[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality
Wes Young
wes at ren-isac.net
Tue Apr 6 14:34:43 EDT 2010
On behalf of the Research and Education Networking Information Sharing
and Analysis Center (REN-ISAC), we submit these comments on ARIN Draft
Policy 2010-3: Customer Confidentiality, herein referred to as "the
Policy".

The mission of the REN-ISAC is to aid and promote cyber security
operational protection and response within the higher education and
research (R&E) communities. The mission is conducted within the
context of a private community of trusted representatives at member
institutions, and in service to the R&E community at-large. REN-ISAC
serves as the R&E trusted partner for served networks, the formal U.S.
ISAC community, and in other commercial, governmental, and private
security information sharing relationships.

Among the activities conducted, REN-ISAC sends notifications to EDU
abuse contacts regarding compromised or otherwise maliciously behaving
machines. Hundreds of notifications are sent daily. Numerous
commercial, non-commercial, and governmental organizations rely on
REN-ISAC's performance in this role, in addition to the EDUs receiving
the notifications.

Although the REN-ISAC develops and maintains its own contact database,
unfettered access to contact information in the ARIN registry permits
us to:

+ Identify new or existing institutions that have obtained or returned
allocated IP space within our scope of concern.
+ Identify a technical contact at an institution.

Should the Policy be implemented and adopted, it would hamper our
ability to execute the mission. Implications would include:

+ Significantly increase lead-times and human interrupts required to
perform notifications regarding compromised and misbehaving machines.
+ Increase the difficulty of identifying a technical contact at the
organization that is in the best position to deal with a cyber
security incident.
+ Add a layer of process that would either prevent or inhibit timely
event notification.
+ Add to the costs of performing notifications.

While we appreciate the need for a balance of privacy on the Internet,
we don't believe that the Internet or its users would be well-served
by confidential registrations at above a /x. The policy would prove to
be a detriment to global cyber security. Ultimately it would equate to
a reduced ability to deal with active criminal threat.

on behalf of the REN-ISAC,
--
Wes Young
Principal Security Engineer