Skip to main content

CIIO Perspectives- Volume 3

A few weeks back, I blogged about how ICANN manages its IT assets and digital services in light of cyber-security threats. I also wrote at the time that we have engaged a globally-recognized, independent third party to annually audit ICANN's security controls, and I committed to occasionally blog about our journey.

In Buenos Aires, many of you - members of the community - met with me and my colleagues from the ICANN team. During these meetings, there were many suggestions, but the underlying theme was clear and consistent: you want to see ICANN make progress in reducing its cybersecurity risks and for ICANN to become more operationally and technically resilient.

Focusing on cybersecurity, it is common to approach cyber-risk assessments by leveraging a framework. There are numerous such frameworks, which are typically voluntarily adopted and serve as guidance, not as a one-size-fits-all prescription, and organizations customize them to best suit their needs, situation and risks. However once the customization is done, frameworks offer practices and prescriptions for organizations to implementation to achieve positive outcomes. Lastly, many frameworks enable assessors to assign some sort of a score so the organization has a numerical target to shoot for.

This is one sense of a framework. In a different sense, a framework can be likened to a window with many window-panes. It leverages existing standards, guidelines and practices, which helps organizations see all the components that make up its asset/ risk-base in one place. Given the many panes, an organization can quickly get a multi-faceted view of the asset-base, and through that view, a holistic view of the organization's cyber-risk. This also allows organizations to deep-dive into one or more panes in the window, using a set of drivers germane to the organization's context and needs. As a result, it is typical for frameworks to inform organizations as to which activities are most important to assure critical operations and service delivery. This helps organizations make informed choices on where and how best to make investments, maximizing the impact of each dollar. And lastly, frameworks also help organizations to communicate with internal and external stakeholders about the state of cybersecurity and risk in  'plain English' that everyone can understand.

ICANN's Approach

IN 2014, ICANN adopted the SANS Institute Critical Security Controls framework for cyber-defense. On the heels of adopting this framework, ICANN retained the services of Leidos, a company with a reputation for cybersecurity audits. Leidos proceeded to deliver a baseline assessment of ICANN's cybersecurity status.

In their own words, as Leidos conveyed to the management team, ICANN was 'on-par' with typical business organizations when we started. We felt happy that ICANN was not behind, but we were far from satisfied! As I have blogged previously, in one avatar, ICANN serves as a 'data depository desk' which is critical to the operations of the Internet. In this avatar, we have to be playing at the same level as the best – organizations like well-regarded financial institutions, for example.

With timely support from the Board for resources and appropriate priority trade-offs, IT started to rigorously address areas, which merited attention. As a result, in the last 12 months, many aspects of ICANN's cyber-defense were reviewed under the microscope, and efforts to bolster or remediate focused on areas, which merited the most attention. We made palpable progress in a number of different areas such as applications software, training, access controls and pen testing.

As planned, Leidos conducted its annual audit from May-June this year, and we've recently received the audit report, which I am happy to share.

Leidos 2015 Audit Report Highlights

I am pleased to say that, in roughly half the 20 factors measured, ICANN is in the GREEN zone. Equally important, ICANN is not in the RED zone in any dimension. According to the Leidos, "ICANN has dramatically improved its cybersecurity efforts over the past year, reflecting its leadership's commitment to addressing cybersecurity concerns and establishing itself as a leader in the space." Looking ahead, they anticipate that by next year when the current roadmap is finished, ICANN will be on par with world-class organizations.

In the ever-changing landscape of cybersecurity, achieving excellence is not a destination, it is a never-ending journey.  And we are committed to this journey.  We have made steps in the right direction, have a clear roadmap, and we are on our way.

As always, feel free to reach out to me at to discuss further.


    Domain Name System
    Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."