No one likes malicious botnets, but Canada’s telecom regulator has found no industry support for its suggestion that carriers and internet providers be part of a mandatory network-based malicious botnet-blocking regime.
The idea was raised by the Canadian Radio-Television and Telecommunications Commission (CRTC) to put muscle behind the fight against botnets. In January it suggested the creation of a mandatory or voluntary network-blocking framework for providers to kick off the debate. An independent body with expertise in cybersecurity might assess whether blocking a particular domain or IP address is justified.
But among the 46 written submissions made this week, the idea of a mandatory regime got a thumbs down from the country’s big three telecom providers, independent internet providers, banks and an insurance company, and internet advocacy groups.
Instead, there were calls for the telecom industry to work more closely on cybersecurity, perhaps with a voluntary botnet-fighting framework.
One of the few qualified supporters is the RCMP. In a letter to the CRTC, the RCMP backed the framework.
“Please accept this letter as support from the RCMP National Cybercrime Coordination Unit (NC3) for the development of a framework to address botnet traffic and strengthen public safety,” the letter read.
The Mounties didn’t say the framework has to be mandatory.
Big 3 call botnet blocking regime ‘unnecessary’
Otherwise, the fight against more regulation is led by Bell, Rogers and Telus – the main providers connecting to the internet backbone that would carry much of the burden.
All three telcos say a mandatory network-based botnet blocking regime goes beyond the CRTC’s powers, wouldn’t be effective and is unnecessary because providers already co-operate to reduce the impact of botnets.
Depending on which study is cited, overall botnet traffic could amount to as much as half of all internet traffic with malicious bots accounting for as much as 30 per cent of that.
Here’s a sample of the submissions:
Bell: “The commission’s proposal for a mandatory regulated botnet blocking regime, which would introduce bureaucracy, including a third-party whose prior authority would be required as a precondition to all blocking, appears to be at odds with the existing [federal cybersecurity] framework which is meant to foster co-operation and collaboration amongst public sector and private sector stakeholders.
“The current co-operative and collaborative environment, in which intelligence is shared with the appropriate industry members, is effective, flexible and nimble. The existing government/industry working groups have succeeded in identifying malicious traffic and providing insights into how to mitigate potential impacts. Group members have extensive expertise and backgrounds in cybersecurity issues.”
Telus: “Network blocking is a reactive approach focused on botnets that are already deployed and present on end-user devices. Government should focus on improving the security of end user devices by establishing and enforcing security standards for end-user devices and for devices eligible for government procurement. Adopting this proactive approach will have a much more significant impact on reducing botnet attacks than the network blocking proposal.
“When it comes to network security practices, it is much preferred for telecom service providers to adopt voluntary best practices and continue to co-ordinate security responses across industry actors. This is the approach advocated by security industry working groups, such as the Canadian Security Telecommunications Advisory Committee (“CSTAC”) which has published a series of best practices frameworks which its members are encouraged to adopt within their own environments.”
Rogers: “Blocking of botnet traffic is a highly technical matter that requires in-depth security intelligence. The current proposal for a single network blocking framework is not the best approach to tackle cybercrime.
“The federal government’s Communications Security Establishment and its Canadian Centre for Cyber Security should take the lead on cybersecurity rather than the CRTC. The regulator should approach the CSTAC to develop a collaborative effort to deal with these cybersecurity issues.
“Government-mandated blocking should only be used as a measure of last resort.”
Shaw: “The commission should consider leading the formation of a new and independent body that would build a list of known botnets” perhaps called the Botnet Blocking Organization (BBO). The commission’s involvement should be limited to setting up the blocking framework. The BBO would rely on expert advice from internet service providers, information technology companies, and law enforcement to complete the blocking framework, and then to build and maintain the block list. The BBO would make its list available to all Canadian ISPs so that they can block their customers’ devices from communicating with any domain or internet protocol (IP) address on the list. This would disrupt communication between bots hosted on any of their end users’ devices and their C2 server, effectively neutralizing the botnet.
A joint submission by TD Bank, Royal Bank, CIBC, Bank of Montreal, Scotiabank, Desjardins and Canada Life insurance: “If there is a regulatory regime, data gathered to protect against botnets should not be used to contravene any Canadian privacy legislation, hinder legitimate and appropriate commerce, enhance targeted marketing, generate a new revenue stream for telecom service providers, or for gaining competitive advantage by hindering the ability of competitive services from reaching Canadians. The regulatory requirements must be tightly crafted to only allow the exceptions envisioned. A narrowly crafted exemption to net neutrality would avoid these concerns.”
The Internet Society: “We note that, as proposed, the CRTC’s approach would focus only on detection and notification, which neglects other critical dimensions needed to address botnets, including education of users, detection by IPSs, notifying customers and collaboration. The proposed framework may not be agile enough to cope with the changing threat landscape posed by botnets.
“The efficacy of the CRTC’s proposed approach may be quite low, as it mostly addresses the symptoms of botnets in a piecemeal fashion, rather than creating resilient cybersecurity systems which can deal with evolving threats. As such, the creation of a framework focused on individual threats will not, in and of itself, address the problem: botnets will mutate in terms of their approach and servers will migrate, ultimately making users and institutions no safer in the long run. There is also the opposite risk that block lists will become overly broad and deny internet users access to legitimate content in the name of preventing botnet spread.”
Independent internet provider Teksavvy: “In short, network-level blocking of malicious botnet traffic as envisioned in [the CRTC proposal] would break the internet and introduce risks to the open internet without effectively addressing its intended target or enhancing the security and safety of the internet in Canada.
If the commission approves a botnet-fighting framework, internet customers should have the option of opting in, it adds, and the framework should ensure privacy and minimize collection of user data.
Distributel, another independent ISP: “Provisions that protect and ensure end-user privacy, place end-users in control of their decision to participate, and minimize the monitoring, collection and usage of end-user information will be of central importance if the Commission were to proceed with the implementation of a network-level blocking framework.”
The Public Interest Advocacy Centre: “There is limited evidence on the record thus far to support the assertion that network-level anti-botnet efforts are sufficiently effective at catching most malicious botnets and at minimizing false-positives. Consequently, PIAC submits that the evidence, at this time, only supports commission intervention in the form of voluntary guidelines for ISPs, such as a best practices guide, over mandatory standards, such as a network-level botnet blocking framework, since the benefits of network-level anti-botnet efforts do not clearly outweigh the negative effects of anti-botnet activities on civil liberties and consumer rights.”
The Canadian Internet Registry Authority (which oversees the .ca domain): “Adoption of a new network-level blocking framework by ISPs must be voluntary. There should be a simple mechanism for users to opt-out of any filtering provided by an ISP. The decision to block a given cyber threat should not be made by just one actor. To prevent a single point of failure, the framework should provide for multiple certified parties to offer block lists, and use that certification as a key oversight mechanism. Parties providing block lists must be independent from any internet service provider or content provider.”
The Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC): “The CRTC has the power to authorize but not compel filtering for network security purposes.
“It is also important to note that, with the rapid expansion of networked and connected devices, most effective botnet mitigation efforts will occur within a customer’s home network.”
The Digital ID and Authentication Council of Canada: “Instead of pursuing top-down, one-size-fits-all technical and regulatory options, it would be simpler and more beneficial to pursue citizen-focused solutions to prevent malicious internet traffic. Solutions for consideration include access control via connections from a secure digital ID wallet. These technologies are viable, built in Canada, and shift the focus from government oversight and surveillance to individual empowerment.”