FINISHED COPY
NINTH ANNUAL MEETING OF THE
INTERNET GOVERNANCE FORUM 2014
ISTANBUL, TURKEY
"CONNECTING CONTINENTS FOR ENHANCED
MULTI‑STAKEHOLDER INTERNET GOVERNANCE"
05 SEPTEMBER 2014
10:30
WS 104
CYBERSECURITY FOR ccTLDS –
GOVERNANCE AND BEST PRACTICES (CB)
***
This is the output of the real‑time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
***
>> MARIA FARRELL: Good morning, everyone. I think we can begin this session. My name is Maria Farrell. I am the Moderator of this panel. This panel is ccTLDs and governance and best practices. I want to welcome everyone to this session and also say we want to run this very hopefully with a bit of give and take pretty informally. We are going to start off with just putting a quick question and opening question to all of my panelists and really from that point on any time anyone would like to ask their own question put up your hand and I will invite you to speak. One just, what shall we call it, a housekeeping matter, this is a good news and bad news, I unfortunately have to run to the airport in 30 minutes, which is poor timing on my part. So I will not be chairing the full panel. The good news is that my colleague Mark McFadden is going to very ably take over the chairing of the panel. And so you will be in very, very good hands at that stage.
So who do we have today here to speak about ccTLDs and cybersecurity? Well, we have got quite a few luminaries, if I may say. First on my left we have Mohamed El Bashir from the ICT Authority of Qatar. He is the manager of Internet numbering and what are you ‑‑ interconnection. And he is also very, very involved in ICANN in the at large and also in all sorts of fora. And then we have Mark McFadden, my colleague who is, gosh, Mark, I know you so well, I didn't write an introduction for you. He is an expert on many things. He worked for some time, we were colleagues together actually working at ICANN. Mark was then working at IANA and Mark is my colleague at Interconnect Communications in the UK where we do infrastructure and policy consulting.
And beside Mark we have Andrey Kolesnikov, who is the CEO of DotRU, one of the biggest ccTLDs on the planet. Thank you. And here immediately to my left Patrik Faltstrom, who is the Chair of the ICANN Advisory Committee, the SSAC and an expert on many, many security issues and an IETF stalwart. To my right I have here is a question, Marco, I don't know how to pronounce your second name.
>> MAARTEN HOGEWONING: Maarten Hogewoning.
>> MARIA FARRELL: That was ‑‑
>> MAARTEN HOGEWONING: Just call me Marco.
>> MARIA FARRELL: I think that Dutch people have too many consonants in their names. That is Marco Hogewoning. He is the external relations officer at RIPE NCC in the Netherlands and formerly an engineer within an ISP. And we have a couple of ‑‑ one or two honorary panelists who I am just going to point my finger at, and they will be very surprised, is Eduardo Santoyo of DotCO. And everyone else is terrified in case I am going to point the finger at them. So I am going to stop there.
But just to emphasize this is very much an open session. Put up your hand and ask questions. No question is too foolish or too inexperienced. This is really in a way almost a security for nonsecurity experts type of panel.
My first question is going to be to all the panelists with the exception of Mark who is going to sit here quietly, what would you consider to be the top two or three cybersecurity issues facing Country Code Top Level Domains? And is there much of a difference in the issues faced by very large CC or relatively smaller ones? And how can they mitigate those? What can be done about them? Mohamed, over to you.
>> MOHAMED EL BASHIR: Glad to be in this session. To share some experience from the African perspective as well. I was one of the ccTLDs that established the fTLD. And I think one of the challenges currently that's facing African small ccs that they are operating manual processes and now they are moving to automating those registration procedures. So they are going to automated systems. And some of those automated registry systems have web interfaces. And so we have ‑‑ that's also ‑‑ will raise a security concern, because if you look at the Middle East region in the last year, there have been some political attacks to specific countries and we have seen the rise of the Syrian Electronic Army targeting some in the Middle East region and being able to penetrate those web‑based systems.
I think the challenge is to look at the system that they are going to deploy, ensure that security is really thought through. Maybe they need to get expertise as well in that regard because it is very rare to find a security expert among those ccTLDs registries because they are really small registries, a small group of people, two to maximum five in most of the African countries in the Middle East region. So that expertise, that high level expertise sometimes does not exist. Maybe a coordination with CERTs or security experts to enhance security on the registry systems, I think that's a critical point now when they move to automation. Thank you.
>> MARIA FARRELL: Thanks very much. I think certainly the idea of the ‑‑ the rise of the Syrian Electronic Army is a topic I would like to return to. Andrey, what is your take on the top cc issues?
>> ANDREY KOLESNIKOV: Well, there are two actually. One is maintaining the appropriate operations and mitigating the risks. Any ccTLD operation should be run by the professional people at a high professional level, taking in to consideration all the security recommendations, protecting the network, having internal procedures, et cetera, et cetera. We all know at least people who run the ccTLD operation, they basically know what I'm talking about. Well, this is critical infrastructure. For example, in Russia there are almost 5 million domain names having more than 4 million websites writing ‑‑ running the core businesses for Russia for the governments for people, social Networks, business electronic shops. Depends on how organisation operates the ‑‑ their domain zone. Well, so far there was no single incident for the 20 years of operations. That means we are trying hard to, you know, to maintain its level, this high level.
And the second threat and it is a real threat, is overall level of literacy of the users and wide range of users and end users, consumers, businesses who is using web and ‑‑ who is using the Domain Name System for the ‑‑ for their operations. And even though, you know, what we also consider Russia's kind of highly developed liberated country. Still majority of the cyber threats and cyber incidents coming not from the bad guys who is really trying to, you know, gain some control or do something but from the people who really don't know some basics and how to run the operations and how to run their websites, how to manage their computer, how to update their software, et cetera, et cetera. So if we talk about ccTLD, then it is perfect operations to protect the end users. It is literacy and knowledge about the danger of the Internet threats.
>> MARIA FARRELL: Thanks, Andrey. Patrik, Patrik Faltstrom.
>> PATRIK FALTSTROM: Thank you very much. I think the recommendation we heard specifically regarding users' inability to have their own domain names and servers update is a very good recommendation, but I was thinking of staying the cc itself. And there I see specifically two problems. The first one is to make sure that the name servers always respond and respond correctly given the data that is given to them. And that implies having stable DNS operation, being able to withstand the service attacks. And this can be resolved in specifically two ways, either you are on your own DNS infrastructure or you buy it as a service from someone. Most cases it is a mixture of the two and that's what I would recommend.
The second and by the way when we talk about attacks, we talk about really large attacks and we talk about the real problematic issues on being able to withstand them. The second issue that is ‑‑ that is important that we currently see quite a large number of attacks that is to ensure that the data in ccTLD registry actually is correct. And that includes the cause of that security with the registrars and in the case you are registrars there are quite a lot of attacks that are using social engineering people calling to the registry or registrar faking they are a customer and trying to get data for a specific domain name in the ccTLD changed.
So this can be anything from social engineering to actual hacking and attack against web interfaces, EPP interface, either at the registrar, registry itself or between the registry and the registrar. So those two attack vectors are the two that are the most common ones. Regarding what we have been doing in SSAC we have written a couple of reports on both of those issues, but specifically regarding what mechanism a registry can take to protect the data registrant has entered in to the registry sometimes via the registrar. This is highly complicated, like as we heard before you need to have really skilled people that are working with these kinds of things and you need to be prepared on also answering and acting quickly if it is the case that you have an incident. So having an emergency contact number, knowing, having the processes ready to mitigate when there are problems is also sort of the third vectors. My three recommendations would be make sure that you have a stable DNS operation that your actual database is robust and withstand various different attacks. And the third one that you have good processes already designed and tested before you have an incident.
>> MARIA FARRELL: Thank you, Patrik. So Mohamed was talking about the fact that so many ccs, particularly in Africa, but I think around the world have five or less people working for them. And you just mentioned that some ccs, that you even recommend some cc outsource some of their functions. I am not asking you to make kind of a value judgment about what should be, but what are the typical types of outsourcing you would see particularly amongst the smaller ones?
>> PATRIK FALTSTROM: Let me say that this has nothing to do with whether an organisation is small or large. There are small organisations that are really good on operations and there are large operations that do their operation badly. It is not a north/south issue or an east/west thing. It is whether you have the skills or not. Regarding outsourcing there are a couple of typical things that you can do. As a registry you can buy your whole back end, your whole registry system, DNS operation and everything from a third party. There are those that sell those services. You can also decide to run your own registry and, for example, hidden master DNS server and then you buy the secondary services from people. There are all different kinds of ways that you can slice the cake. And the important thing is that you as the registry you are responsible for ensuring that your ccTLD works and how much you are dealing with the actual operation yourself and how much you are asking other people to do depends on your own business model, what fits you, what fits you and your culture, et cetera. Because as we just heard earlier it is also important that the people that buy the domain names, the registrants, first of all, understand how to buy it. It is a local language issue. It is an accessibility issue and the ability to use the domain name. Maybe it is the case that the registry should concentrate on the more cultural role of business issues and not so much the technical operational. In other cases several neighboring countries or ccs within the same cultural block can share experience within, for example, CENTR or LACTLD and those organisations and share experience, share systems, develop things together, et cetera. But the important thing is that each ccTLD are in charge of their ccTLD and sort of build their own business model.
>> MARIA FARRELL: Thanks very much, Patrik. Marco, over to you and maybe you could as well talk about maybe the top issues, share some of the resources that may be available to ccs as well.
>> MAARTEN HOGEWONING: Well, yes. You might be wondering whether or not the registry ‑‑ regional central registry doing on a ccTLD panel. As Patrik said I agree that one of the primary causes of concern are weak points in the infrastructure that might be vulnerable to attack. Patrik said you can buy, you can outsource stuff. We are not necessarily selling it, but one of the services that RIPE NCC offers through the community is secondary DNS. We offer it for 77 ccTLDs, most live in Developing Countries. That service is available for free which will add resilience. Means that we have got our servers back in Europe that can answer DNS queries should the primary source become unavailable.
The other thing we do is we operate quite a large measurement network and that measurement network together with a toolkit that we call DNSMON can be used to assess the situation and monitor the performance. And I think that's one of the tools, the important part when thinking about security is to plan ahead and anticipate what happens. And these toolkits can help in trying to find weak points in the infrastructure and designing mitigation, designing what to do around them. So that's the thing. And the other thing I think and there was also flagged is lack of human capacity, lack of knowledge and that's not really necessarily a ccTLD issue. It can be in the users of the ccTLD. We are also active in that field and providing DNSSEC courses for our members and trying to enhance that part of the equation.
>> MARIA FARRELL: Eduardo, our honorary panel member, can you offer any insights on top security issues for you in running DotCO? And maybe even any particular tales of woe, stories or particular case studies that you can think of that are particularly relevant?
>> EDUARDO SANTOYO: Thank you, Maria, for this opportunity to address the panel. I'm not just ‑‑ I happen to be here and to share some of the experiences that we have as a ccTLD. From the very beginning that we had the responsibility to run that DotCO registry in 2010 we took very seriously the security issue as one of the most important things that we have to deal with. It seems like other domains that we don't want to mention here. But also because it is a new way of operational model that we would be running in Colombia since we run before. The first thing that we did as Andrey said be sure that we have a world class appraisal model and we decide to use the operational structure of a big company who can provide the services at that time was user and we use the services from them in order to be sure that the four operational DNS structures of the domain name we have a very good structure. And that is ‑‑ that has been working very well until now. And we still have very close ‑‑ we follow very close how is the operational working going in order to be sure that we can assure to the Colombian Government that we have a very good operational model.
First of all, to integrate us as a company as members of the company, as individuals with other people who share or who discuss things about security and how the cc or the country codes can support this activity. For that reason we hire one person in our organisation who has been charged specifically to run the security engagement of the company with all the international and national organisations which his name is Gonzalo and he has been participating in many, many organisations and in many meetings, not just in Colombia but all around the world in order to connect the dot registry.
We did the environment locally, an international taught environment who told us about the security. It has been very useful for us having Gonzalo doing this. We are part of a Working Group and we are recognized by many organisations internationally that as a organisation to deal with things of security and who do some things and we are doing that. And internally in Colombia now we have a formal relationship by agreements that we signed with the Ministry of the Defense in Colombia with the National Police in Colombia and the Ministry of Information and Technology regarding these specific topic of security.
We also are and have been invited and we participate in the critical infrastructure table that we have in Colombia in order to discuss topics about cyber defense, cybersecurity and cyber defense and we participate as a team member. The country code is involved in these events as a team member. Just given that we have from ourselves and given the possibility to take steps that they require from the domain name. More than that, yes. We also have a rapid domain compliance process. We said that it is something that we are collecting information from many people who know us and who monitor the Web around the world. Symantec and many organisations to monitor the Internet looking for child porn websites. We ask all the people who know that and we sign some agreements with some of them please send some information about the mis‑ or bad use of the space.
We receive this information and we have contracted a lot in order to analyze this information. And then we use the revelation that we have with the registrars in order to ask them to monitor because once we have the evidence that is really having something that could be considered, we don't assume the responsibility to define these as illegal activity or not, but please we are seeing these on this site. And we ask the registrar to contact the registrant to make them know that this domain name has been used to phishing, to child porn for everything and then please take action. And at the same time we are given this information all this information to the Colombian authorities because they need to have the information in order to collect these and to make intelligence at some time. And we haven't had a very good experience during this because as we realise most of the sites using DotCO sites having phishing places has been used by hackers, not by the owners, not by the legal owners of the site and then they realize they are happy to receive our notice that may I didn't realise that our site was being used for that. Thank you for that. And we are going to correct this. It took some measure in order to prevent that not happen again in the future and that was good.
And then for ‑‑ but the main point here for us is letting the people know that we are trying to ‑‑ and we are really doing something in this and we are given information from the Colombian authorities that we have much more time.
The last but not the least that we are doing is that we are integrated with the other cc ‑‑ with the cc community. We are active members of the cc regional global organisations within LACTLD and within ICANN in the ccNSO and we are sharing with them our experiences. We are talking with them every single time what are we doing and we are learning from all of them what else can be done.
This is almost what we are doing on that. That's it.
>> MARIA FARRELL: Thank you so much, Eduardo. I think that's a really fantastic example of all the things that cc can be doing in the national and regional and international ecosystem. Mohamed, I wanted to ask you again, you just mentioned earlier just a little bit about that relationship between ccs and Governments. And Eduardo has touched on it quite a bit. I mean what do you think are ‑‑ here is a question, almost like what should be the ideal type of relationship. I don't mean in governance terms but in terms of cooperation or knowledge sharing and that kind of good examples that you have seen?
>> MOHAMED EL BASHIR: Thank you very much. I think what we are seeing more Government involvement in the ccTLD operations developing world. That means that ccTLDs have a management or a board or whatever you can name it community, a Committee or else name of organisation that consist of different multi‑stakeholders. We have Governments. We can see Governments be involved. Sometimes we see regulators be involved. Academia are involved, Civil Society, which is a good approach. If we have a multi‑stakeholder Internet community backing up and supporting the ccTLD really that's a good approach. Because they add a balance and they ensure that there is support on the community if needed by the ccTLD. And it has also some kind of oversight on the ccTLD as well, having Government and others on governance structures for the registry. Traditionally I am sure you know that the risk of re‑delegation was really a concern from many ccs. There was a tenuous relationship between ccs and the Government at some point. And we have seen re‑delegation in the past. But I think that is changing now. We are seeing more stable ccTLD registries with multi‑stakeholder partners involved on that.
So I think that's important. And that we need to encourage that the cc to ensure that the local community engage and support them.
>> MARK MCFADDEN: One of the things that I, Eduardo, talked about that I am kind of interested in and it comes out of my background, but the Internet addressing community has regional groups that are very mature. They have been around a long time. And in those groups there is a lot of information sharing, a lot of operational information sharing. Security is sometimes although rarely a part of that conversation. But one of the things that's emerging are regional organisations for the ccTLDs. We know that CENTR has been around a long time but, for instance, LACTLD, a relatively young organisation by comparison. And what I'm interested in from perhaps Andrey and Eduardo and Mohamed is are those organisations, the regional organisations a successful way to share cybersecurity best practices, a way to share cybersecurity best information? And are they different from, for instance, regional or national CERTs in that way? And maybe I will start with Andrey here. My interest is both Andrey and also Patrik talked about the sort of the need for more talented, better informed people. Are these organisations the way to do that?
>> ANDREY KOLESNIKOV: We are a member of CENTR and they are a Working Group, you know, especially credit to share the experience of the country code managers about the cybersecurity threats and the best practices, et cetera, et cetera. However there is informal communication constantly going between the people who meet very frequently and especially in the technical community it is a very strong informal communication which in some hard times in the red alerts time really help people to mitigate cybersecurity threats rather quickly. And it is not necessary that I think, you know, for me is like if the system works, it is good. I mean it doesn't necessarily mean that we all should like sit together and sign some document to create some kind of a new Working Group to, you know, to do ‑‑ to find cybersecurity threats as far as people who are in charge of the security really live in their own world and they communicate on a daily basis.
I should also say a few words back to the internal issues that there is some experience which I'm happy to share with the community, that one of our projects and one of our tasks is to manage the level of threats online, especially using the national domain names DotRU and DotRF. We have created an interesting group of people and that's leading Internet companies in Russia like Yandex search engine and a few other companies. And we share the information about the threats and we have a mitigation database which is run by our technical centre. And what we do we accept the records about the malicious domain names in DotRU. And we get the signals from the different parts and rate them and put them in a database. And this information is being used by the members of our ‑‑ for example, in the search engine if the domain name is tagged as a malicious or has a phishing, we start to find phishing thing because it is the most dangerous thing in cybersecurity. If you ask something for search engine, it doesn't show you the results which contains the domain name.
The same with the lab, largest antivirus company, they use this information to fine‑tune their antivirus system. And also there are a group of customers who is using this information. So it means that the effective way to battle a cybersecurity threat is actually in communication and different players and different markets. Unfortunately ‑‑ fortunately there are products on the market, for example, but it is a commercial product. It is a set of companies who is providing security data who analyze your domain name and own file. But they charge money. We initially build a system as a non‑profit because I think that the national registry, the cc, the country code organisation, especially if it has some money to spend on some useful projects, this is a good area to spend the money and to build the service because it is a public service. Everyone benefits from it. And, of course, business is business. But this part of the ‑‑ this part of the business I think it is very important to be kind of cooperative and free of charge for the customers because it brings the level of threats down.
So I really look forward if country code ‑‑ I mean we can share this data if there will be a need from other country code organisations. But I think this is a very interesting way to cooperate even internationally.
>> PATRIK FALTSTROM: Yeah, I'd like to take a different angle and talking about capacity building and great to see that we see some regional initiatives starting out CENTR with LACTLD, but the one angle that I would like to touch is when it comes to capacity building is the ccTLD as a community themselves. If there is one thing that the Internet industry and the country together it is their Country Code Top Level Domain. And we from the regional Internet registry when trying to reach out to specific countries always partner a lot of times, partner with the ccTLD because they are a great vehicle to reach out to a local Internet community. Sharing among the ccTLD at a regional level is great but using it as a vehicle to spread it further down it is a very important role that we should keep in mind when talking about security and DNS in general.
>> MARK MCFADDEN: Eduardo, you talked a lot about the relationships in DotCO between the registry, but also you talked about the relationship between you and law enforcement, you and others. What about in the region? And tell us a little bit about your experience with LACTLD in relation to cybersecurity and being able to share information in that region.
>> EDUARDO SANTOYO: The different ccTLDs has really different approaches about this. Not exactly the same for everyone. And what we are doing now is trying to make this topic, this specific issue of cybersecurity put over the table and to have been discussed within the cc community in the LACTLD because the LACTLD space they are friends. They are talking between peers. We are talking within friends. And in many cases or in some cases, in many there are some fears to talk with local authority about these and what are the role of the cc on these. It is not very clear for many of ‑‑ for some of our members how to run this relationship with the local Governments. I guess that some of us in the region are really well connected with their own communities, and I mean the own communities private sector, banks Associations, ISP Association but also with the local Government, but some others probably don't want to have a very close relation with them. They prefer to stay as a technical side, technical community, a little bit a side of the relations of the Government. What we are doing at the moment is trying to introduce this topic to be ‑‑ or to have been discussed or to have been analyzed or to have been Tweeted within Paris in LACTLD. That's what we are doing now.
>> MARK MCFADDEN: Moving ‑‑ move to a different topic entirely and that is slightly a more technical topic than information sharing among ccTLDs and let me turn to Patrik for a moment partly because I know his answer will be yes to a question that's not a yes or no question. And that is what about DNSSEC for ccTLDs is something that is appropriate for all of them, some of them? Is this a it depends question, or is the answer a simple yes, that we have enough experience doing deployment and doing key management, that even for organisations that don't have a lot of technical expertise DNSSEC is critical? Let me guess what your answer is.
>> PATRIK FALTSTROM: The answer is a little bit longer than yes. Yes, to disappoint you. The reason why the answer is relatively short is today we have 700 TLDs as of this morning. And out of those 508 are signed. So it is ‑‑ so to some degree it is no longer a question of whether they should sign your TLD or not. It should just be done. We have 662 TLDs out of the 700 which do have IPv6 to their name servers. So it is a higher penetration of IPv6 than DNSSEC. According to my test that I run every 24 hours unfortunately 215 TLDs do have errors in their TLD. IPv6 and DNSSEC is something that will be added next time. There is a revision of the technology that you use in‑house.
Now to go back to your ‑‑ you asked about DNSSEC. I think it is important for ccTLD to start using DNSSEC for two reasons. The first one is that you get your own information about your own zone site and that means that all the caching and all the various DNS servers in the world do know whatever data you publish about the IP address, about our own name servers actually is correct. They can validate the signature of the records that is about your own ‑‑ your own DNS servers. So because of that it makes ‑‑ it removes one of the attack vectors for people that want to send a query to your own DNS server and that is directed somewhere else. They get your response and nothing. So you protect your own zone by signing it.
The second thing is that without signing your own zone you don't give the ability for your customers, the registrants to sign their zones because what is needed is a complete chain of trust from the parent which is the root, the ICANN root down to the zone of the registrant, which means if it is the case, if you have potential registrants in your country would like to sign your zone, there is two options, they can't fulfill their interest of getting a signed zone or they have to register somewhere else. The second one could be viewed as a pure business thing, that you lose customers if you don't sign your zone but don't forget the first one that you are protecting your own.
>> MARK MCFADDEN: Can I ask you a question about your statistics which were interesting? The statistics for DNSSEC were promising. Is it because it was a requirement in the new gTLD programme?
>> PATRIK FALTSTROM: Of course. It was much higher and now there are errors and some errors are there because the errors are in the mechanism. Always some kind of problem there. It is also the case that, for example, what I call errors sometimes, of course, for some people is not really viewed as an error. These are my numbers according to my judgment. So yes, that is one of the reasons. But we ‑‑ just because for good reasons as I explained earlier people are outsourcing DNS operation, both slave and master forcing DNSSEC on the new gTLD has created a second error sec which the back end providers have been forced to do provisioning and then sort of old customers that run TLDs have got DNSSEC for free. It is too expensive to one TLD with DNSSEC and even without. The direct effect is higher on the existing one. We have secondary effects which is better than is expected.
>> MARK MCFADDEN: Maybe I could ask the three ccTLD operators. One of the things that people said in the early days was that things like key management, zone signing, key rollover were difficult, that they were complicated tasks to do. And what I would ask my three ccTLDs, perhaps I will start with Mohamed, have those mechanisms ‑‑ are the processes for doing those tasks to manage a zone for DNSSEC, have they gotten better, easier, more mechanical? And as Patrik says is that partly the result of sort of a secondary effect of having many more zones being signed?
>> MOHAMED EL BASHIR: I will share my experience currently as managing ccTLD in preparation to deploy DNSSEC. I think there are available tools that enable all the processes to be easily managed I can say in terms of even having hardware available software tools available. There are also lots of open source tools already available currently. The major challenge I think is we had this capacity building and training. That's to ensure that really staff have really trained on using those tools and they have the expertise. So we took our time to ensure that the technical operations staff managing the registry they already have the technical knowledge because once we are ‑‑ we sign the zone and there is no reverse back. So we need to ensure that we are already ready for that. But there are currently tools in hand available, not costly I can say, affordable to most of the registries in the developing world. I think the key is not to maybe rush but you need to do it. But you need to plan it carefully and you need to ensure that you have staff that are really capable and trained to implement DNSSEC.
>> ANDREY KOLESNIKOV: Well, thank you for being polite. I will not. Okay? The DNSSEC process is still a pain, okay? The efforts which was spent for signing the procedures, the evidence, the engineers, the generation it is a complete pain because the ‑‑ I mean initially it is such a strange thing, DNSSEC, because there is no killing application which will pay for all our pain. This is how we see DNSSEC, because, you know, with 5 million domain names in DotRU we have maybe a few hundred signed domain names because we cannot explain to people why they ‑‑ why they should take our pain and bring it to their second level domain to increase the cost, operational thing, et cetera, et cetera. Still there is no proof. There is no killer app which will take the DNSSEC to the next level and give them the feel of security and nice, wonderful toys and tools. So I think DNSSEC is one of the failures.
>> EDUARDO SANTOYO: I can agree ‑‑ I can't agree more with you, Andrey. In fact, this is a pain. We are ‑‑ we have the implementation. Just because we outsource our DNS operation completely it is easy for us because we have people doing this for us and we are paying for that. But from our registrants they are not using DNSSEC. We have been ‑‑ we had two different Forums in Colombia who sponsored that for us. We brought many people from many institutions to explain what is DNSSEC, why it is important and how to implement and how to do that. But if we have ‑‑ we are not having 20. We have 15. 20 people in Colombia having DNSSEC implemented. That's it. The problem is not easy to implement and it is not a killer application. It is not a big solver problem.
>> MARK MCFADDEN: Let me go to Mohamed first and then Patrik next.
>> MOHAMED EL BASHIR: I agree to some part of it. The challenge of completing the chain it will be there. Imagine you have registrars really who is even struggling to have the basics of other ‑‑ I mean automating the service itself. But you cannot as well let's say deny the benefit of having a signed zone just to ensure that also when there is crisis that the world ‑‑ the other part of the DNS okay, they have a trusted source of ‑‑ you are a trusted source of information for your DNS. And that is critical when there's attacks happening and there's issues involved. End users definitely take it as an issue. Registrars are not doing anything to really promote DNSSEC. There is no services associated with that to end users. The registrant value proposition is not there. That's the reality currently. That's the reality. But at the registry level add definitely value. It is not easy. It is difficult. You need to get outside parties really to help you in doing that. And it is ‑‑ I think it is doable. Yeah. Even at the small registry is just completing the chain. That's the main argument we are hearing from ccTLDs in even my region. Yeah.
>> PATRIK FALTSTROM: So sure, one can see DNSSEC as a pain and it is a pain to do transfer between one DNS operator to another one. It is still not clear how to do the key management because of the caching in DNS. Yes, that's a pain. I'm ‑‑ in my spare time I'm a co‑owner of a DNS hosting provider. And I must say we started to run DNSSEC on all of our zones. Like many years ago it is completely automated and it is not noticeable. The registrants don't know that their zones are signed. It is not something they ask for. It is just there. So I think that the only way that we will be using DNSSEC is just by adding it. It is not something people pay extra for, and this means that DNSSEC to some degree will only be deployed when it is sort of built in and everything ‑‑ all the software and everything people are using but it is also ‑‑ that is also the point in time when it is easier to use it because the tools can handle it. For example, if you take the latest version of BIND, for example, we can sort of without going in to discussion whether we think it is good or bad, it is today automatically signing, re‑signing the zones. Just turn it on, done.
Okay. So regarding the killer application, the reason why I am pushing for DNSSEC is sure, for the ability to validate the zone content, but the most important thing is that I see the current X.509 certificate hierarchy and PKIs that we are using with the CAs that we use to secure websites is completely broken. And how to get out of that mess is that we cannot handle certificates correctly. So we do need the technology called DANE that is currently involved in the IETF that everyone can create their own certificate and they sign ‑‑ they put it up in the website and sign it with the DNSSEC. And that with DNSSEC we secure the Web transactions and not DNSSEC, I agree with you, the pain is big to use DNSSEC only. I agree with that. Okay. So the Moderator of the session has a broken microphone. Maybe you said something bad. Some censoring going on. Let's start in the back there. You have a question.
>> AUDIENCE: So I don't want to detract from the DNSSEC conversation, but I have a different question. I am Alexander. I am a security guy.
>> PATRIK FALTSTROM: You really have to speak in to the microphone because the speakers are also directing your direction and not toward us. Thank you.
>> AUDIENCE: So my principal question is what the panel thinks of the recent history with DotSU and the recent experience and used to improve domain management. DotSU was fairly ‑‑ was not used in a great way. Around 2007, 2008 when ICANN announced to reregister and starting in 2009 there was an explosion of registration and that's about 150,000 domains on DotSU and much of the badness was associated with DotRU was migrated to DotSU. What is the best way to deal with a domain that was deregistered or do we go ahead and proceed with the registration even though we have 150,000 domains that may or may not be legitimate and take the collateral damage? What's the view of the panel on this?
>> PATRIK FALTSTROM: Can you repeat what the actual question is because it sounded more like a description?
>> AUDIENCE: The question is simply do we simply ask the registry to adopt better registration practices, decreased level of badness that is currently being used on DotSU or, does it go back to the original description of trying to reregister the original domain? It might be viewed as legitimate.
>> ANDREY KOLESNIKOV: Well, there are ‑‑ I believe there are more than 100,000 domain name registrations DotSU and you should probably ask ICANN or the registry who runs the DotSU these kind of questions because I really don't have an answer for that if you look at me, even though it is my neighbors. But it is not our operations. We not ‑‑ we are not assigning rules or thinking about it.
>> PATRIK FALTSTROM: I am a little bit curious, you talk about bad practices. It seems to me that you have an interest or having the registrar or the registry in some combination police the use the registrant or the intent the registrant has. Can you please expand on that?
>> AUDIENCE: So my understanding was that when DotRU increased their registration requirements, for instance, and making it harder for rapid and automatic registration of domains a lot of it moved to DotSU, making it effectively an easy fix for those wanting to maintain badness on the net. So effectively you had an easy shift, rapid shift of activity from DotRU to DotSU and that is because of the registration requirements are lower. So RU has rather stringent registration requirements and DotSU has very low level registration requirements. We have a shift of the ecosystem. And my question is how do we deal with this. Do we go back to the same debate of trying to improve who is ‑‑ requirements, or do we have to go and use the very blunt instruments that was originally proposed back in 2007, 2008 of deregistration which I think also would have questions of legitimacy attached to it? So really a question of looking at registration requirements first and foremost.
>> ANDREY KOLESNIKOV: Okay. I have an answer to your question because I hear it now about the migration use bad guys from DotRU to DotSU. Not statistically used because the bulk registration price in the DotRU is about, you know, the bulk, about 80 rubles which is below ‑‑ which is now below $2. It is about $2, okay? The registration price of DotSU even in the bulk members is about ‑‑ is above 200 rubles. It is the 300 something rubles. It is almost $10, okay? And the bad guys, believe me, we spend a lot of time researching. They are very price sensitive because they are planting thousands and thousands domains for malware and for them the registration price in their business model is a part of their cost. So for them to take off from the DotRU which we kind of are trying to clean up in to DotSU which you said is not under the control is a financial factor which they cannot allow.
So it is not a proved fact that they are moving from DotRU to the DotSU. There are some malicious domain names in almost every domain zone. And let me put it like this, in our data record in the database there are more than 1.5 million domain names second and third level and 40% of come from the DotRU, from the second level domain, but it doesn't necessarily mean they are still malicious. They are being affected by hosting providers. But the most important thing is how to help you protect your user, the Internet user from visiting this bad site because I mean legally there are ‑‑ there is a lot of problems in the legal ‑‑ in the cross‑border field. And considering this I think which I said before our joint cooperation was with leading Internet companies is to delay the domain names, to keep them invisible for the end users. In many legislations you just don't have a tool to like stop this domain working. But, you know, at least we agreed that the phishing domain names and they have been closed within 24 hours of the notification. But I will not answer your question about the ‑‑ is it a legitimate domain Top‑Level Domain or not. It is not for me.
>> MARK MCFADDEN: There was another question here. Sure. Please.
>> AUDIENCE: Okay. My name is Tarik, managing technical ‑‑ managing DotSD registry. It is a ccTLD in Africa for Sudan. And after ‑‑ Mohamed was before me. And I want to talk about African cases. You know, that security issues can only be managed or solved by technical, well, nontechnical persons and we don't have those in Africa. Why? Because many of the ccTLDs in Africa are managed by Civil Societies, NGOs, not like in Arab regions. It is managed by the Government. So as a Government supported by training, by building capacity, by ‑‑ we in Africa are trying to manage it by ‑‑ through AfTLD, through some capacity building but I think we need more than that, especially in Africa we need capacity building in these issues. So my question what can the ccTLD community do for that? We have in Africa DNS Forum. It was hosted by ‑‑ this is the second DNS Forum we just started but it is not going ‑‑ we need more to develop, to train, to build capacity for our technicians to improve our security issues.
>> MARK MCFADDEN: Marco, I am going to hand this to you. It is reaching out in its community. Service area is very large. And one of the things that it started doing maybe six or seven years ago is starting having regional meeting. RIPE has been very effective of supporting diverse communities that are getting started and doing capacity building. Maybe you can talk about some strategies that would meet Pan‑African needs using that kind of model.
>> MAARTEN HOGEWONING: Yes. Like you said we are growing from a regional. We work with a lot of smaller regional communities and what we call network operators group that got established after a few RIPE series meetings. I think it comes down to ‑‑ partially comes down to what I said earlier about using the ccTLD actually as a vehicle and, for instance, I have also seen back end in the past and I still see, for instance, in the Netherlands the DotNL registry in organizing their courses. What I notice is a lot of times we have got the material available, but unfortunately we can't be everywhere. So one of the things that we are now focusing on now is train the trainer programmes and trying to educate people to educate others. And I think that's the important bit. And for that we need to establish ground rules. Like you said there are DNS fora now in Africa starting. It is a great vehicle, but what's important is that the people that get there get a copy of the material and get more trained in how to further spread the knowledge rather than just being there as a consumer. I think that's ‑‑ and I'm sure that, for instance, our sister in Africa AfriNIC and AfNOG, the African operators group. The vehicles are there and ‑‑ but it is necessary for the ccTLD to help us with the outreach to people. Of course, traveling to DNS Forum is expensive. You want the knowledge to be hosted local and I think that ccTLDs have an important role.
>> MARK MCFADDEN: One of the things that we have seen in the Middle East and in the Latin and Caribbean area is this ‑‑ the question ‑‑ the questioner provides this very interesting sort of evolutionary concern. When ccTLD is getting up and running often it is Civil Society that are providing the resources. And then there is a gradual evolution to a professionally managed business that is perhaps supported by Government but perhaps a commercial enterprise that Government is delegating to. And I think one of the things that we see in the Middle East and Mohamed can share his experience and certainly in South America and parts of the Latin America we see that evolution, the changing sort of state of the ccTLDs and their professional approach to cybersecurity. Maybe I could ask the two of you to talk about that evolution and maybe there are some lessons to be learned that help answer that question. Sure, Eduardo.
>> EDUARDO SANTOYO: We identify some vehicles in Latin American region. First of all, we find a way to be more integrated within the regional organisation because within the regional organisation we can find some big registries that can share experiences and can also share capacity in order to help to increase the capacity of the smallest one. The other one is that having the regional organisation is possible to bring other partners in these efforts like ISOC, for instance. ISOC have found that can be used for these specific proposals to build capacity building within the small registries. This is possible to have these found in order to organise meetings through the regional organisations. And, of course, the other one is to participate in ‑‑ within the ICANN meetings we have tech day. That almost the first day of the ICANN meetings the tech day and sometimes this tech day is oriented to help or to increase these capacities within the cc community. There are scholarships to attend these meetings that can be used by small registries.
And the final one is that we have been discussing within the board to have some interchange within the regional organisations. Probably we have been able now to have agreements within LACTLD and AfTLD in order to have a special workshop talking about security or technical capabilities and that workshop could be held in some place in Africa or some place in Latin America. We need to figure out how to do that. We did that last year with Centre talking about commercial topic. It was very, very interesting for both organisations, not just for LACTLD but also for Centre. We can do that for technical aspect, too.
>> MARK MCFADDEN: Mohamed, let me come to you.
>> MOHAMED EL BASHIR: AfTLD is doing a good job in terms of bringing training to African ccTLDs and collaborating with other partners who are also helping the African ccTLDs. I want to talk about the evolution of registration. That's important. Start at Civil Society and then building capacity and grew. And I think it is important what I see currently that there are registries who are operating as professional organisations with a set of required skills. If you look at it, there is a technical operation that is needed, highly skilled technical staff on DNS, database networking and that's a fundamental component of the registry. And they need for you to be professional engineers or people managing that. And then you have the business development component which is the registrar's development, the marketing, ensuring that you are already onboarding registrars. So that need also to be ‑‑ to be equipped with really good marketing, sales, business development professionals to ensure the growth of the ccTLDs or the registry and then there is the support function which is very critical as well. Some registries are going to further in having R&D functions either because they develop their own software or they produce statistics or they have research in areas like IDNs, for example. So ‑‑ but if you look at it those are the three main components. And it is important that in the registry to have really very skilled, knowledgeable staff on those areas. So it is not ‑‑ that's a necessity. So to run an efficient registry as we are ‑‑ we heard, this is a very critical application for the whole country. And there is lots of e‑commerce, e‑mails, web presence associated with that. So I think it is important that the registries in a developing world, in Africa and the Middle East complete that shift and that requires support from the Government, from the private sector to ensure that really we are moving from a voluntarily run organisation to more professional skilled organisations.
>> MARK MCFADDEN: Patrik, you were going to say something on this topic?
>> PATRIK FALTSTROM: Yes, the one thing that I see in Sweden which might be like a specific Swedish thing is that the Swedish aid organisation, CDON have understood the connection between, for example, ICT democracy and Human Rights. In the various programmes they are running they are definitely linking ICT support to their more sort of traditional support. For example, in Africa I saw the Swedish Government saying in the next four years was going to spend 140 million Euros. And I really hope that if the local community also agree that there is a connection between democracy and Human Rights and ICT that the normal sort of large funds for support Developing Countries in the world can be sort of funneled over to ICT projects and not sort of own ‑‑ not only the traditional help that's going on. So I think we should all help not only sort of we from Sweden which are donating money but also various people which is a closer connection in the receiving countries to also help with this work.
>> MARK MCFADDEN: Sure, please.
>> AUDIENCE: My name is Mary from DotNG and I am also part of the AfTLD executive Committee, and AfTLD runs three training programmes in a year. There is the IROC, the Initial Registry Operation Course. We have advance and then S is for security. But we have found out that sometimes the location of our programme may affect those that would have come to give us some support, because the one we run in Katoun, there was problem of getting the ‑‑ our resource person coming to give us lectures there. Now that's for that. And in my own ‑‑ we have a mixed bag in the African region that some ccs are run by the Government. Some by volunteers like Civil Society. Some with some professional. But mostly and some are still not even delegated. So in a country of 54 members you find out that only 22 are members of the AfTLD. So there is still issues of membership, issues of re‑delegation and delegation and re‑delegation from ICANN, even to the countries. Some of their ccs they have given it to foreigners to operate for them. So those are mixed, but some of the things that we are still dealing with but come back to the DotNG, my own country, the national security advisor that is looking at cybersecurity do call us for meetings. And they do call us, we are part of the stakeholder organisation that is crafting the cybersecurity strategic policy and will go to the National Assembly and the cc will play a great role to get that.
In terms of DNSSEC we have done a ‑‑ we have not done proper training of our people. Most of our people are still on IPv4, not ‑‑ the adoption is still a process. We are trying to see how we can adopt the IPv6. And so the easiness of signing on these is very questionable. We don't have the capacity. Two, we have not had enough training of even our registrars. So those are things ‑‑ we are still making some plans. We thought we was sign ‑‑ we sign this zone this year but it is slipping out of our hands, but if there is any help that we can get to be able to do the capacity building and be able to sign the DNSSEC on our zone we would appreciate it. Thank you.
>> REMOTE MODERATOR: We have a question from remote participants. Salim, private sector. Question is that can you give us statistics of the DNS security implementation in ccTLD. Okay?
>> (Off microphone).
>> MARK MCFADDEN: That was completely impossible to hear back here. So we are waiting for the transcription. So the question is as I understand it, and you can correct me if I am wrong, is what are the statistics for DNSSEC implementation in the ccTLD community. I know you have your overall statistics for ‑‑
>> PATRIK FALTSTROM: I need to do counting manually. So if you wait a few minutes I will have an answer. I am happy to do it.
>> MARK MCFADDEN: He has the data in front of him. We will make him do a count. Another question from the remote folks? No. Thank you very much. I want to come to the first two observations. In fact, I would like to come to the end of our session with your observation, I think that's very interesting. And one of the things that we heard about DotCO was that there is a very formal and very structured relationship between the registry and the Government on security issues. And a while back as a naive person who sort of maybe didn't think about this very clearly, I thought that that was not that common across all ccTLDs. But in fact, I'm starting to think that the relationship between a national Government and the ccTLD operator on national security issues has become a matter of national importance. And maybe I will finish up by allowing observations from the floor, but also moving among my panelists here to finish by talking about how has that relationship evolved in your mind. Has it started out and been informal in the beginning and become much more formal now? Are there formal regular meetings? How has this changed? And what do you ‑‑ you think that best practices for one country are the same for other countries? How does that work for you, Mohamed?
>> MOHAMED EL BASHIR: I think that relationship definitely is very important, very critical. Because at the moment of crisis really it is ‑‑ sometimes help is needed at the different levels. So I'm in favor of formalizing that relationship in a sort of joint committees. And one of the key stakeholders is the CERT, the local CERT. Because they are the ones who are really dealing with the technical issues. But I think that's ‑‑ that needs to be formalized in some sort of meetings. In our case we have monthly meetings. We have a clear line of communications open between us and in terms of crisis and we have seen that attacks increase in our region in the Middle East in the last year, major attacks. So that's ‑‑ we are working actively together from that relationship. We have dedicated teams working together in enhancements, security enhancement, joint projects to ensure that different layers of security recommendations is already applied. So that's ‑‑ I think that's very critical and it needs to be really in place. If it is not in place, I think a ccTLD should seek that relationship.
>> MARK MCFADDEN: Andrey, has it become more formal for you, the success of your registry? One of the things that happens is obviously you have talked a lot about both the formal and the informal relationships that make up your approach to cybersecurity. What about your relationship with the Government?
>> ANDREY KOLESNIKOV: Well, in August we were part of the field training ‑‑ let me put it like this ‑‑ combatting the simulation, combatting the cyber check on the critical resources in Russia together with Ministry of Defense FSB and our MS guy X. So coordination centre, I was part of it and the Ministry of Telecommunications who were running the event and also the Russian telecom, largest operator in Russia. So we successfully stand against the threats. It was different kinds of threats during this exercise and demonstrated our knowledge and our ability to manage the critical infrastructure. And that's good because well, at least it gives the confidence to our Government that we are doing ‑‑ we are making ‑‑ we are doing the right operations. And we even in catastrophic events, kind of catastrophic events we can still run the operations and do our job. So we have good relations with the Government.
>> MARK MCFADDEN: Eduardo, I want to ask you the question in a different way because the wonderful question that we got sort of made me think about an answer you had given an hour ago. As the registry changes and evolves and in your case as well became very successful do you think that's what motivates the Government to be more interested in integrating in to their thoughts about cybersecurity or just the Government's awareness of the issues?
>> EDUARDO SANTOYO: It is probably both. We are building trust and we are showing them as Andrey mentioned we have capabilities that we are technically able to have some answers or contributions on this. And having ‑‑ and we really built an Ambassador. We are building an Ambassador which is our chief security officer which is Gonzalo Romero and also for the international community as people who can't help to solve problems, who tend to be part of a group of work in order to deal with security issues. Then it begins with this, with the construction from ourselves for one Ambassador and we have this Ambassador and we establish the relationship with the Government in informal ‑‑ at the very beginning in an informal way. In just the last year we began to have formal agreements with the Colombian law enforcement entities. Because why? Because we are sharing information with them. That's the reason why. We need to sign information, to preserve the confidentiality of this information between both parties. That's the reason why we have agreements. If not, we don't need it. We can work together with it.
>> MARK MCFADDEN: And Patrik, is it numbers that you have for us?
>> PATRIK FALTSTROM: Yes, I finished the counting.
>> MARK MCFADDEN: So we are returning to the question from the remote participant and that was the question about the percentage of ccTLDs that had signed zones.
>> PATRIK FALTSTROM: It also shows that I know some programming. I actually didn't count. I wrote a programme and the answer is it is 92 out of 249. So it is 37%.
>> MARK MCFADDEN: 37%. And to put you on the spot here, which is just the right thing to do I think at the end of the week, your experience, your intuition, I am not asking for numbers here but your intuition that in the ccTLD community despite the pain that Andrey so wonderfully described, that number is growing. Do you think it is growing at a rate where eventually maybe in three, five years we will see numbers closer to 80 and 90%?
>> PATRIK FALTSTROM: Absolutely. And once again because there will be no tools that do not do DNSSEC. You cannot make more money selling DNSSEC because people don't understand. It will end up in there some day some time. So it is more like hygiene or something. Yes, it is hard. It is painful specifically as yes, you cannot get more income. It is just ‑‑ it is just a cost.
>> MARK MCFADDEN: Okay. Thanks for that. Let me do this, let me bring this session to a close here. And let me make a document of observations. I think that this is a very ‑‑ one of the things that I see because of the questions here is that security is truly a technical area but it combines technical issues, governance issues and we heard so much in the last hour and a half about relationships. It is relationships between the registry operator and its customers, relationships between registry operators and Government, and Andrey expressed it beautifully, the sharing of knowledge. And that's one of the messages that comes out of here. Besides being a technical activity are often clearly documented. The issue of building relationships especially around the area of cybersecurity seems to be extremely important. And I thank our panelists for talking about those issues because I think that's a crucial part of it.
I'd also like to make mention of the fact that this is the last slot in the 9th Internet Governance for workshops and for however much you participated during the week our thanks up here goes to your being participants in the Internet Governance. I know the closing session is this afternoon and I want to thank the people in the back of the room. The fact that we support remote participation through Internet technologies, people who cannot get to Istanbul, Turkey, still can participate and read the transcripts. So the people who provide the transcripts, who support the video I thank them as well. And I hope you join with me in that. Finally, let me thank my panelists on behalf of myself and Maria Farrell, the two co‑Chairs. Thank Mohamed, Andrey, Patrik and Marco and Eduardo. Excellent ‑‑ thank you very much.
(Applause.)
>> Thank you.
>> MARK MCFADDEN: That brings the session to a close. I wish all of you a pleasant rest of the day and certainly a safe journey home.
(Session concluded at 12:30)