Canada’s telecom regulator will create a mechanism that Internet service providers will have to use to block malware-carrying botnets.
In a statement released Thursday, the Canadian Radio-Television and Telecommunications Commission said Internet service providers here will have to block these botnets at the network level — but that won’t start for months until a blocking mechanism is worked out.
A botnet is a network of malware-infected computers (bots) under the control of a server controlled by a malicious actor. In its decision, the CRTC notes that botnets enable spam, distributed denial-of-service attacks, malware deployment and information theft, and give attackers unfettered access to networks through infected systems.
Under the decision, a framework could include a centrally managed block list of Internet addresses overseen by the federal government’s Canadian Center for Cyber Security, the Canadian Internet Registry Authority (CIRA), or a new independent agency.
CIRA, which oversees the .ca domain, already has a botnet blocking service called Canadian Shield, which requires consumers to add a configuration file to their routers. It has not seen widespread adoption. But through a partnership with Mozilla, Canadian Shield automatically works with the Firefox browser to prevent users from going to malicious websites. The government’s Canadian Security Establishment (CSE), which oversees the Cyber Center, operates a network blocking service to protect federal networks.
After an 18-month consultation, the CRTC said botnet traffic is a major cybersecurity problem, both in terms of the extent and severity of damage, and that regulation is needed.
However, recognizing that blocking botnets at the network level will not be easy, the committee has given its network working group nine months to propose minimum technical standards for a blocking mechanism that service providers can apply. The group will propose who decides what is blocked, what exactly is blocked and other technical details related to the implementation.
The standards should be based on the following principles laid down in the CRTC decision:
•Need: Blocking is only allowed for the purpose of cybersecurity and not for any other purpose, including blocking otherwise illegal activity, or blocking it for commercial, competitive or political purposes;
•Accuracy: Any impact on legitimate services should be as minimal as possible, limited to what is necessary to achieve the goal of blocking the malicious traffic. The public should have the ability to report and resolve false positives and overblocking in an effective and timely manner;
•Transparency: Customers and prospects should be provided with clear information about the cybersecurity-level blocking solutions deployed by providers. The information to be released should provide Canadians with enough information to make informed decisions about which airlines to do business with, but should not be so detailed as to undermine the effectiveness of the framework by providing useful information to malicious actors about how to bypass the blocking mechanism. In addition, airlines must maintain and submit specific metrics to the Commission to enable the disclosure of statistics on the use and effectiveness of the blocking framework;
• Customer privacy: In addition to meeting their existing privacy obligations, airlines should adopt practices that reinforce these obligations to take into account the specificities of a blocking framework to provide the highest level of consumer privacy protection;
•Responsibility: Carriers must document and periodically review all of their blocking systems used for cybersecurity purposes to verify that their blocking program is working as intended.
The telecom industry and the public will be able to comment on the proposed minimum standards for a framework before they are confirmed.
In a statement, CIRA head Byron Holland said, “We support the CRTC’s decision to develop a botnet blocking framework to ensure Canadians can use a safe and trusted internet for their social, economic and cultural development.”
Regulating the problem is not what most ISPs in the country want. Of the 46 written submissions to the committee, the idea of a mandatory regime was favored by the country’s three largest telecom providers, independent Internet providers, banks and an insurance company, and Internet interest groups. Many providers say they have already taken steps to reduce botnet traffic.
Instead, the telecom industry was called upon to work more closely on cybersecurity, perhaps with a voluntary botnet-fighting framework.
However, the committee concluded that “regulatory action is needed to ensure that the network-level botnet blocking by Canadian carriers provides a basic level of protection.”
The current botnet-fighting practices of telecom service providers are “diverse and opaque and lack a practical and consistent mechanism for sharing botnet indicators of compromise,” the committee said. Different providers block different threats, using different methods and block lists.
One of the benefits of a regulated regime with minimum standards that providers must meet, the committee argued, would be the creation of a centrally managed block list
At the moment, sharing by providers of compromise indicators is ad hoc, the committee added. “Some level of centralization” would close this gap by ensuring that all telecom providers have a basic level of information, which in turn would ensure a basic level of protection for all customers, it said.
Service providers argued that their blocking methods follow best practices, but the committee found a number of inconsistencies. The most notable departure from best practices is the way they track and categorize blocking events. Most who responded to a request from the commission for more information do not follow blocking events, the ruling said.
The CRTC also believes that network-level blocking programs are effective and appropriate — and have been adopted by other countries.
In a submission to the committee, SaskTel and others estimate that malicious bots account for 20 to 30 percent of all Internet traffic. Nokia argued that 5G wireless networks and the proliferation of Internet of Things (IoT) devices mean that botnet attacks are likely to be much larger and more powerful if left unchecked.
On the other hand, Telus, Rogers, Bell Canada and Xplornet argued that because a very low percentage (0.0002 percent) of Canadian network traffic comes from malicious botnets, regulatory intervention is not warranted.
In its ruling, the commission recognized that malicious websites visited by Canadians as a percentage of the total number of websites visited may be low in absolute terms. “However,” it added, “since visiting a single malicious domain is enough to promote a device infection or lead to credential theft, the committee believes that even the relatively small ratio used by TSPs ( telecom service providers) is detected is significant.”
The committee recognized that no single entity in the cybersecurity landscape, including telecom service providers (TSPs), can solve the botnet problem alone. So far, it added, most of the burden of securing devices against malware threats has fallen on end users. “But while it’s true that TSPs cannot tackle bot infections at their source, their position as an Internet access provider means they are a critical control point for botnet communications,” the ruling reads. “They have a much broader view of the problem and therefore have more opportunities to disrupt botnet communication channels on a large scale. In addition, unlike many end users, they have the skill, expertise and capacity to understand the botnet threat and respond proportionately.”
A narrowly limited blocking mechanism would have minimal or even non-existent net impact on net neutrality, the committee also said. “While some characterize botnet blocking as inconsistent with net neutrality because it blocks the delivery of telecommunications, it also plays a role in preserving net neutrality. Such a mechanism not only serves to protect internet accessibility, a necessary condition for net neutrality, it also corrects the disruption caused by botnets in the total internet bandwidth due to the significant and unfair advantage in favor of machine-generated traffic from cyber threat actors. ”