By Ahmad Hathout
GATINEAU – Canada’s big telecoms are divided on a CRTC proposal to create a framework that would establish an independent body tasked with creating and maintaining a block list of known malicious software networks, known as botnets.
A botnet is a network of malware-infected devices that are controlled from a central location and used to do things like steal data and/or send an overwhelming number of communications to a server, which causes it to fail (denial-of-service attack). The increasing number of internet-connected devices coming to market, a lot largely with flimsy security measures, are multiplying the risk of the presence of botnets.
“Botnets expose Canadians to spam, spyware, information theft, and ransomware,” Shaw Communications said in a submission made public last week to the CRTC’s consultation on building a body that would oversee the blocking of botnet traffic.
Shaw is recommending a full-fledged organization they call in their submission the Botnet Blocking Organization (BBO), with the CRTC limited to just setting up the blocking framework, they said in their submission.
“Going forward, the BBO would rely on expert advice from Internet service providers (ISPs), information technology companies, and law enforcement to complete the blocking framework, and then to build and maintain the block list. The BBO would make its list available to all Canadian ISPs so that they can block their customers’ devices from communicating with any domain or Internet protocol (IP) address on the list.
The BBO would allow anyone to report suspected new botnets to be included in the block list, to request removal of incorrectly blocked domains or IP addresses, maintain privacy, include education and outreach, and get input from industry, law enforcement and information technology companies.
“Domain blocking is the most appropriate technique because it is already deployed in our network and allows for rapid implementation.” – Quebecor
Quebecor was in Shaw’s corner. It recommended a framework with a central cybersecurity-specialized government entity overseeing it. “Domain blocking is the most appropriate technique because it is already deployed in our network and allows for rapid implementation,” the company said.
Some of Canada’s internet service providers utilize, on an individual basis, measures to protect their subscribers from attacks. The CRTC’s consultation on building a framework would amount to a concerted effort across the country.
Related to this, Wednesday will see the Federal Court of Appeal hear arguments in a challenge by TekSavvy of a lower court decision to force ISPs to block websites connected to alleged copyright infringer GoldTV, which has been allegedly selling unlicensed content over those websites.
Naturally, then, the Internet Society of Canada and TekSavvy are against any such BBO framework because, they argue, it can lead to overblocking. “Introducing a framework for blocking malicious traffic sets a precedent that TekSavvy is concerned would be used to block other traffic or content in violation of the principles of common carriage and network neutrality,” which prevents ISPs from interfering in the flow of internet traffic.
However, if a framework must be put in place, it should include an opt-in option for ISPs; including an appeal system for blocking decisions, akin to a request made in the GoldTV case; ensure maximum privacy and minimize data collection.
“It is CIRA’s view that network-level blocking is a blunt and extreme remedy—rarely necessary, generally disproportionate, and antithetical to the policy of net neutrality.” – CIRA
Cogeco similarly argued that the CRTC must be careful not to get into territory where privacy and net neutrality is compromised. If it must, the framework must endorse an independent third-party with expertise in cyber matter, must focus on blocking domains, not IP addresses, and should allow Canadians to get involved in reporting.
The Canadian Internet Registration Authority argued along the net neutrality line of reasoning as well, suggesting any such framework must include safeguards that ensures content cannot be blocked. “It is CIRA’s view that network-level blocking is a blunt and extreme remedy—rarely necessary, generally disproportionate, and antithetical to the policy of net neutrality that is the fundamental ethos of the internet and its legacy of permissionless innovation.”
Rogers, Bell, Telus, Eastlink, Xplornet and consumer group the Public Interest Advocacy Centre also argued against a framework for blocking. The larger players said there are already existing communications channels and systems in place to co-ordinate industry and government to deal with such threats.
Those bodies include Public Safety Canada, the Canadian Cyber Incident Response Centre, the Royal Canadian Mounted Police, the Treasury Board Secretariat, Foreign Affairs and International Trade Canada, and the Department of National Defence and the Canadian Forces.
Bell said another body would add an additional layer of bureaucracy and threaten the existing co-operation and collaboration between the public and private sector. Despite being opposed to such a measure, Rogers and Eastlink said if the CRTC adopts a framework, it should apply to all service providers.
In any event Telus, Eastlink, and PIAC argued that the internet service providers should adopt voluntary best practices to protect against botnets.
Telus, in fact, said a framework with a central body wouldn’t solve the issue because that system would be a reactive measure – as the attack would’ve already taken place – and the CRTC should focus on pressing for better security measures for devices, which the malware targets.
The Vancouver-based telecom used the example of internet-of-things devices that come with default passwords that are easily cracked. It said the number of IoT devices in the market has shown that the industry has prioritized speed versus security.
Xplornet similarly argued that the framework would only deal with the issue after the fact, suggesting instead on an educational campaign and to encourage Canadians to protect themselves by using security software. The company said it has a security product that it charges $4 a month for.
Replies to these initial interventions are due April 14.
