Minutes | Board Technical Committee (BTC) Meeting | 1 April 2020
Board Member and Liaison Attendees: Harald Alvestrand, Rafael Lito Ibarra, Merike Käo, Akinori Maemura (Chair), Kaveh Ranjbar, and Tripti Sinha.
Other Board Members in Attendance: Avri Doria and Nigel Roberts.
ICANN Organization Attendees: Adiel Akplogan (Vice President for Technical Engagement), Susanna Bennett (SVP Chief Operating Officer), Michelle Bright (Board Content Coordination Director), Franco Carrasco (Board Operations Specialist), James Caufield (VP, Risk Management), David Conrad (Chief Technology Officer), John Crain (Chief Security, Stability & Resiliency Officer), Dan Halloran (Deputy General Counsel), Linna Hsii (Counsel), Vinciane Koenigsfeld (Senior Director, Board Operations), Matt Larson (VP, Research), Erika Randall (Associate General Counsel), Ashwin Rangan (SVP Engineering & Chief Information Officer) and Carlos Reyes (Strategic Policy Planning Director).
The following is a summary of discussions, actions taken and actions identified:
Approval of Minutes – The Committee approved the Minutes of the 5 February 2020 meeting.
Zoom: Mitigation of Security Challenges – The SVP of Engineering and Chief Information Officer (CIO) engaged in a discussion with the Committee about steps ICANN org is taking to review and address certain security challenges identified in recent news articles relating to Zoom. The discussion focused on password practices, data collection, and traffic encryption.
The CIO noted that Zoom includes various password settings to mitigate the possibility that uninvited guests, including bad actors, intrude into a Zoom session and display objectionable material (i.e. "Zoombombing"). For example, hosts can set up a Zoom session by invitation and protect it with a password so that only those individuals given the password can enter the room. Another option is to have the meeting participants wait in a waiting room until the host opens the room and individually accepts each participant into the meeting. The sessions that are more difficult to protect are the open sessions, which by their nature cannot be password protected. One Committee member suggested the use of Zoom Video Webinar, which allows for a one-way broadcast. While this feature has been considered, a decision has yet to be made, as additional input from the Supporting Organization (SO) and Advisory Committee (AC) leaders is needed. Another Committee member suggested developing a set of policies around the use of Zoom to address some of Zoom's technical limitations.
The CIO also highlighted the steps ICANN org was taking to discuss with Zoom its data sharing and encryption practices following recent news articles on these topics. A Committee member expressed concerns with the lack of clarity surrounding what data was actually shared with Zoom, and the Committee discussed other considerations around Zoom's data collection. The CIO informed the Committee that ICANN org was able to obtain an updated version of the software that addresses the data sharing and encryption concerns.
- The SVP of Engineering and CIO to continue discussions with the SO and AC leaders about how to support public Zoom sessions.
BTC Input & Assessment of the Draft Continuity & Workplan for the Board – The Committee Chair highlighted that the Board as a whole is preparing continuity plans in light of the COVID-19 pandemic. The Chair provided the Committee with an overview of the portion of the continuity plan related to the Board Technical Committee, which includes plans for what would happen if the Committee Chair became incapable of fulfilling his role.
The Committee engaged in a discussion about the continuity plans in relation to Board priorities under the purview of the Committee. The Chief Technology Officer (CTO) provided an update on the plans to expand the number of ICANN Managed Root Server (IMRS) clusters. He noted that plans to deploy a cluster in Singapore had been put on hold due to challenges in travel and logistics. ICANN org will continue to deploy IMRS singles and is in the process of preparing papers on both hyperlocal (the pros and cons of hyperlocal) and root zone distribution.
The Committee also discussed the delays of the DNS Security Facilitation Initiative Project due to challenges identifying a chair (since resolved) and participants in the technical steering group for the project. The Committee concluded its discussion of Board operational priorities with an update on the DNS ecosystem security assessment, which is on hold pending similar work being performed by SSAC.
The Committee also discussed a backup plan for falling below the critical limits of quorum.
- The CTO to send the Committee a short paragraph with updates on 1) the expansion of the IMRS clusters; and 2) projects associated with the IMRS strategy.
- ICANN org to provide the Committee with advice on next steps if the Committee falls below the critical limit of quorum.
DNS Abuse and COVID-19: Project Asclepius – The Chief Security, Stability & Resiliency Officer provided the Committee with a briefing about Project Asclepius. With COVID-19 increasingly becoming a lever for DNS abuse, including malware and phishing, Project Asclepius is focused on identifying and classifying domain names that are misusing COVID-19 related terms and keywords. While the project is in its early stages, it is developing quickly. The idea is to generate a list of names potentially used for DNS abuse that can be passed to contracted parties, who can take appropriate action. The briefing provided an overview of the process for identifying the potentially abusive domain names, which includes assessing the list of domains against multiple high-confidence threat intelligence sources to determine whether or not they are involved in phishing and/or malware distribution. Once the list is whittled down, it goes through human assessment in an effort to avoid false positives as much as possible.
The Chief Security, Stability & Resiliency Officer reported that the system is being tested internally to ensure the highest confidence levels in the information being shared. He also provided some initial feedback on results of the analysis and noted that ICANN org continues making improvements to the process in each iteration.
- The Chief Security, Stability & Resiliency Officer to follow up with Committee member Tripti Sinha regarding questions that she did not get an opportunity to raise during the meeting and share these discussions with the rest of the Committee as necessary.
The Chair called the meeting to a close.
Published on 5 June 2020