Difference between revisions of "Second Security, Stability, and Resiliency Review"

From ICANNWiki
Jump to navigation Jump to search
Line 39: Line 39:
 
After an RFP process, [[Phil Khoury]] was engaged as facilitator in June 2018.<ref>[https://www.icann.org/en/system/files/correspondence/gurnick-to-soac-chairs-05jun18-en.pdf ICANN.org - OEC letter to SOAC Chairs], June 5, 2018</ref> The review's relaunch was was announced shortly thereafter on June 7, 2018.<ref>[https://www.icann.org/en/announcements/details/second-security-stability-and-resiliency-of-the-dns-review-ssr2-restarts-7-6-2018-en ICANN.org - SSR2 Restarts], June 7, 2018</ref> The culminatoin of Khoury's involvement came in August 2018, when the review team (with five additional appointed members) met in Washington DC and worked on drafting a new Terms of Reference.<ref>[https://www.icann.org/en/blogs/details/ssr2-review-team-re-starts-on-boards-new-members-updates-terms-of-reference-5-9-2018-en ICANN.org - SSR2 Review Team Restarts]</ref> The agenda and notes from the DC meeting indicate that this was the facilitated resolution of outstanding issues and concerns that the SOAC Chairs had requested.<ref>[https://community.icann.org/pages/viewpage.action?pageId=71603683 SSR2 Workspace - August 2018 Meeting Archive]</ref> Records of Khoury's work with the review team are available largely through the SSR2 listserv archive from his appointment in June 2018 to his sharing of his draft report following the DC meeting.<ref>[https://mm.icann.org/pipermail/ssr2-review/attachments/20180910/ca98b3e3/2018_0910ReportreSSR2toSOACChairs.pdf Draft Facilitator Report to SOAC Chairs - SSR2], September 10, 2018</ref>
 
After an RFP process, [[Phil Khoury]] was engaged as facilitator in June 2018.<ref>[https://www.icann.org/en/system/files/correspondence/gurnick-to-soac-chairs-05jun18-en.pdf ICANN.org - OEC letter to SOAC Chairs], June 5, 2018</ref> The review's relaunch was was announced shortly thereafter on June 7, 2018.<ref>[https://www.icann.org/en/announcements/details/second-security-stability-and-resiliency-of-the-dns-review-ssr2-restarts-7-6-2018-en ICANN.org - SSR2 Restarts], June 7, 2018</ref> The culminatoin of Khoury's involvement came in August 2018, when the review team (with five additional appointed members) met in Washington DC and worked on drafting a new Terms of Reference.<ref>[https://www.icann.org/en/blogs/details/ssr2-review-team-re-starts-on-boards-new-members-updates-terms-of-reference-5-9-2018-en ICANN.org - SSR2 Review Team Restarts]</ref> The agenda and notes from the DC meeting indicate that this was the facilitated resolution of outstanding issues and concerns that the SOAC Chairs had requested.<ref>[https://community.icann.org/pages/viewpage.action?pageId=71603683 SSR2 Workspace - August 2018 Meeting Archive]</ref> Records of Khoury's work with the review team are available largely through the SSR2 listserv archive from his appointment in June 2018 to his sharing of his draft report following the DC meeting.<ref>[https://mm.icann.org/pipermail/ssr2-review/attachments/20180910/ca98b3e3/2018_0910ReportreSSR2toSOACChairs.pdf Draft Facilitator Report to SOAC Chairs - SSR2], September 10, 2018</ref>
  
The team presented a new Terms of Reference to the Board in September 2018.<ref>[https://community.icann.org/download/attachments/66061139/SSR2-Terms%20of%20Reference-Final%202018-Sep-1%5B2%5D.docx SSR2 Terms of Reference], September 4, 2018</ref>
+
The team presented a new Terms of Reference to the Board in September 2018.<ref>[https://community.icann.org/download/attachments/66061139/SSR2-Terms%20of%20Reference-Final%202018-Sep-1%5B2%5D.docx SSR2 Terms of Reference], September 4, 2018</ref> The team followed up with a work plan in November 2018.<ref>[https://mm.icann.org/pipermail/ssr2-review/2018-November/001344.html SSR2 Listserv Archive - SSR2 Team Work Plan], November 14, 2018</ref> The team subsequently updated the board in February 2019 on its status subsequent to another multi-day, face to face meeting in Los Angeles.<ref>[https://mm.icann.org/pipermail/ssr2-review/2019-February/001475.html SSR2 Listserv Archive - Update from the Review Team], February 13, 2019</ref> The board acknowledged receipt of the ToR, work plan, and update report at the end of February.<ref>[https://mm.icann.org/pipermail/ssr2-review/2019-February/001507.html SSR2 Listserv Archive - Message from Board to SSR2], February 28, 2019</ref>
 +
 
 +
==Mid-2019 Setbacks==
 +
At [[ICANN 64]] in Kobe, the review team requested technical writing support from the ICANN board and organization.<ref name="juneletter">[https://community.icann.org/download/attachments/60489949/Letter_to_Board_CEO_SO_AC-20190626.pdf Letter to Board, CEO, and SOAC Chairs], June 26, 2019</ref> ICANN org conducted a search for a technical writer to be assigned to the review team. A writer was hired in May 2019; however, after two weeks, the writer was dismissed by ICANN org.<ref name="juneletter" /> The review team expressed displeasure about this development (and others) in a letter to the board, CEO, and SOAC chairs:
 +
 
 +
<blockquote>Unfortunately, the SSR2 Team has a history of being under-supported and obstructed: our work was initially delayed  by a lack of documentation regarding the incomplete implementation of the 2012 SSR1 recommendations; we were “paused” for about a year by the Board without prior communication with the Team; we saw considerable delays when asking questions to staff, and received multiple insufficient responses; and we have had professional writing and research support for only 15 days. In  addition, the Board’s subsequent handling of the [[First Competition, Consumer Trust, and Consumer Choice Review|CCT Review Team recommendations]]* further confused and deflated the enthusiasm of our Team.<ref name="juneletter" /></blockquote>
 +
 
 +
''*The board approved action on only six of thirty-seven recommendations, placing seventeen of the recommendations on hold pending further research into feasibility, cost, and other unknowns.''
 +
 
 +
The letter reported that the team's work had been substantially set back by the loss of technical writing support. The letter concluded "In addition to raising serious concerns about the accountability, transparency and independence of community reviews  required by the ICANN bylaws, these unilateral and in transparent [sic] actions are extremely demoralizing to many Review Team members."<ref name="juneletter" />
 +
 
 +
In October 2019, the review team requested an additional $250,000 to complete the work of the review. The request cited the technical writing issue as well as other delays.<ref>[https://mm.icann.org/pipermail/ssr2-review/2019-October/001891.html SSR2 Listserv Archive - Message to Board, CEO], October 9, 2019]</ref> The Board approved the additional funding in November 2019.<ref>[https://www.icann.org/resources/board-material/resolutions-2019-11-07-en#1.j Resolution of the Board], November 7, 2019</ref>
 +
 
 +
==Draft and Final Report==
 +
The team published its draft report for public comment in January 2020.<ref name="dashboard" /> The report contained 31 recommendations, with many recommendations including multiple action items to fully implement each recommendation.<ref name="draftrep">[https://www.icann.org/en/system/files/files/ssr2-review-24jan20-en.pdf SSR2 Draft Report], January 24, 2020</ref> Public comment on the
 +
 
 +
 
  
 
==References==
 
==References==
 
{{reflist}}
 
{{reflist}}
 
__NOTOC__
 
__NOTOC__

Revision as of 17:39, 26 May 2021

The Second Security, Stability, and Resiliency Review (SSR2) was initiated in June 2016. The review team's final report was submitted to the ICANN Board in January 2021.[1] As of May 2021, the report is awaiting board action.[1]

Background

The Affirmation of Commitments, an agreement between ICANN and the United States Department of Commerce, establishes ICANN's obligations to perform its duties with specific commitments in mind. All of the commitments bear on public and consumer trust of the organization. ICANN is to perform its functions in a manner that:

  • ensures accountability and transparency of decision-making;
  • preserves the security, stability, and resiliency of the DNS;
  • promotes competition, consumer trust, and consumer choice; and
  • enables access to registration data.

ICANN is also charged to periodically review and assess its performance through the lens of each of the above commitments.[2]

ICANN's board enshrined these commitments (and the associated reviews) in its Bylaws in Article 1 (Mission, Commitments, and Core Values)[3] and in Article 4 (Accountability and Review).[4] Article 4.6 deals with "Specific Reviews," each of which are tied to one of the commitments in the Affirmation of Commitments.[5]

The Organizational Effectiveness Committee of the board oversees the conduct of specific reviews.[6] The SSR is one such review. The Bylaws mandate that the review team include independent experts in the field of networking security and stability.[5] The Bylaws also call for SSR reviews to begin no later than five years after the completion of the prior review.[5]

Initiation, Delay, and Suspension of Work

The call for volunteer applications was posted in June of 2016.[1] The deadline for applications was extended, in part because the ICANN Board had adopted amendments to the organization's bylaws, some of which affected the selection process for specific reviews such as the SSR.[7] Team selection was delayed until February 2017[1]

The team submitted its Terms of Reference (ToR) on May 11, 2017.[8][9] In June, the Board responded to the review team, noting that the Terms of Reference "in general must provide a clear articulation of work to be done and a basis for how the success of the project will be measured," and expressing some concerns regarding the clarity of the ToR and work objectives.[10] Work continued within the review team and on the listserv, particularly with regard to formulating and refining the team's work plan. However, no formal response issued regarding the board's concerns.

In October 2017, the SSAC submitted a letter to the ICANN Board, advocating for a pause in SSR2 and arguing that the "current approach, if continued without significant change, will ultimately result in a report that does not have the quality expected by the ICANN Community."[11] In the same month, the Board sent objections regarding the scope of the still-evolving work plan, specifically the work of Subgroup 2 and the proposal to conduct a full review of ICANN's internal operational security.[12] Within the review team, reactions were mixed to both letters. A proposed response regarding a planned Los Angeles on-site for Subgroup 2 On October 10-11 (one week from receipt of the letter addressing scope concerns) was not able to obtain consensus, particularly from SSAC-affiliated members of the review team.[13]

In the following weeks, additional actions occurred that were directly or indirectly related to the SSR2 situation. The board had acknowledged their own failure to set expectations for specific review processes, and set about remedying this failure with a proposed operating standards document for public comment.[14] The chairs of other SOs and ACs also reported concerns regarding the direction of the SSR2 review. As a result, on October 28, 2017, the board sent a letter to the review team instructing them to pause all work until meetings could be held between the chairs of the SOs and ACs and board members at ICANN 60.[15] The letter reads in part:

In light of the importance of this effort, the concerns being expressed, and the resources devoted to date, we believe that it is imperative that the community assure itself that the SSR2 is appropriately composed and structured to achieve its purpose. Accordingly, the Board will be meeting with SO/AC Chairs, the SSR2 Review Team, and the community on this topic throughout ICANN 60, and following the meeting will formally ask the SOs and ACs to consider whether they believe there is a need to adjust the scope, terms of reference, work plan, skill set and/or resources allocated to SSR2. Without prejudging the answer to those questions, the Board considers that the most responsible course is to suspend the review team’s work pending responses from the SOs and ACs.[15]

The SSR2 team met with SOs and ACs over the course of ICANN 60, as well as the board.[16] In the aftermath of the meeting between SSR2 and the board, there was a brief discussion between the board and chairs of the SOs and ACs regarding next steps.[17] The result of those meetings was that the SOs and ACs would "do what needed to be done" to correct the trajectory of the review process. There was acknowledgement that there was no existing process for a situation like this, and apologies to chairs and review team members alike regarding potential board or staff contributions to the impasse.[17] The project remained on hold for the SOs and ACs to establish a plan. Board members variously noted that they did not know, and were never informed, that there was a finalized work plan for the team.[17]

In December 2017, the SOs and ACs sent a letter to the SSR2 review team.[18] The letter described the chairs' conclusions regarding the work of SSR2 to date, as well as the responses to a questionnaire submitted to SSR2 review team members.[18] The questionnaire received responses from all but two of the SSR2 members. The chairs concluded that the SSR2 team was made up of dedicated volunteers with a true desire to see the work completed. However, they identified issues of trust, bandwidth, potential conflicts of interest, detail and completeness of the team's work plan, and a challenging and overambitious scope.[18] the chairs summarized their next steps:

The SOAC chairs recognizes [sic] a number of concrete actions for us: first, appoint more members to the SSR2 team and discuss with ICANN Staff what the budget and staffing situation looks like. After these actions have taken place, we are to restart the SSR2 review with some initial concrete items on their agenda: agree internally on updated leadership, COI issues and scope; and work with ICANN Staff and SOAC chairs to agree on communication, milestones, and progress reporting/management of the review.[18]

The letter acknowledged the hard work of the team thus far, and noted that the pause represented an opportunity for team members to assess their bandwidth to continue with the project.[18]

Restart

In February 2018, the SOAC chairs again communicated with the review team, presenting a status update and findings from additional communications and a survey of team members.[19] The letter was not optimistic, stating that survey comments from team members led them to conclude that there was "insufficient alignment within the SSR2-RT on many issues ranging from mission/scope to process/leadership."[19] To address this misalignment, the SOAC chairs requested that the OEC provide a neutral facilitator to work with the group to identify common ground and re-orient the goals and expectations of the team.[20] The OEC agreed, and set about working with the SOAC chairs to identify the required skills and experience that the facilitator should have.[21]

After an RFP process, Phil Khoury was engaged as facilitator in June 2018.[22] The review's relaunch was was announced shortly thereafter on June 7, 2018.[23] The culminatoin of Khoury's involvement came in August 2018, when the review team (with five additional appointed members) met in Washington DC and worked on drafting a new Terms of Reference.[24] The agenda and notes from the DC meeting indicate that this was the facilitated resolution of outstanding issues and concerns that the SOAC Chairs had requested.[25] Records of Khoury's work with the review team are available largely through the SSR2 listserv archive from his appointment in June 2018 to his sharing of his draft report following the DC meeting.[26]

The team presented a new Terms of Reference to the Board in September 2018.[27] The team followed up with a work plan in November 2018.[28] The team subsequently updated the board in February 2019 on its status subsequent to another multi-day, face to face meeting in Los Angeles.[29] The board acknowledged receipt of the ToR, work plan, and update report at the end of February.[30]

Mid-2019 Setbacks

At ICANN 64 in Kobe, the review team requested technical writing support from the ICANN board and organization.[31] ICANN org conducted a search for a technical writer to be assigned to the review team. A writer was hired in May 2019; however, after two weeks, the writer was dismissed by ICANN org.[31] The review team expressed displeasure about this development (and others) in a letter to the board, CEO, and SOAC chairs:

Unfortunately, the SSR2 Team has a history of being under-supported and obstructed: our work was initially delayed by a lack of documentation regarding the incomplete implementation of the 2012 SSR1 recommendations; we were “paused” for about a year by the Board without prior communication with the Team; we saw considerable delays when asking questions to staff, and received multiple insufficient responses; and we have had professional writing and research support for only 15 days. In addition, the Board’s subsequent handling of the CCT Review Team recommendations* further confused and deflated the enthusiasm of our Team.[31]

*The board approved action on only six of thirty-seven recommendations, placing seventeen of the recommendations on hold pending further research into feasibility, cost, and other unknowns.

The letter reported that the team's work had been substantially set back by the loss of technical writing support. The letter concluded "In addition to raising serious concerns about the accountability, transparency and independence of community reviews required by the ICANN bylaws, these unilateral and in transparent [sic] actions are extremely demoralizing to many Review Team members."[31]

In October 2019, the review team requested an additional $250,000 to complete the work of the review. The request cited the technical writing issue as well as other delays.[32] The Board approved the additional funding in November 2019.[33]

Draft and Final Report

The team published its draft report for public comment in January 2020.[1] The report contained 31 recommendations, with many recommendations including multiple action items to fully implement each recommendation.[34] Public comment on the


References

  1. 1.0 1.1 1.2 1.3 1.4 ICANN.org - SSR Dashboard
  2. ICANN.org - Affirmation of Commitments, September 30, 2009
  3. ICANN Bylaws, Article 1
  4. ICANN Bylaws, Article 4
  5. 5.0 5.1 5.2 ICANN Bylaws, Article 4.6
  6. ICANN.org - Organizational Effectiveness Committee
  7. ICANN.org - Application Deadline Extended for SSR2, August 12, 2016
  8. SSR2 Workspace - Correspondence
  9. Terms of Reference, SSR2, May 11, 2017 (Word document)
  10. Board Response to SSR2 Terms of Reference, June 23, 2017
  11. ICANN.org - Faltstrom letter to ICANN Board, October 3, 2017
  12. ICANN.org Listserv Archive - Board Letter regarding Subgroup 2's scope, October 3, 2017
  13. ICANN Listserv Archive - Email Replying to the Board, October 5 2017 (and subsequent replies)
  14. ICANN.org, Draft Operating Standards for Specific Reviews, October 17, 2017
  15. 15.0 15.1 ICANN.org - Letter from Steve Crocker to SSR2, October 28, 2017
  16. SSR2 Workspace - ICANN 60 Meetings
  17. 17.0 17.1 17.2 SSR2 Workspace - Meeting with Board Caucus & Community Leadership, November 2, 2017
  18. 18.0 18.1 18.2 18.3 18.4 ICANN.org - SO/AC Letter to SSR2, December 21, 2017
  19. 19.0 19.1 ICANN.org - SOAC Chairs Message on SSR2 Status, February 12, 2018
  20. ICANN.org - SOAC letter to OEC, February 15, 2018
  21. Letter from Khaled Koubaa to SOAC Chairs, March 3, 2018
  22. ICANN.org - OEC letter to SOAC Chairs, June 5, 2018
  23. ICANN.org - SSR2 Restarts, June 7, 2018
  24. ICANN.org - SSR2 Review Team Restarts
  25. SSR2 Workspace - August 2018 Meeting Archive
  26. Draft Facilitator Report to SOAC Chairs - SSR2, September 10, 2018
  27. SSR2 Terms of Reference, September 4, 2018
  28. SSR2 Listserv Archive - SSR2 Team Work Plan, November 14, 2018
  29. SSR2 Listserv Archive - Update from the Review Team, February 13, 2019
  30. SSR2 Listserv Archive - Message from Board to SSR2, February 28, 2019
  31. 31.0 31.1 31.2 31.3 Letter to Board, CEO, and SOAC Chairs, June 26, 2019
  32. SSR2 Listserv Archive - Message to Board, CEO, October 9, 2019]
  33. Resolution of the Board, November 7, 2019
  34. SSR2 Draft Report, January 24, 2020
Retrieved from "https://icannwiki.org/index.php?title=Second_Security,_Stability,_and_Resiliency_Review&oldid=1316647"