Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements

Comments from Tucows, Inc.

Tucows appreciates the opportunity to provide comments on the proposed rule to implement CIRCIA’s cyber incident and ransom payment reporting requirements for covered entities.

Tucows is a long-time provider of Internet connectivity services, launching first in 1993 as a shareware provider and growing since to provide domain name registration services (Tucows Domains and Hover), fiber Internet across the United States (Ting), and communication service provider software solutions (Wavelo).

Tucows believes that the free and open Internet requires good functional reporting and enforcement against cyber-crime and we support efforts to ensure that the Internet remains safe, accessible, and unified. We support regulation and enforcement of requirements for the DNS industry within and as part of the ICANN multistakeholder model.

In this comment we provide responses to the questions specific to entities related to domain name operations. We are available to provide clarification or additional information at your convenience.

The types of entities that are “related to domain name operations” and what type of relationship such entities may have with relevant multi-stakeholder organizations, such as the Internet Corporation for Assigned Names and Numbers.

Domain name registrars and registries are the primary entities related to domain name operations. They are bound to adhere to ICANN contract and policy obligations, including cyber incident reporting requirements.

Domain name registries provide services to registrars, while registrars provide services to domain owners. Both registrars and registries are under contract with ICANN, and the multi-stakeholder organization develops, implements, and enforces policies concerning the Domain Name System (DNS) through this contractual relationship. ICANN previously operated under instruction and oversight from NTIA but now acts independently.

The covered entities which CISA proposes this exception apply to, including whether any additional covered entities involved in DNS operations, such as domain name registries and registrars, should be considered by CISA for this reporting exception.

Domain name registrars and registries should be included in the reporting exception because of their direct relationship with the DNS.

Both domain name registrars and registries provide the critical infrastructure of the DNS by holding various authoritative records that cause the DNS to function. Registries hold the zone file of the respective top-level domain (TLD) and registrars hold the ancillary information related to the domain names registered through the respective registry.

Domain name registrars and registries are governed by ICANN, a multi-stakeholder organization that develops, implements, and enforces policies concerning the DNS. In fact, the policies that govern registries’ and registrars’ requirements in this matter—including the policies that bind both entity types to the DNS—are created by these entities, which are ICANN members.

Covered entities are bound by local requirements in addition to ICANN contractual requirements, including jurisdictional reporting requirements (e.g., to a U.S. State or Territory). These jurisdictional reports typically include a requirement to also report to the U.S. government, or that the State or Territory will supply the information itself.

Duplicating this requirement by failing to exempt DNS services providers, such as registrars and registries, would not increase the dataset to which the U.S. government has access, and exempting registrars and registries would not result in a smaller dataset.

Information, facts, or other views that describe or explain the relationship between ICANN and domain name registries and registrars, as well as specific cyber incident and ransom payment information that must be reported to ICANN by entities accredited by ICANN.

Registrars and registries are bound to adhere to ICANN contract and policy obligations.
Registrars sign the Registrar Accreditation Agreement (RAA), and registries sign the Registry Agreement (RA); these contracts with ICANN lay out specific obligations and require compliance with all ICANN Consensus Policies (current or future).

Specifically, §3.20 of the RAA requires that registrars report Security Breaches to ICANN, including details describing the unauthorized data access, number of affected users, and steps taken in response.

Tucows, as a domain name registrar and as a back-end registry services provider for registries under contract with ICANN, supports ICANN being the cyber incident and ransom payment reporting entity for all domain name registrars and registries.

Tucows commits to working with ICANN to formalize a global cyber incident reporting program for domain name registries and registrars.

What types of covered cyber incidents could be unique to, or have a unique impact on, the covered entities that would be exempt from reporting under CIRCIA based on the scoping of the proposed DNS Exception?

Any incident that results in a detriment to the security, stability, and resilience of the Internet or of the DNS is covered. This includes all incidents suffered by a DNS services provider. ICANN, the multi-stakeholder organization that develops, implements, and enforces policies concerning the DNS, is the appropriate reporting party for DNS infrastructure providers (registrars and registries).

What are the potential consequences of covered cyber incidents that would not be reported to CISA based on the proposed DNS Exception (e.g., impacts to the functionality of the internet or to services offered to critical infrastructure)?

As ICANN is the appropriate entity to receive reports of cyber incidents from DNS infrastructure providers, there would be no consequences of failing to report such incidents to CISA directly as long as they are instead reported to ICANN.

In addition, each company has local jurisdictional reporting requirements and reporting requirements, including to CISA, for its non-DNS businesses.

What are the specific technical functions that DNS entities perform or provide in order to support the DNS versus related, but separate commercial offerings? How would this apply to different DNS entities such as root server operators, domain name registries, and domain name registrars?

Domain name registries provide the critical infrastructure of the DNS by maintaining the zone file for the respective TLD (for example, the authoritative information for navigating from a domain name in .com to the appropriate web host is maintained by Verisign, the registry for .com). The zone file includes information about all domains in the TLD (all .com domain names) that allows these domain names to be accessed by anyone anywhere on the Internet, for example nameserver (NS) records or domain name system security extensions (DNSSEC). Without this zone file, .com domain names would not function.

Domain name registrars perform the critical technical function of populating the information maintained by the registry. This means that, when a domain name is created or NS or DNSSEC records are updated, this is done at the registrar and transmitted to the registry, which maintains it as described above. Additional DNS records, such as mail exchange (MX), which allow email functions to work, are held by the registrar. Moreover, registrars maintain their own authoritative Whois database, which provides access, where appropriate, to the data of the entity that owns the domain.

The complementary relationship between registries and registrars is required for the functioning of the DNS. Without ICANN, without registries, or without registrars, the DNS—and therefore the entire Internet!—could not function. This makes each entity individually and collectively critical infrastructure.

What cyber incident reporting requirements, either in the United States or internationally, are DNS entities currently subject to? To what government agency or other entity must those entities report cyber incidents? Please describe the specific cyber incident reporting requirement (e.g., timing and trigger requirements; details that must be reported; mechanism for reporting; supplemental reporting requirements).

As described above, registrars are bound to adhere to ICANN requirements and report to ICANN regarding such incidents. Tucows, along with other DNS infrastructure providers, commits to working with ICANN to formalize a global cyber incident reporting program at ICANN. In addition, each may have local jurisdictional requirements unique to each registrar or registry and the non-DNS infrastructure businesses that they may have (such as to a State).

How should the U.S. government’s support for the multi-stakeholder system of internet governance inform the DNS Exception?

The U.S. government has historically supported the multi-stakeholder system of Internet governance—and ICANN specifically—since 1998, when ICANN was created explicitly to allow the multi-stakeholder governance of the Internet. Indeed, the U.S. government spearheaded this transition to provide international stakeholders, including other governments and all users of the Internet globally, the ability to participate in the governance of the critical infrastructure that has come to be so necessary to our lives—business, interpersonal, and political. The Internet is necessary to free speech and democracy, as has been shown again and again, both of which are strong interests of the U.S. government, both at home and, crucially, internationally.

In 2016, the U.S. government solidified its support for the multi-stakeholder system of Internet governance by shepherding the “IANA Transition”, moving stewardship of the IANA functions away from NTIA’s direct control to ICANN’s direct control. This move increased international confidence in the functions of the DNS—in the Internet itself—and in the multi-stakeholder system of Internet governance. The U.S. government’s staunch support of the multi-stakeholder system of Internet governance is an example to all governments everywhere.

The U.S. government should continue to support the multi-stakeholder system of Internet governance by allowing the DNS Exception to continue—and, indeed, expanding it to include all DNS providers including domain name registries and domain name registrars—especially in this time when local governments worldwide are attempting to exert undue control over the DNS and the Internet.