The Compromised Network We All Connect To
In June I participated in the ICANN meeting in Helsinki, Finland. My goal as a member of the At-Large Advisory Committee (ALAC) at these meetings is to get the "best deal" for all users of the global network. The Internet Corporation for Assigned Names and Numbers (ICANN) manages the underlying policy and technical infrastructure of the Domain Name System (DNS) by coordinating the resources that map domain names to IP addresses, which is what makes a name reachable as a website. As an ALAC member, I am responsible for relaying the state of things to the user at large, which I am doing here. At the end of this blog I list three specific projects I have launched with the intent of addressing the problems documented below. Feel free to contact me about any of these initiatives. So, why focus on ICANN? Two reasons: 1) ICANN is the top-level policy developer, and decisions made there affect everyone below; 2) ICANN is supposed to be a bottom-up consensus organization, which means smart and concerned people have a say in how policy is drafted and implemented.
In a 2014 interview with the Washington Post I said "ICANN has not really been a good steward [of the Internet]". I would only change my statement now to be more specific: ICANN has not been a good network administrator. This relates directly to the way ICANN sees itself and constantly couches its role as that of a "purely technical coordinator". In the role ICANN occupies, the Internet is lacking an effective administrator. Leadership and guidance are missing at a crucial point in the Internet's (and our civilization's) history. Multiple things are happening at once, including the full transition of the Internet's management to ICANN and the creep of the "Internet of things" into the fabric of our existence.
The Horrible State of Things
Check Point (checkpoint.com) reported in July that up to 85 million Android devices were infected with malware that generates fraudulent click-through advertising revenue. Forbes previously published that 30,000 websites are hacked every day. StopBadware (stopbadware.org) reports over 3 million infected websites. Sucuri research (sucuri.net) demonstrates that these infections come from the very software webmasters use to deliver content, software that is often supplied by their own service providers.
I often ask people a simple question: Do you think the Internet is a safe place to conduct business? The answer is always no. The reasons are obvious to anyone who pays attention. So why use it then? There's no choice. The world is fully immersed in the Internet and there is no way back to the beginning to re-create it from scratch. While the Internet is insecure, it does not have to be. Cybersecurity now builds increasingly complex layers to protect data and services from the infested swamp we are all floating on. It stays infested because we accept the risk and keep using it without serious complaint.
There should be no doubt that cyberspace has also been weaponized. U.S. elections are the most recent and controversial target, but this is not new by any measure. Attempts to disrupt international politics are normal; the concern is that there seems to be no top-level agenda to address open cyberwar. It is ironic, because the complaint for years has been that the U.S. controls the Internet, yet the truth is that there is no control. As real-life global security captures the news cycle, issues of digital security, privacy, and consumer protection have been jettisoned from the high-level debate. Digital insecurity is forcing the debate anyway, but without a coherent response on sound cyber policy. Beyond various government failures to address Internet issues in a pragmatic way that protects consumers and businesses, real control of the Internet is being swallowed by a handful of monopolies who also lack the trust of consumers and have sketchy records on privacy. This situation is detrimental to innovation, the free market, and free speech. Additionally, our banks are targeted, our businesses are compromised (see PCWorld: Almost half of US businesses hit by ransomware), and consumers are left in the lurch. Identifiable commercial entities play a huge role in the problem.
First, there are a number of things which are fundamentally wrong with the Internet structure. The Internet was designed for connectivity and flexibility, not security and privacy. Craig Timberg at the Washington Post has written an excellent series of articles about the overall issues entitled NET OF INSECURITY (parts: 1, 2, 3, 4, and 5), which deals with a number of technical problems with the Internet. In The Death of the Internet Markus Jakobsson puts forward serious fraud issues which erode trust in the Internet. The "death" comes in the increasing trend to ban "all" of something: all advertisements, an entire class of software, or all domain names of a certain type. Soon, it is no longer a globally open network. The Internet is not going away, but it can morph easily from something annoying into something fractured and less effective. The borderless electronic world may transform into a gated, highly regulated, and more expensive structure. I would like to avoid this by making some commonsense adjustments to the existing environment.
Whenever ICANN is posed with questions about the issues above, it resorts to lecturing the questioner on its "limited capacity" as a technical coordinator. I have written generally about ICANN's problems previously (see: Internet Compliance is Just a Rumor, Internet Limbo, and Stuck in ICANN's Oubliette). More recently, I have written about the more specific issue of narcotics traffic on the Internet (see: Online Narcotics Traffic). Manufacturing, marketing, sale, and distribution of narcotics are all illegal, yet this traffic is pervasive and open on the Internet, run by commercial entities located in actionable jurisdictions. The question I will address here concerns the conditions which allow this to happen rather than the condition itself. The issue of Internet narcotics traffic is interesting on its own merit but is used here to illustrate a point which is true of the entire Internet architecture. Let me be clear: I do not want ICANN making decisions about Internet content.
ICANN as a Network Administrator
Network administration classically involves four areas: designing the network, creating the network, maintaining the network, and then expanding it. One of the core functions of network maintenance is network security, which makes up much of the day-to-day activity of the administrator. As for the other three areas, building security into design, creation and expansion should be part of the work. The primary objective of security is authentication. Authentication exists on many levels: who uses resources, who accesses data, who modifies data, who adds or modifies processes, ad infinitum. Security flaws are ultimately about a lack or failure of authentication. While security has traditionally been about protecting the castle, the idea of a castle, in the sense of a protected network, no longer exists on the Internet. Physical servers are rapidly moving out of organizations into cloud services, and no network truly operates in an isolated state.
When confronted with issues of abuse and criminality, ICANN goes to pains to explain it is "just the technical manager of the Internet". So in its role as manager, how has it done on authentication? Authentication on a single network is about determining the identity of users or processes. Authenticated users are authorized to perform certain functions, including authenticating other users and processes. In most organizations this is a shared responsibility between human resources, a department manager, and the IT staff. If authentication is not taken seriously and monitored over time, the entire organization is at risk.
On the Internet, ICANN delegates this authentication to contracted parties (registrars and registries). The contracted parties then authenticate who places a website in the Domain Name System. In 2008 I documented dozens of ICANN registrars who did not disclose their business address publicly. This led to the revelation that there was no contractual obligation for a registrar to post its location. The contract was amended following a push from the community; however, many registrars were allowed to renew their contracts without first complying with the new condition. Beyond a failure to disclose real locations, many registrars simply use a P.O. box as an address. In more specific cases, like OnlineNIC, the true location has been a subject of debate for years (are they in the U.S. or China?) with ICANN refusing to address the concern directly. This general issue of authentication leads to more serious issues, like the outright approval of criminals as contracted parties. This again seems a matter of contract, since ICANN did not conduct criminal checks of its contracted parties until 2011. This failure allowed a number of illicit parties to become registrars, use their control to make money through the domain name system, and extend the reach of various abusive activities. The point is that all of this occurred a decade after ICANN was given oversight.
Open Opioid Traffic as Evidence of Failure
Hacks and attacks on the Net grab headlines. Daily illicit Internet traffic quietly builds revenue for criminals. Last semester I led my undergraduate students in a research project to evaluate the ease with which one could find illegal opioids for purchase on the Internet (results are published here). There are, of course, a number of fascinating details within the final report, but the general findings are that dangerous opioids are easy to get and the websites are sponsored mostly by providers in the United States, where this activity is patently illegal. The opioid crisis in the U.S. is real and Internet poison peddlers are taking advantage of the situation. In the last three months I presented these findings at a number of venues: the Massachusetts Association of Crime Analysts (MACA), the New England Narcotic Enforcement Officers Association Training Conference, the High Technology Crime Investigation Association (HTCIA), and of course at ICANN56. The report has since been cited by the National Association of Boards of Pharmacy in their July 2016 report on opioids and discussed on Dr. Drew Radio.
How does this connect with ICANN? Consider one of the most prominent opioid websites, "drugs-order.net", which sells Hydrocodone, Vicodin, Percocet, and OxyCodone without a prescription and without posting its pharmacy information, all clear violations.
This website is registered through an ICANN registrar in the U.S. The domain is registered using a garbage list of meaningless data claiming to be in the United Arab Emirates, with unverifiable local data in Italy. In essence, ICANN's authorized agent has not authenticated this illicit commercial operation. The system fundamentally fails in the same way for every phishing, counterfeiting, knockoff merchandise, and fraud site on the Internet. It is a basic lack of control and due diligence.
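As an added illustration (this is example code written for this edit, not anything from the original post, from ICANN or from any registrar), here is the kind of sanity check an investigator can run over a WHOIS registrant record to catch data that obviously was never verified: a phone calling code that contradicts the stated country, a P.O. box in place of a street, placeholder values, and a keyboard-mashed email. The record it checks is constructed for the example and is not the real record of drugs-order.net or any other domain; it assumes the ICANN-style "Registrant Field: value" layout and uses a deliberately tiny calling-code table.

```python
# Added example (not code from the original post): sanity checks over a
# WHOIS registrant record to flag data that was never authenticated.
# SAMPLE_RECORD is CONSTRUCTED for this example and is not the real record
# of any domain. Field names follow the ICANN-style "Registrant X:" layout
# (assumption), and CALLING_CODES is a tiny subset of the ITU table.
import re

SAMPLE_RECORD = """\
Domain Name: example-pharmacy.invalid
Registrant Name: John Doe
Registrant Organization: N/A
Registrant Street: P.O. Box 12345
Registrant City: Dubai
Registrant Country: AE
Registrant Phone: +39.0612345678
Registrant Email: asdfgh@example.invalid
"""

# ISO 3166 country -> ITU calling code (assumed subset for the example).
CALLING_CODES = {"AE": "971", "IT": "39", "US": "1"}

# Common placeholder values, P.O. box spellings and keyboard walks seen in
# garbage registrant data.
PLACEHOLDER = re.compile(r"^(n/?a|none|null|-+|x+|test)$", re.IGNORECASE)
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s*office\s*box)\b", re.IGNORECASE)
KEYBOARD_WALK = re.compile(r"(asdf|qwer|zxcv|1234)", re.IGNORECASE)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; later duplicates overwrite earlier ones."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def phone_country(phone):
    """Map a phone number to the country of its calling code, or None if unknown.

    WHOIS normally stores numbers as '+CC.subscriber'; when that layout is
    absent, fall back to a longest-prefix match on the bare digits.
    """
    m = re.match(r"\+?(\d{1,3})\.", phone)
    if m:
        code = m.group(1)
    else:
        digits = re.sub(r"\D", "", phone)
        code = next((c for c in sorted(CALLING_CODES.values(), key=len, reverse=True)
                     if digits.startswith(c)), None)
    for iso, cc in CALLING_CODES.items():
        if cc == code:
            return iso
    return None


def check_record(record):
    """Return a list of human-readable inconsistencies found in the record."""
    findings = []
    country = record.get("Registrant Country", "").upper()
    phone_cc = phone_country(record.get("Registrant Phone", ""))
    if country and phone_cc and phone_cc != country:
        findings.append(f"phone calling code is {phone_cc} but stated country is {country}")
    if PO_BOX.search(record.get("Registrant Street", "")):
        findings.append("street address is a P.O. box, not a physical location")
    for field in ("Registrant Name", "Registrant Organization",
                  "Registrant Street", "Registrant City"):
        value = record.get(field, "")
        if not value or PLACEHOLDER.match(value):
            findings.append(f"{field} is empty or a placeholder: {value!r}")
    local_part = record.get("Registrant Email", "").split("@")[0]
    if KEYBOARD_WALK.search(local_part):
        findings.append(f"email local part looks keyboard-mashed: {local_part!r}")
    return findings


if __name__ == "__main__":
    # The constructed record trips four of the checks.
    for finding in check_record(parse_whois(SAMPLE_RECORD)):
        print("FLAG:", finding)
```

None of these checks proves fraud on its own; a mismatch between the claimed country and the phone prefix is exactly the kind of thing a registrar could have caught at registration time and did not, which is the point of the paragraph above.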
So, people are selling drugs on the Internet, how is this connected to the greater security issues? The proprietors of illegal online opioids are using fraud, identity theft, hacking, spam, website compromises, and malware, as well as enabling rogue service providers in their operations. Illegal systems are supported underneath by other illegal systems.
Opioids are, of course, just one example. Recently, dozens of people in New York were hospitalized after using "K2" or "Spice", a banned synthetic drug. These synthetic drugs are available from similarly illicit sites (these three top search sample links show where the sites are sponsored, not the sites themselves: theofficialk2incense, synthetic incense, spice4fun).
Many reading this will automatically say: "Hey! It's not ICANN's job to police the Internet for drug trafficking!" Agreed wholeheartedly, but it is ICANN's job to police the conditions that make illegal commerce easy for criminals. It is far more lucrative for criminals to operate within the existing system than around it. From the criminal perspective, the global network functions flawlessly. We need to make this more difficult by closing gaps and properly enforcing existing policy.
Specific Issues at ICANN
So, what prevents ICANN from effectively making the Internet a safer structure? I have identified three major issues which are impacting the organization.
1. ICANN Lacks an internal culture of trust
Within the organization there is a trust issue among employees (what others have described as "dysfunctional" or a "culture of fear"). Over the years I have worked with some fantastic and professional ICANN employees, many of whom were fired or reported attempts at intimidation. ICANN touts transparency, but the various mechanisms for achieving it have failed. The new CEO must build a culture of trust within the organization, a common but important staff function, if collaboration with the broader Internet community is to succeed. A proper internal culture of trust will flow out from the organization to all of its various partners. I have spoken directly to the ICANN CEO about this grave need.
2. ICANN has criminals among its contracted parties
This is a controversial issue but should not be in dispute as fact (For evidence read any of these articles: 1, 2, 3, 4, 5, 6, 7, 8...the worst is yet to come...). Various entities granted large swaths of control on the Internet use access to target businesses and consumers. This cannot be allowed to continue.
3. ICANN has no consumer/end-user agenda
ICANN is a non-profit public benefit company whose mission statement states in part: "(3) This Corporation is a nonprofit public benefit corporation and is not organized for the private gain of any person...The Corporation is organized, and will be operated, exclusively for charitable, educational, and scientific purposes ... pursue the charitable and public purposes of lessening the burdens of government and promoting the global public interest...etc AND (4) The Corporation shall operate for the benefit of the Internet community as a whole". The organization has not in fact been executing this mission. In March I released a report entitled Internet Limbo which explains how the current scope of Internet abuse and criminality is directly attributable to a lack of consumer focus.
Follow-up Actions
In order to address the above I have started working on the following items:
A. Analysis and Disclosure: I will continue to apply a fundamental review of the way ICANN manages the global network. Next week I will be releasing a number of reports on ICANN contracted parties who either need to change their behavior or be removed. This will not be easy by any stretch, but it is important. To provide a specific example, in March I released a report which showed 10 out of the 25 most abused registries were owned by one ICANN contracted company: Famous Four Media. We need to understand why this is the case. Ongoing monitoring of the parties authorized to grant authentication in the DNS is required.
B. Process Changes: At the Helsinki ICANN meeting I initiated a number of proposed reforms I'm generally calling a "Consumer Focused Agenda". The specifics include 1) A process that ensures the intent, benefit, or possible impact on the consumer of any ICANN project or expenditure is established before work begins (the "Preamble Principle"); 2) Reorganization of the ICANN compliance function; 3) Direct messaging to the consumer by the top policy body; 4) Due process for disputes; and 5) In-Fact Reviews of Internet Use. The details of this agenda are here and may change as debate shapes the final proposal.
C. Publishing an Investigators Guide: In November 2015 Wiley published my book WHOIS Running the Internet? which is a detailed technical, political and historical documentation of the Internet's record system. The fundamental principle of this text concerns trust in communication through disclosure. I am developing a purely "how to" companion guide for this text that will help investigators better understand the real origin of events.
In summary, yes, the Internet works on a functional technical level for moving bits, but this is only part of the job. The underlying structure is an unaccountable den of snakes we have to tiptoe through.
Comment (8 years ago): "So, people are selling drugs on the Internet, how is this connected to the greater security issues? The proprietors of illegal online opioids are using fraud, identity theft, hacking, spam, website compromises, and malware, as well as enabling rogue service providers in their operations. Illegal systems are supported underneath by other illegal systems." You are pinpointing the overlap of two different domains of crime with each other. Excellent analysis, and the consequence of it is obvious for many, but there is very little movement. I appreciate your persistence on this topic.