Jump to content

Second Security, Stability, and Resiliency Review: Difference between revisions

From ICANNWiki
JP (talk | contribs)
JP (talk | contribs)
Line 71: Line 71:


==Board Action and Implementation Planning==
==Board Action and Implementation Planning==
The board addressed the topic of the final report at its regular meeting on July 22, 2021.<ref name="bdreso">[https://www.icann.org/resources/board-material/resolutions-2021-07-22-en#2.a Resolutions of the Board, July 22, 2021</ref><ref name="dashboard" /> In keeping with its updated processes, the board issued a scorecard<ref name="scorecard">[https://www.icann.org/en/system/files/files/ssr2-scorecard-22jul21-en.pdf ICANN.org Archive - SSR2 Scorecard], July 22, 2021</ref> categorizing the recommendations contained in the report under six headings. The board attached a 53-page rationale for its decisions.<ref name="rationale">[https://www.icann.org/en/system/files/bm/rationale-ssr2-22jul21-en.pdf ICANN.org Archive - Rationale for Resolutions regarding the SSR2 Final Report], July 22, 2021</ref> The six categories in the scorecard were each tied to either approval, rejection, or the placing of recommendations in pending status:
The board addressed the topic of the final report at its regular meeting on July 22, 2021.<ref name="bdreso">[https://www.icann.org/resources/board-material/resolutions-2021-07-22-en#2.a Resolutions of the Board], July 22, 2021</ref><ref name="dashboard" /> In keeping with its updated processes, the board issued a scorecard<ref name="scorecard">[https://www.icann.org/en/system/files/files/ssr2-scorecard-22jul21-en.pdf ICANN.org Archive - SSR2 Scorecard], July 22, 2021</ref> categorizing the recommendations contained in the report under six headings. The board attached a 53-page rationale for its decisions.<ref name="rationale">[https://www.icann.org/en/system/files/bm/rationale-ssr2-22jul21-en.pdf ICANN.org Archive - Rationale for Resolutions regarding the SSR2 Final Report], July 22, 2021</ref> The six categories in the scorecard were each tied to either approval, rejection, or the placing of recommendations in pending status:
* Recommendations the Board approves, subject to prioritization, risk assessment and mitigation, costing and implementation considerations; and recommendations that the Board approves with the understanding that they are already fully implemented;
* Recommendations the Board approves, subject to prioritization, risk assessment and mitigation, costing and implementation considerations; and recommendations that the Board approves with the understanding that they are already fully implemented;
* Recommendations the Board rejects because they cannot be approved in full; Maarten Botterman, in his blog post announcing the Board's action on the final report, explains:
* Recommendations the Board rejects because they cannot be approved in full; Maarten Botterman, in his blog post announcing the Board's action on the final report, explains:

Revision as of 22:41, 18 August 2021

The Second Security, Stability, and Resiliency Review (SSR 2) was initiated in June 2016. The review team's final report was submitted to the ICANN Board in January 2021.[1] The board took action on the recommendations contained in the SSR 2 final report in July 2021. As of August 2021, the review is in the implementation planning phase.[1]

Background[edit | edit source]

The Affirmation of Commitments, an agreement between ICANN and the United States Department of Commerce, establishes ICANN's obligations to perform its duties with specific commitments in mind. All of the commitments bear on public and consumer trust of the organization. ICANN is to perform its functions in a manner that:

  • ensures accountability and transparency of decision-making;
  • preserves the security, stability, and resiliency of the DNS;
  • promotes competition, consumer trust, and consumer choice; and
  • enables access to registration data.

ICANN is also charged to periodically review and assess its performance through the lens of each of the above commitments.[2]

ICANN's board enshrined these commitments (and the associated reviews) in its Bylaws in Article 1 (Mission, Commitments, and Core Values)[3] and in Article 4 (Accountability and Review).[4] Article 4.6 deals with "Specific Reviews," each of which are tied to one of the commitments in the Affirmation of Commitments.[5]

The Organizational Effectiveness Committee of the board oversees the conduct of specific reviews.[6] The SSR is one such review. The Bylaws mandate that the review team include independent experts in the field of networking security and stability.[5] The Bylaws also call for SSR reviews to begin no later than five years after the completion of the prior review.[5]

Initiation, Delay, and Suspension of Work[edit | edit source]

The call for volunteer applications was posted in June of 2016.[1] The deadline for applications was extended, in part because the ICANN Board had adopted amendments to the organization's bylaws, some of which affected the selection process for specific reviews such as the SSR.[7] Team selection was delayed until February 2017[1]

The team submitted its Terms of Reference (ToR) on May 11, 2017.[8][9] In June, the Board responded to the review team, noting that the Terms of Reference "in general must provide a clear articulation of work to be done and a basis for how the success of the project will be measured," and expressing some concerns regarding the clarity of the ToR and work objectives.[10] Work continued within the review team and on the listserv, particularly with regard to formulating and refining the team's work plan. However, no formal response issued regarding the board's concerns.

In October 2017, the SSAC submitted a letter to the ICANN Board, advocating for a pause in SSR2 and arguing that the "current approach, if continued without significant change, will ultimately result in a report that does not have the quality expected by the ICANN Community."[11] In the same month, the Board sent objections regarding the scope of the still-evolving work plan, specifically the work of Subgroup 2 and the proposal to conduct a full review of ICANN's internal operational security.[12] Within the review team, reactions were mixed to both letters. A proposed response regarding a planned Los Angeles on-site for Subgroup 2 On October 10-11 (one week from receipt of the letter addressing scope concerns) was not able to obtain consensus, particularly from SSAC-affiliated members of the review team.[13]

In the following weeks, additional actions occurred that were directly or indirectly related to the SSR2 situation. The board had acknowledged their own failure to set expectations for specific review processes, and set about remedying this failure with a proposed operating standards document for public comment.[14] The chairs of other SOs and ACs also reported concerns regarding the direction of the SSR2 review. As a result, on October 28, 2017, the board sent a letter to the review team instructing them to pause all work until meetings could be held between the chairs of the SOs and ACs and board members at ICANN 60.[15] The letter reads in part:

In light of the importance of this effort, the concerns being expressed, and the resources devoted to date, we believe that it is imperative that the community assure itself that the SSR2 is appropriately composed and structured to achieve its purpose. Accordingly, the Board will be meeting with SO/AC Chairs, the SSR2 Review Team, and the community on this topic throughout ICANN 60, and following the meeting will formally ask the SOs and ACs to consider whether they believe there is a need to adjust the scope, terms of reference, work plan, skill set and/or resources allocated to SSR2. Without prejudging the answer to those questions, the Board considers that the most responsible course is to suspend the review team’s work pending responses from the SOs and ACs.[15]

The SSR2 team met with SOs and ACs over the course of ICANN 60, as well as the board.[16] In the aftermath of the meeting between SSR2 and the board, there was a brief discussion between the board and chairs of the SOs and ACs regarding next steps.[17] The result of those meetings was that the SOs and ACs would "do what needed to be done" to correct the trajectory of the review process. There was acknowledgement that there was no existing process for a situation like this, and apologies to chairs and review team members alike regarding potential board or staff contributions to the impasse.[17] The project remained on hold for the SOs and ACs to establish a plan. Board members variously noted that they did not know, and were never informed, that there was a finalized work plan for the team.[17]

In December 2017, the SOs and ACs sent a letter to the SSR2 review team.[18] The letter described the chairs' conclusions regarding the work of SSR2 to date, as well as the responses to a questionnaire submitted to SSR2 review team members.[18] The questionnaire received responses from all but two of the SSR2 members. The chairs concluded that the SSR2 team was made up of dedicated volunteers with a true desire to see the work completed. However, they identified issues of trust, bandwidth, potential conflicts of interest, detail and completeness of the team's work plan, and a challenging and overambitious scope.[18] the chairs summarized their next steps:

The SOAC chairs recognizes [sic] a number of concrete actions for us: first, appoint more members to the SSR2 team and discuss with ICANN Staff what the budget and staffing situation looks like. After these actions have taken place, we are to restart the SSR2 review with some initial concrete items on their agenda: agree internally on updated leadership, COI issues and scope; and work with ICANN Staff and SOAC chairs to agree on communication, milestones, and progress reporting/management of the review.[18]

The letter acknowledged the hard work of the team thus far, and noted that the pause represented an opportunity for team members to assess their bandwidth to continue with the project.[18]

Restart[edit | edit source]

At the beginning February 2018, the NCPH Intersessional meeting took place in Los Angeles. One of the sessions was devoted to SSR2, as well as the planning for and initiation of the Third GNSO Organizational Review.[19] During the plenary session, which was attended by members of the OEC, Susan Kawaguchi from the GNSO Council provided a status update as it related to the GNSO's communication with the other SOs and ACs:

We just finalized a letter to the SO and AC leaders, trying to come to consensus, come to the middle ground to figure out a way to move forward with putting this team back to work un-suspending it and move on, but with the right resources and talent and expertise. So we're taking this very seriously. You know, I'm sort of developing into a process person. If you have a process, it's much easier than designing it on the fly, and unfortunately the board's action has now, you know, everybody sort of had to sit back and go, "Oh, what do we do now?" The GNSO, through Heather, is trying to lead that and has proposed several paths forward. One is the facilitator for the whole team to, review team, to really decide what they need and somebody to work with them. What I don't think they need, and this is a personal opinion, is SO and AC leaders, even Heather as chair as GNSO, saying this is what you need, review team. Having sat - now I'm on my second review team, it's really important to maintain that independence. So that's what the GNSO is leading - is pushing for. We would like to see this, you know, move on. It's important work. And then take the learnings from it and develop a process.[20]

Later that month, the SOAC chairs again communicated with the review team, presenting a status update and findings from additional communications and a survey of team members.[21] As forecast at the Intersessional, the letter noted that survey comments from team members led the SO/AC leadership to conclude that there was "insufficient alignment within the SSR2-RT on many issues ranging from mission/scope to process/leadership."[21] To address this misalignment, the SOAC chairs requested that the OEC provide a neutral facilitator to work with the group to identify common ground and re-orient the goals and expectations of the team.[22] The OEC agreed, and set about working with the SOAC chairs to identify the required skills and experience that the facilitator should have.[23]

After an RFP process, Phil Khoury was engaged as facilitator in June 2018.[24] The review's relaunch was was announced shortly thereafter on June 7, 2018.[25] The culminatoin of Khoury's involvement came in August 2018, when the review team (with five additional appointed members) met in Washington DC and worked on drafting a new Terms of Reference.[26] The agenda and notes from the DC meeting indicate that this was the facilitated resolution of outstanding issues and concerns that the SOAC Chairs had requested.[27] Records of Khoury's work with the review team are available largely through the SSR2 listserv archive from his appointment in June 2018 to his sharing of his draft report following the DC meeting.[28]

The team presented a new Terms of Reference to the Board in September 2018.[29] The team followed up with a work plan in November 2018.[30] The team subsequently updated the board in February 2019 on its status subsequent to another multi-day, face to face meeting in Los Angeles.[31] The board acknowledged receipt of the ToR, work plan, and update report at the end of February.[32]

Mid-2019 Setbacks[edit | edit source]

At ICANN 64 in Kobe, the review team requested technical writing support from the ICANN board and organization.[33] ICANN org conducted a search for a technical writer to be assigned to the review team. A writer was hired in May 2019; however, after two weeks, the writer was dismissed by ICANN org.[33] The review team expressed displeasure about this development (and others) in a letter to the board, CEO, and SOAC chairs:

Unfortunately, the SSR2 Team has a history of being under-supported and obstructed: our work was initially delayed by a lack of documentation regarding the incomplete implementation of the 2012 SSR1 recommendations; we were “paused” for about a year by the Board without prior communication with the Team; we saw considerable delays when asking questions to staff, and received multiple insufficient responses; and we have had professional writing and research support for only 15 days. In addition, the Board’s subsequent handling of the CCT Review Team recommendations* further confused and deflated the enthusiasm of our Team.[33]

*The board approved action on only six of thirty-seven recommendations, placing seventeen of the recommendations on hold pending further research into feasibility, cost, and other unknowns.

The letter reported that the team's work had been substantially set back by the loss of technical writing support. The letter concluded "In addition to raising serious concerns about the accountability, transparency and independence of community reviews required by the ICANN bylaws, these unilateral and in transparent [sic] actions are extremely demoralizing to many Review Team members."[33]

In October 2019, the review team requested an additional $250,000 to complete the work of the review. The request cited the technical writing issue as well as other delays.[34] The Board approved the additional funding in November 2019.[35]

Draft and Final Report[edit | edit source]

The team published its draft report for public comment in January 2020.[1] The report contained 31 recommendations, with many recommendations including multiple action items to fully implement each recommendation.[36] The public comment period on the draft report was extended from March 4 to March 20, 2020. The ICANN Board's response to the report was posted on March 20.[37] Several comments were received after the close of the comment period.[38]

A total of eighteen comments were received.[39] The report on public comments identified four common themes among the comments:

  1. Prioritization - commenters noted that many recommendations were designated high priority, and recommended increased clarity and justifications for prioritization decisions.
  2. Outside of Remit/Scope - commenters noted that some recommendations were beyond the Board's power to enact, or were in their opinion beyond the scope of review.
  3. Clarity of Recommendations - a number of commenters asked for additional specifics, background, or expected outcomes of recommendations within the report.
  4. DNS Abuse - commenters had opinions and objections regarding the definitions of DNS abuse and related terms, as well as the proposed methods of dealing with abuse. There was again concern that some of the policy proposals were more properly addressed to a GNSO policy development process.[39]

The final report was submitted to the board and published for public comment in January 2021.[1] The report contained twenty-four issue areas, with a number of recommendations within each issue area. The review team noted that some recommendations were removed because of lack of alignment with the Board's five-year strategic plan.[40]

There were nineteen public comments submitted on the report; as with the draft report, the comments were diverse and extensive.[41]

Board Action and Implementation Planning[edit | edit source]

The board addressed the topic of the final report at its regular meeting on July 22, 2021.[42][1] In keeping with its updated processes, the board issued a scorecard[43] categorizing the recommendations contained in the report under six headings. The board attached a 53-page rationale for its decisions.[44] The six categories in the scorecard were each tied to either approval, rejection, or the placing of recommendations in pending status:

  • Recommendations the Board approves, subject to prioritization, risk assessment and mitigation, costing and implementation considerations; and recommendations that the Board approves with the understanding that they are already fully implemented;
  • Recommendations the Board rejects because they cannot be approved in full; Maarten Botterman, in his blog post announcing the Board's action on the final report, explains:

The Board does not have the option to selectively approve or reject parts of a single, indivisible community recommendation; they must act on a recommendation as written and not as interpreted by ICANN org or the Board. The Board notes that part of the community intent in incorporating Specific Reviews into the ICANN Bylaws in 2016 was to require the Board to act on recommendations as written, not as interpreted by ICANN org or Board.[45]

  • Recommendations the Board rejects; Although ten recommendations were rejected, those recommendations were clustered around three top-level recommendations: the creation of a CSO position with ICANN org; the creation of a temporary specification requiring all contracted parties to keep domains with reported DNS abuse activity below a certain percentage threshold; and an Expedited Policy Development Process to define and implement an anti-abuse policy.[43]
  • Recommendations the Board determines to be pending, likely to be approved once further information is gathered to enable approval;
  • Recommendations that the Board determines to be pending, holding to seek clarity or further information; and
  • Recommendations the Board determines to be pending, likely to be rejected unless additional information shows implementation is feasible.[43]


Board Rationale[edit | edit source]

The Board Rationale document is notable for its length - typically, even in complex situations, the rationale is not so long as to require an attachment to the recorded minutes. The board cited Article 4.6 as the basis for the comprehensive and lengthy rationale document:

The categorization approach allows for additional community consultation and information gathering where necessary, such as where recommendations are not clear or present inconsistencies with advice or other community work and public input. Further, the approach ensures Board accountability to the Bylaws-mandated deadline to take action on the recommendations within six months of receipt of a final report. The Bylaws require that for every Specific Review recommendation that the Board does not accept, the Board must provide a rationale supporting its action.[44]

The board noted several themes among the recommendations, which in some cases made a particular recommendation impossible to approve as an a priori matter:

  • SSR2 recommendations are considerable in number, complex, and have interdependencies with other significant areas of work underway. The board noted in its scorecard when such other areas of work were implicated by (or addressed the same subject matter as) a given recommendation.
  • Some recommendations contain components that the Board cannot approve, along with components that are feasible, and in some cases already being done. Per Maarten Botterman's comment, above, the board rejected these recommendations, even in situations where they agreed in principle with the spirit of the recommendation.
  • Some recommendations are polarizing, with public comments reflecting different, often opposing views. The board implied, as well, that some recommendations were inconsistent with advice from within the community.
  • Several recommendations repeat, duplicate or significantly overlap with existing ICANN org operations, or recommendations issued by other Specific Review teams. The board cited the public comments of RySG, RrSG, Public Interest Registry, and others who commented on specific recommendations that were repetitive or duplicative.
  • Some recommendations contemplate that the ICANN Board or ICANN org should unilaterally develop policy outside of the GNSO Council’s Policy Development Process. This was also noted during the public comment period by RySG, RrSG, and PIR, along with prominent contracted parties Tucows and Namecheap.
  • Some recommendations do not clearly address a fact-based problem, or articulate what cost/benefit would be derived or how the desired outcome envisioned by the Review Team would add value and improve security, stability, and resiliency. Echoing a common tension between technical attitudes toward security, stability, and resiliency on the one hand, and socially-oriented, policy advocacy stances on the other, the board reiterated its own comments to the previous output of the SSR2 team. Citing both the Operating Standards for Specific Reviews and the conversations held in the development of the Resourcing and Prioritization of Community Recommendations draft proposal for community discussion, the board repeated the importance of well-crafted, fact-based recommendations that could articulate specific benefits to the stability, security, and resiliency of the DNS.[44]

References[edit | edit source]

  1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 ICANN.org - SSR Dashboard
  2. ICANN.org - Affirmation of Commitments, September 30, 2009
  3. ICANN Bylaws, Article 1
  4. ICANN Bylaws, Article 4
  5. 5.0 5.1 5.2 ICANN Bylaws, Article 4.6
  6. ICANN.org - Organizational Effectiveness Committee
  7. ICANN.org - Application Deadline Extended for SSR2, August 12, 2016
  8. SSR2 Workspace - Correspondence
  9. Terms of Reference, SSR2, May 11, 2017 (Word document)
  10. Board Response to SSR2 Terms of Reference, June 23, 2017
  11. ICANN.org - Faltstrom letter to ICANN Board, October 3, 2017
  12. ICANN.org Listserv Archive - Board Letter regarding Subgroup 2's scope, October 3, 2017
  13. ICANN Listserv Archive - Email Replying to the Board, October 5 2017 (and subsequent replies)
  14. ICANN.org, Draft Operating Standards for Specific Reviews, October 17, 2017
  15. 15.0 15.1 ICANN.org - Letter from Steve Crocker to SSR2, October 28, 2017
  16. SSR2 Workspace - ICANN 60 Meetings
  17. 17.0 17.1 17.2 SSR2 Workspace - Meeting with Board Caucus & Community Leadership, November 2, 2017
  18. 18.0 18.1 18.2 18.3 18.4 ICANN.org - SO/AC Letter to SSR2, December 21, 2017
  19. NCPH Workspace - 2018 Intersessional Meeting Agenda, February 2018
  20. Meeting Transcript - 2018 Intersessional, February 2, 2018
  21. 21.0 21.1 ICANN.org - SOAC Chairs Message on SSR2 Status, February 12, 2018
  22. ICANN.org - SOAC letter to OEC, February 15, 2018
  23. Letter from Khaled Koubaa to SOAC Chairs, March 3, 2018
  24. ICANN.org - OEC letter to SOAC Chairs, June 5, 2018
  25. ICANN.org - SSR2 Restarts, June 7, 2018
  26. ICANN.org - SSR2 Review Team Restarts
  27. SSR2 Workspace - August 2018 Meeting Archive
  28. Draft Facilitator Report to SOAC Chairs - SSR2, September 10, 2018
  29. SSR2 Terms of Reference, September 4, 2018
  30. SSR2 Listserv Archive - SSR2 Team Work Plan, November 14, 2018
  31. SSR2 Listserv Archive - Update from the Review Team, February 13, 2019
  32. SSR2 Listserv Archive - Message from Board to SSR2, February 28, 2019
  33. 33.0 33.1 33.2 33.3 Letter to Board, CEO, and SOAC Chairs, June 26, 2019
  34. SSR2 Listserv Archive - Message to Board, CEO, October 9, 2019]
  35. Resolution of the Board, November 7, 2019
  36. SSR2 Draft Report, January 24, 2020
  37. ICANN.org Listserv Archive - SSR2 Public Comments, First Quarter, 2020
  38. ICANN.org Listserv Archive - SSR2 Draft Report Public Comments
  39. 39.0 39.1 Staff Report on Public Comment Proceeding, April 22, 2020
  40. SSR2 Final Report, January 25, 2021
  41. ICANN.org Listserv Archive - SSR2 Final Report
  42. Resolutions of the Board, July 22, 2021
  43. 43.0 43.1 43.2 ICANN.org Archive - SSR2 Scorecard, July 22, 2021
  44. 44.0 44.1 44.2 ICANN.org Archive - Rationale for Resolutions regarding the SSR2 Final Report, July 22, 2021
  45. ICANN.org Blog - Board Action and Next Steps on the SSR 2 Review, July 26, 2021