[Ssr2-review] ICANN Board's Input and Comments to ICANN SSR Subteam Scope of Work for Second Security, Stability, and Resiliency Review Team (SSR2)

[Registrar]

Subject: ICANN Board's Input and Comments to ICANN SSR Subteam Scope of Work for Second Security, Stability, and Resiliency Review Team (SSR2)

Date:  6 October 2017

From:  Denise Michel and Eric Osterweil, Co-Chairs, SSR2

To:  Steve Crocker, Chair, ICANN Board of Directors

Cc:  Cherine Chalaby, Vice Chair, ICANN Board of Directors

Dear Steve,

As Co-Chairs of the second Security, Stability and Resiliency Review Team (SSR2), we are responding to the Board’s letter of 3 October. Several of our members are currently or shortly to be in transit to Los Angeles for the scheduled fact-finding workshop with staff on October 9-10.  Our response is therefore brief at this stage; we intend to follow this letter with more discussion after the workshop and additional correspondence.

The SSR2 gains its mandate from ICANN’s new Bylaws<https://community.icann.org/display/SSR/Mandate>, adopted following the IANA transition. SSR2 is one of the required “community reviews” that are intended to provide increased accountability and transparency of ICANN to its community for key aspects of ICANN’s performance of its mission, through independent reviews performed by volunteers from across ICANN’s diverse community.

The SSR2’s terms of reference<https://community.icann.org/display/SSR/Terms+of+Reference> (TOR), adopted on 4 May 2017, are closely modelled on the language of the ICANN Bylaws, which mandate community reviews, and follow the template provided by ICANN Staff and used by previous review teams. Those terms of reference were discussed by the entire Review Team and adopted by majority consensus, have been publicly available since 4 May 2017, and were communicated to the Board by email by the SSR2’s Co-Chairs on 11 May 2017. The Review Team’s work plan<https://community.icann.org/pages/viewpage.action?pageId=64075835&preview=/64075835/69283891/SSR2%20Workplan%20gant%20chart%20Aug%202017.pdf> and timeline<https://docs.google.com/spreadsheets/d/1IUKMvoaomSqoY0quZBjdQ3cOK5Wsw2hDgBWXNZiwCms/edit#gid=569434754>, and sub-group activities<https://community.icann.org/display/SSR/Subgroups> flow from those terms of reference and also have been publicly discussed and available since their publication months ago.

The Board will note the SSR2 sub-group’s fact-finding mission at ICANN headquarters in part addresses SSR2’s obligation under Bylaws 4.6(c)(i) and 4.6(c)(iii):

4.6(c)(i) “ICANN's execution of its commitment to enhance the operational stability, reliability, resiliency, security, and global interoperability of the systems and processes, both internal and external, that directly affect and/or are affected by the Internet's system of unique identifiers…,”
and
4.6(c)(iii) “The SSR Review Team shall also assess the extent to which ICANN has successfully implemented its security efforts, the effectiveness of the security efforts to deal with actual and potential challenges and threats to the security and stability of the DNS, and the extent to which the security efforts are sufficiently robust to meet future challenges and threats to the security, stability and resiliency of the DNS, consistent with ICANN's Mission.”

This fact-finding mission also will, in part, investigate the fulfilment of SSR1 recommendations<https://community.icann.org/display/SSR/SSR1+Review+Implementation+Home> 17, 25, 26, 27, and 28, as is our explicit mandate. Moreover, the Review Team’s interest in these matters also relates to the Security and Stability Advisory Committee’s (SSAC’s) documented recommendations, and the extent to which they have been adopted by ICANN, in SAC-074<https://www.icann.org/groups/ssac/documents> [en<https://www.icann.org/en/system/files/files/sac-074-en.pdf>].

While we note the Board’s anxiety about the risks of exceeding the SSR2’s scope, it’s important to note that the Review Team adopted the following directive as part of its ToR in May (emphasis add):

The scope of the SSR2 as mandated by ICANN’s Bylaws are cast in broad terms. The SSR2 discussed the potential risk of over-reach at great length, and through majority consensus made the specific provision in its Terms of Reference as follows (emphasis added):
In order to understand the security, stability, and resiliency importance of the ICANN identifier space (the elements that are within ICANN’s authoritative scope), the SSR2 Review Team will consider the issues in its entirety including inter-connected functions.  The SSR2 Review Team may, therefore, review, discuss and seek advice from varying stakeholders in the community including those entities providing specific functions on behalf of ICANN to ensure that any recommendations provided takes into account the most complete reflection of the operational reality of ICANN.  However, the SSR2 Review Team will then focus its recommendations on those efforts, issues, policies, systems, and identifiers that are clearly within ICANN’s scope and remit.

We request more information on what seems to be the Board’s contention that responsibilities of the ICANN Organisation should be off-limits to community reviews, as that is not the understanding or position of a majority of the Review Team.

We look forward to discussing this with the full Board at ICANN 60. Meanwhile, since there is such short time remaining before the LA meeting on 9 October, and considerable time and resources have been expended by both the volunteer team members and the ICANN organisation in its preparation, we will complete that fact-finding mission.

We look forward to discussing these and related issues during the Review Team’s meeting with the Board at ICANN60 in Abu Dhabi.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ssr2-review/attachments/20171006/9a14db92/attachment.html>