S.3480, The Protecting Cyberspace as a National Asset Act of 2010, introduced by Sens. Lieberman, Collins and Carper, quietly passed committee last week on a voice vote and is now scheduled for debate on the US Senate floor. The controversial, nearly 200-page bill, which amends the Homeland Security Act of 2002, has been criticized by civil liberties and industry groups alike, who say it grants the President the ability to order operators of “covered critical infrastructure” to disconnect parts of the Internet. As the Center for Democracy & Technology noted in its letter to the Senate Committee on Homeland Security & Governmental Affairs, the heart of the matter is 1) the ambiguity around what exact powers a newly created National Center for Cybersecurity and Communications (NCCC) housed within DHS would have, and 2) the definition of “covered critical infrastructure” (CCI). Our reading of the bill agrees with these general criticisms: the language is far too loose and needs to be tightened. We are also concerned with specific effects on the Internet’s DNS and possible extraterritorial effects of the legislation.

Is the DNS root zone considered CCI?

The bill defines CCI as

a system or asset

(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
(B) (i) that is a component of the national information infrastructure; or
(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset;

The DHS-maintained critical infrastructure list referred to above is secret. However, an IT Sector Baseline Risk Assessment being undertaken by DHS includes looking at the DNS and threats to the root zone in particular. Given this, it is not unreasonable to assume that the DNS root zone is on that list, therefore implicating operators of the root zone, including ICANN, VeriSign and the other root server operators based in the United States.

What are the extraterritorial effects on Internet governance?

The bill includes sections on international cooperation dealing with securing CCI (section 248) and national cyber emergencies (section 249). According to the language, USG agencies with “responsibilities for regulating the covered critical infrastructure” will carry out the international activities. If the DNS root is a CCI, this implies a US domestic agency will assume some sort of regulatory role over the DNS root when it comes to cyber security matters. The big question is who will do this – NTIA, NIST, FCC, DHS, DoD, State – and what effect this will have on NTIA's relationship with ICANN?

In any case, the agency could work with other governments to inform root server operators located outside the United States (i.e. in Japan, Sweden, and the Netherlands) of cyber vulnerabilities and pressure them to implement mitigation and remediation measures. Domestic government agencies and regulators working closely across borders is not new (see Anne-Marie Slaughter’s work, or e.g., the London Action Plan). As Slaughter notes, these “transgovernmental networks” can be helpful in casting US power in a different light, something the USG has always contended with in regard to its oversight of the DNS root. However, Slaughter and others have identified that these networks can also increase accountability concerns.

Finally, perhaps the most interesting text in sections 248 and 249 is that which requires the NCCC Director to carry out international cooperation “in manner consistent with any international agreement.” This may be a nod to agreements that exist around other CCIs, but we'll note that an international agreement protecting the DNS root zone from any government interference would go a long way toward alleviating other countries' concerns about this legislation.

14 thoughts on “‘Kill Switch’ Bill: Ramifications for the DNS root zone?”

  1. The RDATA portion of the A6 record contains two or three fields.
    |Prefix len.| Address suffix | Prefix name |
    | (1 octet) | (0..16 octets) | (0..255 octets) |
    o A prefix length, encoded as an eight-bit unsigned integer with
    value between 0 and 128 inclusive.
    o An IPv6 address suffix, encoded in network order (high-order octet
    first). There MUST be exactly enough octets in this field to
    contain a number of bits equal to 128 minus prefix length, with 0
    to 7 leading pad bits to make this field an integral number of
    octets. Pad bits, if present, MUST be set to zero when loading a
    zone file and ignored (other than for SIG [DNSSEC] verification)
    on reception.
    o The name of the prefix, encoded as a domain name. By the rules of
    [DNSIS], this name MUST NOT be compressed.
    The domain name component SHALL NOT be present if the prefix length
    is zero. The address suffix component SHALL NOT be present if the
    prefix length is 128.
    It is SUGGESTED that an A6 record intended for use as a prefix for
    other A6 records have all the insignificant trailing bits in its
    address suffix field set to zero.

  2. You can count on the IETF geeks to help develop the Kill Switch.
    The story comes to mind of an engineer who was to be executed by guillotine. The guillotine was stuck, and custom required that if the blade didn’t drop, the condemned man was set free. Before this could happen, the engineer pointed with excitement to a rusty pulley, and told the executioner to apply some oil there. Off went his head.

  3. ICANN censors their BLOG Comments
    So much for Open and Transparent and Accountable

  4. U.S. Supreme Court Reverses Decision on Verisign & ICANN CARTEL
    One has to wonder where the DOJ and FTC are ?
    Why are private parties (funded from Canada) required to develop expensive anti-trust litigation ?
    ICANN is clearly NOT a public benefit non-profit white.hat

  5. .NET TLD to be used by FCC for Internet ISP Licensing
    ICANN CEO declared .NET as a “Dead TLD”
    Super Secure .NET infrastructure with Key Signing Ceremonies broadcast live from the International Space Station, the surface of the Moon and Mars.
    Annual .NET license expected to be “cost recovery”
    non-profit and about $100,000 per year.

  6. plus the “Cheryl Langdon-Orr Show” on every channel
    who could have guessed how ICANN would end ?
    at least people now see what Consensus means
    there is wide-spread Consensus ICANN is history
    only fools would continue to play the ICANN Game
