Jeff Moss is famous in the security community as the founder
of DEF CON and Black Hat. He is in Internet governance news today because ICANN
has just hired him as its new “Chief Security Officer.” The corporation has
issued a self-congratulatory news release, prepared by its London public
relations firm, in which various prominent people effusively praise the hire.
Here are two that got my attention:
“I can think
of no one with a greater understanding of the security threats facing Internet
users and how best to defend against them than Jeff Moss,” said Rod Beckstrom,
ICANN’s President and Chief Executive Officer.
OK, but wait, Rod,
ICANN cannot and does not solve all (or even most) of the “security threats
facing internet users.” ICANN just adds new TLDs to the root zone and manages a
policy making process for doing so. About a year ago Beckstrom generated a negative reaction by proposing a DNS CERT; has that idea taken on a new form?
If you thought Beckstrom’s view of this hire was expansive, wait until you see
this one:
“The global
threats to the Internet’s Domain Name System are in essence the digital cold
war of the new millennium,” said Merlin Hay, member of the British House of
Lords and Chairman of the Information Society Alliance. “To win this war we
need someone like Jeff Moss who understands the hacker's mindset and has the
international experience to grasp that today’s online attacks can come from
just about anywhere on the planet.”
Whoa, pardner. Stop playing Winston Churchill and let’s anchor this hire to what ICANN actually
does. ICANN is not fighting a global digital cold war. ICANN just adds new TLDs to the root zone and manages
a policy making process for doing so.
Granted, this could be just another slightly irritating product
of an immature organization that still needs to convince the world, and itself,
of its importance and legitimacy. Or, it could be another indication of the tendency
of an organization with too much money to offer expensive sinecures to people with gold-plated
names for functions that don’t require such glamor. ICANN doesn’t handle
“security for the Internet,” it handles coordination of the DNS root. Since ICANN
has already implemented DNSSEC at the root, and it already has a Security and
Stability Advisory Committee, what exactly is Moss's job description?
Here's our advice to Mr. Moss: What we need at ICANN is someone who
understands its limited, primarily coordinative role. We need someone who
understands that DNS can be, but shouldn’t be, overloaded with regulatory
functions by people trying to exercise control over the Internet, especially in the name of “security.” We don’t need cold
warriors or world saviors, we just need practical folks who develop
proportional responses to the specific kinds of threats peculiar to ICANN’s
narrow functions. If you’re that kind of a guy, welcome!