WASHINGTON -- The deadly attacks of September 11 didn't just give us tighter airport checkpoints, new wiretapping and surveillance laws, and countless metric tons of explosives air-lifted to Afghanistan.
They also prompted the Internet Corporation for Assigned Names and Numbers (ICANN) to toss out its customary agenda and replace it with a three-day special meeting, which begins Tuesday in Marina del Ray, California, on how to guard the Net's most vulnerable portions from terrorist attacks.
In the words of an ICANN announcement from September, the "overriding imperative" is to figure out how to thwart al-Qaida or its domestic relations from wreaking electronic havoc on the Internet's domain name system, which translates names like wired.com to the numeric address 209.202.221.20.
Much of the Internet's infrastructure -- such as e-mail servers and websites -- is decentralized and not easily targeted by malcontents. But since the domain-name system intentionally was designed with one master database for efficiency's sake, it also represents a centralized point of failure.
Currently there are 13 computers, called root servers, that manage global Internet traffic. Some can be found in high-security buildings such as Verisign's Herndon, Virginia, offices -- home to the master "A" root server. Others are run by volunteers at universities and corporations in Tokyo, Stockholm and London.
Concern over root-server security led to an Internet Engineering Task Force best-practices memo last year, which stressed that physical and electronic security must be paramount. A malcontent who breached a root server could spoof domain names, forge websites and disrupt the Internet for millions of people.
Other possible points of failure include the dot-com-org-net registry, which is maintained solely by Verisign, and companies such as Register.com and DomainDirect that sell domain names and send the results to Verisign to be included in the master database.
In reality, there's little that ICANN can do on its own to boost security: It has little legal authority to compel the root server operators, Verisign or discount-domain-name registrars to follow its policy advice. It has no power to set technical standards, which is the province of the technologists who gather at Internet Engineering Task Force meetings.
Instead, ICANN has resigned itself to a kind of advisory role, at least for now.
"One of the most important things the meeting is going to do is to raise awareness among people," said Andrew McLaughlin, ICANN's chief policy officer. "Part of this is to say to managers, this stuff really matters. You have to take it seriously."
This week's speakers include Steve Bellovin, an AT&T fellow and one of the Internet's most respected engineers, John Tritak, the director of the U.S. government's Critical Infrastructure Assurance Office and a panel comprised of the root-server operators.
One group of businesses over which ICANN does have some control is the set of registrars that sell domain names. Last week, ICANN proposed a so-called data escrow agreement that would preserve customer information in case of a catastrophic business failure or terrorist attack.
"It's a pretty good system, but there are a lot of things that people could improve," said ICANN's McLaughlin. "Operational practices, technical deployments -- management doesn't always get things right."
Verisign's Network Solutions unit is by far the most important link in the domain name chain. It operates the "A" and "J" root servers, which provide master name information to the 11 other computers in the system, in addition to maintaining the dot-com-net-org database.
Michael Aisenberg, Network Solution's director of public policy, rattled off a list of security precautions: biometric-verified access to server rooms, backup power supplies, redundancy, different types of hardware and software, and multiple Internet links.
Since Sept. 11, Aisenberg said, "we've been visited by a wide range of security officials from government agencies" who want to ensure that the Internet will be protected against al-Qaida or domestic threats.
Aisenberg seems to think that ICANN is doing the right thing, stating "they have the role of a bully pulpit ... calling attention to security responsibilities." But, Aisenberg pointedly noted, Network Solutions' "security responsibilities come from its contract with the Department of Commerce," not its relationship with ICANN.
Rick Forno, a top security official at Network Solutions until earlier this year, said "the Internet, in and of itself, for the most part, is pretty secure physically."
"However, there are some areas where you could probably bring it down," Forno said. "The Baltimore fire a few months ago was a prime example. The train fire in the Baltimore tunnel essentially shut down the East Coast for a few hours.
"Security is in the hands of companies that are charged with maintaining those registries," said Forno, who's currently the chief technologist at Shadow Logic in Virginia. "ICANN's role should be of advice and oversight, but not getting into the operational aspects of security. My concern is that there are very few if any people that have any security experience on the ICANN board."
One exception is Karl Auerbach, a Cisco engineer elected to the ICANN board last year, who has proposed an extensive set of security fixes, including a complete mirror of the domain name system (DNS) with duplicate data for use in emergencies.
"The stability of the Internet, its resilience against attack, and its ability to recover after a catastrophe, would be vastly improved if DNS were to have the redundancy offered by multiple roots," Auerbach said.
Auerbach also recommends a monitoring system to detect possible disruptions, a focus on blocking denial-of-service attacks, and backup copies of databases "stored in multiple locations that are at least 250 kilometers apart."
Michael Froomkin, a University of Miami law professor who's become an ICANN watchdog, says he can't figure out why ICANN would junk its agenda for the three-day security event.
"Why you have to hijack the annual meeting for this, I do not know," said Froomkin, who edits icannwatch.org. "ICANN meetings may be a useful place for people interested in this to meet, but it's not clear to me that it's a core function. Certainly it shouldn't be allowed to completely or near-completely displace things that we should be talking about."
Last Friday, the American Civil Liberties Union wrote a letter to ICANN protesting its decision to prevent the distribution of "materials in the meeting area" except by sponsors -- who had to pay fees starting at $5,000. ICANN backed down later that day.
