On Wed 2024-05-22 19:03:58-0400 David wrote:
To me, this was an externally visible event that impacted the planned activities of two TLD operators. I’d note that in the last similar incident, Cogent self-reported. It is surprising to me that this would not be considered a reportable incident. Section 4.5 speaks to severity of incidents. I could see an argument that this most recent incident could be considered a lower severity, but not reporting it would seem odd to me.
I'm not saying it shouldn't be reported, just that my personal opinion is that in this instance it is debatable.
It is obviously impossible to list the details of every possible scenario, so I’d have assumed there would be guidelines to help inform which incidents should be reported, e.g., “was the incident externally visible”, “did the incident result in sustained resolution failure”, etc.
For both of those guidelines, they lead down rat holes. Visible to or sustained failures for how many people? I'll also note that at various times in the history of the document there were such guidelines (from me and others), but they have been pared back to be less specific over time.
More generally, I worry that depending on self reporting of potentially embarrassing incidents won’t be particularly supportive of goal 5 of the SOW (“5. Maintain/improve confidence in the RSS by providing incident reporting.”) if stuff that is externally visible isn’t reported on.
I totally agree here. But this specific question for this work party is about 'reportable security incident'. I mentioned 'informational' reporting in an earlier email. There has also been talk about a 'transparency' report, but again the work party has decided it's not in scope for this document. The work party is ongoing, so I invite folks to make suggestions to the document and participate in the calls!

Regards,
Robert
USC Information Sciences Institute <http://www.isi.edu/>
Networking and Cybersecurity Division