Was ICANN's new gTLDs system hacked?

There are two ways to handle a situation where your computer system may have been hacked.

You can start from the worst case scenario, investigate, and work backwards - this is the process that most companies (with the notable exception of Apple) have learnt from experience is the best way to go.

Alternatively, you can assume the best, investigate, and be forced to constantly re-evaluate how bad the situation really is. This is the approach that inexperienced companies take, and it is the one that ICANN is following with the news that there has been "unusual behavior" in its application system for new gTLDs.

The glitch couldn't have happened at a worse time. The organization was just about to close applications for its flagship program and that same day it had received mainstream media coverage, putting a spotlight on it.

Then on the day of closing, out came an announcement: "Recently, we received a report of unusual behavior with the operation of the TAS system. We then identified a technical issue with the TAS system software…" ICANN shut the system down and extended the deadline by a week to 20 April.

Having just entered the media's collective awareness, the organization was then bombarded by a press corps that has seen more than its fair share of "unusual behavior" statements and that asked the obvious question: were you hacked?

No info

ICANN didn't put out a second statement until 24 hours later, but in the meantime, a limited amount of information was provided to all journalists who inquired. It was this:

  • There was not a cyber-attack of any type.
  • No application data has been lost from those who have already submitted applications, so it should not pose problems for existing applicants.
  • The deadline is being extended until 11:59PM GMT on 20 April, to give applicants the time they would have had if we had not shut down the application system to allow for the diagnosis, any possible repair and subsequent testing of the system.
  • At this point, plans are to reopen the online application system on Wednesday, 18 April.

This response fits squarely into the non-denial denial category and immediately highlighted that ICANN was following the second path to dealing with a suspected hack.

It was certainly suspicious that ICANN had this problem within hours of being featured on the BBC, Wall Street Journal, Financial Times and The Daily Telegraph, among others. The system had been thoroughly tested, had been running for three months, and had undergone regular, scheduled maintenance checks.

As a result, we asked ICANN four precise questions within an hour of the initial statement. They were:

  • Is there any reason to believe that a party other than ICANN staff may have accessed the TAS back-end?
  • Why a one week extension (rather than a few days)?
  • When was the problem first noticed and was it in relation to a particular event i.e. archiving of information?
  • Was the database insecure at any point?

Nearly 24 hours later, we have not received a response. A chase-up this morning saw ICANN refer us to a second statement put out by its COO. As far as we can see, there is currently no intention to answer the questions above.

Rabbithole

The COO statement makes it clear that ICANN is discovering that things aren't what it at first willed itself to believe.

We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users' file names and user names in certain scenarios.

Out of an abundance of caution, we took the system offline to protect applicant data. We are examining how this issue occurred and considering appropriate steps forward.

We apologize for any concern this may have caused and will communicate on a regular basis on our website, which can be found at http://newgtlds.icann.org

Here's what it looks like to us: as ICANN is digging into the problem, it is finding more and more issues. To wit: ICANN doesn't know if it's been hacked or not, but regardless, it wants to reassure everyone that all is fine. It is understandable; it's just not the smart thing to do.

Will we see another statement tomorrow in which it turns out that some of the "users" had not paid their $5,000 registration fees, i.e. should not have been in the system in the first place? Will the "certain scenarios" start growing beyond the unusual and unlikely and into the pre-ordained, or specifically coded by a third party? Will ICANN find out it is in real trouble, panic, and try to hide the rest of what it finds out altogether?

We don't know how deep the rabbit hole goes. And that is exactly what happens when you've been hacked. Hackers don't leave big signs saying "I broke into your system and this is what I did" - they go in, they do what they can, they grab as much as they can, and they leave. They have no interest in letting anyone know precisely what they did along the way.

Hoping for the best

Of course, ICANN could be lucky. Maybe they weren't hacked. Maybe this really was just a glitch with no real impact. Just as realistic a scenario is that a responsible applicant did something unexpected and found they could see others' application information. They then reported it to ICANN and ICANN is, wisely, closing the system down until they figure out what the problem is and how to fix it.

But if that is the case then it beggars belief that ICANN is not saying so loud and clear, rather than posting cryptic messages about glitches that raise more questions than they answer. The world is watching ICANN: it's time to show you are up to the job.