Security Concerns Boosted VeriSign's Dot-Net Bid

2005-04-19 13:14

http://www.washingtonpost.com/wp-dyn/articles/A62302-2005Apr18.html By David McGuire washingtonpost.com Staff Writer April 18, 2005 When the nonprofit organization that oversees the Internet's domain name system announced last month that the world's fourth largest domain would remain in the hands of VeriSign Inc., technology workers and Internet policy wonks around the world were incredulous, wondering aloud how the company had managed to navigate a process that was, in many ways, designed to reduce its hold on key pieces of Internet real estate. Online message boards lit up with rants and conspiracy theories about how VeriSign had managed to keep dot-net -- a vital piece of the Internet's infrastructure, particularly in the United States where major Internet service providers like Verizon and Comcast have assigned millions of dot-net e-mail accounts to their customers. "I would give the job to Microsoft before I'd willingly let VeriSign have another crack at it, and that's not something I'd say lightly. If they built cars, people would have died in the VerisSgn Pinto," one angry poster wrote on Slashdot.org, a message board and news site that caters to the technology audience. Other message boards swelled with accusations that VeriSign had inappropriate connections with the technical team that evaluated the company's proposal to continue managing dot-net, or that VeriSign had somehow bullied Internet authorities into compliance. But experts who closely follow VeriSign and the Internet domain market say the Mountain View, Calif.-based company owes its latest coup to a savvy lobbying effort in which VeriSign worked through the press and with its industry allies to play up already heightened concerns about the stability and security of the Internet. "Competition isn't the only parameter of concern. Security and stability are also issues of concern," said Vinton Cerf, chairman of the Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del Rey, Calif.-based group that was commissioned by the U.S. government in 1998 to oversee the domain name system. "It's not clear to me anymore that competition comes from binding a top-level domain to a particular operator," Cerf told reporters at an ICANN meeting earlier this month, a few days after the dot-net decision was announced. Cerf's comments were surprising to some observers, as he heads a group that was created with the express mission of breaking up the near monopoly on domain name management maintained at that time by Network Solutions, a company VeriSign bought in 2000. "It's shocking because ICANN and VeriSign basically hate each other and have hated each other since [ICANN's] inception," said Milton Mueller, an information studies professor at Syracuse University and author of a book about Internet governance. "VeriSign basically had to be bludgeoned into accepting ICANN as the administrator of the domain name system, and ICANN has always been run by people fundamentally hostile to VeriSign." ICANN and VeriSign have locked horns in courtrooms, at negotiating tables and even before Congress, as the company has sought to protect its valuable domain name business. The bad blood between the two sides boiled over last year when VeriSign sued ICANN after ICANN officials forced the company to jettison a controversial search service called Site Finder. That suit is still pending in California. But in the post-Sept. 11 world, VeriSign found itself in a strong position to play on ICANN's realigned focus on protecting the stability of the global Internet infrastructure. When ICANN put out its request for dot-net bids last December, the group made security and technical competence two of its top requirements for the next dot-net operator. Telcordia, the company chosen by ICANN to review the dot-net bids, ranked the criteria it used to judge bidders by importance -- high, medium or low. The ability to run a secure and stable registry was ranked "high," while promoting greater competition ranked "medium." Prior to the January deadline for submitting dot-net bids, VeriSign began pleading its case to reporters, touting the importance of the domain and warning of the disruptions that could occur if the domain were ever to go down for any substantial length of time -- something that hasn't occurred under VeriSign's stewardship. "During the period we've been operating dot-net, we've run it at the highest level," Mark McLaughlin, the general manager of naming and directory services for VeriSign said in January. "By definition, changing [the] operator would create the possibility for adding a great deal of instability to the system." "We believed this was a big decision on ICANN's part, and we certainly wanted people to focus on that decision. We wanted people to scrutinize our bid. We wanted people to scrutinize other bids, and we wanted people to scrutinize the process that ICANN used," said Tom Galvin, who was VeriSign's vice president of government relations when the bids were submitted and now works as an outside consultant for the firm. VeriSign also garnered support from some of the nation's largest high-tech companies, including Microsoft, Sun Microsystems and MCI, each of which sent letters to ICANN backing VeriSign's track record on security. Galvin said ICANN didn't do any formal briefings with those companies, but rather had informal conversations about the issue. In some cases, Galvin said the companies offered to write letters support, and in others VeriSign asked for them. "For the .net registry operator to be less than dependable would harm business growth and could endanger the commerce that runs across the Internet Infrastructure," Microsoft Chief Technical Officer Craig Mundie wrote in a letter to ICANN last July. "We endorse VeriSign's performance to date and we hope they will continue to operate the .net registry." The four other groups that submitted bids for dot-net responded that VeriSign was fear mongering. "There's no question that dot-net helps underpin the Internet. The one [assertion] that strikes me as incongruous is that if you touch dot-net, everything will fall apart," Ram Mohan, chief technical officer of Afilias, said last October. Based in Dublin, Afilias finished third in the five-way dot-net race. A Valuable Line of Business The domain name market is lucrative for the largest Internet registries and registrars, the companies that sell and catalog Internet addresses. Starting in 1999 when ICANN began the process of breaking up Network Solutions's monopoly, it focused on the retail side of the business. At the time Network Solutions was sole wholesaler (registry) and the sole retailer (registrar) for Internet addresses ending in dot-com, dot-net and dot-org. In order to give consumers more choices and spur price competition for Internet addresses, ICANN created several new registrars, requiring Network Solutions to offer the new companies a fixed wholesale rate of $6 per domain per year. The move opened the domain name market to hundreds of companies (ICANN has now accredited more than 400 registrars), helping drive the annual price of an Internet address down from a fixed $35 to less than $10 in many cases. VeriSign left the retail business altogether in 2003 when it spun off its Network Solutions business. VeriSign's share price climbed $1.40 to close at $27.40 the day after ICANN announced that dot-net would remain where it is, reflecting the importance some investors placed on the company maintaining a leading role the domain name market. "It's meaningful in terms of the bragging rights. It's not meaningful in terms of stand-alone revenue, but losing it would puncture a hole in VeriSign's story about how unique they are," Merrill Lynch analyst Ed Maguire said. The dot-net operation generates about $30 million in revenue a year for VeriSign -- not a vast sum compared with the nearly $1.2 billion in revenues and $186 million in profits the company reported in 2004. Scott Sutherland, an analyst at Wedbush Morgan, said losing the domain could have panicked some investors, who may have taken it as a sign that VeriSign would eventually lose dot-com as well. That's unlikely, since VeriSign's contract to run dot-com presumes that the company will retain control of the domain indefinitely unless it does something to warrant having it taken away, but Sutherland said winning the dot-net contract is likely to quell investors' concerns on that front. The dot-com registry generates more than $150 million a year for VeriSign. Also, while dot-net may not contribute a large revenue stream, Maguire and Sutherland noted it is an extremely profitable line of business because the technology required to run the registry is already in place. The two analysts don't own stock in VeriSign and their firms don't provide investment-banking services for the company. Unfair Advantage? While it was stressing security in its dot-net bid, VeriSign also argued that competition at the consumer level wouldn't necessarily be served by moving the domain to another operator -- saying that from a consumer standpoint it's more important to bolster competition at the retail level. "I don't think this was a choice between security and competition, security and stability are important, but Telcordia gave VeriSign its highest score for competition," McLaughlin said. But even the choice of Telcordia as the evaluator has raised some hackles among VeriSign and ICANN critics. Telcordia is owned by Science Applications International Corporation, a company that once owned a piece of Network Solutions. Although Telcordia fully disclosed its historic ties before the dot-net evaluation began, the company couldn't help but view VeriSign in a favorable light, said Paul Vixie, president of the Redwood City, Calif.-based Internet Systems Consortium, a company that publishes a key piece of Internet software. "Telcordia shares a lot of corporate DNA with VeriSign. They're the same type of people, and they do things in the same general way, and these evaluations are really smell tests. ... [ICANN] picked someone who would recognize VeriSign as someone who was like themselves," Vixie said. ICANN spokesman Kieran Baker said ICANN didn't go forward with the evaluation process until all the bidders were satisfied that Telcordia could render an unbiased evaluation. But in the wake of the decision in VeriSign's favor, at least three of the four losing bidders have filed formal complaints about some portion of the evaluation process, and all five bidders told ICANN that they'd be submitting written comments on the evaluation process. DeNic, the company that operates Germany's sovereign dot-de, the world's second-largest Internet domain behind dot-com, has been vocal about its unhappiness with the process. "We will comment on these issues, but I'm not sure we'll do further complaints, because we don't think it will change the results. But we're disappointed that ICANN and Telcordia did not take the opportunity to run this process more properly," DeNic director Sabine Dolderer said. DeNic complained that Telcordia misstated information about DeNic's in-house technology in the first draft of the report. Telcordia issued an amended report that did not change DeNic's ranking, which was fourth out of five. Sentan, the joint venture between Sterling Va.-based NeuStar and Japan Registry Services, which runs Japan's sovereign dot-jp domain, placed second in the dot-net bidding process. Sentan wrote a letter to ICANN voicing concerns about the selection process, but other than that has remained fairly silent. VeriSign's current contract to run dot-net expires June 30, and ICANN expects to complete negotiations in the next couple weeks. The ICANN board of directors must approve the final deal, and the U.S. Department of Commerce will then have the final say, but in recent years, the department has gone along with every major decision by the ICANN board. The agency declined to comment on the dot-net issue. _________________________________________ Network Security - http://www.auditmypc.com Free vulnerability test - How secure is your computer?

News URL

http://www.washingtonpost.com/wp-dyn/articles/A62302-2005Apr18.html

#security #verisign