I imagine it’s a pretty hard job, largely thankless, working at ICANN. No matter what you do, there’s always somebody on the internet bitching at you for one reason or another.
The job may be about to get even more irksome for some staffers, if ICANN decides to implement new security recommendations made by risk management firm JAS Communications.
In a report published yesterday, JAS suggests that senior IANA staff – basically anyone with critical responsibilities over the DNS root zone – should be made to agree to personal credit checks, drug screening and even psych evaluations.
To anyone now trying to shake mental images of Rod Beckstrom peeing into a cup for the sake of the internet, I can only apologise.
This is what the report says:
“JAS recommends a formal program to vet potential new hires, and to periodically re‐vet employees over time. Such a vetting program would include screening for illegal drugs, evaluation of consumer credit, and psychiatric evaluation, which are all established risk factors for unreliable and/or malicious insider activity and are routinely a part of employee screening in government and critical infrastructure providers.”
I’ve gone for the cheap headline here, obviously, but there’s plenty in this report to take seriously, if you can penetrate the management consultant yadda yadda.
There are eight other recommendations not related to stoners running the root, covering contingencies such as IANA accidentally unplugging the internet and Los Angeles sinking into the Pacific.
Probably most interesting of all is the bit explaining how ICANN’s custom Root Zone Management System software, intended to reduce the possibility of errors creeping into the root after hundreds of new TLDs are added, apparently isn’t being built with security in mind.
“No formal requirements exist regarding the security and resiliency of these systems, making it impossible to know whether the system has been built to specification,” the report says.
It also notes that ICANN lacks a proper risk management strategy, and suggests that it improve communications both internally and with VeriSign.
It discloses that “nearly all critical resources are physically located in the greater Los Angeles area”, which puts the IANA function at risk of earthquake damage, if nothing else.
JAS recommends spreading the risk geographically, which should give those opposed to ICANN bloat something new to moan about.
There’s a public comment forum over here.
UPDATE (2010-06-13): As Michael Palage points out over at CircleID, ICANN has pulled the PDF from its web site for reasons unknown.
On the off-chance that there’s a good security reason for this, I shall resist the temptation to cause mischief by uploading it here. This post, however, remains unedited.