By Eric Beasley
Every once in a while I decide to delve into some national, in this case international, issue to bring a little clarity to our readers. The only time I do this is when I have some background in the issue which makes whatever I say relevant and meaningful.
I’ve actually tried to write this article like 3 times over the past month. It’s hard to explain ICANN, DNS, and the entire Internet in simplistic terms. There will be gaps that I skip due to simplification limitations. But I can tell you, the Internet is not in a little black box.
On October 1st, control of Domain Name Service (DNS) is going to be handed over to ICANN, an international non-profit organization that presently handles IP address assignments, top-level domain assignments, protocol identification and the main DNS pool.
Likely, that paragraph makes no sense to you. So let’s break this down:
As many of you know, the internet as we know it was created through a DARPA grant before I was born. Under strict government regulation, very few people and organizations could actually connect to it, generally DoD and university types. Over the years, the internet has been deregulated and privatized (dirty words to big-government liberals). This deregulation and privatization is what made the internet into the behemoth of commerce and information that it is today.
For the internet to function, there are multiple background processes which have to be managed in order to create a simple user experience. One such function is that certain computers need to have a static IP address, the numerical identifier that lets Computer A talk to Computer B. Second, a human-readable domain name has to be translated into that numeric form (preferred by machines), like converting www.aminerdetail.com to 22.214.171.124.
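To make the name-to-number step concrete, here is an added example (mine, not the article's) of the DNS message a stub resolver sends when it asks for an A record, and of the parsing of the reply. The reply is constructed inline rather than fetched, so it runs offline; www.example.com and 192.0.2.10 are documentation-reserved values used as sample data. Note what the parser can and cannot check: it verifies that the reply's 16-bit transaction ID matches the query, but a plain DNS answer carries no proof that the name-to-address mapping is genuine.

```python
"""Minimal DNS A-record query builder and response parser.

Added example, not code from the original article. The response is built
locally (constructed sample data) so the round trip runs without a network.
"""
import struct


def encode_name(name: str) -> bytes:
    # "www.example.com" -> b"\x03www\x07example\x03com\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    # Header: id, flags 0x0100 (standard query, recursion desired), 1 question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(msg: bytes, off: int):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return (txid, rcode, [(name, ipv4, ttl), ...]) for the A records in an answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return txid, rcode, answers


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed reply: echo the question, set QR/RD/RA, append one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(p) for p in ipv4.split("."))
    # 0xC00C = pointer to offset 12, where the question name starts
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def txid_matches(query: bytes, response: bytes) -> bool:
    # The transaction id is the only field tying a reply to the query that caused it.
    return query[:2] == response[:2]


def resolve_offline(name: str, ipv4: str, ttl: int = 300):
    query = build_query(name)
    response = build_response(query, ipv4, ttl)
    if not txid_matches(query, response):
        raise ValueError("response does not belong to this query")
    return parse_response(response)[2]


if __name__ == "__main__":
    print(resolve_offline("www.example.com", "192.0.2.10"))
```

The compression pointer (`0xC00C`) is the same trick real resolvers and servers use to avoid repeating the name in every record, and it is where many hand-written parsers go wrong, so the decoder handles it explicitly.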
I came across this letter today, signed by some retired flag officers, politicians, and the Military-Industrial Complex. I wanted to break down the entire letter and debunk some of the nonsense they included in the letter.
As individuals with extensive, first-hand experience with protecting our national security, we write to urge you to intervene in opposition to an imminent action that would, in our judgment, cause profound and irreversible damage to the United States’ vital interests.
The list of signatories is long. I was unable to identify any individual on this letter who has an actual technical background in information technology. These are all high-level policy wonks, with lots of theory but no practical experience applying it. I’d bet a dollar that if you sat any of them in front of a Kali Linux terminal and told them to take down a website they’d be lost in the sauce.
On October 1st, the contract between the Commerce Department’s National Telecommunications and Information Administration (NTIA) and the Internet Corporation for Assigned Names and Numbers (ICANN) will expire. Upon expiration, the President will allow the Government’s remaining control over the Internet to transfer to ICANN. This includes the Internet Assigned Numbers Authority (IANA) function and NTIA’s review of all Internet Protocol addresses and authorization for them to be placed on the authoritative root server (the A Server). In simple terms, nothing now is accessible on the Internet until it has undergone an IP address assignment and NTIA review and NTIA has authorized Verisign to post the address to the A server.
They left out a lot of important details here:
- Traditional IP addresses are also called IPv4. This is the format that you saw above: four numbers separated by periods, each number being 255 or less. This address space has been completely filled, purchased by various companies and entities. All ~4 billion addresses are filled. That’s why, a few years ago, they created IPv6, which has a theoretical limit of over 340 undecillion addresses. Since you’ve likely never heard that number, typed out it’s 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses. We will not run out of addresses anytime soon.
- It literally takes 20 minutes to get an IP address and a DNS record added to an authoritative root server. That’s how long it takes for DNS to synchronize worldwide. There are no delays; this part is merely fear-mongering.
The IANA function is critical to our nation’s ability to effectively defend our national assets and civilian population and ensure integrity in our cyberwarfare capabilities. As Congress has considered this transfer of authority, it has stated that ICANN should ensure that .mil and .gov remain exclusive to DoD and that all IP addresses assigned to DoD are used exclusively by the Government. That ignores the fact that DoD is reliant upon private sector critical infrastructure for its operations, and the integrity and security of the IP addresses associated with these assets are equally important to the protection of the American people.
Military and government domain names are not in any danger. You want to know why? Because the foreign governments that they are so afraid of using ICANN for malicious purposes have the exact same concerns. Russia and China do not want their official government domains hijacked any more than we do. Nor do they want their classified military network traffic, which is routed over civilian transmission routes, hijacked and decrypted.
But also ask yourself a simple question: “if the information is so critical, then why is it being sent over the civilian internet?” It’s not complicated to create your own internet; private networks exist all over the world which have no access to the internet. Hell, I have one in my own home. Why doesn’t the DoD keep its private and classified network traffic on private and classified networks?
In the absence of U.S. Government involvement in IANA, it seems possible that, over time, foreign powers – including potentially or actually hostile ones – will be able to influence the IANA process. Even coercing the delay in approving IP addresses could impact military capabilities.
As I said above, there are no more available IPv4 addresses. If this is such a concern, all the military has to do is reserve the address space that they need. For a mere $256,000, the military could reserve 1,152,921,504,606,847,000 addresses, more addresses than exist right now in IPv4.
That’s not to mention multiple technologies which exist to allow multiple devices to access the internet using one IP address, like Network Address Translator (NAT). Sounds complicated, right? Not so much: your home router uses NAT to access the internet. Every device in your home shows as having the same public IP address.
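Here is an added example (mine, not the article's) of the bookkeeping a home router does for NAT: several hosts on a private RFC 1918 network share one public IPv4 address, each outbound flow gets its own public port, and inbound packets only reach an inside host that opened a matching flow first. All addresses are constructed sample data: 192.168.1.0/24 for the home LAN, and the documentation-reserved 192.0.2.1 (the router's public side), 198.51.100.7 (a server) and 203.0.113.5 (an unrelated outside host).

```python
"""Toy NAT (port-address translation) table.

Added example, not code from the original article. Addresses are constructed
sample data drawn from RFC 1918 and the documentation-reserved ranges.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for the private ranges that a home LAN normally uses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class Nat:
    """One public address, many inside hosts; each flow gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        if is_rfc1918(public_ip):
            raise ValueError("public side of the NAT must not be an RFC 1918 address")
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}  # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.in_table = {}   # public_port -> (inside_ip, inside_port, dst_ip, dst_port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an inside->outside packet; returns the header as the server sees it."""
        if not is_rfc1918(src_ip):
            raise ValueError("only inside hosts are translated")
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self.out_table.get(key)
        if port is None:  # first packet of this flow: allocate a fresh public port
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """Map an outside->public_ip:dst_port packet back to the inside host.

        Returns None (drop) when no inside host opened a matching flow, which is
        why hosts behind NAT are not directly reachable from the internet.
        """
        key = self.in_table.get(dst_port)
        if key is None or (key[2], key[3]) != (src_ip, src_port):
            return None
        inside_ip, inside_port, _, _ = key
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    nat = Nat("192.0.2.1")
    a = nat.outbound("192.168.1.10", 50000, "198.51.100.7", 443)
    b = nat.outbound("192.168.1.11", 50000, "198.51.100.7", 443)  # same inside port, other host
    again = nat.outbound("192.168.1.10", 50000, "198.51.100.7", 443)  # existing flow reuses its port
    reply_b = nat.inbound("198.51.100.7", 443, b[1])
    stray = nat.inbound("203.0.113.5", 443, a[1])  # nobody inside talked to this host: dropped
    return a, b, again, reply_b, stray


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The server at 198.51.100.7 sees both inside hosts as 192.0.2.1 and tells them apart only by port, which is exactly the "every device shows the same public IP" behaviour described above.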
From a broader view, given the well-documented ambition of these actors to restrict freedom of expression and/or entrepreneurial activity on the Internet, such a transfer of authority to ICANN could have far-reaching and undesirable consequences for untold numbers of people worldwide.
More fear-mongering. The Internet in the US is so complex that there is no feasible way to censor or restrict access. The countries where you hear about censorship designed their networks with a single point of failure, meaning that censorship devices can be placed at this single point to block everything. That’s not to mention that technology exists to bypass these restrictions, like Tor and Virtual Private Networks (VPNs).
Of more immediate concern to us, however, is the prospect that the United States might be transferring to future adversaries a capability that could facilitate, particularly in time of conflict, cyberwarfare against us. In the absence of NTIA’s stewardship, we would be unable to be certain about the legitimacy of all IP addresses or whether they have been, in some form or fashion, manipulated, or compromised. Given the reliance of the U.S. military and critical infrastructure on the Internet, we must not allow it to be put needlessly at risk.
This paragraph is what really told me that the signatories do not understand IT security:
- Even with NTIA being in control of DNS, there is no way to know from a domain name whether or not a server has been compromised. How many hacks has the US Government experienced in the last year with NTIA in charge? Too many to count anymore: DHS, State, OPM, etc.
- Authoritative DNS can be hacked. It’s no different than any old server on the internet. With the resources of a Nation-State, this worst-case-scenario is not only plausible, but likely, in the event of a full-scale war.
Indeed, there is, to our knowledge, no compelling reason for exposing the national security to such a risk by transferring our remaining control of the Internet in this way at this time.
In light of the looming deadline, we feel compelled to urge you to impress upon President Obama that the contract between NTIA and ICANN cannot be safely terminated at this point. At a minimum, given the irreversible character of this decision and its potential for grave and enduring harm to our national security and other vital interests, the decision should be delayed.
This is what it comes down to. The Internet is not going to be censored, Saudi Arabia is not going to be censoring the Internet, and the concerns expressed about this deregulation and privatization are not grounded in the reality of Information Technology.