Dear PSO PC colleagues, The enclosed message from Mr Jefsey Morfin has reached me from several ways. It is an initiative to draft an ICANN ICP on Security and Stability in Internet. I propose to deal with this message in our next teleconference under the agenda item in Security that Tapio and I proposed. My apologies if you have got the message twice or more. Kind regards, Azucena >Date: Wed, 10 Oct 2001 11:47:35 +0200 >To: ecdiscuss@ec-pop.org >From: Jefsey Morfin <jefsey@wanadoo.fr> >Subject: [ecdiscuss] WG-ICP4 Internet Security and Stability Protection >Genlemen, >The next ICANN meeting is to be dedicated to a crash Internet Security >review. I proposed to conduct a more global work on the matter towards an >ICP-4 Internet Security and Stability Protection document and the creation >of an ISSP Advisory Committee. > >A discussion list is under building now. If you are interested to joint >please send a mail to: >icp4-subscribe@yahoogrouos.com. >I definitly think that European should share in what may lead to a complete >review of the Internet due to the daya to day worldwide importance of the >matter. > >For your information here is an upate on the matter. > >The proposed WG-ICP4 methodology is >1. to determine what is to protect: a clear analysis of the Internet system >in our today society >2. to establish the list the generic target areas of that system: its >building layers >3. to list the different types of threats >4. to list the motives of failures and/or attacks. > >2 and 3 will permit us to define a grid of the Internet risks. 4 will >permit to work towards prevention. Possible proposition mechanisms are >introduced further on. > >Each box of such a grid should then be worked on: >- to better define the specifics of the menace in that area >- to asses the level of risks in a pragmatic way and in a subjective way >- to determine the parties involved >- to establish a WG on the matter by concerned stakeholders, with the help >of specialists of the domain involved. The mission would be to asses the >current situation, the immediate and mid term security oriented actions, a >specific preventive policy, recommended joint efforts towards a global >preventive policy and suggested innovations or complete changes which would >better protect the area's stability and foster development. > >That would be the basis of the ICP-4 Internet Security and Stability >Protection document, for the establishment of an Permanent ISSP Advisory >Committee. It would keep that grid updated from observations and >experience, and would keep alive a permanent pragmatic security/stability >concern among the governance. > >A pounderation of the risk levels aking into account the real risks, the >expected impact on public, the risk chaining and the governance >unstabilization. should permit to discover the key targets and to determine >the priorities in term of protection and pro-active policies. > >In a first attempt we have categorized 20 generic areas, 25 types of menace >and 18 motives. They are listed here below. Thank you to add any area we >might have overlooked. This lists are not yet structured nor detailed in >order to leave room to your imagination (several highly debated issues >don't show up because they are part of more generic areas). Please also >comment them as we now have to work on these list "a layer below" and >charatize each threat in each area and for each motive. > >This list as today corresponds to the modlisation of 500 menaces and 9000 >motivated possible destabilization or war acts. >1. Any competence in helping modelizing and grouping the analysis is welcome. >2. from first experience the perusal of these lists by different people >should help defining general concerns. This will be purely subjective and >based upon personal backgrounds. But in confronting these quick analysis we >might have some first propositions quickly and gain working experience. >This would however not replace the permanent and fundemental work ahead. > >We have to be conscioius that this task is unique as it concerns the >publicly disclosed protection of a universal system against its own users, >operators and protectors. Turning the Internet fool and terrorist proof - >or at least less easy to unstabilize. It also concerns the protection of >Peace as the Internet is increasingly a vehicle for all the world's exchanges. > >The ICP-4 Internet Security and Stability Protection document should >propose solutions. > >The easiest way for that is to proceed from proposed solutions and use the >risk grid as a validation, a comparative or a killing filter. An Excell >table should be presented with a proposition telling which menaces it >address and how, providing an easy and visual decision tool. > >Here are the current lists: > >Generic targets: >- interconnection structure >- structural lines >- governance >- centralized services (DNS, IP, ...) >- Internet industry (ISP, ASP, Communication Agency) >- interconnected computer systems - stations, immotic - teleurbanism >- interconnected operators (webmasters, staff, ...) >- generic services (e-mail, ftp, online payment, etc) >- servicing computers >- users >- public and social/community area >- market - economy >- impacted industries >- consumer organizations >- communicating structures - organization, management >- equipment manufacturers, content, services providers >- access lines and Telcos - telecom services >- regulation and standards >- states relations and law >- applications - innovation >- protocols > >Types of menace: >- single point of failure / weakness >- military action - war, civil war, invasion >- terrorist action >- acts of God >- blocus >- lack of supply >- technical failures >- intelligence action >- economic crisis - local/general >- DoS >- hacking >- vandalism >- disclosure >- cybersquatting >- public/management/technical distrust - disinterest >- negative press campaign >- alternative offerings - new technologies/solutions >- complexity >- overload >- technology level >- management instability >- unfair practices >- ignorance - incompetence - lack of education >- misunderstanding (lexical or linguistic) >- governance feud set-up > >Motivations: >- misunderstanding of the Internet nature and social model >- strategic interests of leading partners - states, commercial >- financial greed >- political objections >- fanatism (regligious, professional) >- personal interest - employee retaliation >- fun >- private or political agenda and competition >- attempts to dominance - lack of mutual coordination >- cultural conflicts >- financial, lingual and digital divide >- lack of local financing >- lack of local means >- national exclusion >- national policy >- feuds >- ignorance >- History > >Jefsey Morfin >world@wide > ************************************************* Azucena Hernandez Telefonica Desarrollo de Red c/ Emilio Vargas, 4. E-28043-MADRID Tel: +34 91 5846842 Fax: +34 91 5846843 GSM: +34 609 425506 E-Mail: azucena.hernandez@telefonica.es ************************************************