AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

Public Comment CloseStatement
Name 

Status

Assigned Working Group

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

08 April 2021

Second Security, Stability, and Resiliency (SSR2) Review Team Final Report

ADOPTED

14Y, 0N, 0A

CPWG

Gregory Shatan

Alejandro Pisanty

02 March 2021

01 April 2021

02 April 2021

06 April 2021

31 March 2021

Jennifer Bryce
jennifer.bryce@icann.org

AL-ALAC-ST-0421-01-00-EN

Hide the information below, please click here 

Please join WEBINAR:  SSR2 Final Report on 11 February at 15:00 UTC

Join Zoom Meeting:  https://icann.zoom.us/j/97610425004?pwd=NUVNakJsVDczZDZ2bTFaNFgyRUpUUT09

Meeting ID: 976 1042 5004
Passcode: =Dd2*6qNs^

Brief Overview

Purpose:

On 25 January 2021, the second Security, Stability, and Resiliency (SSR2) Review Team submitted its final report to the ICANN Board. This Public Comment proceeding aims to gather community input on the final report of the second Security, Stability, and Resiliency (SSR2) Review Team.

Current Status: The SSR2 Review Team Final Report is issued for Public Comment to inform Board action on the SSR2 Review Team's final recommendations.

Next Steps: Per the ICANN Bylaws (Section 4.6(a)(vii)(C)), the Board shall consider the SSR2 Review Team Final Report within six months of receipt of the final report, i.e. by 25 July 2021.

The SSR2 Review Team will host a webinar on 11 February 2021 at 15:00 UTC to brief the community on its final recommendations. Please see the wiki page for webinar details.

The Board will consider the Public Comment submissions received as well as a feasibility analysis and impact assessment of the implementation of recommendations, which will take into account initial cost and resource estimates and dependencies with other ongoing efforts within the community. The Board will then direct implementation of the recommendations that were approved subject to planning, scheduling, and prioritization, and provide written rationale for any recommendations that are not approved.

Section I: Description and Explanation

On 25 January 2021 the second Security, Stability, and Resiliency (SSR2) Review Team submitted its final report to the ICANN Board.

The SSR Review is a Specific Review mandated by ICANN's Bylaws (Article 4, Section 4.6) to review "ICANN's execution of its commitment to enhance the operational stability, reliability, resiliency, security, and global interoperability of the systems and processes, both internal and external, that directly affect and/or are affected by the Internet's system of unique identifiers that ICANN coordinates." Specific Reviews are crucial to the legitimacy and accountability of ICANN. Specific Reviews serve as ICANN's progress report to the world and demonstrate how ICANN delivers on its commitments and identifies areas where it can improve. Specific Reviews are conducted by members of the stakeholder community who look at past processes, actions, and outcomes in order to make recommendations to improve future performance.

The SSR2 Review Team Final Report contains 63 full consensus recommendations in the following areas:

  • SSR1 implementation and intended effects;
  • Key stability issues within ICANN;
  • Contracts, compliance, and transparency around Domain Name System (DNS) abuse; and
  • Additional SSR-related concerns regarding the global DNS.

The SSR2 Review Team considered comments received on its draft report and amended its report as it deemed appropriate. Appendix H of the SSR2 Final Report contains the SSR2 Review Team's response to the public comments.

Section II: Background

On 14 February 2017, ICANN announced the selection of a 16-member team to conduct the second Security, Stability, and Resiliency (SSR2) Review. The SSR2 Review Team held its first meeting on 2 March 2017.

On 28 October 2017, the ICANN Board, in consideration of concerns received, suspended the SSR2 Review Team's work, pending input from ICANN's Supporting Organizations (SOs) and Advisory Committees (ACs) on any need to adjust the scope, terms of reference, work plan, skill set and/or resources allocated to SSR2. The suspension generated a dialogue among the SO/AC chairs and ICANN Board and led to a request for additional membership on the review team and the engagement of an external facilitator to assist the review team in resolving issues of scope, membership, and other concerns as raised (see 15 February 2018 and 13 March 2018 correspondence for more information). On 7 June 2018, ICANN announced the formal restart of the SSR2 Review Team.

On 24 January 2020, the SSR2 Review Team published its draft report for Public Comment. The SSR2 Review Team received eighteen comments on its draft report, as documented in the Public Comment staff report.

Per the Bylaws, the issues that an SSR review team may assess are the following:

"(A) security, operational stability and resiliency matters, both physical and network, relating to the coordination of the Internet's system of unique identifiers;

(B) conformance with appropriate security contingency planning framework for the Internet's system of unique identifiers; and

(C) maintaining clear and globally interoperable security processes for those portions of the Internet's system of unique identifiers that ICANN coordinates.

(iii) The SSR Review Team shall also assess the extent to which ICANN has successfully implemented its security efforts, the effectiveness of the security efforts to deal with actual and potential challenges and threats to the security and stability of the DNS, and the extent to which the security efforts are sufficiently robust to meet future challenges and threats to the security, stability and resiliency of the DNS, consistent with ICANN's Mission.

(iv) The SSR Review Team shall also assess the extent to which prior SSR Review recommendations have been implemented and the extent to which implementation of such recommendations has resulted in the intended effect."

Section III: Relevant Resources



Section IV: Additional Information


Section V: Reports

FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 


FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

View-Only Google Doc, 1 April 2021:

https://docs.google.com/document/d/1Xus48mqvDAJkNkmWQoReT6FL6nN6UB-MJPL8QqF9810/edit?usp=sharing


DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins. The Draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(S) should be left in place and the new version along with a header line identifying the drafter and date/time should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).

ICANNSSR2ALACReview 02 March 2021 DRAFT

 

ICANN SSR2 review by ALAC

Draft by Alejandro Pisanty for joint work with Greg Shatan

 

We provide a draft comment on the SSR2 report for ALAC to discuss and potentially adopt. SSR2 is the Second Stability, Security and Resilience Review.

  1. We are pleased to observe that SSR2 has ratified most of the work of the first SSR-RT (full disclosure, it was chaired by one of us, AP). We agree with the observation that SMART objectives had to be derived from the report in a managerial process starting from ICANN’s receiving the report and the Board’s adoption by a resolution.
  2. We observe with interest that the SSR2 team met the same difficulty as the first SSR-RT in prioritizing recommendations. We attribute this to the many-sided view both reports provide.
  3. The SSR2 team invested great effort and time in finding the right level of aggregation for their analysis and report, which as the SSR-RT team found, cannot be an in-depth security audit, nor is useful to keep at a too general level.
  4. Some significant developments in the time between the two reviews are: DNS Abuse, the introduction of the GDPR, the effects of ICANN’s change of status after changes in its contractual relationships with the government of the United States, significant mood changes in the Internet environment, and geopolitical shifts.
  5. On the way towards implementation the report and those who apply it would find it useful to divide their analysis and plans in three circles: what ICANN does (mostly ICANN.org and the immediate work of the SO/AC Councils); what ICANN influences (contracted parties, participants in ICANN processes especially PDPs); and the rest of the world. Tools adequate for each circle are different.
  6. We applaud Recommendation 2 for the creation of a CSO position, recommending that it take into account the best people, work, practices, and experience already excelling in foresight, proactive, and reactive work.
  7. We agree with Recommendation 4, improving Risk Management, making sure that all risks are considered, with community participation that is balanced in order to avoid risks of capture or disproportionate influence by parties with less at stake than influence or ability to slow processes.
  8. We agree with Recommendation 6, on Vulnerability Disclosures, recommending the highest possible level of interaction with the broad ecosystem.
  9. We agree with Recommendations 7, Continuity, and 8, Public Interest, which must not be construed in a way that reduces efficacy and agility.
  10. We agree with Recommendation 12 on DNS Abuse Transparency, cautioning against implications such as arise from the ongoing, complex relationship between GDPR and WHOIS/RDS; the paradoxal effect that data turn out to be protected but users and their assets are not should be avoided.
  11. We agree with Recommendation 16 on Privacy and RDS with the above caveat related to Recommendation 12 in mind.
  12. We agree emphatically on Recommendation 17 on the avoidance of domain-name collisions, which is particularly protective of the most diversified, global user base.
  13. We agree emphatically on Recommendation 18, Informing Policy Debate, for which intensified relationships, attendance, and invitations for mutual participation are further recommended, with organizations such as the IETF, IEEE, ACM, ISOC, and many other national and regional bodies, including universities and research centers which produce quality research.
  14. We support Recommendation 20 on Key Rollover, recommending further that the experience gained under the COVID-19 emergency be especially considered.
  15. We recommend that geopolitical and similar risks, including consumer and citizen sentiment in different jurisdictions, be given a stronger consideration, with the implication of maintaining a constant, high level of short, medium- and long term situational awareness and interactions with as many relevant parties as possible.

We do not pronounce ourselves on the Recommendations not mentioned here because we support them “as is”, with no further comment.