Abstract: New security technologies are never neutral in their impact; it is known that they can alter power relations and economic dependencies among stakeholders. This article examines the attempt to introduce the Resource Public Key Infrastructure (RPKI) to the Internet to help improve routing security, and identifies incentives various actors have towards RPKI implementation. We argue that RPKI requires ISPs to achieve security at the expense of autonomy, requires all actors to tradeoff simplified global compatibility and centralization of power, and affects the policies and business models of the Regional Internet Registries and their relationship to ICANN. While the Internet remains a space where authority is highly distributed, elements of hierarchy do exist, especially around critical resource allocation, and it is likely that security and other concerns will lead to continuing efforts to leverage those hierarchies into more powerful governance arrangements. To download this paper by by Brenden Kuerbis & Milton Mueller, originally published in Communications and Strategies, in full, see: ssrn.com/abstract=2021835

Maybe he is trying to say ICANN is not good enough for him, but as he is about to “leave” ICANN after three turbulent years as CEO and President, Rod Beckstrom delivered a few grenades regarding its performance at the ICANN meeting currently underway in Costa Rica. Beckstrom was strident in his criticism of conflict of interest rules for directors, noting that “ICANN must place commercial and financial interests in their appropriate context.” He went on to ask “how can it do this if all top leadership is from the very domain name industry it is supposed to coordinate independently?” But Beckstrom’s stinging criticism was met with a withering criticism by former ICANN staffer Maria Farrell who wrote, “In the long tradition of tenants trashing the gaffe as they’re finally evicted, ICANN’s outgoing CEO seems determined to burn down the house he’s been renting for the past three years.” “In an effort to salvage his tattered reputation,” Farrell continues, “Beckstrom seems to be following his standard m.o. of shifting attention to the suddenly glaring failings of the organization that’s decided to terminate his employment.” Beckstrom has form here when he left the National Cyber Security Center at the Department of Homeland Security, he complained “of inadequate funding and cites efforts by the National Security Agency to ‘subjugate’ the NCSC to its control,” according to an ars technica report at the time. Noting there is a “germ of truth” to his “searing criticisms,” Farrell says he’s been happy to run [ICANN] for the past three years … [where] conflicts are rife, with several industry-sourced Board Directors needing to recuse themselves from discussions or votes on new generic top-level domains. And ICANN’s standing is nowhere near to recovering from the dramatic act of pantouflage of our last Chairman, who went from Chairing the Board meeting that approved new gTLDs to running a new gTLD company within a few weeks.” Farrell then notes “things are more complicated than they first appear” referring to directors recusing themselves when, in many other organisations, this would not be required. Farrell concludes that “unfortunately, we can expect more of these ‘bombs’ to be dropped during Beckstrom’s final months, as the CEO and Board Director attempts to paint himself as a courageous contrarian speaking truth to power. But the truth is Beckstrom’s speech was not only inaccurate and mean-spirited, but a transparent attempt to wring personal, tactical advantage at the strategic expense of the organization he still purports to lead. It is a shame that at this point in Beckstrom’s tenure, we have come to expect no better.” Maria Farrell’s article on the Crooked Timber blog is available in full at crookedtimber.org/2012/03/13/icanns-departing-ceo-burning-down-the-house/

Many sectors of the global economy may be struggling, but domain name registrations continue to grow strongly with registrations across all Top Level Domains (TLDs) increasing 8.6 per cent or 16.9 million in the 12 months to end of June 2011, reports Verisign in their latest Domain Name Industry Brief. In the latest quarter, growth was 2.5 per cent or 5.2 million. Country code TLDs grew to 84.6 million registrations a 3.6 per cent increase quarter over quarter, and an 8.4 per cent increase year over year in the registrations base. The .COM and .NET TLDs experienced aggregate growth, surpassing a combined total of 110 million names in the second quarter of 2011, with Verisign refusing to separate out individual registration figures. Looking out graphs provided in the report, there are around 92 million .COM registrations and around 18 million .NET registrations. This represents a 1.8 per cent increase in the base over the first quarter of 2011 and an 8.3 per cent increase over the same quarter in 2010. New .COM and .NET registrations totalled 8.1 million during the quarter. This reflects a 2.0 per cent increase year over year in new registrations, and a 2.3 per cent decrease in new registrations from the first quarter. The order of the top TLDs in terms of zone size changed slightly compared to the first quarter, as .CN (China) moved from ninth to eighth largest TLD, dropping .EU (European Union) from eighth to ninth. The largest TLDs in terms of base size were, in order, .COM, .de (Germany, currently with 14.577 million registrations), .NET, .UK (United Kingdom – 9.559m), .ORG, .INFO, .NL (Netherlands – 4.641m), .CN, .RU (Russian Federation – 3.41m) which since this report was compiled has overtaken .EU (3.389m). CcTLD statistics are from registry websites as of 31 August. Among the 20 largest ccTLDs, Brazil, Australia and Spain each exceeded four per cent quarter over quarter growth. Last quarter, seven of the top 20 exceeded the same threshold. There are more than 240 ccTLD extensions globally, with the top ten ccTLDs comprising 60 per cent of all registrations. The .COM/.NET renewal rate for the second quarter of 2011 was 73.1 per cent, down from 73.8 per cent for the first quarter. Renewal rates vary quarter over quarter based on the composition of the expiring name base and the contribution of specific registrars. This latest Domain Name Industry Brief also looks at effectively harnessing Internet opportunities, while mitigating cybersecurity risks, which can mean the difference between success and failure for small to medium businesses. The Domain Name Industry Brief notes that while the benefits of effective online marketing and branding for SMBs have been exhaustively discussed, the mounting Internet-related challenges and cyber threats often go unaddressed until it’s too late. In 2010, The Wall Street Journal reported on an international cybercrime ring that managed to steal about $70 million from small businesses, municipalities and churches before law enforcers were able to stop it. The criminals specifically targeted small businesses because their electronic defences were much weaker than larger organizations, allowing them to steal with virtual impunity. Ironically, as larger enterprises improve their defences and make cybersecurity a larger priority, SMBs become an even more attractive target to cyber-criminals looking for easy, and profitable, targets. But despite growing threats, SMBs as a group have been slow to adopt effective security technologies and protocols. In its most recent annual survey of SMB leaders, the US National Cyber Security Alliance (NCSA) (http://www.staysafeonline.org) found that less than half of SMB owners (43 per cent) were confident that their businesses were adequately protected against data thieves. Even more alarming was the fact that more than half of those polled (53 per cent) said that the cost of securing their data and networks was not justified by the threat. That’s despite the fact that more than 74 per cent of small and mid-sized businesses have been impacted by cyber attacks over the past year, according to Symantec, which pegged the per-incident cost of such attacks at more than $180,000. Effectively mitigating those threats requires a combination of common sense security procedures and smart – but not overwhelming – investments in security technology and services. In May 2011, the Federal Communications Commission (FCC) hosted a Cybersecurity Roundtable focused on protecting SMBs. The FCC offered a 10-point cybersecurity checklist (http://www.fcc.gov/events/cybersecurity-roundtable-protecting-small-businesses) for companies that included simple-but-effective recommendations like installing firewalls, regularly updating software and training employees in basic information security practices. The FCC guidelines represent an excellent starting point for any SMB with an Internet connection. But for SMBs with more extensive Internet operations – including those that base significant portions of their business on email and online transactions – those steps may not be enough. As a general rule, the more an SMB relies on the Internet, the more that SMB must devote to ensuring that its infrastructure, networks and customer-facing technologies are secure and stable. The entire host of technological threats that face large companies (from email and phishing scams to hacking and DDoS attacks) can be directed equally at SMBs, where they often have a much more serious impact. The report says that DDoS attacks can be particularly damaging to online-oriented SMBs, taking them offline for hours or even days by flooding their servers with illegitimate traffic. Cyber criminals know how damaging such an attack can be to small and mid-sized businesses and will often use the threat of a DDoS campaign to extort money from owners and network operators. For SMBs with significant online investments and business offerings, it may make sense to invest in third-party DDoS mitigation services from a company that specialises in bridging the natural technology gap that occurs when smaller organizations face large-scale threats. The value of a DDoS mitigation service is that it allows even a relatively small SMB to take advantage of enormous bandwidth capacity when they come under attack. This allows networks to stay up, and businesses to continue operating, even when they are under direct attack. Whether an SMB is an all-Internet operation, or a bricks and-mortar business that uses the Internet mainly for e-mail and administrative functions, it pays to have a clear view of the cyber threats that face all SMB owners. As is always the case in cybersecurity, an ounce of prevention is worth a pound of cure. To read more of this Domain Name Industry Brief or download previous editions, go to www.verisigninc.com/en_US/why-verisign/research-trends/domain-name-industry-brief/index.xhtml

The African Registry Consortium (ARC), a pan-African consortium that aims to administer the .AFRICA domain by Africans and for Africans, was publicising its case saying several of the players involved in ARC are also involved in the administration of the co.za domain name space in South Africa, which is currently under the administration of UniForum SA. Meanwhile Njeri Rionge, one of Kenya’s most successful and revered serial entrepreneurs and also adviser to another contender for .AFRICA, DotConnectAfrica , was described as Africa’s most successful women by Forbes magazine. “We see .AFRICA as the ideal opportunity to highlight African know-how and expertise”, said ARC Spokesman and founding member, Koffi Fabrice Djossou. “One only has to look at how the co.za domain funds are applied by UniForum SA, to see the benefits of having the .AFRICA domain administered by an African organization,” said the ARC. “UniForum`s co.za social responsibility initiative, for instance, launches at least two new computer labs at previously disadvantaged schools every single month, with more than 200 labs having already been completed.” “This new domain will give the continent a truly African identity for the first time and will allow companies and organisations operating here to proudly highlight their African operations and identity,” says Djossou. However having a truly African identity online is the same goal as the DotConnectAfrica consortium. According to ARC the goal is to promote an African identity for the continent while at the same time improving the security aspects around such a domain. “ARC is seeking the backing of the African Union, as the AU has also recognised the commercial and social benefits that the .AFRICA domain may present,” he says. At present, continues Djossou, ARC includes representatives from Senegal, Kenya, Benin and South Africa, and the door remains open to other African nations that may express interest in getting involved with ARC. Both parties will be aiming to submit bids for .AFRICA when ICANN begins taking applications in its three months application window that commences on 12 January 2012. However it would be anticipated that due to costs, the bids would be able to work out a way forward together. It is anticipated the winning consortium, or a collaboration, would have .AFRICA up and running in 2013 and that internationalised domains in French and Arabic would also be available some time in the future.

August 17, 2011 — Web hosting provider Go Daddy has implemented Trend Micro Deep Security to protect systems in its data centers, according to a recent press release. According to the report, Trend Micro’s deep security solution is designed to provide advanced protection to physical, virtual or cloud servers, as well virtual desktops.

Reliability, stability, trustworthiness are three of the most important features of a TLD, and one of the main messages that auDA, the policy and regulatory body for .AU, has been striving to convey writes Chris Disspain, auDA CEO and these days also ICANN board member. “In fact, I’m pretty sure we have been banging on about the importance of trust ever since auDA was established and assumed responsibility for the operation of .AU,” writes Disspain. “The relevance of this message has been highlighted by recent developments that have negatively affected thousands of British companies” where there have been “legal and administrative battles surrounding the operation of ‘gb.com’, which offers third-level registrations as an alternative to .co.uk.” With the downtime that ensued from the .gb.com outage, Disspain writes “what the recent events surrounding gb.com do highlight is the types of added risks registrants expose themselves to by choosing to register in a space that is selling third level domains on a commercial basis as opposed to in a well-regulated domain with well-defined policy frameworks.” Another third level domain to launch as an alternative to the country code in recent days is com.de, promoted as an alternative to .DE. .DE and .UK are the two largest ccTLDs. A problem that can arise is if the business selling the third level domains goes out of business – you lose your domain name. “All of the marketing and promotional efforts you have made go down the drain and your business may follow soon after.” “In contrast, registrants in a regulated space such as .com.au are afforded certain protections in the unlikely event of registrar failure and can recover their name and livelihood with the assistance of auDA and whichever registrar they choose to switch to. “Also, .AU has mechanisms built-in to deal with circumstances where you might find your business, trademark or other intellectual property rights infringed upon by a com.au registrant.” Disspain then writes that “another advantage of operating your business in a well-run domain is that doing so can resolve issues of confusion and trust for your most important stakeholders – your customers.” In conclusion Disspain writes, “all of these arguments tie back to one main issue – and the main motivation for this post – the importance of trust. Trust in the domain space you register in, trust in the security and stability of your commercial investment, and the trust your customers will have in your operations and the protection of their rights. All of these are vital drivers of success in the bricks-and-mortar world of business – and just as important online.” To read this full article by Chris Disspain, auDA CEO and as of June 2011 ICANN board member, go to: blog.auda.org.au/2011/08/09/without-trust-there-is-nothing/

July 22, 2011 — UK Web hosting provider UKFast announced on Friday it has released a new security report that shows how credit card details are as openly available, leaving consumers open to fraud and businesses at risk of costly legal action. In a recent study titled “Data Security – Protecting Your Profits”, UKFast found that relatively simple Google searches reveal personal indentification details.

A “deliberate, premeditated and malicious” attack on the network of Australian registrar and webhost Distribute.IT saw customer data, websites and emails that were hosted on a number of Distribute.IT servers potentially rendered unrecoverable. Distribute.IT described it as “a deliberate aim at the Company and our clients”. The loss of the data has been disastrous for many customers of Distribute.IT. The cost to the company that had around 210,000 domain names under management and 6.5 per cent share of the .AU market representing on recent figures around 130,000 .AU domains, has been disastrous with the company subsequently being acquired by the Netregistry Group, Australia’s largest group of registrars. Approximately 4800 domain names across four servers, holding domain related services, such as DNS and web hosting suffered complete data loss. 2000 of these were websites and associated data while a further 2800 accounts had DNS hosting. Of the 2000 websites lost, Netregistry is still working to recover data around one month after the hack. The SAN storage device hosting data has been sent to Sydney and in the next few days will go to data recovery experts, but time and cost constraints will in part determine what data can be recovered. To do their work, hackers gained SSH access to a compromised desktop within the company and then gained access to an internal log containing passwords to gain access to the network, Brett Fenton, NetRegistry’s Chief Operating Officer told the Goldstein Report/Domain Pulse/Domain News. The Australian policy and regulatory body auDA worked quickly with Netregistry to ensure the acquisition of Distribute.IT went ahead with minimal disruption. As required under the Registrar Agreement, auDA’s consent was requested by the parties prior to finalisation and was very quickly granted. While the hacking is a rare case, there are lessons the domain name industry – registrants, resellers, registrars and registries – all need to learn. For registries and TLD managers, Fenton says it is important from an Australian perspective “that auDA needs to take responsibility for ensuring security of domain data for domain registrars.” One part of this Fenton believes is that the registrar accreditation test should ensure that registrars have PCI-DSS compliance to ensure best practice security for registrars with the stability of the .AU namespace being the role of the regulator. He further added that a review of the ICANN model of data escrow for registrars should be undertaken with a view to possible implementation in at .AU namespace. Globally it is highly likely there are many registrars where security is inadequete and the possibility of similar attacks is highly probable. Ultimately more care needs to be taken with the domain names, registrant data and data hosted on these domains. Registrars need to ensure their security standards are high, recognising their client’s website can be their business, and the loss of data such as in the Distribute.IT hack has the potential to destroy a business. However it is not just registrars such as Distribute.IT that have to bear some responsibility Fenton said, but also resellers who have to safeguard against catastrophic data loss. And then it comes to the domain name registrant. Registrants need to realise that sometimes despite the best intentions and highest levels of security, hacks and natural disasters can happen that can occasionally lead to a catastrophic data loss. Webhosting companies can and do lose data and people and organisations using these services should also do regular backups.

A map of threat origins, from Trustwave’s free 2011 Global Security Report (WEB HOST INDUSTRY REVIEW) — Security compliance firm Trustwave Holdings ( www.trustwave.com ) announced late last week that it has filed its initial registration documents with the US Securities and Exchange Commission for an initial public offering in which the company hopes to raise up to $100 million through the sale of its stock. Trustwave is reportedly one of quite a few companies to file early IPO documents last week, part of a larger trend toward more new IPOs, after several years of inactivity and near-inactivity. Trustwave posted revenues of $111.5 million in 2010, with an overall loss of $4.6 million.

A map of threat origins, from Trustwave’s free 2011 Global Security Report (WEB HOST INDUSTRY REVIEW) — Security compliance firm Trustwave Holdings ( www.trustwave.com ) announced late last week that it has filed its initial registration documents with the US Securities and Exchange Commission for an initial public offering in which the company hopes to raise up to $100 million through the sale of its stock. Trustwave is reportedly one of quite a few companies to file early IPO documents last week, part of a larger trend toward more new IPOs, after several years of inactivity and near-inactivity.