
CRTC says Canadian ISPs may be forced to get tougher on botnets




Canada’s telecom regulator may force internet service providers to adopt network-level botnet blocking to limit criminally-run automated systems’ ability to spread malware.

ISPs can use several techniques to fight botnets, including domain-based blocking, internet protocol (IP)-based blocking and protocol-based blocking. However, these and other strategies aren’t required by regulation or controlled for possible bias.

But on Wednesday, the Canadian Radio-television and Telecommunications Commission (CRTC) called for comments on a proposal to require ISPs to implement strategies to fight botnets at the network level by blocking suspicious email, texts and communications by malware to command and control servers.

It would do so by approving a mandatory or voluntary network-blocking framework that carriers would follow. To meet privacy concerns, the commission says any approved framework has to be implemented in ways that protect internet user privacy, enable subscribers to opt into or out of message blocking, provide a mechanism to correct possible false positives of messages, ensure blocking decisions are unbiased and made in the best interest of Canadians, and minimize subscriber information monitoring, collection, and usage.

Technically, the CRTC says, any filtering or blocking affects the principle of net neutrality, the concept that all internet traffic should be given equal treatment by ISPs, with little or no prioritization. But there are exceptions, the CRTC notes, such as blocking access to child exploitation material. If rules for network-based blocking are approved, “a limited exception to net neutrality may be warranted” to give Canadians protection from spyware, information theft and ransomware, the regulator says.

The commission also suggests that rather than leave decisions in the hands of ISPs, an independent body with expertise in cybersecurity might assess whether blocking a particular domain or IP address is justified. That body could also decide how message blocking decisions can be unbiased and accurate. The commission doesn’t suggest a body, but one possibility is the federal government’s Canadian Centre for Cyber Security.

The commission also acknowledges that any blocklist of forbidden IP addresses will need to change regularly to remain accurate. It wants to hear about worries of over-blocking and false positives and ways to take wrongly-blocked addresses off a list quickly.

“Malicious botnet attacks are a serious and recurring concern,” CRTC chair Ian Scott said in a statement. “Almost every week, we see another organization victimized by ransomware or hear of a fellow citizen lured in by a phishing scam. With the launch of this proceeding, we are aiming to better protect Canadian individuals, businesses and institutions against damaging botnet activity.”

ISPs, exchange carriers, web hosting companies, consumers, and others have until March 15th to file comments. Submissions are limited to 20 pages.

In an interview, telecommunications consultant Mark Goldberg said that by launching this consultation, the CRTC might be signaling that blocking and filtering measures ISPs already perform need formal approval of the commission under the Telecommunications Act. Section 36 of the act says a carrier shall not control content or purpose of communications it carries without permission.

In a statement, the Competitive Network Operators of Canada (CNOC), which represents many independent ISPs, said the consultation may raise end-user concerns about content interference, blocking and overreach. At the same time, it added, network integrity, public safety, and user safety are crucial. “We will study this new consultation, to identify any meaningful areas requiring comment in terms of independent ISPs and concerns about how this might affect our users, and our ability to compete fairly.”

Greg Young, vice-president of cybersecurity at Trend Micro, who used to work for the federal department of communications, applauded the proposal to create an anti-botnet framework. “Anything that blocks known bad traffic is a good thing,” he said in an interview.

The CRTC has the authority to fight spam by enforcing the Canadian Anti-Spam Legislation (CASL), which prevents Canadian-based companies from sending commercial email without the recipient’s consent, installing software on computers without consent, and making false or misleading representations to promote products or services online. The CRTC expects ISPs to take steps to limit such behaviour on their networks. Botnets, which are huge networks of interconnected PCs, servers and other internet-connected devices around the world that pump out spam, violate CASL.

However, most are controlled outside Canada and therefore out of the reach of the regulator. A framework would give ISPs a guide to implementing technologies to block messages from botnets to domains of their comm
