VeriSign: Risk of Digital Katrina Without Proposed .Com Terms
The future of Internet security hangs on pricing and renewal provisions in proposed registry contracts with ICANN, VeriSign officials told reporters in a briefing Mon. ahead of Wed.’s Senate Commerce hearing on ICANN’s future. The registry operator has faced criticism from registrar Network Solutions -- and congressional scrutiny -- over its contract for .com, which would let VeriSign raise wholesale prices up to 7% in 4 of 6 years and includes what critics call a “presumptive” renewal clause (WID Sept 15 p1). But VeriSign disputed the “presumptive” characterization and said every registry needs a long-term incentive -- “expectancy” of renewal -- to invest in infrastructure needed for security.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The Senate Commerce hearing Wed. will feature NTIA Acting Dir. John Kneuer and FTC Comr. Jon Leibowitz. Testifying on the 2nd panel: ICANN Pres.-CEO Paul Twomey, VeriSign Chief Security Officer Ken Silva, and GoDaddy.com Gen. Counsel Christine Jones.
A 2002 cyberattack that took down 9 of 13 root servers was quickly followed by an even larger attack 2 hours later against .com itself, Silva said in the briefing: “We had already stayed ahead of that curve,” so the .com attack was largely rebuffed. But the scale of an attack in Jan. 2006 -- nearly 60 Gbps -- made the 2002 attack seem like “spillage,” he said: “We always knew that security was unpredictable… In the end you're just guessing.” VeriSign has to “build out the infrastructure many times over” just to keep up with Internet user growth and include a sufficient buffer to guard against attacks, Silva said.
Registrars have “newfound” concern over security, which is good, a VeriSign spokesman said. The compliment wasn’t backhanded, the spokesman assured -- although he had previously zinged GoDaddy over a recent security incident, bringing an indignant reaction from the registrar (WID Sept 18 p9).
The recent criticism from registrars -- that the registry contracts lack security provisions -- amounts to “lack of knowledge” at best, Silva said. The agreements are “living” documents that give ICANN and registries “flexibility” to act quickly when security risks bubble up, he said. Once ICANN’s Root Server System Advisory and Security & Stability Advisory committees agree on a “consensus policy,” those changes become binding on registry operators, the spokesman said. The memorandum of understanding between ICANN and the Commerce Dept. changes routinely as well, he added.
Registry challenges are akin to the Army Corps of Engineers’ repeated requests for funding to fortify the levees guarding New Orleans, Silva said. If it had long been certain a hurricane would hit the city, funding would have been an “easy sell,” but the Corps got money only after the hurricane hit: “That’s not the way to do business here,” he said. The spokesman added that VeriSign spent “millions more… earlier than expected” to fortify infrastructure after the Jan. attacks.
Renewal provisions are the industry standard in areas like radio frequency spectrum, Silva said, and they don’t approach creating permanent monopolies. The possibility that a registry could lose its contract when the term expired, simply because it was outbid, would mean drastic underinvestment in the time leading up to expiration, he said. “We can get fired tomorrow” from the .com contract if VeriSign fails its contractual obligations, the spokesman said.
The wholesale price for domains will top out at $7.86, assuming VeriSign raises prices as much as the contract allows, and bulk buyers can lock in lower rates now by buying several years ahead, the spokesman said. If VeriSign does raise prices, consumers must get 6 months’ notice, Silva said: “This is not a blank checkbook.” A July 17 Cowen & Co. report on VeriSign said the proposed increase “would be essentially all profit,” but VeriSign officials said they had never heard of the report.
VeriSign officials addressed other subjects likely to be taken up at Wed.’s hearing. It’s unlikely China will attempt to create its own root server, Silva said, citing failed experiments from smaller countries. The Internet works only because of “informal agreements” between countless players, and China can’t risk a backlash, he said. The split between U.S. agencies and privacy activists on the sensitivity of information accessible in the Whois database (WID July 19 p1) will probably lead to a tiering system that gives some users clearances for more sensitive information -- similar to that adopted by Lexis-Nexis, Silva said.
Network Solutions wasn’t convinced by VeriSign’s justification for its contract terms. “Flexibility to respond to evolving DNS security threats should not translate into a loss of ICANN oversight and operator accountability,” said Chief Policy Counsel Jonathon Nevett. VeriSign has more than an “expectancy” of renewal under the terms, with “repeated and material breach” of one of 3 sections of the agreement the only basis not to renew, he said. Even that remedy is within an arbitrator’s discretion, with VeriSign escaping liability if a breach is fixed within a “reasonable” time, Nevett said: “Security safeguards must be based on enforceable contractual negotiations, not mere corporate good will.”