Date: Mon, 23 Feb 2009 23:03:56 -0800
From: k claffy
To: Jeff Schmidt, William Yang
Cc: ssac@icann.org
Subject: [ssac] thoughts on ssac review report

jeff, william,

http://icann.org/en/reviews/ssac/ssac-review-final-16feb09.pdf

thanks for putting that report draft up. you're writing an important story in history, i really hope you get this right. sorry i didn't have time to make this shorter.

for ssac too, fwiw,
-k

--------------------------------------------------

overall issues:

(1) the report claims that SSAC's charter is overly broad, and also not broad enough. just like many say about icann, which is the underlying problem here.

(2) task 2 and 4 use language (like "ensure", "articulate requirements") as if SSAC has any executive authority. SSAC is only making recommendations, like gao.gov reports: many are of high quality and accuracy and include promising solutions, but no one actually has to listen to them.

(3) this report seems conflicted on SSAC's fundamental structure, finding that "the mechanism of a Board Advisory Committee to be an appropriate model for engaging subject matter experts in the area of security and stability" while also recommending that SSAC do many FTEs worth of work, which Board Advisory Committees are not expected to do.

(4) i think most members of SSAC would empathize with the recommendations but also recognize they're unrealistic at current funding levels and organizational structure. SSAC is yet another committee of mostly technical people chartered to treat obstacles to improving naming and addressing-related security and stability as if they're technical, when by now they're mostly obstacles of economics, ownership, or trust (EOT). so it makes sense to want an expanded scope, but it's also pulling against icann's technocratic roots and charter as a 'technical coordination function'. a report with these recommendations is a call for a review of the architecture of icann itself. i have no objection to that, i just think the report should be more self-aware of its implications.

(5) funding SSAC without affecting neutrality is not a simple proposition; you haven't explained how that can happen.

(6) goal for "SSAC maintain focus on developing and sharing knowledge and understanding of new and evolving risks". the report should acknowledge that there is a very limited amount of knowledge that folks on SSAC can share, and almost no data that stakeholders can share with SSAC as a group. it's not a data-sharing kind of organization. which makes its 3rd core function questionable:

"threat assessment and risk analysis of the Internet naming and address allocation services to assess where the principal threats to stability and security lie, and to advise the ICANN community accordingly. The Committee will recommend any necessary audit activity to assess the current status of DNS and address allocation security in relation to identified risks and threats."

a review of performance against that functional goal should acknowledge the fact that the SSAC as a group has no way to acquire the information required for "ongoing threat assessment and risk analysis of the Internet". individual members may acquire data via their own trust relationships, but not usually in ways that allow them to share it. there is an implication in SSAC's charter that there is a rigorous discipline of Internet security and stewardship, and ICANN and SSAC should follow it. the reality is we are still mostly groping in the dark, trying to stay at least one level ahead in intelligence of the organism we're trying to study, with no resources, no authority, and no legal access to the system under study. much like the academic community, but without govt funding.

(7) the sitefinder incident bears comparison to the recent board request for SSAC to generate some research, as i said in email to SSAC 19 dec 08. this kerfuffle over the imminent changes to the root is a symptom of a deeper incongruity in icann's governance architecture. it's reasonable to expect at least as much public discussion and research about impact of imminent changes to the DNS system as we had about verisign's sitefinder. i believe eventually, there will be. we're just off to an ungraceful start. the report would also benefit from assessing whether icann's goals and objectives in having SSAC write that sitefinder report were ultimately accomplished on the Internet. (how many companies redirect typos to search pages now?)

(8) 22 respondents is a problem, but you know that already.

--------------------------------------------------

issues with recommendations

-- recommendation 13. shouldn't be abridged in the summary, leaves too much out

"a) Whenever possible, provide advance notice in the form of a professional "heads up" when uncomfortable situations are reasonably foreseeable. Avoid the perception of "blindsiding" individuals and entities."

uncomfortable situations like what? to whom? (i missed who has felt blindsided by SSAC's output? you mention a director felt he had a 'blind spot' but that is completely different from what you imply here.)

"Recognize that as an advisory body, SSAC's role is to provide the best advice possible. There is however no requirement for anyone to follow SSAC's advice"

right. so all this 'ensure' business in the mission statement has to go.

-- rec 14 sounds strange, doesn't explain diff(strategic,tactical) (mentioned on call)

-- rec 26 -- simple majority? makes it sound like old boys club.

-- rec 27 -- seems simple majority shouldn't be enough for brand use. how are you arriving at these fractions?

-- rec 28: "SSAC formally and visibly adopt Robert's Rules of Order for conducting SSAC business meetings."

need to explain what those rules are, or at least give a URL

-- rec 30: "regularly evaluate SSAC performance against objectives, resourcing, and efficiency metrics in the future."

what efficiency metrics? can you give some example?

-- rec 32: Dissents, Recusals. You're now making SSAC responsible for more work than either the board or ICANN staff. only one guy has any salary.

-- rec 34: which subset of the ICANN Board COI policy?

-------------------------------------------------------

comments on text of report:

2.3 RSTEP incomplete description. need explanation of why it started -- SSAC wasn't being sufficiently responsive, verisign didn't want to wait 9 months. RSTEP gets paid for a topic that touches the very big rich guys. SSAC doesn't get paid for a topic that touches all Internet users.

-- director of security is also general manager? a little strange.

"The SSAC has certainly been proactive in their research and publications surrounding technical security issues, and we are aware of situations where SSAC has recommended audits, particularly of internal ICANN operations. However, the performance of an ongoing "risk analysis" was identified as a weakness by several members of the community, including ICANN Board members. In general, there was a feeling that SSAC produces reports that are too focused on specific technological countermeasures and miss the larger risk management issues most relevant to policy makers."

SSAC is now supposed to serve "policy makers", in addition to the Board and the general public? this charter is broader by the minute. it sounds more here like ICANN's board is confused about what they want, or want something not possible to accomplish in the current architecture. if SSAC has failed to provide this "ongoing risk analysis", can you assess why they have failed to do so?

p.30 "Several very weak predictors did exist and are worth mentioning. Regarding the current SSAC, gNSO members perceived that SSAC counseled non-ICANN policy makers, while non-Internet industry respondents perceived SSAC provided counsel to ICANN policymakers."

what is your perception of who SSAC is counseling, based on what you've learned?

page 30 "SSAC is seen" missing an 'as'

p.35 "ICANN has made clear efforts to develop management and staff resources to address the security aspects of ICANN's mandate"

can you give some examples, and how they interact with SSAC? i'm not sure 1-2 FTEs on a $60M budget is going to be considered 'clear efforts' by most people. what has actually been accomplished, against what metrics?

p.36 "This is a clear indication that security is core to the ICANN mission; in fact, it can be read that ICANN is fundamentally in the business of security and stability."

that's a strong statement. you might want to provide some more support for that. i think i disagree with it completely.

p.38 "SSAC provides the best advice possible to the Board."

we do? how often are we talking to the board? how do we know it's the best advice possible? these assertions near the end seem pretty grand.

p.41 "SSAC does however have the ability to set its own agenda, function relatively autonomously, and express a full range of opinions."

Not sure we can say we represent a full range of opinions. We try.

"'Significant' is not in any way intended as a comparison to other components of the ICANN structure, but rather 'significant' in that SSAC is resourced by ICANN to the extent that SSAC would not exist in its current form absent ICANN resourcing."

that's confusing. SSAC existed before ICANN provided a budget for Dave. if there are other icann resources keeping SSAC going, say what they are.

"While the SSAC has historically focused on technical issues, we see no language in the current charter requiring such a limitation. We believe that SSAC's strong roots in the technical and engineering community, combined with strong technical leadership, has caused SSAC to focus almost entirely on technical issues."

as mentioned above, that is dangerous wording. ICANN itself is chartered as a 'technical coordination function', so it was always assumed that the SSAC advisory role would be regarding 'technical' issues, whatever that means. it might have been steve's interpretation, but given icann's mission statement it seems a reasonable one.

"Increased visibility into resource utilization and accountability for resource consumption"

that's quite an ambitious goal you slipped in at the end, there. could you add some detail on what you mean by that? how is this visibility supposed to be acquired? who funds/manages/executes it?

p.47, 'We support the creation of a risk committee if scope is carefully defined in terms of keeping an eye on the major risks facing ICANN. These would include major political risks, technical risks, business risks, key relationships risks and the like. It would also include oversight of the processes adopted by management for dealing with operational risk, health and safety, and environmental risk etc. Less than half of the board as well as the management believe that the board has adequate focus on the major risks facing ICANN'

that seems like a lot to know about. can you circumscribe that at all?

"lack of transparency is debilitating and is damaging SSAC"

need examples here, since at least i don't even know what you're referring to.

"vital institutional knowledge rests ... very few individuals."

can you be more specific about what vital institutional knowledge you mean?

"Economists"

they're not capitalized. :)

"one year terms"

one-year terms

"perceived and actual conflicts as supposed by outsiders are a growing and at times debilitating concern. We observe that while SSAC members may feel that they are participating as individuals and "concerned citizens," outsiders may not see past their title and employer and assume that given corporate entities are "represented" on SSAC through these individuals."

examples of damage done?

k