Is insurance industry prepared for NTIA plan to end ICANN control?

By Richard Bortnick on April 9, 2014

We all take the Internet for granted.  Short of a power outage taking down phone lines, cell towers and satellite transmissions, the Internet will always there. Like death and taxes, you can count on it.

Not that the paradigm will change any time soon, but at some point, it might.

On March 14 and 17, 2014, the Wall Street Journal reported on the decision by the National Telecommunications and Information Administration (NTIA), part of the Commerce Department, to cede control of the Internet from the Internet Corporation for Assigned Names and Numbers (ICANN), a U.S. nonprofit, to an organization of multinational stakeholders.ICANN

As readers of Cyberinquirer know, ICANN is responsible for managing the core of the Internet by distributing domain names and Web addresses.  It’s been doing so since 1998.

But ICANN’s Charter isn’t limitless. Its contract with the Commerce Department is set to expire in September 2015. In other words, time is running out to for the Commerce Department to create a new body to replace ICANN, taking into account the interests of myriad constituencies.

According to the March 17 Journal report, the NTIA’s motivation for replacing ICANN is “to reassure other countries that the U.S. isn’t secretly controlling the structure of the Internet. To the extent American businesses have been damaged by the Edward Snowden disclosures…  this is a move aimed at repairing the relationship between the U.S. and other countries on Internet issues.”

And reparation is dearly needed in the post-Snowden world as politicians everywhere are exploiting his disclosures of spying for both political and nationalistic gains.

First, President Dilma Rousseff of Brazil announced that her country would seek to circumvent Internet resources operating from the U.S. In turn, Brazil’s Secretary for IT Policy, Virgilio Almeida, commented that the current regime “doesn’t address issues such as privacy and cybersecurity.”

Shortly thereafter, German Chancellor Angela Merkel stated she would support the creation of a separate European-operated Internet. Others noted a majority of the Internet’s 2.8 billion users reside outside the U.S.

Given these tangible and other perceived threats and concerns, the NTIA determined that an Internet managed on a more diverse global level would allay certain objections to the status quo. The first international meeting toward this end is being held in Sāo Paulo on April 22-23 entitled “NETmundial.”

Several commentators take exception to NTIA’s decision. Objectors cite concerns over censorship. Newt Gingrich has tweeted, “Every American should worry about Obama giving up control of the Internet to an undefined group. This is very, very dangerous.”

The U.S. has recognized a more global governance structure “would lead to the repression of free speech and the Balkanization of the Internet.”

In order to prevent such a result, the NTIA intends to ensure that the new body will be free of government influence and censorship while preserving the Internet’s security and stability.

Interested parties should not delude themselves into thinking this paradigm shift will be easy or fast.

Insurance Industry Impact

In particular, the intervening 17 months will afford the insurance industry time to consider and plan for the governance change.

At present, the industry has not had to meaningfully concern itself with core Internet exposures, as ICANN and the NTIA have had both the interest and resources to virtually “prevent” a significant Internet intrusion and/or dedicated denial of service attack. If anything is secure, it’s the Internet, even more so than the White House, CIA, FBI and Scotland Yard.  (I don’t know why the Internet is so secure. It just is).

In the interim, the impact of the upcoming regime change must be strategically evaluated. What will the coverages available look like? Is the “fix” simply the addition of another insuring agreement? Will the industry need to develop entirely separate monoline forms?

Regardless of a policy’s technical structure, the ultimate decision primarily will be driven by commercial assessments.

How would an insurer account for the risk that the new body (or an unauthorized intruder) takes down a site, a post or even the Internet for political, religious, ethnic or other demographic or social reasons? How would the risk of an Internet wildfire be addressed? Will the change have any effect at all or will insurers consider it to be business as usual?

In short, if you have concerns about aggregations now, just think of what it will look like when ICANN no longer has jurisdiction.

It is incumbent that the insurance industry identify a methodology to address aggregations now, as the situation will only become more complex as technology becomes more sophisticated.

Doing nothing is a decision unto itself.

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and contributing author for the Cyber Risk Network. He was previously shareholder in law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.