[RSSAC Caucus] [SPAM] Re: Security Incident Reporting and c-root incident

Robert Story rstory at ant.isi.edu
Wed May 22 23:36:31 UTC 2024


On Wed 2024-05-22 19:03:58-0400 David wrote:
> To me, this was an externally visible event that impacted the planned
> activities of two TLD operators. I’d note that in the last similar
> incident, Cogent self-reported. It is surprising to me that this would not
> be considered a reportable incident. Section 4.5 speaks to severity of
> incidents. I could see an argument that this most recent incident could be
> considered a lower severity, but not reporting it would seem odd to me.

I'm not saying it shouldn't be reported, just that my personal opinion is
that in this instance it is debatable.

> It is obviously impossible to list the details of every possible scenario,
> so I’d have assumed there would be guidelines to help inform which
> incidents should be reported, e.g., “was the incident externally visible”,
> “did the incident result in sustained resolution failure”, etc. 

For both of those guidelines, they lead down rat holes. Visible to or
sustained failures for how many people?  I'll also note that at various times
in the history of the document there were such guidelines (from me and
others), but they have been pared back to be less specific over time.

> More generally, I worry that depending on self reporting of potentially
> embarrassing incidents won’t be particularly supportive of goal 5 of the
> SOW (“5. Maintain/improve confidence in the RSS by providing incident
> reporting.”) if stuff that is externally visible isn’t reported on.

I totally agree here. But this specific question for this work party is
about 'reportable security incident'. I mentioned 'informational' reporting
in an earlier email. There has also been talk about a 'transparency' report,
but again the work party has decided it's not in scope for this document.

The work party is on-going, so I invite folks to make suggestions to the
document and participate in the calls!

Regards,
Robert

USC Information Sciences Institute <http://www.isi.edu/>
Networking and Cybersecurity Division

