
> in part. If the addressee cannot be reached or if you have received this
> e-mail in error, please notify us immediately and delete this e-mail and
> destroy all copies. Thank you for your cooperation.
>
>
>
>
>
> --
>
>
>
>